what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

ManageEngine MSPCentral 9 Cross Site Request Forgery / Cross Site Scripting

ManageEngine MSPCentral 9 Cross Site Request Forgery / Cross Site Scripting
Posted Dec 4, 2012
Authored by Cartel

ManageEngine MSPCentral version 9 suffers from cross site request forgery, insecure session cookies, and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, csrf
SHA-256 | b983739d5c9e6e3348d2323d71a796d500798b6a460b49fa2b179cee9582484f

ManageEngine MSPCentral 9 Cross Site Request Forgery / Cross Site Scripting

Change Mirror Download
--------------------------------------------------------------
REDACTED REDACTED REDACTED REDACTED REDACTED REDACTED REDACTED
ADVISORY ADVISORY ADVISORY ADVISORY ADVISORY ADVISORY ADVISORY
--------------------------------------------------------------

RA004: Multiple vulnerabilities in ManageEngine MSPCentral 9
------------------------------------------------------------
Background
----------

At Kiwicon 6 in my talk "Managed Service Pwnage", I demonstrated
trivial flaws in Kaseya, ManageEngine and N-Central that could
all be used to gain admin access. In accordance with responsible
disclosure policy, no exploit code was released.

The intention of these demonstrations was to get the MSP industry as a
whole to wake up and take security seriously. It's evident from my
cursory research that nobody in this industry does, as none of the
flaws demonstrated would have been present.


RA004-1: Reflected XSS Injection in Search Form
------------------------------------------------

The Search box present on all web pages does not properly encode input.
As a result, entering a javascript block such as

<script>alert('xss');</script>

into the test form will cause the code to be executed within the
context of the MSPCentral DOM.
This can be leveraged to obtain the cookie of the logged in user which
can be replayed to
obtain access to the system with the privilege of the logged in user.

RA004-2: Insecure Session Cookies
----------------------------------

It was noted that the Session Cookie in use did not have the HTTPOnly
flag set. This is what allows
the cookie to be stolen and replayed as above. Enabling HTTPOnly and
disabling HTTP TRACE on the server
would eliminate this issue.

RA004-3: Persistent XSS injection via spoofing Agent Signup
------------------------------------------------------------

A persistent XSS injection vector was found in the agent signup process.
The following GET request to the MSPCentral server is sufficient to
inject a spoofed 'machine' into the MSPCentral
console, with a javascript payload.

GET /servlets/RegisterAgent?custID=1&monagentID=hack<script>alert('xss');</script>er\
&monagentKey=MSPCENTER&IpAddress=255.255.255.255&osName=Windows20XP&\
agentUniqueID=1352698611&category=Workstation&monagentDNS=hacker&updateStatus=yes\&agentVersion=9.0.5&isMasterAgent=NO&MACAddress=08:00:0h:ax:0r:zz&timeStamp=1352698569

It was noted that there was no signuature checking, HMAC or any type
of authentication whatsoever in the agent signup process.

RA004-4: No CSRF Protection
----------------------------

It was noted that critical forms such as the Add User form lacked any
kind of CSRF token.



Disclosure Timeline
-------------------

September 2012: vulnerabilities discovered.
November 17, 2012: vulnerabilities demonstrated at Kiwicon 6.
November 20, 2012: Details disclosed to ZOHO Security.
December 4, 2012: Response from vendor:

"We do accept the vulnerabilities that you have exposed are present in
MSP Center Plus.
However, we cannot fix those issues because we have frozen the development.
In fact, we are planning to withdraw the product from the market shortly.
Versions up to 9 were EOL-ed last year and we continued with just the
v9 which is now
being EOL-ed as we speak. But thanks for your help we appreciate that
very much and
we would also be very careful in our agent developments in future which have a
similar development model."

December 4, 2012: Advisory posted to Full Disclosure, as well as posted at the
following URL:

http://www.redacted.co.nz/a/c3b0979389e131258ea14b7a6d9346a9a5a0700b5056f8d95be75da3abd20f43


Suggested Reading
-----------------

For the ManageEngine dev team :-)

OWASP Top Ten: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Web App Hackers Handbook: http://mdsec.net/wahh/


About REDACTED
--------------

;)


Login or Register to add favorites

File Archive:

January 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    0 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    5 Files
  • 4
    Jan 4th
    5 Files
  • 5
    Jan 5th
    9 Files
  • 6
    Jan 6th
    5 Files
  • 7
    Jan 7th
    0 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    18 Files
  • 10
    Jan 10th
    31 Files
  • 11
    Jan 11th
    30 Files
  • 12
    Jan 12th
    33 Files
  • 13
    Jan 13th
    25 Files
  • 14
    Jan 14th
    0 Files
  • 15
    Jan 15th
    0 Files
  • 16
    Jan 16th
    7 Files
  • 17
    Jan 17th
    25 Files
  • 18
    Jan 18th
    38 Files
  • 19
    Jan 19th
    6 Files
  • 20
    Jan 20th
    21 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    24 Files
  • 24
    Jan 24th
    68 Files
  • 25
    Jan 25th
    22 Files
  • 26
    Jan 26th
    20 Files
  • 27
    Jan 27th
    17 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    20 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close