Adding ManageEngine Application Manager RCE #9684
This module exploits a command injection vulnerability (0day as far as I know) in the ManageEngine Application Manager product. An unauthenticated user can execute an operating system command under the context of a privileged user.
A successful check of the exploit will look like this:
Technical Details and Module Demo
This was my first time using rubocop. I don't know how to fix the following errors.
Those errors are mostly related to indentation of parameters of
Any idea how to fix them too? Or ignore them by updating the .rubocop.yml file?
@todb-r7 thanks. It seems they released a patch. https://pitstop.manageengine.com/portal/community/topic/security-vulnerability-issues-fixed-upgrade-to-the-latest-version-of-applications-manager
Left a comment but it's a tiny nit to pick. We probably need to grep through the other modules for this inconsistency, so don't consider this a hold up.
A couple tiny nitpicks with the grammar in the description.
It may also be worth adding the
[ 'BID' => '103358' ]
and patch URL
[ 'URL' => 'https://pitstop.manageengine.com/portal/community/topic/security-vulnerability-issues-fixed-upgrade-to-the-latest-version-of-applications-manager' ]
Approved, but untested.
Works for me:
Mar 27, 2018
The exploits/windows/http/manageengine_appmanager_exec module has been added to the framework. It exploits a command injection vulnerability in the ManageEngine Application Manager product. An unauthenticated user can execute an operating system command under the context of a privileged user.