[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20161120231122.00003010@mheydon.net>
Date: Sun, 20 Nov 2016 23:11:22 +0800
From: Michael Heydon <michael@...ydon.net>
To: bugtraq@...urityfocus.com;, fulldisclosure@...lists.org
Subject: Multiple issues in OpManager 12100 & 12200
Title: Multiple issues in OpManager
Author: Michael Heydon
Product: OpManager
Tested Versions: 12100 & 12200
Vendor: Zoho ManageEngine
Vendor Notified: 2016-08-14
Disclosure Date: 2016-11-20
Product Description:
====================
OpManager is a web-based network monitoring system. It is used primarily by
IT staff and it stores credentials in order to log in to systems which are
to be monitored. According to ManageEngine it is "Trusted by over a Million
administrators worldwide".
*******************************************************************************
Issue: DoS
======
Description
===========
The EncryptPassword API is susceptible to a denial of service attack. When
certain characters are in the EncryptPassword value the server process will
go into an infinite loop.
This is caused by the use of a "while (1) {search; if (found) break}"
algorithm in the baseConvertor function. An input value that is not present
within the lookup table will cause the function to loop indefinitely.
By sending a relatively small number of these requests the service can be
overloaded (in testing approx. 500 requests will make OpManager practically
unresponsive until someone logs in to the server and restarts the service).
Steps to Reproduce
==================
wget -O /dev/null --quiet --post-data='EncryptPassword=%10' http://opmanagerurl.example.com/servlets/SettingsServlet?requestType=AJAX
Notes
=====
This could be used to disrupt monitoring infrastructure while an attack is
in progress against a monitored system.
A similar algorithm is used in the baseDeconvertor function used to
"decrypt" passwords. Consequently it is likely that a similar issue can be
triggered by attempting to log in with a specially crafted cookie set
however this has not been tested.
*******************************************************************************
Issue: Stored XSS
======
Description
===========
The User Defined DNS Names table in System Settings -> DNS fails to sanitize
user input.
Steps to Reproduce
==================
Log in to OpManager as an administrator. Browse to the DNS settings page.
Add an entry with the following data:
IP Address: 1.2.3.4
DNS Name: <script>alert('XSS');</script>example.com
Any user browsing to the DNS settings page will receive an alert.
*******************************************************************************
Issue: Reflected XSS
======
Description
===========
The ping and traceroute buttons on the MonitoringDevice page fail to sanitize the name of the host being monitored.
Steps to Reproduce
==================
Browse to:
http://opmanagerurl.example.net/apiclient/ember/index.jsp#/Inventory/Snapshot/MonitoringDevice/xssdemo%3Cscript%3Ealert(%22XSS%22)%3B%3C%2Fscript%3E
Click on either the Ping or Traceroute buttons.
You will receive an alert.
Notes
=====
As the specified device does not exist, the page does not render correctly.
This makes it less likely that the attacker will be able to convince the
victim to click on the buttons.
*******************************************************************************
Issue: Reflected XSS
======
Description
===========
The packet loss graph and response time graph pages fail to adequately
sanitize the name of the host being monitored.
This issue has been partially mitigated in version 12200. The original non-
interactive examples no longer work, however XSS is still possible with user
interaction.
Steps to Reproduce (v12100)
===========================
Browse to:
http://opmanagerurl.example.com/apiclient/ember/index.jsp#/Inventory/Snapshot/MonitoringDevice/A')"%20onfocus=alert('XSS');%20autofocus%20x='/PerfGraph/packetLoss/packetLoss
or
http://opmanagerurl.example.com/apiclient/ember/index.jsp#/Inventory/Snapshot/MonitoringDevice/A')"%20onfocus=alert('XSS');%20autofocus%20x='/PerfGraph/responseTime/responseTime
You will receive an alert.
Notes (v12100)
==============
As this exploit is triggered by an "onfocus" event and generates an alert
(which takes focus when it opens and returns focus when it is closed) these
examples will continually generate alerts.
Steps to Reproduce (12200)
===========================
Browse to:
http://opmanagerurl.example.com/apiclient/ember/index.jsp#/Inventory/Snapshot/MonitoringDevice/A');%20alert('XSS');nop('/PerfGraph/packetLoss/packetLoss
or
http://opmanagerurl.example.com/apiclient/ember/index.jsp#/Inventory/Snapshot/MonitoringDevice/A');%20alert('XSS');nop('/PerfGraph/responseTime/responseTime
Click on any of the fixed Time Period buttons.
You will receive an alert.
Notes (v12200)
==============
Under 12200 this exploit presents a similar risk to the ping/traceroute
issue. It requires the victim to click on a malformed page and it is
therefore somewhat harder for an attacker to convince the victim to trigger
the payload.
*******************************************************************************
Issue: Insecure Storage of User Credentials
=====
Description
===========
When the "Keep me signed in" checkbox on the login page is ticked, the
user's password is saved in a cookie in (obfuscated) plaintext.
Steps to Reproduce
==================
Log in to OpManager with the "Keep me signed in" checkbox selected. Inspect
cookies. The "encryptPassForAutomaticSignin" value contains the user's
password obfuscated using a caesar shift and a form of base59 encoding.
Javascript code to read and decode the login cookies can be found at:
https://mheydon.net/Projects/Security/OpManager/ompw-js.txt
Notes
=====
The cookie is not HTTPOnly.
*******************************************************************************
Disclosure Timeline
====================
2016-08-15 - Reported to ManageEngine (ME)
2016-08-17 - Received acknowledgement
2016-09-17 - Requested status update
2016-09-17 - Received reply that fixes were underway, suggested "12100
consolidated fix"
2016-09-19 - Sent clarification that testing was against 12100. Requested
link to consolidated fix
2016-09-20 - Received link for 12000 to 12100 update
2016-09-20 - Advised that the linked patch would not install, repeated that
testing was against 12100
2016-09-20 - Received link to NCM/NF patch
2016-09-20 - Tested & informed ME that patch does not resolve any issues
2016-11-15 - OpManager 12200 released.
2016-11-18 - Retested & contacted ME confirming that Performance Graph XSS
is harder to trigger, but otherwise all issues remain in latest
version. Reminded ME that 90 days had passed and that details
would be made public.
2016-11-18 - Received acknowledgement
2016-11-20 - Public disclosure
Powered by blists - more mailing lists