ACTIVE-2019-007: ManageEngine Local Privilege Escalation
Vulnerability Type:
Privilege Escalation
Vendors:
Zoho Corporation Pvt. Ltd
CVE ID:
CVE-2019-12133
Affected Products:
- ManageEngine Desktop Central v10.0.380
- ManageEngine EventLog Analyzer v12.0.2
- ManageEngine ServiceDesk Plus v10.0.0
- ManageEngine SupportCenter Plus v8.1
- ManageEngine O365 Manager Plus v4.0
- ManageEngine Mobile Device Manager Plus v9.0.0
- ManageEngine Patch Connect Plus v9.0.0
- ManageEngine Vulnerability Manager Plus v9.0.0
- ManageEngine Patch Manager Plus v9.0.0
- ManageEngine Browser Security Plus
- ManageEngine OpManager v12.3
- ManageEngine NetFlow Analyzer v11.0
- ManageEngine OpUtils v11.0
- ManageEngine Network Configuration Manager v11.0
- ManageEngine FireWall v12.0
- ManageEngine Key Manager Plus v5.6
- ManageEngine Password Manager Pro v9.9
- ManageEngine Analytics Plus v1.0
Summary:
Multiple ManageEngine products suffer from local privilege escalation due to improper permissions of C:\ManageEngine directory and its sub-folders which grant the Users group the Create Files / write data permission. Moreover, the services associated with said products will try to execute a number of nonexistent binaries such as sc.exe from the current directory upon system start. This will effectively allow non-privileged users to escalate privileges to NT AUTHORITY\SYSTEM by placing a payload as one of the nonexistent binaries in the problematic folder.
Mitigation:
The reported vulnerability has been fixed in version 100393, please refer to vendor website for more information.
Credit:
This vulnerability was found by Hashim Jawad of ACTIVELabs.
References:
- https://www.manageengine.com/products/desktop-central/elevation-of-privilege-vulnerability.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12133
- https://nvd.nist.gov/vuln/detail/CVE-2019-12133
Disclosure Timeline:
- 03-22-19: ACTIVELabs submitted bug to Zoho via their bug bounty portal
- 03-25-19: Vendor responded stating they are working on fix with high priority and will update soon
- 04-19-19: ACTIVELabs requested status update
- 04-19-19: Vendor said the patch is still working in progress
- 05-14-19: ACTIVELabs requested status update
- 05-15-19: Vendor said the patch has been rolled out for some of the effected products and they're currently working on the rest
- 05-15-19: ACTIVELabs request CVE entry from MITRE
- 05-15-19: CVE-2019-12133 has been assigned
- 06-01-19: Vendor informed ACTIVELabs the reported vulnerability has been fixed and released in version 100393
- 06-06-19: ACTIVELabs publishes this advisory