On 19 Aug 2014 17:55, "Pedro Ribeiro" <[email protected]> wrote:
>
> TL;DR
> CVE-2014-3996 / CVE-2014-3997
> Blind SQL injection in ManageEngine Desktop Central, Password Manager
> Pro and IT360 (including MSP versions)
> Scroll to the bottom for the Metasploit module link; the module will
> be submitted to Metasploit proper in a pull request in the next few
> days.
>
> ==========================================================================
> >> Blind SQL injection in ManageEngine Desktop Central, Password Manager Pro and IT360 (including MSP versions)
> >> Discovered by Pedro Ribeiro ([email protected]), Agile Information Security
> ==========================================================================
>
>
> >> Background on the affected products:
> "Desktop Central is an integrated desktop & mobile device management
> software that helps in managing the servers, laptops, desktops,
> smartphones and tablets from a central point. It automates your
> regular desktop management routines like installing patches,
> distributing software, managing your IT Assets, managing software
> licenses, monitoring software usage statistics, managing USB device
> usage, taking control of remote desktops, and more."
>
> "Password Manager Pro is a secure vault for storing and managing
> shared sensitive information such as passwords, documents and digital
> identities of enterprises."
>
> "Managing mission critical business applications is now made easy
> through ManageEngine IT360. With agentless monitoring methodology,
> monitor your applications, servers and databases with ease. Agentless
> monitoring of your business applications enables you high ROI and low
> TOC. With integrated network monitoring and bandwidth utilization,
> quickly troubleshoot any performance related issue with your network
> and assign issues automatically with ITIL based ServiceDesk
> integration."
>
> These products have managed service providers (MSP) versions which are
> used to control the desktops and smartphones of several clients.
> Quoting the author of the Internet Census 2012: "As a rule of thumb,
> if you believe that "nobody would connect that to the Internet, really
> nobody", there are at least 1000 people who did."
> These vulnerabilities can be abused to achieve remote code execution
> as SYSTEM in Windows or as the user in Linux. Needless to say, owning
> a Desktop Central / IT360 box will give you control of all the
> computers and smartphones it manages, while owning Password Manager
> Pro will give you a treasure trove of passwords.
>
> >> Technical details:
> The two blind SQL injections described below have been present in
> Desktop Central, Password Manager Pro and IT360 in all releases since
> 2006. They can only be triggered via a GET request, which means you
> can only inject around 8000 characters at a time.
>
> #1
> Vulnerability:
> Blind SQL injection in LinkViewFetchServlet (unauthenticated on DC/PMP
> / authenticated on IT360)
> CVE-2014-3996
>
> Affected products / versions:
> - ManageEngine Desktop Central (DC) [MSP]: all versions from v4 up to
> v9 build 90033
> - ManageEngine Password Manager Pro (PMP) [MSP]: all versions from v5
> to version 7 build 7002
> - ManageEngine IT360 [MSP]: all versions from v8 to v10.1.1 build 10110
> This affects all versions of the products released since 19-Apr-2006.
> Other ManageEngine products might be affected.
>
> Constraints:
> - DC: no authentication or any other information needed
> - PMP: no authentication or any other information needed
> - IT360: valid user account needed
>
> Proof of concept:
>
> DC / PMP:
> GET /LinkViewFetchServlet.dat?sv=[SQLi]
>
> IT360:
> GET /console/LinkViewFetchServlet.dat?sv=[SQLi]
>
>
> #2
> Vulnerability:
> Blind SQL injection in MetadataServlet (unauthenticated on PMP /
> authenticated on IT360)
> CVE-2014-3997
>
> Affected products / versions:
> - ManageEngine Password Manager Pro (PMP) [MSP]: all versions from v5
> to version 7 build 7003
> - ManageEngine IT360 [MSP]: all versions from v8 to v10.1.1 build 10110
> This affects all versions of the products released since 03-Apr-2008.
> Other ManageEngine products might be affected.
>
> Constraints:
> - PMP: no authentication or any other information needed
> - IT360: valid user account needed
>
> Proof of concept:
>
> PMP:
> GET /MetadataServlet.dat?sv=[SQLi]
>
> IT360:
> GET /console/MetadataServlet.dat?sv=[SQLi]
>
> ==========================================================================
> A full text version of this advisory can be found in my repo:
> https://raw.githubusercontent.com/pedrib/PoC/master/me_dc_pmp_it360_sqli.txt
>
> A Metasploit module that exploits this vulnerability can also be found
> in my repo:
> https://raw.githubusercontent.com/pedrib/PoC/master/msf_modules/manageengine_dc_pmp_sqli.rb
>
> Regards,
> Pedro
I realised the advisory is not explicit as to what the fixed versions are, so here it is:

Fix:
Upgrade to DC v9 build 90043; PMP v7 build 7003; IT360 v10.3.3 build 10330

The advisory in my repo has also been updated:
https://raw.githubusercontent.com/pedrib/PoC/master/me_dc_pmp_it360_sqli.txt

Regards
Pedro

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
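As an added example (not part of the advisory, the Metasploit module, or any ManageEngine code), a small Python helper for the defender's side of this thread: it checks an installed build against the fixed builds named in the Fix line above, and scans web-server access-log lines for GET requests to the two servlet paths whose sv parameter carries SQL metacharacters. The log lines are constructed, combined log format is assumed, and the build-number comparison assumes builds increase monotonically across versions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# First non-vulnerable build per product, from the "Fix:" line in the reply.
FIXED_BUILD = {"DC": 90043, "PMP": 7003, "IT360": 10330}

# Servlet paths named in the advisory; IT360 serves them under /console/.
SINK_PATH = re.compile(
    r"^(?:/console)?/(?:LinkViewFetchServlet|MetadataServlet)\.dat$", re.I)

# Cheap markers of an injection attempt in the 'sv' value; tune to your own
# false-positive tolerance.  A legitimate sv value should contain none of these.
SQL_HINT = re.compile(
    r"(?i)(?:'|--|/\*|\b(?:or|and|select|union|sleep|waitfor|pg_sleep)\b)")

# Request line inside a combined-format access log entry (assumed format).
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def is_vulnerable(product, build):
    """True if the installed build predates the fixed build for that product."""
    return build < FIXED_BUILD[product]


def suspicious_request(line):
    """Return (path, decoded sv) for a GET to a sink path whose sv parameter
    looks like SQL, else None."""
    m = LOG_RE.search(line)
    if not m or m.group("method") != "GET":
        return None
    url = urlsplit(m.group("target"))
    if not SINK_PATH.match(url.path):
        return None
    sv = parse_qs(url.query).get("sv", [""])[0]   # parse_qs URL-decodes
    return (url.path, sv) if SQL_HINT.search(sv) else None


def scan(lines):
    """Return every suspicious (path, sv) pair found in the given log lines."""
    return [hit for hit in map(suspicious_request, lines) if hit]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Aug/2014:17:55:01 +0000] "GET /LinkViewFetchServlet.dat?sv=1%27%20AND%20%271%27%3D%271 HTTP/1.1" 200 12',
    '10.0.0.6 - - [19/Aug/2014:17:55:02 +0000] "GET /console/MetadataServlet.dat?sv=abc123 HTTP/1.1" 200 54',
    '10.0.0.7 - - [19/Aug/2014:17:55:03 +0000] "POST /MetadataServlet.dat HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Only the first sample line is flagged: it targets a sink path via GET and its decoded sv value contains a quote and an AND; the benign sv value and the non-GET request pass through.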
