CVE-2018-13412
Description
An issue was discovered in the Self Service Portal in Zoho ManageEngine Desktop Central before 10.0.282. A clickable company logo in a window running as SYSTEM can be abused to escalate privileges. In cloud, the issue is fixed in 10.0.470 agent version.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Clicking a company logo in ManageEngine Desktop Central Self Service Portal running as SYSTEM allows arbitrary command execution, enabling local privilege escalation.
Vulnerability
The Self Service Portal component in Zoho ManageEngine Desktop Central prior to version 10.0.282 allows a local privilege escalation. The vulnerability exists because the Self Service Portal window runs with SYSTEM privileges and contains a clickable company logo that can be exploited. On cloud editions, the fix is available from agent version 10.0.470. All Desktop Central versions earlier than 10.0.282 are affected [1][2].
Exploitation
An attacker must first be logged into a system where the Desktop Central Agent is installed. The attacker can launch the Self Service Portal by executing "C:\Program Files (x86)\DesktopCentral_Agent\bin\dcagenttrayicon.exe" -ssp, which opens a window running as SYSTEM. Clicking the ManageEngine logo in that window opens a web browser also running as SYSTEM. The attacker can then use the browser to launch a command prompt or PowerShell, thereby executing arbitrary commands with SYSTEM privileges [1].
Impact
A successful exploit allows an attacker to execute arbitrary commands with SYSTEM privileges on the affected machine. This results in full compromise of the local system, including complete confidentiality, integrity, and availability impacts [1][2].
Mitigation
Zoho ManageEngine released a fix on August 23, 2018, in Desktop Central build 10.0.282 and later. For cloud editions, the fix is included in agent version 10.0.470 and above. Administrators should update to the latest build by logging into the Desktop Central console, checking for the latest build, and applying the PPM update [1][2]. This vulnerability is not currently listed in the KEV catalog.
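For hosts that cannot be updated immediately, the process chain described under Exploitation can be hunted in process-creation telemetry. The following is an added detection sketch, not code from the vendor or the cited references; the record field names, the watch list of browsers and shells, and the sample events are constructed assumptions, and PIDs are assumed unique within the analysed window.

```python
import ntpath

# Constructed process-creation records; field names are assumptions modelled on
# typical endpoint telemetry (image path, command line, user, pid, parent pid).
AGENT = r"C:\Program Files (x86)\DesktopCentral_Agent\bin\dcagenttrayicon.exe"
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 812, "user": r"CORP\alice",
     "image": AGENT, "cmd": f'"{AGENT}" -ssp'},
    {"pid": 4188, "ppid": 4100, "user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe", "cmd": "iexplore.exe"},
    {"pid": 4240, "ppid": 4188, "user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe"},
    {"pid": 5000, "ppid": 900, "user": r"CORP\alice",        # ordinary user shell
     "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe"},
    {"pid": 5100, "ppid": 640, "user": r"NT AUTHORITY\SYSTEM",  # unrelated SYSTEM task
     "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c backup.cmd"},
]

# Browsers and shells worth flagging when they run as SYSTEM (assumed watch list).
WATCHED = {"cmd.exe", "powershell.exe", "iexplore.exe", "chrome.exe",
           "firefox.exe", "msedge.exe"}

def exe_name(ev):
    return ntpath.basename(ev["image"]).lower()

def is_ssp_launch(ev):
    """True for dcagenttrayicon.exe started with the -ssp switch."""
    return exe_name(ev) == "dcagenttrayicon.exe" and "-ssp" in ev["cmd"].lower().split()

def find_ssp_escalations(events):
    """Return (pid, ancestor chain) for SYSTEM browsers/shells under an -ssp launch."""
    by_pid = {ev["pid"]: ev for ev in events}
    hits = []
    for ev in events:
        if ev["user"].lower() != r"nt authority\system" or exe_name(ev) not in WATCHED:
            continue
        chain, seen, cur = [ev["pid"]], {ev["pid"]}, by_pid.get(ev["ppid"])
        while cur and cur["pid"] not in seen:      # 'seen' guards against pid loops
            chain.append(cur["pid"])
            seen.add(cur["pid"])
            if is_ssp_launch(cur):
                hits.append((ev["pid"], chain[::-1]))
                break
            cur = by_pid.get(cur["ppid"])
    return hits

if __name__ == "__main__":
    for pid, chain in find_ssp_escalations(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} chain={' -> '.join(map(str, chain))}")
```

A SYSTEM shell with no -ssp ancestor (pid 5100 in the sample) is deliberately not flagged, which keeps scheduled tasks and services out of the alert stream.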
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <10.0.282
Patches
No patches discovered yet.
References
- www.securityfocus.com/bid/105348 (mitre; vdb-entry; x_refsource_BID)
- github.com/AJ-SA/Zoho-ManageEngine/blob/master/README.md (mitre; x_refsource_MISC)
- www.manageengine.com/products/desktop-central/elevation-of-system-privilege.html (mitre; x_refsource_CONFIRM)