Posted by Pedro Ribeiro on Jan 02

Hi,

This is part 10 of the ManageOwnage series. For previous parts, see [1].

This time we have a vulnerability that allows an unauthenticated user
to create an administrator account, which can then be used to execute
code on all devices managed by Desktop Central (desktops, servers,
mobile devices, etc).
An auxiliary Metasploit module that creates the administrator account
has been released and its currently awaiting review [2]. I will leave
to…