exploit the possibilities

ManageEngine OpManager 12.3 Privilege Escalation

ManageEngine OpManager 12.3 Privilege Escalation
Posted Jan 22, 2019
Authored by Humberto Cabrera | Site zeroscience.mk

ManageEngine OpManager version 12.3 suffers from a weak permissions issue in which an attacker can replace the service binary with a binary of his choice. This service runs as Localsystem thus allowing for a privilege escalation vector.

tags | exploit
MD5 | eee20374da2b5419d53f9eda05f63110

ManageEngine OpManager 12.3 Privilege Escalation

Change Mirror Download

ManageEngine OpManager Privilege Escalation


Vendor: Zoho Corporation Pvt. Ltd.
Product web page: https://www.manageengine.com
Affected version: 12.3

Summary: OpManager offers comprehensive network monitoring capabilities
that help you monitor network performance, detect network faults in real
time, troubleshoot errors, and prevent downtime. Being a powerful network
monitor, it supports multi-vendor IT environments and can scale to fit your
network, regardless of its size. Monitor your devices and network to gain
complete visibility and control over your entire network infrastructure.
It allows you to monitor critical performance metrics like availability,
CPU, disk space, and memory utilization across physical and virtual servers.

Description: The OpManager Monitoring service suffers from a weak permissions
issue in which an attacker can replace the service binary with a binary of his
choice. This service runs as Localsystem thus allowing for a privilege escalation
vector.

Tested on: Microsoft Windows 7 x64


Vulnerability discovered by Humberto Cabrera
@zeroscience


Advisory ID: ZSL-2019-5504
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5504.php

14.01.2019

--


C:\Users\User>sc qc opmanager
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: opmanager
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\ManageEngine\OpManager\bin\wrapper.exe -s C:\ManageEngine\OpManager\conf\wrapper.conf
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ManageEngine OpManager
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem


C:\ManageEngine\OpManager\bin>icacls wrapper.exe
wrapper.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M) <==- Weak Permissions allowing the modification of the service binary

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

March 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    15 Files
  • 2
    Mar 2nd
    5 Files
  • 3
    Mar 3rd
    3 Files
  • 4
    Mar 4th
    25 Files
  • 5
    Mar 5th
    20 Files
  • 6
    Mar 6th
    16 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    12 Files
  • 9
    Mar 9th
    3 Files
  • 10
    Mar 10th
    4 Files
  • 11
    Mar 11th
    23 Files
  • 12
    Mar 12th
    12 Files
  • 13
    Mar 13th
    12 Files
  • 14
    Mar 14th
    19 Files
  • 15
    Mar 15th
    12 Files
  • 16
    Mar 16th
    2 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    0 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close