ManageEngine EventLog Analyser Privilege Escalation (CVE-2020-10815)

Perspective Risk Discovers Vulnerability in Popular SIEM Product
EventLog Analyzer is ManageEngine’s log management, auditing and compliance software. During our internal security engagements we frequently encounter ManageEngine products, and they are often a rich source of information during enumeration. Historically, ManageEngine’s product range has suffered from a number of serious vulnerabilities, as is evident from the number of CVEs (Common Vulnerabilities and Exposures) assigned to it.
As a low-privileged user it is possible to abuse the “Import Log Data” function to import an arbitrary file from the server’s file system, including the configuration file that holds EventLog Analyzer’s user authentication hashes. The directory traversal is not limited to the ManageEngine installation directory: arbitrary locations can be specified, such as an SSH “authorized_keys” file or even the shadow file, because the default installation runs with root/SYSTEM-level privileges. This would potentially allow a threat actor not only to elevate privileges within the application but to compromise the underlying operating system as well.
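The root cause described above is an import path that is never checked against the directory it is supposed to be confined to. The following Python is an added example written for this page, not code from ManageEngine or from the advisory, showing the containment check a file-import feature needs: the user-supplied path is resolved with os.path.realpath and then required to sit under the import directory, which catches “..” components, absolute paths and symlinks that point outside. The directory names and sample paths are constructed for the demonstration.

```python
import os
import tempfile


class PathTraversalError(ValueError):
    """Raised when a user-supplied import path escapes the permitted directory."""


def resolve_import_path(base_dir: str, requested: str) -> str:
    """Return the canonical path for `requested` if it lies inside `base_dir`.

    The comparison is made on fully resolved paths (os.path.realpath) so that
    both '..' components and symlinks pointing outside the directory are caught.
    """
    base = os.path.realpath(base_dir)
    # An import path supplied by the user must be relative to the import
    # directory; an absolute path such as /etc/shadow is rejected outright.
    if os.path.isabs(requested):
        raise PathTraversalError(f"absolute path not allowed: {requested!r}")
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath rather than str.startswith: a base of /srv/imports must not
    # accept /srv/imports-old/x.log.
    if os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError(f"path escapes import directory: {requested!r} -> {candidate}")
    return candidate


def is_contained(base_dir: str, requested: str) -> bool:
    """True if `requested` would be accepted for import from `base_dir`."""
    try:
        resolve_import_path(base_dir, requested)
        return True
    except ValueError:  # PathTraversalError, and ValueError for embedded NUL bytes
        return False


def demo_results() -> dict:
    """Exercise the check against a constructed directory layout; returns verdicts per sample."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        imports = os.path.join(root, "imports")
        os.makedirs(imports)
        with open(os.path.join(imports, "app.log"), "w") as fh:
            fh.write("constructed log line\n")
        secret = os.path.join(root, "secret.txt")  # stands in for a file outside the import dir
        with open(secret, "w") as fh:
            fh.write("not for import\n")
        # A symlink inside the import directory that points outside it.
        os.symlink(secret, os.path.join(imports, "link"))

        samples = ["app.log", "sub/../app.log", "../secret.txt",
                   "a/../../secret.txt", "link", "/etc/shadow"]
        for sample in samples:
            results[sample] = "ok" if is_contained(imports, sample) else "rejected"
    return results


if __name__ == "__main__":
    for path, verdict in demo_results().items():
        print(f"{path:22} {verdict}")
```

The symlink case is the one most implementations miss: a check on the unresolved string “imports/link” passes, but the resolved target is outside the directory. Doing the containment test on realpath output closes that gap at the cost of one extra lstat per path component.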
The following HTTP Request demonstrates a vulnerable path:

Once “auth-conf.xml” has been imported it is automatically parsed by EventLog Analyzer, which makes it awkward to retrieve and view the file in its raw form; however, searching the imported data for the string “MD5” reveals usernames and password hashes together with their salts.

User password hashes are stored as salted MD5 digests, Base64-encoded. Because the salt values are disclosed alongside the hashes, offline dictionary or brute-force cracking is straightforward: MD5 is a fast hash, and with the salt known each candidate password costs a single MD5 computation. This issue was discovered in EventLog Analyzer 12.1.2 (the latest version at the time of discovery); older versions may also be vulnerable. The vendor has issued a patch (12.1.25), which is publicly available from ManageEngine’s EventLog Analyzer download page.
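To make the point about disclosed salts concrete, the following Python is an added example for this page, not code from the advisory or the product: it takes records of the form described above (username, salt, Base64-encoded MD5) and runs an offline dictionary attack against them. The records and wordlist are constructed for the demonstration, and since the page does not state how the product concatenates salt and password, both orders are tried; that ordering is an assumption, as is the record layout.

```python
import base64
import hashlib
from typing import Iterable, Optional, Tuple


def md5_b64(data: bytes) -> str:
    """MD5 digest, Base64-encoded: the storage format described in the advisory."""
    return base64.b64encode(hashlib.md5(data).digest()).decode("ascii")


def make_record(username: str, password: str, salt: str, salt_first: bool = True) -> dict:
    """Fabricate a constructed sample record (not real product data).

    Whether the salt goes before or after the password is an assumption here.
    """
    combined = (salt + password) if salt_first else (password + salt)
    return {"user": username, "salt": salt, "hash": md5_b64(combined.encode())}


def crack(record: dict, wordlist: Iterable[str]) -> Optional[Tuple[str, str]]:
    """Offline dictionary attack on one record using its disclosed salt.

    With the salt known there is no salt space left to search: each candidate
    costs one MD5 per concatenation order tried. Returns (password, order)
    or None if the wordlist does not contain the password.
    """
    salt = record["salt"].encode()
    target = record["hash"]
    for word in wordlist:
        w = word.encode()
        for order, data in (("salt+password", salt + w), ("password+salt", w + salt)):
            if md5_b64(data) == target:
                return word, order
    return None


def crack_all(records: Iterable[dict], wordlist: Iterable[str]) -> dict:
    """Return {username: recovered password} for every record the wordlist covers."""
    words = list(wordlist)
    found = {}
    for rec in records:
        hit = crack(rec, words)
        if hit:
            found[rec["user"]] = hit[0]
    return found


# Constructed sample data: two weak passwords and one the wordlist does not contain.
SAMPLE_RECORDS = [
    make_record("admin", "Password1", "7c3e"),
    make_record("operator", "Summer2020", "9af1", salt_first=False),
    make_record("svc_backup", "x$9!kQ2#vLm8pR", "51d0"),
]

SAMPLE_WORDLIST = ["123456", "password", "Password1", "Welcome1", "Summer2020", "admin"]


if __name__ == "__main__":
    print(crack_all(SAMPLE_RECORDS, SAMPLE_WORDLIST))
```

The salt still prevents a single precomputed table from covering every account, but that is all it does: a fast hash plus a known salt leaves the password strength of each individual account as the only defence, which is why a purpose-built password hash (bcrypt, scrypt, Argon2) with a tunable work factor is the appropriate replacement.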
Vulnerability Disclosure Timeline
04/02/2020 – Vulnerability found and disclosed to the vendor
04/02/2020 – Vendor acknowledgement
20/03/2020 – Patch released – 12.1.25
20/03/2020 – Bug Closed by ManageEngine
26/03/2020 – Vulnerability Published