{"id":7975,"date":"2017-06-16T14:19:31","date_gmt":"2017-06-16T22:19:31","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/06\/16\/news-1756\/"},"modified":"2017-06-16T14:19:31","modified_gmt":"2017-06-16T22:19:31","slug":"news-1756","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/06\/16\/news-1756\/","title":{"rendered":"SSD Advisory \u2013  ManageEngine Code Execution"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz | Date: Fri, 16 Jun 2017 18:46:58 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Want to get paid for a vulnerability similar to this one?<\/strong><br \/>Contact us at: <a href=\"mailto:ssd@beyondsecurity.com\">ssd@beyondsecurity.com<\/a><\/p>\n<div class=\"pf-content\">\n<p><strong>Vulnerability Summary<\/strong><br \/> The following advisory describes an Unrestricted File Upload vulnerability that leads to Code Execution, found in ManageEngine Firewall Analyzer and ManageEngine OpManager.<\/p>\n<p>ManageEngine Firewall Analyzer is a browser-based firewall\/VPN\/proxy server reporting solution that uses a built-in syslog server to store, analyze, and report on these logs. Firewall Analyzer provides daily, weekly, monthly, and yearly reports on firewall traffic, security breaches, and more. This helps network administrators to proactively secure networks before security threats arise, avoid network abuses, manage bandwidth requirements, monitor web site visits, and ensure appropriate usage of networks by employees.<\/p>\n<p>ManageEngine OpManager is a comprehensive network monitoring software that provides the network administrators with an integrated console for managing routers, firewalls, servers, switches, and printers. 
OpManager offers extensive fault management and performance management functionality. It provides handy but powerful Customizable Dashboards and CCTV views that display the immediate status of your devices, at-a-glance reports, business views, etc. OpManager also provides a lot of out-of-the-box graphs and reports, which give a wealth of information to the network administrators about the health of their networks, servers and applications.<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security researcher, Yasser Ali (<a href=\"https:\/\/yasserali.com\" target=\"_blank\">https:\/\/yasserali.com<\/a>), has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Vendor response<\/strong><br \/> ManageEngine has released patches to address these vulnerabilities and issued the following advisory: <a href=\"https:\/\/desk.zoho.com\/portal\/manageengine\/kb\/articles\/latest-consolidated-patch\" target=\"_blank\">https:\/\/desk.zoho.com\/portal\/manageengine\/kb\/articles\/latest-consolidated-patch<\/a><\/p>\n<p><span id=\"more-3228\"><\/span><\/p>\n<p><strong>Vulnerability Details<\/strong><br \/> Firewall Analyzer is vulnerable to an unrestricted File Upload vulnerability found in the \u201cGroup Chat\u201d section. The purpose of \u201cGroup Chat\u201d is for team members to share their ideas and chat with each other; that section has an upload functionality to enable team members to upload attachments such as screenshots, etc.<\/p>\n<p>The upload functionality allows any user to upload files with any extension. 
By uploading a PHP file to the server, an attacker can cause it to execute in the server context.<\/p>\n<p>Firewall Analyzer Group Chat<br \/> <a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/05\/ManageEngine-Chat-Group-page-interface.jpg\" data-slb-active=\"1\" data-slb-asset=\"1070633190\" data-slb-internal=\"0\" data-slb-group=\"3228\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/05\/ManageEngine-Chat-Group-page-interface-300x196.jpg\" alt=\"\" width=\"300\" height=\"196\" class=\"alignnone size-medium wp-image-3230\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/05\/ManageEngine-Chat-Group-page-interface-300x196.jpg 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/05\/ManageEngine-Chat-Group-page-interface.jpg 642w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p><strong>Proof of Concept<\/strong><br \/> An attacker can send the following POST request with a crafted executable:<\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/05\/ManageEngine-Figure-2.jpg\" data-slb-active=\"1\" data-slb-asset=\"450916939\" data-slb-internal=\"0\" data-slb-group=\"3228\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/05\/ManageEngine-Figure-2-300x167.jpg\" alt=\"\" width=\"300\" height=\"167\" class=\"alignnone size-medium wp-image-3231\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/05\/ManageEngine-Figure-2-300x167.jpg 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/05\/ManageEngine-Figure-2.jpg 679w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>The server will respond with the following message:<\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/05\/ManageEngine-Figure-3.jpg\" data-slb-active=\"1\" data-slb-asset=\"1679461074\" data-slb-internal=\"0\" 
data-slb-group=\"3228\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/05\/ManageEngine-Figure-3-300x142.jpg\" alt=\"\" width=\"300\" height=\"142\" class=\"alignnone size-medium wp-image-3232\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/05\/ManageEngine-Figure-3-300x142.jpg 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/05\/ManageEngine-Figure-3.jpg 665w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>The Firewall Analyzer has a client-side implementation as shown below:<\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/05\/ManageEngine-Figure-4.jpg\" data-slb-active=\"1\" data-slb-asset=\"1980108385\" data-slb-internal=\"0\" data-slb-group=\"3228\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/05\/ManageEngine-Figure-4-300x128.jpg\" alt=\"\" width=\"300\" height=\"128\" class=\"alignnone size-medium wp-image-3233\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/05\/ManageEngine-Figure-4-300x128.jpg 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/05\/ManageEngine-Figure-4.jpg 642w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>This generates the following HTML5 code:<br \/> &lt;a href=&quot;\/itplus\/FileStorage\/302\/shell.jsp&quot; target=&quot;_blank&quot; download=&quot;shell.jsp&quot;&gt;shell.jsp(0KB)&lt;\/a&gt;<\/p>\n<p>Upon accessing this URL, an attacker will cause the server to render (run) the php file:<\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/05\/ManageEngine-Figure-5.jpg\" data-slb-active=\"1\" data-slb-asset=\"629961681\" data-slb-internal=\"0\" data-slb-group=\"3228\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/05\/ManageEngine-Figure-5-300x102.jpg\" alt=\"\" width=\"300\" 
height=\"102\" class=\"alignnone size-medium wp-image-3234\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/05\/ManageEngine-Figure-5-300x102.jpg 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/05\/ManageEngine-Figure-5.jpg 569w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Checking our current privileges from within the php script shell shows that the current user is root.<\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/05\/ManageEngine-Figure-6.jpg\" data-slb-active=\"1\" data-slb-asset=\"227040676\" data-slb-internal=\"0\" data-slb-group=\"3228\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/05\/ManageEngine-Figure-6-300x80.jpg\" alt=\"\" width=\"300\" height=\"80\" class=\"alignnone size-medium wp-image-3235\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/05\/ManageEngine-Figure-6-300x80.jpg 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/05\/ManageEngine-Figure-6.jpg 586w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3228\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/05\/ManageEngine-Chat-Group-page-interface-300x196.jpg\"\/><\/p>\n<p><strong>Credit to Author: SSD \/ Maor Schwartz | Date: Fri, 16 Jun 2017 18:46:58 +0000<\/strong><\/p>\n<p>Vulnerability Summary The following advisory describes 
Unrestricted File Upload vulnerability that leads to Code Execution found in ManageEngine Firewall Analyzer and ManageEngine OpManager. ManageEngine Firewall Analyzer is a browser-based firewall\/VPN\/proxy server reporting solution that uses a built-in syslog server to store, analyze, and report on these logs. Firewall Analyzer provides daily, weekly, monthly, and yearly &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3228\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013  ManageEngine Code Execution<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[11909,10757,12686],"class_list":["post-7975","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-code-execution","tag-securiteam-secure-disclosure","tag-unrestricted-file-upload"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7975","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=7975"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7975\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=7975"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=797
5"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=7975"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}