exploit the possibilities

Password Manager Pro SQL Injection

Password Manager Pro SQL Injection
Posted Nov 9, 2014
Authored by Pedro Ribeiro

Password Manager Pro versions prior to 7.1 build 7105 suffer from multiple remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, sql injection
advisories | CVE-2014-8498, CVE-2014-8499
MD5 | 1b0c6ed0b281e61d6116908394be6637

Password Manager Pro SQL Injection

Change Mirror Download

This is part 7 of the ManageOwnage series. For previous parts, see [1].

Today we have a blind SQL injection in Password Manager Pro (PMP) that
can be abused to escalate privileges for a low privileged user (like a
guest) to the "super administrator". Using our new powers we can then
dump the whole password database in cleartext.

Unlike in part 6, this time ManageEngine have been responsible and
released an update. It actually took them less than a month to fix it
- so props to the PMP development team.

I have also produces a Metasploit module that performs the injection,
escalates privileges and dumps the password database. It has been
proposed for merging and hopefully should be integrated in the next
few days:

Details and full advisory text is below. A copy of this advisory can
be obtained from my repo [2].


>> Authenticated blind SQL injection in Password Manager Pro / Pro MSP
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
Disclosure: 08/11/2014 / Last updated: 08/11/2014

>> Background on the affected products:
"Password Manager Pro (PMP) is a secure vault for storing and managing
shared sensitive information such as passwords, documents and digital
identities of enterprises."

>> Technical details:
PMP has a SQL injection vulnerability in its search function. A valid
user account is required to exploit the injection, however a low
privileged guest account is enough.

The application uses different database backends by default depending
on its version: versions < 6.8 use the MySQL backend and versions >=
6.8 use PostgreSQL. Single quotes are escaped with backslashes at the
injection point, but this can be somewhat avoided by double escaping
the slashes (\\'). In addition, injected strings are all modified to
uppercase. These two unintended "protections" make it difficult to
exploit the injection to achieve remote code execution.
However the injection can be abused in creative ways - for example to
escalate the current user privileges to "Super Administrator", which
has access to all the passwords in the system in unencrypted format.
This can be achieved by injecting the following queries: "update
AaaAuthorizedRole set role_id=1 where account_id=<userId>;insert into
ptrx_superadmin values (<userId>,true);".

A Metasploit module has been released that creates a new "Super
Administrator" account and exports PMP's password database in CSV
format. All passwords are exported unencrypted.

Vulnerability: Blind SQL injection in SEARCH_ALL parameter (multiple
pages affected)
Constraints: authentication needed (guest / low privileged user account)

POST /BulkEditSearchResult.cc
Affected versions: Unknown, at least v7 build 7001 to vX build XXX

POST /SQLAdvancedALSearchResult.cc
POST /AdvancedSearchResult.cc
Affected versions: Unknown, at least v6.5 to vX build XXX

COUNT=1&USERID=1&SEARCH_ALL=<injection here>

>> Fix:
Upgrade to version 7.1 build 7105


Login or Register to add favorites

File Archive:

December 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    18 Files
  • 2
    Dec 2nd
    11 Files
  • 3
    Dec 3rd
    23 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    13 Files
  • 7
    Dec 7th
    12 Files
  • 8
    Dec 8th
    19 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2020 Packet Storm. All rights reserved.

Security Services
Hosting By