![]() ![]() Following this, it is possible to use lo_export to write the file anywhere on the system as the postgres service is running as NT AUTHORITY SYSTEM, the owner property of this file was set to SYSTEM with the highest integrity. Lo_import can be used to import any file system both on the server and hosted on an attacker-controlled SMB share via UNC path. Here is some great content on the abuse of lo_import and lo_export. Therefore, this user can use the built in server side functions lo_import and lo_export to achieve arbitrary file write. This user is a database administrator and has unrestricted access to all tables and databases within the postgres instance. Whilst logged in as a user who has full control over the “reporting” module within Desktop Central, an attacker could directly query the underlying Postgres DB.īy default, queries are made by the “dcuser” user. ![]() ![]() All of the reported issues have since been acknowledged and resolved by Managed Engine. This is the first post in a two part series on Manage Engine Desktop Central. Software: Zoho ManageEngine Desktop CentralĪttack Vector: SQL Injection / Arbitrary File Write ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |