Applications Manager 12.5 Arbitrary Command Execution Exploit

Risk
High
Advisory ID
ZSL-2016-5291
Release Date
13 January 2016
Vendor
Zoho Corporation Pvt. Ltd. - https://www.manageengine.com
Affected Version
<=12.5
CVE
N/A
Tested On
Apache-Coyote/1.1, PostgreSQL
Summary

ManageEngine Applications Manager is an application performance monitoring solution that proactively monitors business applications and helps businesses ensure their revenue-critical applications meet end-user expectations. Applications Manager offers out-of-the-box monitoring support for 50+ applications and servers.

Description

Applications Manager suffers from an arbitrary command execution vulnerability. An attacker can abuse the Upload Files/Binaries feature to upload a .bat file and then supply a command, together with the desired arguments, to the uploaded binary for execution. Chained with the CSRF, privilege escalation and arbitrary .exe/.bat file creation issues, this allows an attacker to execute system commands with SYSTEM privileges.

Proof of Concept
Disclosure Timeline
22.10.2015 - Contact with the vendor.
23.10.2015 - Vendor responded asking for details.
23.10.2015 - Advisory and details sent to vendor.
03.11.2015 - Follow up with the vendor. No response received.
06.11.2015 - Second follow up with the vendor. No response received.
22.12.2015 - Final follow up with the vendor. No response received.
13.01.2016 - Public security advisory released.
Credits
Vulnerability discovered by Bikramaditya Guha
References
Changelog
13.01.2016 - Initial release
14.01.2016 - Added references [2] and [3]
16.01.2016 - Added reference [4]
19.01.2016 - Added reference [5]