CVE-2018-13411
Description
An issue was discovered in Zoho ManageEngine Desktop Central before 10.0.282. A clickable company logo in a window running as SYSTEM can be abused to escalate privileges. In cloud, the issue is fixed in 10.0.470 agent version.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A clickable logo in Zoho ManageEngine Desktop Central agent running as SYSTEM allows local privilege escalation to SYSTEM.
Vulnerability
An issue in Zoho ManageEngine Desktop Central before version 10.0.282 (and cloud agent before 10.0.470) allows local privilege escalation. The Self Service Portal window, which runs with SYSTEM privileges, contains a clickable ManageEngine logo. When clicked, this logo opens a web browser also running as SYSTEM, providing a vector for privilege escalation [1][2].
Exploitation
An attacker with local access to a machine where the Desktop Central Agent is installed can trigger the vulnerability. First, execute C:\Program Files (x86)\DesktopCentral_Agent\bin\dcagenttrayicon.exe -ssp to open the Self Service Portal window as SYSTEM. Then, click the ManageEngine logo in that window, which opens a web browser with SYSTEM privileges. From the browser, the attacker can launch cmd.exe or PowerShell.exe to obtain a SYSTEM command prompt [1].
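On the defensive side, the chain described above leaves a recognizable trace in process-creation telemetry: a web browser running as SYSTEM, followed by cmd.exe or PowerShell.exe started from it. The following Python is an added example, not code from the advisory or the vendor; the event field names, the browser list and the sample events are constructed assumptions.

```python
# Added example: flag a browser running as SYSTEM and any shell it spawns.
from pathlib import PureWindowsPath

SYSTEM_USER = r"NT AUTHORITY\SYSTEM"
# Assumption: image names to watch; extend both sets for your own estate.
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def _name(path):
    """Return the lower-cased executable name from a Windows path."""
    return PureWindowsPath(path).name.lower()


def detect(events):
    """Return (rule, pid) findings; events must be in chronological order."""
    findings = []
    system_browser_pids = set()
    for ev in events:
        if ev["user"].upper() != SYSTEM_USER:
            continue  # only SYSTEM-context processes are of interest here
        image = _name(ev["image"])
        if image in BROWSERS:
            # Browsers are not expected to run in the SYSTEM context.
            system_browser_pids.add(ev["pid"])
            findings.append(("browser_as_system", ev["pid"]))
        elif image in SHELLS and ev["ppid"] in system_browser_pids:
            # Shell launched from that browser: the last step of the chain.
            findings.append(("shell_from_system_browser", ev["pid"]))
    return findings


# Constructed sample events (hypothetical field names, not real log data).
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 900, "user": r"CORP\alice",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"pid": 5200, "ppid": 2312, "user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"pid": 5310, "ppid": 5200, "user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 5400, "ppid": 4100, "user": r"CORP\alice",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 640, "ppid": 4, "user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid={pid}")
```

The rule keys on the SYSTEM-context browser rather than on a specific agent parent process, so it does not depend on which agent component actually launches the browser.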
Impact
Successful exploitation grants the attacker a command prompt running with SYSTEM privileges, resulting in full compromise of the affected machine. The attacker gains complete control over the system, including the ability to install programs, modify data, and create new accounts [1][2].
Mitigation
The vulnerability is fixed in Desktop Central version 10.0.282 (on-premises) and agent version 10.0.470 (cloud), released on August 23, 2018. Administrators should log in to the Desktop Central console, click the current build number, download the applicable PPM, and apply the update. No workaround is documented [2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <10.0.282
References
- www.securityfocus.com/bid/105348 (mitre; vdb-entry; x_refsource_BID)
- github.com/AJ-SA/Zoho-ManageEngine/blob/master/README.md (mitre; x_refsource_MISC)
- www.manageengine.com/products/desktop-central/elevation-of-system-privilege.html (mitre; x_refsource_CONFIRM)