Message-ID: <CAEDdjHep9zO6Z8O7xzgkpS+MWU3EF517FvzkD15A9k2akPEtBg@mail.gmail.com>
Date: Fri, 29 Aug 2014 11:43:09 +0100
From: Pedro Ribeiro <pedrib@...il.com>
To: bugtraq <bugtraq@...urityfocus.com>, fulldisclosure@...lists.org
Subject: Re: [FD] [The ManageOwnage Series, part I]: blind SQL injection in two servlets (metasploit module included)

On 19 Aug 2014 17:55, "Pedro Ribeiro" <pedrib@...il.com> wrote:
>
> TL;DR
> CVE-2014-3996 / CVE-2014-3997
> Blind SQL injection in ManageEngine Desktop Central, Password Manager
> Pro and IT360 (including MSP versions)
> Scroll to the bottom for the Metasploit module link; the module will
> be submitted to Metasploit proper in a pull request in the next few
> days.
>
> ==========================================================================
> >> Blind SQL injection in ManageEngine Desktop Central, Password Manager Pro and IT360 (including MSP versions)
> >> Discovered by Pedro Ribeiro (pedrib@...il.com), Agile Information Security
> ==========================================================================
>
> >> Background on the affected products:
> "Desktop Central is an integrated desktop & mobile device management
> software that helps in managing the servers, laptops, desktops,
> smartphones and tablets from a central point. It automates your
> regular desktop management routines like installing patches,
> distributing software, managing your IT Assets, managing software
> licenses, monitoring software usage statistics, managing USB device
> usage, taking control of remote desktops, and more."
>
> "Password Manager Pro is a secure vault for storing and managing
> shared sensitive information such as passwords, documents and digital
> identities of enterprises."
>
> "Managing mission critical business applications is now made easy
> through ManageEngine IT360. With agentless monitoring methodology,
> monitor your applications, servers and databases with ease. Agentless
> monitoring of your business applications enables you high ROI and low
> TOC. With integrated network monitoring and bandwidth utilization,
> quickly troubleshoot any performance related issue with your network
> and assign issues automatically with ITIL based ServiceDesk
> integration."
>
> These products have managed service providers (MSP) versions which are
> used to control the desktops and smartphones of several clients.
> Quoting the author of the Internet Census 2012: "As a rule of thumb,
> if you believe that "nobody would connect that to the Internet, really
> nobody", there are at least 1000 people who did."
> These vulnerabilities can be abused to achieve remote code execution
> as SYSTEM in Windows or as the user in Linux. Needless to say, owning
> a Desktop Central / IT360 box will give you control of all the
> computers and smartphones it manages, while owning Password Manager
> Pro will give you a treasure trove of passwords.
>
> >> Technical details:
> The two blind SQL injections described below have been present in
> Desktop Central, Password Manager Pro and IT360 in all releases since
> 2006. They can only be triggered via a GET request, which means you
> can only inject around 8000 characters at a time.
>
> #1
> Vulnerability:
> Blind SQL injection in LinkViewFetchServlet (unauthenticated on DC/PMP
> / authenticated on IT360)
> CVE-2014-3996
>
> Affected products / versions:
> - ManageEngine Desktop Central (DC) [MSP]: all versions from v4 up to
> v9 build 90033
> - ManageEngine Password Manager Pro (PMP) [MSP]: all versions from v5
> to version 7 build 7002
> - ManageEngine IT360 [MSP]: all versions from v8 to v10.1.1 build 10110
> This affects all versions of the products released since 19-Apr-2006.
> Other ManageEngine products might be affected.
>
> Constraints:
> - DC: no authentication or any other information needed
> - PMP: no authentication or any other information needed
> - IT360: valid user account needed
>
> Proof of concept:
>
> DC / PMP:
> GET /LinkViewFetchServlet.dat?sv=[SQLi]
>
> IT360:
> GET /console/LinkViewFetchServlet.dat?sv=[SQLi]
>
>
> #2
> Vulnerability:
> Blind SQL injection in MetadataServlet (unauthenticated on PMP /
> authenticated on IT360)
> CVE-2014-3997
>
> Affected products / versions:
> - ManageEngine Password Manager Pro (PMP) [MSP]: all versions from v5
> to version 7 build 7003
> - ManageEngine IT360 [MSP]: all versions from v8 to v10.1.1 build 10110
> This affects all versions of the products released since 03-Apr-2008.
> Other ManageEngine products might be affected.
>
> Constraints:
> - PMP: no authentication or any other information needed
> - IT360: valid user account needed
>
> Proof of concept:
>
> PMP:
> GET /MetadataServlet.dat?sv=[SQLi]
>
> IT360:
> GET /console/MetadataServlet.dat?sv=[SQLi]
>
> ==========================================================================
> A full text version of this advisory can be found in my repo:
> https://raw.githubusercontent.com/pedrib/PoC/master/me_dc_pmp_it360_sqli.txt
>
> A Metasploit module that exploits this vulnerability can also be found
> in my repo:
> https://raw.githubusercontent.com/pedrib/PoC/master/msf_modules/manageengine_dc_pmp_sqli.rb
>
> Regards,
> Pedro

I realised the advisory is not explicit as to what the fixed versions are,
so here it is:

Fix: Upgrade to DC v9 build 90043; PMP v7 build 7003; IT360 v10.3.3 build
10330

The advisory in my repo has also been updated:
https://raw.githubusercontent.com/pedrib/PoC/master/me_dc_pmp_it360_sqli.txt

Regards
Pedro
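
For sites that cannot upgrade straight away, the following is an added example, not part of the original post or of any ManageEngine tooling: a triage pass over web access logs that lists GET requests passing `sv` to the two servlets named in the advisory. The common/combined log format, the sample lines and the rule that a legitimate `sv` value is a plain identifier are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Servlet paths and CVE ids from the advisory; IT360 serves them under /console.
SERVLETS = {"LinkViewFetchServlet": "CVE-2014-3996",
            "MetadataServlet": "CVE-2014-3997"}
PATH_RE = re.compile(r"^(?:/console)?/(%s)\.dat$" % "|".join(SERVLETS))
# Client, request and status fields of a common/combined-format log line.
LINE_RE = re.compile(r'^(\S+) .*?"([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})')
# Assumption: a legitimate sv value is a plain identifier.
PLAIN_RE = re.compile(r"^[A-Za-z0-9_.-]*$")

def triage(lines):
    """Return one finding per GET request that passes sv to either servlet."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m or m.group(2) != "GET":  # advisory: triggered via GET only
            continue
        client, _, target, status = m.groups()
        url = urlsplit(target)
        hit = PATH_RE.match(url.path)
        if not hit:
            continue
        # parse_qs percent-decodes, so encoded quotes and spaces are visible
        for sv in parse_qs(url.query, keep_blank_values=True).get("sv", []):
            findings.append({
                "line": lineno, "client": client, "status": int(status),
                "cve": SERVLETS[hit.group(1)], "sv": sv, "sv_len": len(sv),
                "suspicious": not PLAIN_RE.match(sv),
            })
    return findings

# Constructed sample log lines (documentation address ranges, made-up values).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Aug/2014:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '198.51.100.7 - - [20/Aug/2014:10:01:02 +0000] "GET /LinkViewFetchServlet.dat?sv=x%27%3B-- HTTP/1.1" 200 0',
    '198.51.100.7 - - [20/Aug/2014:10:01:05 +0000] "GET /console/MetadataServlet.dat?sv=x%27%3B-- HTTP/1.1" 200 0',
    '192.0.2.10 - - [20/Aug/2014:10:02:00 +0000] "GET /MetadataServlet.dat?sv=view1 HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        flag = "SUSPICIOUS" if f["suspicious"] else "review"
        print(f"{flag}: line {f['line']} {f['client']} {f['cve']} sv={f['sv']!r}")
```

Requests flagged `review` still deserve a look on DC and PMP, where the advisory states the servlets are reachable without authentication.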
