exploit the possibilities

ManageEngine MSPCentral 9 Cross Site Request Forgery / Cross Site Scripting

ManageEngine MSPCentral 9 Cross Site Request Forgery / Cross Site Scripting
Posted Dec 4, 2012
Authored by Cartel

ManageEngine MSPCentral version 9 suffers from cross site request forgery, insecure session cookies, and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, csrf
MD5 | a6b249d821b0d77e77659a38b9618210

ManageEngine MSPCentral 9 Cross Site Request Forgery / Cross Site Scripting

Change Mirror Download
--------------------------------------------------------------
REDACTED REDACTED REDACTED REDACTED REDACTED REDACTED REDACTED
ADVISORY ADVISORY ADVISORY ADVISORY ADVISORY ADVISORY ADVISORY
--------------------------------------------------------------

RA004: Multiple vulnerabilities in ManageEngine MSPCentral 9
------------------------------------------------------------
Background
----------

At Kiwicon 6 in my talk "Managed Service Pwnage", I demonstrated
trivial flaws in Kaseya, ManageEngine and N-Central that could
all be used to gain admin access. In accordance with responsible
disclosure policy, no exploit code was released.

The intention of these demonstrations was to get the MSP industry as a
whole to wake up and take security seriously. It's evident from my
cursory research that nobody in this industry does, as none of the
flaws demonstrated would have been present.


RA004-1: Reflected XSS Injection in Search Form
------------------------------------------------

The Search box present on all web pages does not properly encode input.
As a result, entering a javascript block such as

<script>alert('xss');</script>

into the test form will cause the code to be executed within the
context of the MSPCentral DOM.
This can be leveraged to obtain the cookie of the logged in user which
can be replayed to
obtain access to the system with the privilege of the logged in user.

RA004-2: Insecure Session Cookies
----------------------------------

It was noted that the Session Cookie in use did not have the HTTPOnly
flag set. This is what allows
the cookie to be stolen and replayed as above. Enabling HTTPOnly and
disabling HTTP TRACE on the server
would eliminate this issue.

RA004-3: Persistent XSS injection via spoofing Agent Signup
------------------------------------------------------------

A persistent XSS injection vector was found in the agent signup process.
The following GET request to the MSPCentral server is sufficient to
inject a spoofed 'machine' into the MSPCentral
console, with a javascript payload.

GET /servlets/RegisterAgent?custID=1&monagentID=hack<script>alert('xss');</script>er\
&monagentKey=MSPCENTER&IpAddress=255.255.255.255&osName=Windows20XP&\
agentUniqueID=1352698611&category=Workstation&monagentDNS=hacker&updateStatus=yes\&agentVersion=9.0.5&isMasterAgent=NO&MACAddress=08:00:0h:ax:0r:zz&timeStamp=1352698569

It was noted that there was no signuature checking, HMAC or any type
of authentication whatsoever in the agent signup process.

RA004-4: No CSRF Protection
----------------------------

It was noted that critical forms such as the Add User form lacked any
kind of CSRF token.



Disclosure Timeline
-------------------

September 2012: vulnerabilities discovered.
November 17, 2012: vulnerabilities demonstrated at Kiwicon 6.
November 20, 2012: Details disclosed to ZOHO Security.
December 4, 2012: Response from vendor:

"We do accept the vulnerabilities that you have exposed are present in
MSP Center Plus.
However, we cannot fix those issues because we have frozen the development.
In fact, we are planning to withdraw the product from the market shortly.
Versions up to 9 were EOL-ed last year and we continued with just the
v9 which is now
being EOL-ed as we speak. But thanks for your help we appreciate that
very much and
we would also be very careful in our agent developments in future which have a
similar development model."

December 4, 2012: Advisory posted to Full Disclosure, as well as posted at the
following URL:

http://www.redacted.co.nz/a/c3b0979389e131258ea14b7a6d9346a9a5a0700b5056f8d95be75da3abd20f43


Suggested Reading
-----------------

For the ManageEngine dev team :-)

OWASP Top Ten: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Web App Hackers Handbook: http://mdsec.net/wahh/


About REDACTED
--------------

;)


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

September 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    1 Files
  • 2
    Sep 2nd
    38 Files
  • 3
    Sep 3rd
    30 Files
  • 4
    Sep 4th
    15 Files
  • 5
    Sep 5th
    12 Files
  • 6
    Sep 6th
    17 Files
  • 7
    Sep 7th
    3 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    24 Files
  • 10
    Sep 10th
    22 Files
  • 11
    Sep 11th
    22 Files
  • 12
    Sep 12th
    15 Files
  • 13
    Sep 13th
    5 Files
  • 14
    Sep 14th
    2 Files
  • 15
    Sep 15th
    1 Files
  • 16
    Sep 16th
    11 Files
  • 17
    Sep 17th
    14 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close