Open Source and information security mailing list archives
Date: Wed, 27 Aug 2014 22:50:28 +0100
From: Pedro Ribeiro <>
To: bugtraq <>,
Subject: Re: [FD] [The ManageOwnage Series, part II]: User credential disclosure in ManageEngine DeviceExpert

On 27 Aug 2014 19:14, "Pedro Ribeiro" <> wrote:
> Hi,
> You can read the usernames and MD5 hashed passwords of all the users
> in the Device Expert application by sending an unauthenticated
> request.
> I am releasing this as a 0 day as ManageEngine have responded that
> they do not consider this a priority and won't fix it in the near
> future unless a customer requests it. See details below.
> >> User credential disclosure in ManageEngine DeviceExpert 5.9
> >> Discovered by Pedro Ribeiro (, Agile Information
> ==========================================================================
> >> Background on the affected product:
> "DeviceExpert is a web–based, multi vendor network change,
> configuration and compliance management (NCCCM) solution for switches,
> routers, firewalls and other network devices. Trusted by thousands of
> network administrators around the world, DeviceExpert helps automate
> and take total control of the entire life cycle of device
> configuration management."
> >> Technical details:
> Vulnerability: User credential disclosure / CVE-2014-5377
> Constraints: no authentication or any other information needed.
> Affected versions: UNFIXED as of 27/08/2014 - current version 5.9
> build 5980 is vulnerable, older versions likely vulnerable
> GET /ReadUsersFromMasterServlet
> Example response:
> <?xml version="1.0"
> The passwords are a salted MD5 hash.
> A copy of this advisory is available at my repo:
> Regards,
> Pedro

To clarify, older versions are definitely vulnerable, I just don't know on
which versions the vulnerability initially appeared.

Sent through the Full Disclosure mailing list
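Since the vendor had not shipped a fix at the time of this post, the practical defensive step is to find out whether the servlet has already been reached on your own DeviceExpert instance. The following is an added example, not part of the advisory or of any ManageEngine code: it parses combined-format web-server access logs and flags every request to the /ReadUsersFromMasterServlet path that the server answered with a 2xx status (a successful answer means the user list and hashes were served). The log lines, IP addresses and sizes are constructed sample data; the path is the one named in the advisory.

```python
import re
from collections import Counter

# Constructed sample access-log lines in Apache/nginx "combined" format.
# These are made up for the example; they are not from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Aug/2014:19:14:02 +0100] "GET /ReadUsersFromMasterServlet HTTP/1.1" 200 4821 "-" "curl/7.30.0"
10.0.0.9 - - [27/Aug/2014:19:15:10 +0100] "GET /login.jsp HTTP/1.1" 200 1033 "-" "Mozilla/5.0"
10.0.0.5 - - [27/Aug/2014:19:16:44 +0100] "GET /ReadUsersFromMasterServlet?x=1 HTTP/1.1" 200 4821 "-" "curl/7.30.0"
192.0.2.7 - - [27/Aug/2014:20:01:00 +0100] "POST /ReadUsersFromMasterServlet HTTP/1.1" 200 4821 "-" "python-requests/2.3.0"
10.0.0.9 - - [27/Aug/2014:20:05:31 +0100] "GET /ReadUsersFromMasterServlet HTTP/1.1" 403 219 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp,
# request line (method + path), status code and response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# The unauthenticated endpoint named in the advisory (CVE-2014-5377).
SENSITIVE_PATH = "/ReadUsersFromMasterServlet"


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_credential_dump_requests(log_text):
    """Return the parsed records for every request that hit the servlet and got a 2xx.

    Any HTTP method counts, and a query string is ignored when comparing the path.
    Non-2xx answers (e.g. a 403 from a reverse proxy that blocks the path) are not
    reported, because the credential data was not served in those cases.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if path != SENSITIVE_PATH:
            continue
        if 200 <= rec["status"] < 300:
            findings.append(rec)
    return findings


def summarize_by_source(findings):
    """Count successful hits per client IP so each source can be triaged."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = find_credential_dump_requests(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print("hits per source:", dict(summarize_by_source(hits)))
```

Because the data returned is a salted MD5 hash per user, a single successful hit should be treated as exposure of every DeviceExpert account, so the sensible response to any finding is to rotate those passwords rather than only to block the source address. Until a fixed build is available, denying the path at a reverse proxy in front of the application (which would show up in the log as the 403 line above) keeps the servlet from being reached at all.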