ManageEngine Disclosure #2

By Fortra's Digital Defense

Digital Defense is disclosing multiple additional vulnerabilities identified on various ManageEngine applications discovered by our Vulnerability Research Team (VRT).  We commend ManageEngine for their prompt response to the identified flaws and their engineering team’s work with VRT to provide fixes for these cyber security issues.

ManageEngine has provided patches for each of the vulnerabilities identified on the applications. The patched applications can be downloaded from ManageEngine’s website.

Clients who currently use Digital Defense’s Frontline Vulnerability Manager™ platform can sweep for the presence of these issues via Vulnerability Management: performing a full vulnerability assessment scan or selecting CVC’s  ManageEngine Applications Manager Multiple Vulnerabilities (123566) and ManageEngine EventLog Analyzer Remote Code Execution (123571).

Details of the vulnerabilities are as follows:

 

Summary:

DDI-VRT-2018-10 - Unauthenticated File Upload Remote Code Execution via /agentUpload

DDI-VRT-2018-11 - Unauthenticated Blind SQL Injection via /servlet/aam_servercmd

DDI-VRT-2018-12 - Multiple Unauthenticated Blind SQL Injections via /servlet/SyncEventServlet

DDI-VRT-2018-13 - Unauthenticated Local File Inclusion via /servlet/FailOverHelperServlet

DDI-VRT-2018-14 - Unauthenticated Blind SQL Injection via /servlet/MenuHandlerServlet

DDI-VRT-2018-15 - Unauthenticated API Key Disclosure via /servlet/OPMRequestHandlerServlet

 

Details:

Vulnerability: Unauthenticated File Upload Remote Code Execution via /agentUpload

Impact: Remote code execution with the same privileges as the user that started the Eventlog.

Application/Version Affected:

EventLog Analyzer 11.8 (Build 11080)

Log360 5.3 (Build 5036)

 

Details: The com.adventnet.sa.agent.UploadHandlerServlet class can be accessed via POST requests to /agentUpload. The servlet expects a multipart POST request containing a zip file and a "chksum" parameter containing an encrypted MD5 checksum of the uploaded zip file. The servlet decrypts the "chksum" parameter using the "decrypt" method of the EnDecryptImpl class. After decrypting the user supplied MD5 checksum, the servlet generates its own MD5 checksum of the uploaded zip file and compares the two values. If the comparison fails, the uploaded file is deleted. If the comparison is successful the uploaded filename is processed by the com.adventnet.sa.server.agent.DataProcessor class.

The "unzipFile" method of the DataProcessor class extracts the zip file and checks to see if at least one string from a set of strings is in the filename before writing the file. The list of strings used for the comparison is related to the types of files the class expects to be processing. No authentication is required to access the UploadHandlerServlet via /agentUpload, the "chksum" parameter is encrypted using a static key and no sanitation is done on the filenames in the uploaded zip before extracting them. This can all be leveraged to upload a JSP web shell with a filename containing a directory traversal sequence which will cause the web shell to be written to the web root when extracted by the DataProcessor class.

 

Vulnerability: Unauthenticated Blind SQL Injection via /servlet/aam_servercmd

Impact: Full compromise of the Applications Manager application which can be leveraged to execute arbitrary code as SYSTEM when running on Windows, resulting in full host compromise.

Application/Version Affected:

Applications Manager 13 (Build 13420)

Details: The com.adventnet.appmanager.servlets.comm.AAMRequestProcessor servlet can be accessed via a GET or POST request to /servlet/aam_servercmd without authentication. The AAMRequestProcessor servlet first checks to see if the build number supplied via the "bn" request parameter matches the build number of the current installation of Applications Manager. The build number of the targeted Applications Manager application can be found at the bottom of the login page at /index.do. AAMRequestProcessor also checks that the "time_stamp" and "port" request parameters are numbers. To get to the "addMAS" method of CommDBUtil, the "command" parameter should be set to "Register_Me_MAS" and the Applications Manager server should be configured as an admin server. The request parameters are converted to a Map and passed as an argument to the "addMAS" method of CommDBUtil where the "globalrange" request parameter is used directly in a SQL query without validation.

 

Vulnerability: Multiple Unauthenticated Blind SQL Injections via /servlet/SyncEventServlet

Impact: Full compromise of the Applications Manager application which can be leveraged to execute arbitrary code as SYSTEM when running on Windows, resulting in full host compromise.

Application/Version Affected:

Applications Manager 13 (Build 13420)

Details: The SyncEventServlet class can be accessed by either a GET or POST request to /servlet/SyncEventServlet. If the installation of Applications Manager is running as an admin server and the "operation" request parameter is set to "checkEventSynch", then the "entity" request parameter will be used directly in a SQL query, without sanitization. Additionally, if Applications Manager is running as a managed server and the "operation" request parameter is set to "setPushModelStatus", then the "EventID" request parameter will be used directly in a SQL query without sanitization.

 

Vulnerability: Unauthenticated Local File Inclusion via /servlet/FailOverHelperServlet

Impact: Sensitive information disclosure.

Application/Version Affected:

Applications Manager 13 (Build 13420)

Details: The FailOverHelperServlet class can be accessed by sending a POST request to /servlet/FailOverHelperServlet, no authentication required. If the "operation" request parameter is set to "copyfile", the servlet will pass the value of the "fileName" request parameter to the copyFile method. The copyFile method performs some basic filtering on the value of the "fileName" request parameter, including checking for directory traversal sequences and limiting the path to the "working" subdirectory of the Applications Manager install directory. Additionally, it will only retrieve the file if it's been modified since the last time it was downloaded. However, the working directory can contain interesting files, such as the Postgresql database data files, when configured to use the built-in Postgres database. Additionally, there is a "listdirectory" operation in this servlet that will return a list of files and directories in the "working" directory, making it relatively easy to find potentially interesting files to download.

 

Vulnerability: Unauthenticated Blind SQL Injection via /servlet/MenuHandlerServlet

Impact: Full compromise of the Applications Manager application which can be leveraged to execute arbitrary code as SYSTEM when running on Windows, resulting in full host compromise.

Application/Version Affected:

Applications Manager 13 (Build 13420)

Details: The MenuHandlerServlet servlet can be accessed via a GET or POST request to /servlet/MenuHandlerServlet without authentication. If the "action" request parameter is set to "verticalmenulist" the value of the "config_id" request parameter will be passed to the "getVerticalMenus" method. The "getVerticalMenus" method uses the value of "config_id" directly in a SQL query without fully validating it.

 

Vulnerability: Unauthenticated API Key Disclosure via /servlet/OPMRequestHandlerServlet

Impact: Full compromise of the Applications Manager application which can be leveraged to execute arbitrary code as SYSTEM when running on Windows, resulting in full host compromise.

Application/Version Affected:

Applications Manager 13 (Build 13420)

Details: A GET request to /servlet/OPMRequestHandlerServlet where the "OPERATION_TYPE" request parameter is set to "APM_API_KEY_REQUEST" and the "USERNAME" request parameter is set to any valid user will return that user's API key. Depending on the privilege level of the compromised user, this could result in full compromise of both the Applications Manager web application and the host running it.

Share This