Applications Manager 12.5 Arbitrary Command Execution Exploit

Title: Applications Manager 12.5 Arbitrary Command Execution Exploit
Advisory ID: ZSL-2016-5291
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 13.01.2016
Summary
ManageEngine Applications Manager is an application performance monitoring solution that proactively monitors business applications and helps businesses ensure their revenue-critical applications meet end-user expectations. Applications Manager offers out-of-the-box monitoring support for 50+ applications and servers.
Description
Applications Manager suffers from an arbitrary command execution vulnerability. Attackers can exploit this issue through the Upload Files/Binaries feature by uploading a .bat file that wraps a command with its respective arguments and attaching it to a given binary for execution. Combined with the CSRF and privilege escalation issues, this allows arbitrary .exe and .bat file creation and execution of system commands with SYSTEM privileges.
Vendor
Zoho Corporation Pvt. Ltd. - https://www.manageengine.com
Affected Version
<=12.5
Tested On
Apache-Coyote/1.1
PostgreSQL
Vendor Status
[22.10.2015] Contact with the vendor.
[23.10.2015] Vendor responded asking for details.
[23.10.2015] Advisory and details sent to vendor.
[03.11.2015] Follow up with the vendor. No response received.
[06.11.2015] Second follow up with the vendor. No response received.
[22.12.2015] Final follow up with the vendor. No response received.
[13.01.2016] Public security advisory released.
PoC
app_mgr_rce.py
Credits
Vulnerability discovered by Bikramaditya Guha - <bik@zeroscience.mk>
References
[1] http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5292.php
[2] https://cxsecurity.com/issue/WLB-2016010084
[3] https://www.exploit-db.com/exploits/39236/
[4] https://packetstormsecurity.com/files/135255
[5] https://exchange.xforce.ibmcloud.com/vulnerabilities/109662
Changelog
[13.01.2016] - Initial release
[14.01.2016] - Added references [2] and [3]
[16.01.2016] - Added reference [4]
[19.01.2016] - Added reference [5]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk