ManageEngine File Download / Content Disclosure / SQL Injection
Posted on 30 January 2015
Hi, This is part 12 of the ManageOwnage series. For previous parts, see [1]. This time we have an arbitrary file download, directory content disclosure and blind SQL injection vulnerabilities in ManageEngine OpManager, Applications Manager and IT360. I've pushed two new Metasploit modules into the framework that exploit the file download and the content disclosure [2], these should hopefully be accepted soon. The full advisory text is below, and as always you can get a copy from my repo [3]. Regards, Pedro >> Multiple vulnerabilities in FailOverServlet in ManageEngine OpManager, Applications Manager and IT360 >> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security ========================================================================== Disclosure: 28/01/2014 / Last updated: 28/01/2014 >> Background on the affected products: "ManageEngine OpManager is a network and data center infrastructure management software that helps large enterprises, service providers and SMEs manage their data centers and IT infrastructure efficiently and cost effectively. Automated workflows, intelligent alerting engines, configurable discovery rules, and extendable templates enable IT teams to setup a 24x7 monitoring system within hours of installation." "ManageEngine Applications Manager is a comprehensive application monitoring software used to monitor heterogeneous business applications such as web applications, application servers, web servers, databases, network services, systems, virtual systems, cloud resources, etc. It provides remote business management to the applications or resources in the network. It is a powerful tool for system and network administrators, helping them monitor any number of applications or services running in the network without much manual effort." "Managing mission critical business applications is now made easy through ManageEngine IT360. With agentless monitoring methodology, monitor your applications, servers and databases with ease. Agentless monitoring of your business applications enables you high ROI and low TOC. With integrated network monitoring and bandwidth utilization, quickly troubleshoot any performance related issue with your network and assign issues automatically with ITIL based ServiceDesk integration." >> Technical details: The affected servlet is the "FailOverHelperServlet" (affectionately called FailServlet). There are definitely more vulnerabilities than the ones identified below - for example it is possible to hijack the failover operation completely. The ones listed below as the easy ones to find and exploit. #1 Vulnerability: Arbitrary file download CVE-2014-7863 Constraints: unauthenticated in OpManager and AppManager; authenticated in IT360 Affected versions: ManageEngine Applications Manager v? to v11.Y bXXXX; ManageEngine OpManager v8 - v11.Y bXXXXX; IT360 v? to v10.5 POST /servlet/FailOverHelperServlet?operation=copyfile&fileName=C:\boot.ini #2 Vulnerability: Information disclosure - list all files in a directory and its children CVE-2014-7863 (same as #1) Constraints: unauthenticated in OpManager and AppManager; authenticated in IT360 Affected versions: ManageEngine Applications Manager v? to v11.Y bXXXX; ManageEngine OpManager v8 - v11.Y bXXXXX; IT360 v? to v10.5 POST /servlet/FailOverHelperServlet?operation=listdirectory&rootDirectory=C:\ #3 Vulnerability: Blind SQL injection CVE-2014-7864 Affected versions: ManageEngine OpManager v8 - v11.Y bXXXXX; IT360 v? to v10.5 Constraints: unauthenticated in OpManager; authenticated in IT360 POST /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=standbyUpdateInCentral&customerName=[SQLi_1]&serverRole=[SQLi_2] POST /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=standbyUpdateInCentral&customerName=a')%3b+create+table+bacas+(bodas+text)%3b--+&serverRole=a >> Fix: For Applications Manager, upgrade to version 11.9 b11912. For OpManager, install the patch for v11.4 and 11.5: https://support.zoho.com/portal/manageengine/helpcenter/articles/vulnerabilities-in-failoverhelperservlet Version 11.6 will be released with the patch. These vulnerabilities remain UNFIXED in IT360. [1] http://seclists.org/fulldisclosure/2014/Aug/55 http://seclists.org/fulldisclosure/2014/Aug/75 http://seclists.org/fulldisclosure/2014/Aug/88 http://seclists.org/fulldisclosure/2014/Sep/1 http://seclists.org/fulldisclosure/2014/Sep/110 http://seclists.org/fulldisclosure/2014/Nov/12 http://seclists.org/fulldisclosure/2014/Nov/18 http://seclists.org/fulldisclosure/2014/Nov/21 http://seclists.org/fulldisclosure/2014/Dec/9 http://seclists.org/fulldisclosure/2015/Jan/2 http://seclists.org/fulldisclosure/2015/Jan/5 [2] https://github.com/rapid7/metasploit-framework/pull/4658 https://github.com/rapid7/metasploit-framework/pull/4659 [3] https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_failservlet.txt
