Since @zoho typically ignores researchers, I figured it was OK to share a ManageEngine Desktop Central zero-day exploit with everyone. UnCVE'ed, unpatched and unauthenticated RCE as SYSTEM/root. Enjoy!
Advisory: https://srcincite.io/advisories/src-2020-0011/
Exploit: https://srcincite.io/pocs/src-2020-0011.py.txt
Replying to @steventseeley @zoho
FWIW, Zoho is quite responsive to the @certcc. We would have done a coordinated disclosure had you been interested.
Replying to @wdormann @steventseeley and
Zoho should say that somewhere on their website if that’s the only way they respond to outside security research. Researchers shouldn’t have the burden of seeking out whatever channel the vendor is willing to use to take a report seriously. The channel for reporting should be obv
Replying to @k8em0 @steventseeley and
https://www.google.com/search?q=zoho+report+vulnerability finds me: https://bugbounty.zoho.com/bb/info Which as far as I can tell is a way for a researcher to report a vulnerability to Zoho. Not much burden. I don't get the impression that this was a case of an unresponsive vendor. I don't think the vendor was notified.
Replying to @wdormann @steventseeley and
Well that’s interesting - I wonder why the researchers chose this path instead? Btw, just because a vendor has a bug bounty doesn’t mean they are responsive, but this program looks active and easy to find. Guess we’ll have to see why if the researchers choose to share the reasons pic.twitter.com/jKM481kddS
Because it’s a pay to stfu bounty? Also, I have submitted 3 other unauthed rce’s in the past only to have them silently patched, no credit and no payout.
Replying to @steventseeley @wdormann and
Makes perfect sense to me. Bug bounties don’t help at all if they are thinly disguised speculative pen tests. CERT/CC won’t put any restrictions on you, not sure if you knew that. Plus THEY will drop after 45 days for unresponsive vendors, so there’s no foreverdays to fear there.
Replying to @k8em0 @steventseeley and
Indeed. I feel like that's one of the reasons why the @certcc exists. Uncooperative vendors, unresponsive vendors, desire for anonymity, multi-party coordination, etc...
and if they lie and say "we already had a fix for this in the pipeline" every time, is there a mitigation against that?
If a vendor told the CERT/CC "we already had a fix for this in the pipeline", that would probably only ensure that we don't give them any leniency in a disclosure timeframe. I don't understand what's to be mitigated. Reporter gets credit from CERT/CC, not a bounty from vendor.
Ah fair enough, point was about denying bounties but if you don't have anything to do with those it is invalid, nm