what you don't know can hurt you

ManageEngine MSPCentral 9 Cross Site Request Forgery / Cross Site Scripting

ManageEngine MSPCentral 9 Cross Site Request Forgery / Cross Site Scripting
Posted Dec 4, 2012
Authored by Cartel

ManageEngine MSPCentral version 9 suffers from cross site request forgery, insecure session cookies, and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, csrf
MD5 | a6b249d821b0d77e77659a38b9618210

ManageEngine MSPCentral 9 Cross Site Request Forgery / Cross Site Scripting

Change Mirror Download
--------------------------------------------------------------
REDACTED REDACTED REDACTED REDACTED REDACTED REDACTED REDACTED
ADVISORY ADVISORY ADVISORY ADVISORY ADVISORY ADVISORY ADVISORY
--------------------------------------------------------------

RA004: Multiple vulnerabilities in ManageEngine MSPCentral 9
------------------------------------------------------------
Background
----------

At Kiwicon 6 in my talk "Managed Service Pwnage", I demonstrated
trivial flaws in Kaseya, ManageEngine and N-Central that could
all be used to gain admin access. In accordance with responsible
disclosure policy, no exploit code was released.

The intention of these demonstrations was to get the MSP industry as a
whole to wake up and take security seriously. It's evident from my
cursory research that nobody in this industry does, as none of the
flaws demonstrated would have been present.


RA004-1: Reflected XSS Injection in Search Form
------------------------------------------------

The Search box present on all web pages does not properly encode input.
As a result, entering a javascript block such as

<script>alert('xss');</script>

into the test form will cause the code to be executed within the
context of the MSPCentral DOM.
This can be leveraged to obtain the cookie of the logged in user which
can be replayed to
obtain access to the system with the privilege of the logged in user.

RA004-2: Insecure Session Cookies
----------------------------------

It was noted that the Session Cookie in use did not have the HTTPOnly
flag set. This is what allows
the cookie to be stolen and replayed as above. Enabling HTTPOnly and
disabling HTTP TRACE on the server
would eliminate this issue.

RA004-3: Persistent XSS injection via spoofing Agent Signup
------------------------------------------------------------

A persistent XSS injection vector was found in the agent signup process.
The following GET request to the MSPCentral server is sufficient to
inject a spoofed 'machine' into the MSPCentral
console, with a javascript payload.

GET /servlets/RegisterAgent?custID=1&monagentID=hack<script>alert('xss');</script>er\
&monagentKey=MSPCENTER&IpAddress=255.255.255.255&osName=Windows20XP&\
agentUniqueID=1352698611&category=Workstation&monagentDNS=hacker&updateStatus=yes\&agentVersion=9.0.5&isMasterAgent=NO&MACAddress=08:00:0h:ax:0r:zz&timeStamp=1352698569

It was noted that there was no signuature checking, HMAC or any type
of authentication whatsoever in the agent signup process.

RA004-4: No CSRF Protection
----------------------------

It was noted that critical forms such as the Add User form lacked any
kind of CSRF token.



Disclosure Timeline
-------------------

September 2012: vulnerabilities discovered.
November 17, 2012: vulnerabilities demonstrated at Kiwicon 6.
November 20, 2012: Details disclosed to ZOHO Security.
December 4, 2012: Response from vendor:

"We do accept the vulnerabilities that you have exposed are present in
MSP Center Plus.
However, we cannot fix those issues because we have frozen the development.
In fact, we are planning to withdraw the product from the market shortly.
Versions up to 9 were EOL-ed last year and we continued with just the
v9 which is now
being EOL-ed as we speak. But thanks for your help we appreciate that
very much and
we would also be very careful in our agent developments in future which have a
similar development model."

December 4, 2012: Advisory posted to Full Disclosure, as well as posted at the
following URL:

http://www.redacted.co.nz/a/c3b0979389e131258ea14b7a6d9346a9a5a0700b5056f8d95be75da3abd20f43


Suggested Reading
-----------------

For the ManageEngine dev team :-)

OWASP Top Ten: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Web App Hackers Handbook: http://mdsec.net/wahh/


About REDACTED
--------------

;)


Login or Register to add favorites

File Archive:

January 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    0 Files
  • 3
    Jan 3rd
    20 Files
  • 4
    Jan 4th
    4 Files
  • 5
    Jan 5th
    37 Files
  • 6
    Jan 6th
    20 Files
  • 7
    Jan 7th
    4 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    0 Files
  • 10
    Jan 10th
    18 Files
  • 11
    Jan 11th
    8 Files
  • 12
    Jan 12th
    19 Files
  • 13
    Jan 13th
    31 Files
  • 14
    Jan 14th
    2 Files
  • 15
    Jan 15th
    2 Files
  • 16
    Jan 16th
    2 Files
  • 17
    Jan 17th
    18 Files
  • 18
    Jan 18th
    13 Files
  • 19
    Jan 19th
    0 Files
  • 20
    Jan 20th
    0 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close