Twenty Year Anniversary

Password Manager Pro SQL Injection

Password Manager Pro SQL Injection
Posted Nov 9, 2014
Authored by Pedro Ribeiro

Password Manager Pro versions prior to 7.1 build 7105 suffer from multiple remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, sql injection
advisories | CVE-2014-8498, CVE-2014-8499
MD5 | 1b0c6ed0b281e61d6116908394be6637

Password Manager Pro SQL Injection

Change Mirror Download
Hi,

This is part 7 of the ManageOwnage series. For previous parts, see [1].

Today we have a blind SQL injection in Password Manager Pro (PMP) that
can be abused to escalate privileges for a low privileged user (like a
guest) to the "super administrator". Using our new powers we can then
dump the whole password database in cleartext.

Unlike in part 6, this time ManageEngine have been responsible and
released an update. It actually took them less than a month to fix it
- so props to the PMP development team.

I have also produces a Metasploit module that performs the injection,
escalates privileges and dumps the password database. It has been
proposed for merging and hopefully should be integrated in the next
few days:
https://github.com/rapid7/metasploit-framework/pull/4155

Details and full advisory text is below. A copy of this advisory can
be obtained from my repo [2].

Regards,
Pedro


>> Authenticated blind SQL injection in Password Manager Pro / Pro MSP
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
==========================================================================
Disclosure: 08/11/2014 / Last updated: 08/11/2014

>> Background on the affected products:
"Password Manager Pro (PMP) is a secure vault for storing and managing
shared sensitive information such as passwords, documents and digital
identities of enterprises."


>> Technical details:
PMP has a SQL injection vulnerability in its search function. A valid
user account is required to exploit the injection, however a low
privileged guest account is enough.

The application uses different database backends by default depending
on its version: versions < 6.8 use the MySQL backend and versions >=
6.8 use PostgreSQL. Single quotes are escaped with backslashes at the
injection point, but this can be somewhat avoided by double escaping
the slashes (\\'). In addition, injected strings are all modified to
uppercase. These two unintended "protections" make it difficult to
exploit the injection to achieve remote code execution.
However the injection can be abused in creative ways - for example to
escalate the current user privileges to "Super Administrator", which
has access to all the passwords in the system in unencrypted format.
This can be achieved by injecting the following queries: "update
AaaAuthorizedRole set role_id=1 where account_id=<userId>;insert into
ptrx_superadmin values (<userId>,true);".

A Metasploit module has been released that creates a new "Super
Administrator" account and exports PMP's password database in CSV
format. All passwords are exported unencrypted.


Vulnerability: Blind SQL injection in SEARCH_ALL parameter (multiple
pages affected)
Constraints: authentication needed (guest / low privileged user account)

CVE-2014-8498
POST /BulkEditSearchResult.cc
Affected versions: Unknown, at least v7 build 7001 to vX build XXX

CVE-2014-8499
POST /SQLAdvancedALSearchResult.cc
POST /AdvancedSearchResult.cc
Affected versions: Unknown, at least v6.5 to vX build XXX

COUNT=1&USERID=1&SEARCH_ALL=<injection here>


>> Fix:
Upgrade to version 7.1 build 7105


[1]
http://seclists.org/fulldisclosure/2014/Aug/55
http://seclists.org/fulldisclosure/2014/Aug/75
http://seclists.org/fulldisclosure/2014/Aug/88
http://seclists.org/fulldisclosure/2014/Sep/1
http://seclists.org/fulldisclosure/2014/Sep/110
http://seclists.org/fulldisclosure/2014/Nov/12

[2]
https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_pmp_privesc.txt

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

July 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    1 Files
  • 2
    Jul 2nd
    26 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    11 Files
  • 5
    Jul 5th
    13 Files
  • 6
    Jul 6th
    4 Files
  • 7
    Jul 7th
    4 Files
  • 8
    Jul 8th
    1 Files
  • 9
    Jul 9th
    16 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    32 Files
  • 12
    Jul 12th
    22 Files
  • 13
    Jul 13th
    15 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    1 Files
  • 16
    Jul 16th
    21 Files
  • 17
    Jul 17th
    4 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close