Cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14120:*:*:*:*:*:* — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/cpes/cpe2.3azohocorpmanageengine_applications_manager14.0build14120/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 12:00:00 +0000ManageEngine Applications Manager Authenticated RCE via File Upload (CVE-2020-14008)https://feed.craftedsignal.io/briefs/2024-01-manageengine-rce/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-manageengine-rce/CVE-2020-14008 is an unrestricted file upload vulnerability in Zoho ManageEngine Applications Manager that allows an authenticated attacker to upload a malicious JAR file containing a reverse shell to achieve remote code execution.An authenticated remote code execution vulnerability exists in Zoho ManageEngine Applications Manager due to an unrestricted file upload (CVE-2020-14008). Successful exploitation allows attackers to execute arbitrary code on the system. The exploit involves authenticating to the application, identifying the installation directory, crafting a malicious Java class within a JAR file, uploading the JAR to a specific directory via directory traversal, and then triggering the execution of the uploaded code through the Weblogic credential test. Default credentials of “admin:admin”, “admin:password”, “administrator:administrator”, and “guest:guest” may be leveraged to gain unauthorized access. This vulnerability affects multiple versions of ManageEngine Applications Manager.

Attack Chain

  1. Authenticate to ManageEngine Applications Manager using valid credentials (e.g., default credentials) to obtain a session cookie.
  2. Enumerate the ManageEngine base installation directory.
  3. Create a malicious Java class (e.g., weblogic.jndi.Environment) containing a reverse shell.
  4. Compile the Java class into a JAR file (e.g., weblogic.jar) using javac and jar.
  5. Upload the malicious JAR file to the classes/weblogic/version8/ directory using directory traversal techniques. As a fallback, create a scheduled task to move the file.
  6. Trigger the Weblogic credential test at the /testCredential.do endpoint.
  7. The application loads and instantiates the malicious Java class.
  8. The reverse shell within the JAR connects back to the attacker’s listener, granting remote code execution.

Impact

Successful exploitation allows the attacker to execute arbitrary code on the affected system, potentially leading to complete system compromise, data theft, and disruption of services. Organizations using ManageEngine Applications Manager are at risk. The exploitation could lead to lateral movement within the network and further compromise of sensitive data.

Recommendation

  • Apply the security updates provided by ManageEngine to patch CVE-2020-14008 as detailed in the ManageEngine Advisory.
  • Deploy the Sigma rule for detecting JAR file uploads to the webserver log and tune for your environment.
  • Monitor process creation events for Java processes executing from the classes/weblogic/version8/ directory, using the provided Sigma rule.
  • Enforce strong password policies and regularly audit user accounts to prevent the use of default credentials, as mentioned in the overview.
]]>criticaladvisoryrcefile uploadmanageengine