lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 13 May 2020 16:33:47 +0000
From: xen1thLabs <xen1thLabs@...ital14.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] Asset Explorer (Windows & Linux) - Authenticated Command
	Execution

XL-2020-004 - Asset Explorer (Windows & Linux) - Authenticated Command Execution

===============================================================================



Identifiers

-------------------------------------------------

* CVE-2019-19034

* XL-20-004



CVSSv3 score

-------------------------------------------------

7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)



Vendor

-------------------------------------------------

ManageEngine - [https://www.manageengine.com/products/asset-explorer/](https://www.manageengine.com/products/asset-explorer/)



Product

-------------------------------------------------

ManageEngine AssetExplorer is a web-based IT Asset Management (ITAM) software that helps you monitor and manage assets in your network from Planning phase to Disposal phase. AssetExplorer provides you with a number of ways to ensure discovery of all the assets in your network. You can manage software & hardware assets, ensure software license compliance and track purchase orders & contracts - the whole nine yards! AssetExplorer is very easy to install and works right out of the box.



Affected versions

-------------------------------------------------

- All versions prior to 6.5 (6503)



Credit

-------------------------------------------------

Sahil Dhar - xen1thLabs - Software Labs



Vulnerability summary

-------------------------------------------------

ManageEngine Asset Explorer application does not validate System Center Configuration Manager (SCCM) database username when dynamically generating a command to schedule scans for SCCM. The vulnerability allows an attacker to execute arbitrary commands on the AssetExplorer Server with NT AUTHORITY/SYSTEM privileges.



Technical details

-------------------------------------------------

The username is concatenated to the system command on line `143` and `144` of `SccmTask.java` from `AdventNetAsset.jar` package,  before being executed through the `exec()` method from `java.lang.Runtime` class on line `147` or `149`.



The following code snippet displays the vulnerable souce code:



```java

/*

Package Name: AdventNetAsset.jar

FileName: SccmTask.java

*/

123:        prop.setProperty("hostName", sccmHostName);

124:        prop.setProperty("databaseName", sccmDbName);

125:        prop.setProperty("domain", "-".equals(sccmDomain) ? "" : sccmDomain);

126:        prop.setProperty("username", sccmUserName);

127:        prop.setProperty("port", sccmPortNum);

128:        prop.setProperty("password", Encoder.convertFromBase(sccmPassword));

129:

130:        DBConnectorUtil connectionTester = new DBConnectorUtil(prop, false);

131:

132:        HashMap<String, Object> auditStart = new HashMap();

133:        auditStart.put("sccmId", sccmConfigId);

134:        auditStart.put("sccmName", sccmName);

135:        auditStart.put("startTime", new Timestamp(startTime.longValue()));

136:        auditStart.put("auditToken", auditId);

137:        SCCMUtil.updateSCCMScanStartAudit(auditStart);

138:

140:        if (connectionTester.testConnection())

141:        {

142:          logger.log(Level.INFO, "Connection has been established with the required SCCM");

143:          String runSccmWindows = "SCCMScheduler.bat " + sccmDomain + " " + sccmPortNum + " " + sccmDbName + " " + sccmHostName + " " + sccmUserName + " " + sccmPassword + " " + sccmConfigId.toString() + " " + auditId + " " + siteId + " " + auditURL;

144:          String runSccmLinux = "sh SCCMScheduler.sh " + sccmDomain + " " + sccmPortNum + " " + sccmDbName + " " + sccmHostName + " " + sccmUserName + " " + sccmPassword + " " + sccmConfigId.toString() + " " + auditId + " " + siteId + " " + auditURL;

145:          if (System.getProperty("os.name").indexOf("Windows") != -1)

146:          {

147:            Runtime.getRuntime().exec(runSccmWindows);

148:          } else {

149:            Runtime.getRuntime().exec(runSccmLinux);

150:          }

151:          logger.log(Level.INFO, "SCCM Scanner is lauched. Log file is created in directory: ROOT/logs/SCCMLogs/");

152:        }

```



Proof of concept

-------------------------------------------------

1. Set `| calc.exe &` as a username of one of the databases of the SCCM database server.

2. Authenticate to the application with Administrator credentials and navigate to Admin > Discovery > Crdential Library.

3. Add one SCCM credential with authentication mode as SQL and username as `| calc.exe &` and password for SCCM database server.

4. Navigate to SCCM integration, fill in the required parameters and select the credentials added in `step 3` and schedule a scan.

5. Observe that the application executes `calc.exe` with NT AUTHORITY/SYSTEM privileges.





Solution

-------------------------------------------------

This issue is fixed in ManageEngine AssetExplorer 6.6 version.





Timeline

-------------------------------------------------

    15-09-2019 - Reported to vendor

    17-09-2019 - Vendor acknowledgement

    21-11-2019 - Patch released

    13-05-2020 - xen1thLabs public disclosure




_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists