Exploit the possiblities

ManageEngine OpManager 11.5 Hardcoded Credential / SQL Bypass

ManageEngine OpManager 11.5 Hardcoded Credential / SQL Bypass
Posted Sep 16, 2015
Authored by xistence

ManageEngine OpManager versions 11.5 and below suffer from SQL query protection bypass and has hard-coded credentials.

tags | exploit
MD5 | 588a76a8c2bf1619c2305abf7d437cd4

ManageEngine OpManager 11.5 Hardcoded Credential / SQL Bypass

Change Mirror Download
Exploit Title: ManageEngine OpManager multiple vulnerabilities
Product: ManageEngine OpManager
Vulnerable Versions: v11.5 and previous versions
Tested Version: v11.5 (Windows)
Advisory Publication: 14/09/2015
Vulnerability Type: hardcoded credentials, SQL query protection bypass
Credit: xistence <xistence[at]0x90.nl>


Product Description
-------------------

ManageEngine OpManager is a network, server, and virtualization monitoring
software that helps SMEs, large enterprises and service providers manage
their data centers and IT infrastructure efficiently and cost effectively.
Automated workflows, intelligent alerting engines, configurable discovery
rules, and extendable templates enable IT teams to setup a 24x7 monitoring
system within hours of installation.
Do-it-yourself plug-ins extend the scope of management to include network
change and configuration management and IP address management as well as
monitoring of networks, applications, databases, virtualization and
NetFlow-based bandwidth.


Vulnerability Details
---------------------

ManageEngine OpManager ships with a default account "IntegrationUser" with
the password "plugin". This account is hidden from the user interface and
will never show up in the user management. Also changing the password for
this account is not possible by default. The account however is assigned
Administrator privileges and logging in with this account is possible via
the web interface.

Below you can see the account in the PostgreSQL database after a fresh
installation:

C:\ManageEngine\OpManager\pgsql\bin>psql.exe -h 127.0.0.1 -p 13306 -U
postgres -d OpManagerDB
psql (9.2.4)

OpManagerDB=# select * from userpasswordtable where userid = 2;
userid | username | password | ownername | domainname | sipenabled
--------+-----------------+-----------+-----------+------------+------------
2 | IntegrationUser | d7962CgyJ | NULL | NULL | false
(1 row)

The above password decrypted is "plugin".

Any account that has access to the web interface with Administrator rights
can use a web form (/api/json/admin/SubmitQuery) to execute SQL queries on
the backend PostgreSQL instance.
By default restrictions apply and queries that start with
INSERT/UPDATE/DELETE are not allowed to be executed, this is however very
easy to bypass by using something like "INSERT/**/INTO...". The "/**/"
comment will create a space and the function is not detected by OpManager's
protection and will be executed.

The PostgreSQL environment runs as SYSTEM under Windows. By writing a WAR
payload to the "tomcat/webroot" directory, the WAR payload will be deployed
automatically and will give a shell with SYSTEM privileges.

A metasploit module will be release shortly.


Solution
--------

ManageEngine has provided a patch to fix this issue:
https://support.zoho.com/portal/manageengine/helpcenter/articles/pgsql-submitquery-do-vulnerability


Advisory Timeline
-----------------

05/17/2015 - Discovery and vendor notification
05/22/2015 - ManageEngine acknowledged issue
07/10/2015 - Requested status update
07/17/2015 - ManageEngine supplied fix
07/24/2015 - ManageEngine provied definitive fix at
https://support.zoho.com/portal/manageengine/helpcenter/articles/pgsql-submitquery-do-vulnerability
09/14/2015 - Public disclosure

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    22 Files
  • 2
    Nov 2nd
    28 Files
  • 3
    Nov 3rd
    10 Files
  • 4
    Nov 4th
    1 Files
  • 5
    Nov 5th
    5 Files
  • 6
    Nov 6th
    15 Files
  • 7
    Nov 7th
    15 Files
  • 8
    Nov 8th
    13 Files
  • 9
    Nov 9th
    9 Files
  • 10
    Nov 10th
    9 Files
  • 11
    Nov 11th
    3 Files
  • 12
    Nov 12th
    2 Files
  • 13
    Nov 13th
    15 Files
  • 14
    Nov 14th
    17 Files
  • 15
    Nov 15th
    19 Files
  • 16
    Nov 16th
    15 Files
  • 17
    Nov 17th
    19 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close