CVE-2020-10859
Description
Zoho ManageEngine Desktop Central before 10.0.484 allows authenticated arbitrary file writes during ZIP archive extraction via Directory Traversal in a crafted AppDependency API request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated users can write arbitrary files on the ManageEngine Desktop Central server by exploiting a directory traversal in a crafted ZIP file.
Vulnerability
ManageEngine Desktop Central before version 10.0.484 contains a directory traversal vulnerability during ZIP archive extraction. An authenticated user with permission to add apps to the App Repository can craft a malicious ZIP file whose entry names contain directory traversal sequences (e.g., "../"). The archive is submitted via a specially formed AppDependency API request, and extracting it leads to arbitrary file writes on the server filesystem [1].
Exploitation
To exploit this, an attacker must have a valid user account on the Desktop Central server and the necessary role to add applications to the App Repository. The attacker uploads a crafted ZIP file where the file paths within the archive contain directory traversal sequences. The server's ZIP decompression routine does not properly sanitize these paths, allowing the attacker-controlled files to be written to arbitrary locations outside the intended extraction directory [1].
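The check that a hardened extractor applies before writing each archive entry, shown here as an added Python example (not ManageEngine's code, which is not on this page): the sample archive, its entry names and the temp directory are constructed for the demonstration, and the traversal entry is rejected rather than written.

```python
import io
import tempfile
import zipfile
from pathlib import Path

def build_sample_zip() -> bytes:
    """Constructed sample archive: one legitimate entry and one entry whose
    name uses ../ sequences to climb out of the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("app/manifest.txt", "name=demo\n")
        zf.writestr("../../escaped.txt", "written outside dest\n")
    return buf.getvalue()

def is_within(dest: Path, target: Path) -> bool:
    """True only if target resolves to dest itself or a path beneath it.
    Resolving first also covers '..' components and symlinked parents."""
    try:
        target.resolve().relative_to(dest.resolve())
        return True
    except ValueError:
        return False

def safe_extract(zip_bytes: bytes, dest: str) -> tuple:
    """Write each entry by hand, skipping any whose final path escapes dest.
    Returns (written entry names, rejected entry names)."""
    dest_path = Path(dest)
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = dest_path / info.filename  # where the entry would land
            if not is_within(dest_path, target):
                rejected.append(info.filename)  # traversal or absolute name
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written, rejected

def demo() -> dict:
    """Run the hardened extractor on the sample archive in a fresh temp dir."""
    dest = tempfile.mkdtemp(prefix="zipslip-demo-")
    written, rejected = safe_extract(build_sample_zip(), dest)
    manifest = (Path(dest) / "app" / "manifest.txt").read_text()
    return {"written": written, "rejected": rejected, "manifest": manifest}
```

Python's own `ZipFile.extractall` already strips traversal components, so the manual write loop is used only to make the point at which the check belongs explicit.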
Impact
Successful exploitation allows the attacker to write arbitrary files to the server filesystem. This can lead to a full compromise of the server, depending on the location and content of the written files. For example, the attacker could overwrite application files, place a malicious executable, or modify configuration files to achieve remote code execution or privilege escalation. The vulnerability leads to a loss of integrity and confidentiality [1].
Mitigation
The vulnerability is fixed in Desktop Central build version 10.0.484. Users should upgrade to this version or later. The vendor provides a PPM (Patch Policy Management) update to apply the fix via the web console. Cloud editions of Endpoint Central, Patch Manager Plus, and Remote Access Plus are not affected [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Zoho/ManageEngine Desktop Central
- Range: <10.0.484
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. www.manageengine.com/products/desktop-central/arbitrary-file-upload-vulnerability.html (MITRE x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.