exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ManageEngine MSPCentral 9 Cross Site Request Forgery / Cross Site Scripting

ManageEngine MSPCentral 9 Cross Site Request Forgery / Cross Site Scripting
Posted Dec 4, 2012
Authored by Cartel

ManageEngine MSPCentral version 9 suffers from cross site request forgery, insecure session cookies, and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, csrf
SHA-256 | b983739d5c9e6e3348d2323d71a796d500798b6a460b49fa2b179cee9582484f

ManageEngine MSPCentral 9 Cross Site Request Forgery / Cross Site Scripting

Change Mirror Download
--------------------------------------------------------------
REDACTED REDACTED REDACTED REDACTED REDACTED REDACTED REDACTED
ADVISORY ADVISORY ADVISORY ADVISORY ADVISORY ADVISORY ADVISORY
--------------------------------------------------------------

RA004: Multiple vulnerabilities in ManageEngine MSPCentral 9
------------------------------------------------------------
Background
----------

At Kiwicon 6 in my talk "Managed Service Pwnage", I demonstrated
trivial flaws in Kaseya, ManageEngine and N-Central that could
all be used to gain admin access. In accordance with responsible
disclosure policy, no exploit code was released.

The intention of these demonstrations was to get the MSP industry as a
whole to wake up and take security seriously. It's evident from my
cursory research that nobody in this industry does, as none of the
flaws demonstrated would have been present.


RA004-1: Reflected XSS Injection in Search Form
------------------------------------------------

The Search box present on all web pages does not properly encode input.
As a result, entering a javascript block such as

<script>alert('xss');</script>

into the test form will cause the code to be executed within the
context of the MSPCentral DOM.
This can be leveraged to obtain the cookie of the logged in user which
can be replayed to
obtain access to the system with the privilege of the logged in user.

RA004-2: Insecure Session Cookies
----------------------------------

It was noted that the Session Cookie in use did not have the HTTPOnly
flag set. This is what allows
the cookie to be stolen and replayed as above. Enabling HTTPOnly and
disabling HTTP TRACE on the server
would eliminate this issue.

RA004-3: Persistent XSS injection via spoofing Agent Signup
------------------------------------------------------------

A persistent XSS injection vector was found in the agent signup process.
The following GET request to the MSPCentral server is sufficient to
inject a spoofed 'machine' into the MSPCentral
console, with a javascript payload.

GET /servlets/RegisterAgent?custID=1&monagentID=hack<script>alert('xss');</script>er\
&monagentKey=MSPCENTER&IpAddress=255.255.255.255&osName=Windows20XP&\
agentUniqueID=1352698611&category=Workstation&monagentDNS=hacker&updateStatus=yes\&agentVersion=9.0.5&isMasterAgent=NO&MACAddress=08:00:0h:ax:0r:zz&timeStamp=1352698569

It was noted that there was no signuature checking, HMAC or any type
of authentication whatsoever in the agent signup process.

RA004-4: No CSRF Protection
----------------------------

It was noted that critical forms such as the Add User form lacked any
kind of CSRF token.



Disclosure Timeline
-------------------

September 2012: vulnerabilities discovered.
November 17, 2012: vulnerabilities demonstrated at Kiwicon 6.
November 20, 2012: Details disclosed to ZOHO Security.
December 4, 2012: Response from vendor:

"We do accept the vulnerabilities that you have exposed are present in
MSP Center Plus.
However, we cannot fix those issues because we have frozen the development.
In fact, we are planning to withdraw the product from the market shortly.
Versions up to 9 were EOL-ed last year and we continued with just the
v9 which is now
being EOL-ed as we speak. But thanks for your help we appreciate that
very much and
we would also be very careful in our agent developments in future which have a
similar development model."

December 4, 2012: Advisory posted to Full Disclosure, as well as posted at the
following URL:

http://www.redacted.co.nz/a/c3b0979389e131258ea14b7a6d9346a9a5a0700b5056f8d95be75da3abd20f43


Suggested Reading
-----------------

For the ManageEngine dev team :-)

OWASP Top Ten: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Web App Hackers Handbook: http://mdsec.net/wahh/


About REDACTED
--------------

;)


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close