Message-ID: <CAEDdjHffb_1L0QCLKvTtLA+GjscQ9txO+cnOAkVNNAuSTPeMNg@mail.gmail.com>
Date: Wed, 3 Sep 2014 07:29:16 +0100
From: Pedro Ribeiro <pedrib@...il.com>
To: Advisories <advisories@...waisecurity.de>
Cc: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>,
	Hans-Martin Münch <muench@...waisecurity.de>
Subject: Re: [FD] Mogwai Security Advisory MSA-2014-01: ManageEngine EventLog Analyzer Multiple Vulnerabilities

On 3 September 2014 07:23, Pedro Ribeiro <pedrib@...il.com> wrote:
> On 31 August 2014 16:39, Advisories <advisories@...waisecurity.de> wrote:
>> Mogwai Security Advisory MSA-2014-01
>> ----------------------------------------------------------------------
>> Title:              ManageEngine EventLog Analyzer Multiple Vulnerabilities
>> Product:            ManageEngine EventLog Analyzer
>> Affected versions:  EventLog Analyzer 9.9 (Build 9002) on Windows/Linux
>> Impact:             critical
>> Remote:             yes
>> Product link:       http://www.manageengine.com/products/eventlog/
>> Reported:           18/04/2013
>> by:                 Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench)
>>
>>
>> Vendor's Description of the Software:
>> ----------------------------------------------------------------------
>> EventLog Analyzer provides the most cost-effective Security Information and
>> Event Management (SIEM) software on the market. Using this Log Analyzer
>> software, organizations can automate the entire process of managing terabytes
>> of machine generated logs by collecting, analyzing, searching, reporting,
>> and archiving from one central location. This event log analyzer software
>> helps to mitigate internal threats, conduct log forensics analysis, monitor
>> privileged users and comply with different compliance regulatory bodies
>> by intelligently analyzing your logs and instantly generating a variety of
>> reports like user activity reports, regulatory compliance reports,
>> historical trend reports, and more.
>>
>>
>> Business recommendation:
>> ----------------------------------------------------------------------
>> During a penetration test, multiple vulnerabilities have been identified
>> that are based on severe design/implementation flaws in the application.
>> It is highly recommended not to use this software until a thorough
>> security review has been performed by security professionals and all
>> identified issues have been resolved.
>>
>>
>> Vulnerability description:
>> ----------------------------------------------------------------------
>> 1) Unauthenticated remote code execution
>> ME EventLog Analyzer contains an "agentUpload" servlet which is used by Agents
>> to send log data as zip files to the central server. Files can be uploaded
>> without authentication and are stored/decompressed in the "data" subdirectory.
>>
>> As the decompress procedure handles the file names in the ZIP file in an
>> insecure way, it is possible to store files in the web root of the server. This can
>> be used to upload/execute code with the rights of the application server.
>>
>> 2) Authorization issues
>> The EventLog Analyzer web interface does not check if an authenticated user has
>> sufficient permissions to access certain parts of the application. A low
>> privileged user (for example guest) can therefore access critical sections of
>> the web interface by directly calling the corresponding URLs. This can be used
>> to access the database browser of the application, which gives the attacker
>> full access to the database.
>>
>>
>> Proof of concept:
>> ----------------------------------------------------------------------
>> 1) Unauthenticated remote code execution
>>
>>
>> - Create a malicious zip archive with the help of evilarc[1]
>> evilarc.py -d 2 -o unix -p webapps/event cmdshell.jsp
>> - Send the malicious archive to the agentUpload servlet
>> curl -F "payload=@...l.zip" http://172.16.37.131:8400/agentUpload
>> - Enjoy your shell
>> http://172.16.37.131:8400/cmdshell.jsp
>>
>> A working Metasploit module will be released next week.
>>
>>
>> 2) Authorization issues
>> - Log in as a low privileged user (for example guest/guest)
>> - Directly call the URL of the database browser
>> http://xxx.xxx.xxx.xxx:8400/event/runQuery.do
>>
>>
>> Vulnerable / tested versions:
>> ----------------------------------------------------------------------
>> EventLog Analyzer 8.2 (Build 8020) (Windows)
>> EventLog Analyzer 8.2 (Build 8020) (Linux)
>> EventLog Analyzer 9.0 (Build 9002) (Windows)
>> EventLog Analyzer 9.0 (Build 9002) (Linux)
>>
>> Other versions might also be vulnerable.
>>
>>
>> Disclosure timeline:
>> ----------------------------------------------------------------------
>> 14/04/2013: Vulnerability discovery
>> 18/04/2013: Informed vendor via ManageEngine Security Response Center (MESRC)
>> form
>> 23/04/2013: Second try to contact MESRC, as we didn't receive any response to
>> the first try.
>> 23/04/2013: Response from vendor; they are waiting on feedback from the
>> development team
>> 10/05/2013: Response from vendor, saying that this is rather an issue than a
>> vulnerability, but they will fix it anyway
>> 13/05/2013: Technical details including a working proof of concept sent to
>> ManageEngine.
>> 13/05/2013: Vendor response, saying that they forwarded it to the development team
>> 24/05/2013: Vendor response, saying that they will fix it in 2013 as they are
>> "tightly scheduled on other priorities"
>> 24/05/2013: Response from us, asking if we will be informed when the
>> vulnerability is fixed
>> 28/05/2013: Response from ManageEngine, saying that we must subscribe to their
>> newsletter for release information
>> 05/09/2013: Verification that the exploit is still working with the current version
>> 30/08/2014: Verification that the exploit is still working with the current version
>> 31/08/2014: Public release
>>
>> Solution:
>> ----------------------------------------------------------------------
>> No known solution
>>
>> Workaround:
>> ----------------------------------------------------------------------
>> 1) Unauthenticated remote code execution
>> If agents are not used to collect log information, access to the servlet
>> can be disabled by commenting out the following lines in the web.xml file
>> (webapps/event/WEB-INF/web.xml) and restarting the service.
>>
>> <servlet>
>>   <servlet-name>agentUpload</servlet-name>
>>   <servlet-class>com.adventnet.sa.agent.UploadHandlerServlet</servlet-class>
>> </servlet>
>>
>> <servlet-mapping>
>>   <servlet-name>agentUpload</servlet-name>
>>   <url-pattern>/agentUpload</url-pattern>
>> </servlet-mapping>
>>
>> 2) Authorization issues
>> No workaround, reduce the attack surface by disabling unused low privileged
>> accounts like "guest".
>>
>>
>> Advisory URL:
>> ----------------------------------------------------------------------
>> https://www.mogwaisecurity.de/en/lab/advisories/
>>
>>
>> References
>> ----------------------------------------------------------------------
>> [1] evilarc
>> https://github.com/ptoomey3/evilarc
>>
>> ----------------------------------------------------------------------
>> Mogwai, IT-Sicherheitsberatung Muench
>> Steinhoevelstrasse 2/2
>> 89075 Ulm (Germany)
>>
>> info@...waisecurity.de
>>
>> _______________________________________________
>> Sent through the Full Disclosure mailing list
>> http://nmap.org/mailman/listinfo/fulldisclosure
>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>
>
> MITRE have assigned CVE-2014-6037 for this issue.
>
> Regards,
> Pedro

The CVE above is for issue 1) Unauthenticated remote code execution /
file upload via insecure path handling.

MITRE has also assigned CVE-2014-6043 for issue 2) Authorization issues.

Regards,
Pedro

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
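The root cause of issue 1) is an extractor that trusts the file names stored inside an uploaded ZIP, so an entry named with `../` components lands outside the intended "data" directory. The following is an added example (not code from the advisory, from ManageEngine, or from Pedro's reply) showing the check a decompression routine needs: every member name is resolved against the destination directory and the whole archive is rejected if any member would escape it. The archive contents, the `server/data` layout and the file names are constructed for the demonstration; the traversal entry is a harmless marker file, not a payload.

```python
import io
import os
import tempfile
import zipfile


def build_archive(include_traversal):
    """Constructed fixture: one benign agent log entry and, optionally, one entry
    whose name climbs two levels up, the pattern the advisory describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("agent-logs/syslog.log",
                    "Sep  3 07:29:16 host sshd[4242]: constructed sample line\n")
        if include_traversal:
            zf.writestr("../../webapps/event/marker.jsp",
                        "<%-- constructed marker file, not a payload --%>")
    return buf.getvalue()


def entry_escapes(dest_real, name):
    """True if a ZIP member name would resolve outside dest_real once joined to it."""
    # Empty names, backslash separators and absolute paths are rejected outright;
    # the ZIP format specifies forward slashes and relative names only.
    if not name or "\\" in name or name.startswith("/"):
        return True
    target = os.path.realpath(os.path.join(dest_real, name))
    # realpath() has already collapsed any ".." components, so a target that does
    # not share dest_real as its common prefix lies outside the destination.
    return os.path.commonpath([dest_real, target]) != dest_real


def unsafe_entries(archive, dest):
    """Return the member names that would be written outside dest."""
    dest_real = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [n for n in zf.namelist() if entry_escapes(dest_real, n)]


def safe_extract(archive, dest):
    """Extract into dest only if every member stays inside it. A single escaping
    entry rejects the whole upload; a hostile archive is not partially trusted."""
    bad = unsafe_entries(archive, dest)
    if bad:
        raise ValueError("rejected archive, entries escape %s: %s" % (dest, bad))
    dest_real = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, dest_real))
    return written


def demo():
    """Run both archives against a temporary server/data directory and report
    what was flagged, whether the hostile archive was rejected, what the clean
    archive wrote, and whether anything appeared outside data/."""
    with tempfile.TemporaryDirectory() as tmp:
        data_dir = os.path.join(tmp, "server", "data")
        os.makedirs(data_dir)
        flagged = unsafe_entries(build_archive(True), data_dir)
        try:
            safe_extract(build_archive(True), data_dir)
            rejected = False
        except ValueError:
            rejected = True
        extracted = safe_extract(build_archive(False), data_dir)
        # With a depth-2 traversal the marker would have landed in tmp/webapps.
        escaped = os.path.exists(os.path.join(tmp, "webapps"))
        return {"flagged": flagged, "rejected": rejected,
                "extracted": extracted, "escaped": escaped}


if __name__ == "__main__":
    print(demo())
```

The comparison is done on `realpath()` output rather than on the raw string, so `..` components, repeated slashes and symlinked destinations are all normalised before the prefix check; a string-based filter that only looks for a literal `../` is easy to get wrong. The same check applies to any server-side unpacking of client-supplied archives, not only to the agentUpload handler named in the advisory.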
