Title: Multiple issues in OpManager
Author: Michael Heydon
Product: OpManager
Tested Versions: 12100 & 12200
Vendor: Zoho ManageEngine
Vendor Notified: 2016-08-14
Disclosure Date: 2016-11-20

Product Description:
====================
  OpManager is a web-based network monitoring system. It is used primarily by
  IT staff and it stores credentials in order to log in to systems which are
  to be monitored. According to ManageEngine it is "Trusted by over a Million
  administrators worldwide".


*******************************************************************************

Issue: DoS
======

Description
===========
  The EncryptPassword API is susceptible to a denial of service attack. When
  certain characters are in the EncryptPassword value the server process will
  go into an infinite loop.

  This is caused by the use of a "while (1) {search; if (found) break}"
  algorithm in the baseConvertor function. An input value that is not present
  within the lookup table will cause the function to loop indefinitely.

  By sending a relatively small number of these requests the service can be
  overloaded (in testing approx. 500 requests will make OpManager practically
  unresponsive until someone logs in to the server and restarts the service).

Steps to Reproduce
==================
  wget -O /dev/null --quiet --post-data='EncryptPassword=%10' http://opmanagerurl.example.com/servlets/SettingsServlet?requestType=AJAX

Notes
=====
  This could be used to disrupt monitoring infrastructure while an attack is
  in progress against a monitored system.

  A similar algorithm is used in the baseDeconvertor function used to
  "decrypt" passwords. Consequently it is likely that a similar issue can be
  triggered by attempting to log in with a specially crafted cookie set
  however this has not been tested.

*******************************************************************************

Issue: Stored XSS
======

Description
===========
  The User Defined DNS Names table in System Settings -> DNS fails to sanitize
  user input.

Steps to Reproduce
==================
  Log in to OpManager as an administrator. Browse to the DNS settings page.

  Add an entry with the following data:
  IP Address: 1.2.3.4
  DNS Name: <script>alert('XSS');</script>example.com

  Any user browsing to the DNS settings page will receive an alert.

*******************************************************************************

Issue: Reflected XSS
======

Description
===========
  The ping and traceroute buttons on the MonitoringDevice page fail to sanitize the name of the host being monitored.

Steps to Reproduce
==================
  Browse to:
  http://opmanagerurl.example.net/apiclient/ember/index.jsp#/Inventory/Snapshot/MonitoringDevice/xssdemo%3Cscript%3Ealert(%22XSS%22)%3B%3C%2Fscript%3E

  Click on either the Ping or Traceroute buttons.

  You will receive an alert.

Notes
=====
  As the specified device does not exist, the page does not render correctly.
  This makes it less likely that the attacker will be able to convince the
  victim to click on the buttons.

*******************************************************************************

Issue: Reflected XSS
======

Description
===========
  The packet loss graph and response time graph pages fail to adequately
  sanitize the name of the host being monitored.

  This issue has been partially mitigated in version 12200. The original non-
  interactive examples no longer work, however XSS is still possible with user
  interaction.

Steps to Reproduce (v12100)
===========================
  Browse to:
  http://opmanagerurl.example.com/apiclient/ember/index.jsp#/Inventory/Snapshot/MonitoringDevice/A')"%20onfocus=alert('XSS');%20autofocus%20x='/PerfGraph/packetLoss/packetLoss
  or
  http://opmanagerurl.example.com/apiclient/ember/index.jsp#/Inventory/Snapshot/MonitoringDevice/A')"%20onfocus=alert('XSS');%20autofocus%20x='/PerfGraph/responseTime/responseTime

  You will receive an alert.

Notes (v12100)
==============
  As this exploit is triggered by an "onfocus" event and generates an alert
  (which takes focus when it opens and returns focus when it is closed) these
  examples will continually generate alerts.

Steps to Reproduce (12200)
===========================
  Browse to:
  http://opmanagerurl.example.com/apiclient/ember/index.jsp#/Inventory/Snapshot/MonitoringDevice/A');%20alert('XSS');nop('/PerfGraph/packetLoss/packetLoss
  or
  http://opmanagerurl.example.com/apiclient/ember/index.jsp#/Inventory/Snapshot/MonitoringDevice/A');%20alert('XSS');nop('/PerfGraph/responseTime/responseTime

  Click on any of the fixed Time Period buttons.

  You will receive an alert.

Notes (v12200)
==============
  Under 12200 this exploit presents a similar risk to the ping/traceroute
  issue. It requires the victim to click on a malformed page and it is
  therefore somewhat harder for an attacker to convince the victim to trigger
  the payload.

*******************************************************************************

Issue: Insecure Storage of User Credentials
=====

Description
===========
  When the "Keep me signed in" checkbox on the login page is ticked, the
  user's password is saved in a cookie in (obfuscated) plaintext.

Steps to Reproduce
==================
  Log in to OpManager with the "Keep me signed in" checkbox selected. Inspect
  cookies. The "encryptPassForAutomaticSignin" value contains the user's
  password obfuscated using a caesar shift and a form of base59 encoding.

  Javascript code to read and decode the login cookies can be found at:
  https://mheydon.net/Projects/Security/OpManager/ompw-js.txt

Notes
=====
  The cookie is not HTTPOnly.

*******************************************************************************

Disclosure Timeline
====================
  2016-08-15 - Reported to ManageEngine (ME)
  2016-08-17 - Received acknowledgement
  2016-09-17 - Requested status update
  2016-09-17 - Received reply that fixes were underway, suggested "12100
               consolidated fix"
  2016-09-19 - Sent clarification that testing was against 12100. Requested
               link to consolidated fix
  2016-09-20 - Received link for 12000 to 12100 update
  2016-09-20 - Advised that the linked patch would not install, repeated that
               testing was against 12100
  2016-09-20 - Received link to NCM/NF patch
  2016-09-20 - Tested & informed ME that patch does not resolve any issues
  2016-11-15 - OpManager 12200 released.
  2016-11-18 - Retested & contacted ME confirming that Performance Graph XSS
               is harder to trigger, but otherwise all issues remain in latest
               version. Reminded ME that 90 days had passed and that details
               would be made public.
  2016-11-18 - Received acknowledgement
  2016-11-20 - Public disclosure