| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 14 Sep 2015 08:45:25 +0700 From: xistence <xistence@...0.nl> To: fulldisclosure@...lists.org Subject: [FD] ManageEngine OpManager multiple vulnerabilities Exploit Title: ManageEngine OpManager multiple vulnerabilities Product: ManageEngine OpManager Vulnerable Versions: v11.5 and previous versions Tested Version: v11.5 (Windows) Advisory Publication: 14/09/2015 Vulnerability Type: hardcoded credentials, SQL query protection bypass Credit: xistence <xistence[at]0x90.nl> Product Description ------------------- ManageEngine OpManager is a network, server, and virtualization monitoring software that helps SMEs, large enterprises and service providers manage their data centers and IT infrastructure efficiently and cost effectively. Automated workflows, intelligent alerting engines, configurable discovery rules, and extendable templates enable IT teams to setup a 24x7 monitoring system within hours of installation. Do-it-yourself plug-ins extend the scope of management to include network change and configuration management and IP address management as well as monitoring of networks, applications, databases, virtualization and NetFlow-based bandwidth. Vulnerability Details --------------------- ManageEngine OpManager ships with a default account "IntegrationUser" with the password "plugin". This account is hidden from the user interface and will never show up in the user management. Also changing the password for this account is not possible by default. The account however is assigned Administrator privileges and logging in with this account is possible via the web interface. Below you can see the account in the PostgreSQL database after a fresh installation: C:\ManageEngine\OpManager\pgsql\bin>psql.exe -h 127.0.0.1 -p 13306 -U postgres -d OpManagerDB psql (9.2.4) OpManagerDB=# select * from userpasswordtable where userid = 2; userid | username | password | ownername | domainname | sipenabled --------+-----------------+-----------+-----------+------------+------------ 2 | IntegrationUser | d7962CgyJ | NULL | NULL | false (1 row) The above password decrypted is "plugin". Any account that has access to the web interface with Administrator rights can use a web form (/api/json/admin/SubmitQuery) to execute SQL queries on the backend PostgreSQL instance. By default restrictions apply and queries that start with INSERT/UPDATE/DELETE are not allowed to be executed, this is however very easy to bypass by using something like "INSERT/**/INTO...". The "/**/" comment will create a space and the function is not detected by OpManager's protection and will be executed. The PostgreSQL environment runs as SYSTEM under Windows. By writing a WAR payload to the "tomcat/webroot" directory, the WAR payload will be deployed automatically and will give a shell with SYSTEM privileges. A metasploit module will be release shortly. Solution -------- ManageEngine has provided a patch to fix this issue: https://support.zoho.com/portal/manageengine/helpcenter/articles/pgsql-submitquery-do-vulnerability Advisory Timeline ----------------- 05/17/2015 - Discovery and vendor notification 05/22/2015 - ManageEngine acknowledged issue 07/10/2015 - Requested status update 07/17/2015 - ManageEngine supplied fix 07/24/2015 - ManageEngine provied definitive fix at https://support.zoho.com/portal/manageengine/helpcenter/articles/pgsql-submitquery-do-vulnerability 09/14/2015 - Public disclosure _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists