Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

ACTIVE-2019-007: ManageEngine Local Privilege Escalation

Vulnerability Type:

Privilege Escalation

Vendors:

Zoho Corporation Pvt. Ltd

CVE ID:

CVE-2019-12133

Affected Products:

  • ManageEngine Desktop Central v10.0.380
  • ManageEngine EventLog Analyzer v12.0.2
  • ManageEngine ServiceDesk Plus v10.0.0
  • ManageEngine SupportCenter Plus v8.1
  • ManageEngine O365 Manager Plus v4.0
  • ManageEngine Mobile Device Manager Plus v9.0.0
  • ManageEngine Patch Connect Plus v9.0.0
  • ManageEngine Vulnerability Manager Plus v9.0.0
  • ManageEngine Patch Manager Plus v9.0.0
  • ManageEngine Browser Security Plus
  • ManageEngine OpManager v12.3
  • ManageEngine NetFlow Analyzer v11.0
  • ManageEngine OpUtils v11.0
  • ManageEngine Network Configuration Manager v11.0
  • ManageEngine FireWall v12.0
  • ManageEngine Key Manager Plus v5.6
  • ManageEngine Password Manager Pro v9.9
  • ManageEngine Analytics Plus v1.0

Summary:

Multiple ManageEngine products suffer from local privilege escalation due to improper permissions of C:\ManageEngine directory and its sub-folders which grant the Users group the Create Files / write data permission. Moreover, the services associated with said products will try to execute a number of nonexistent binaries such as sc.exe from the current directory upon system start. This will effectively allow non-privileged users to escalate privileges to NT AUTHORITY\SYSTEM by placing a payload as one of the nonexistent binaries in the problematic folder.

Mitigation:

The reported vulnerability has been fixed in version 100393, please refer to vendor website for more information.

Credit:

This vulnerability was found by Hashim Jawad of ACTIVELabs.

References:

Disclosure Timeline:

  • 03-22-19: ACTIVELabs submitted bug to Zoho via their bug bounty portal
  • 03-25-19: Vendor responded stating they are working on fix with high priority and will update soon
  • 04-19-19: ACTIVELabs requested status update
  • 04-19-19: Vendor said the patch is still working in progress
  • 05-14-19: ACTIVELabs requested status update
  • 05-15-19: Vendor said the patch has been rolled out for some of the effected products and they're currently working on the rest
  • 05-15-19: ACTIVELabs request CVE entry from MITRE
  • 05-15-19: CVE-2019-12133 has been assigned
  • 06-01-19: Vendor informed ACTIVELabs the reported vulnerability has been fixed and released in version 100393
  • 06-06-19: ACTIVELabs publishes this advisory