what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

ManageEngine EventLog Analyzer 9.9 Authorization / Code Execution

ManageEngine EventLog Analyzer 9.9 Authorization / Code Execution
Posted Sep 1, 2014
Authored by Hans-Martin Muench

ManageEngine EventLog Analyzer version 9.9 suffers from unauthenticated remote code execution via shell upload and authorization vulnerabilities.

tags | exploit, remote, shell, vulnerability, code execution
advisories | CVE-2014-6037
SHA-256 | a0c98cac5f5fd141c8b87fb1b8f63391779ddd21923531556150cd799b862ef7

ManageEngine EventLog Analyzer 9.9 Authorization / Code Execution

Change Mirror Download
Mogwai Security Advisory MSA-2014-01
----------------------------------------------------------------------
Title:              ManageEngine EventLog Analyzer Multiple Vulnerabilities
Product:            ManageEngine EventLog Analyzer   
Affected versions:  EventLog Analyzer 9.9 (Build 9002) on Windows/Linux
Impact:             critical
Remote:             yes
Product link:       https://www.manageengine.com/products/eventlog/
Reported:           18/04/2013
by:                 Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench)


Vendor's Description of the Software:
----------------------------------------------------------------------
EventLog Analyzer provides the most cost-effective Security Information and
Event Management (SIEM) software on the market. Using this Log Analyzer
software, organizations can automate the entire process of managing terabytes
of machine generated logs by collecting, analyzing, searching, reporting,
and archiving from one central location. This event log analyzer software
helps to mitigate internal threats, conduct log forensics analysis, monitor
privileged users and comply to different compliance regulatory bodies
by intelligently analyzing your logs and instantly generating a variety of
reports like user activity reports, regulatory compliance reports,
historical trend reports, and more.


Business recommendation:
----------------------------------------------------------------------
During a penetration test, multiple vulnerabilities have been identified
that are based on severe design/implementation flaws in the application.
It is highly recommended not to use this software until a thorough
security review has been performed by security professionals and all
identified issues have been resolved.


Vulnerability description:
----------------------------------------------------------------------
1) Unauthenticated remote code execution
ME EventLog Analyzer contains a "agentUpload" servlet which is used by Agents
to send log data as zip files to the central server. Files can be uploaded
without
authentication and are stored/decompressed in the "data" subdirectory.

As the decompress procedure is handling the file names in the ZIP file in a
insecure way it is possible to store files in the web root of server. This can
be used to upload/execute code with the rights of the application server.

2) Authorization issues
The EventLog Analyzer web interface does not check if an authenticated has
sufficient permissions to access certain parts of the application. A low
privileged
user (for example guest) can therefore access critical sections of the web
interface,
by directly calling the corresponding URLs. This can be used to access the
database
browser of the application which gives the attacker full access to the database.


Proof of concept:
----------------------------------------------------------------------
1) Unauthenticated remote code execution


- Create a malicious zip archive with the help of evilarc[1]
evilarc.py -d 2 -o unix -p webapps/event cmdshell.jsp
- Send the malicious archive to the agentUpload servlet
curl -F "payload=@evil.zip" https://172.16.37.131:8400/agentUpload
- Enjoy your shell
https://172.16.37.131:8400/cmdshell.jsp

A working Metasploit module will be released next week.


2) Authorization issues
- Log in as a low privileged user (for example guest/guest)
- Directly call the URL of the database browser
https://xxx.xxx.xxx.xxx:8400/event/runQuery.do


Vulnerable / tested versions:
----------------------------------------------------------------------
EventLog Analyzer 8.2 (Build 8020) (Windows)
EventLog Analyzer 8.2 (Build 8020) (Linux)
EventLog Analyzer 9.0 (Build 9002) (Windows)
EventLog Analyzer 9.0 (Build 9002) (Linux)

Other versions might also be vulnerable.


Disclosure timeline:
----------------------------------------------------------------------
14/04/2013: Vulnerability discovery
18/04/2013: Informed vendor via ManageEngine Security Response Center (MESRC)
Form
23/04/2013: Second try to contact MESRC, as we didn't receive any response from
the first try.
23/04/2013: Response from vendor, they wait on some feedback from the
development team
10/05/2013: Response from vendor, saying that this is rather a issue than a
vulnerability, will fix it anyway
13/05/2013: Technical details including a working proof of concept send
ManageEngine.
13/05/2013: Vendor response, say that they forward it to the development team
24/05/2013: Vendor response, saying that they will fix it in 2013 as they are
"tightly scheduled on other priorities"
24/05/2013: Response from us, asking if we will be informed when the
vulnerability is fixed
28/05/2013: Response from ManageEngine, saying that we must subscribe to their
newsletter for release information
05/09/2013: Verification that exploit is still working with the current version
30/08/2014: Verification that exploit is still working with the current version
31/08/2014: Public release

Solution:
----------------------------------------------------------------------
No known solution

Workaround:
----------------------------------------------------------------------
1) Unauthenticated remote code execution
If agents are not used to collect log information, access to the servlet
can be disabled by commenting out the following lines in the web.xml file
(webapps/event/WEB-INF/web.xml) and restart the service.


agentUpload
com.adventnet.sa.agent.UploadHandlerServlet


agentUpload
/agentUpload



2) Authorization issues
No workaround, reduce the attack surface by disabling unused low privileged
accounts like "guest".


Advisory URL:
----------------------------------------------------------------------
https://www.mogwaisecurity.de/en/lab/advisories/


References
----------------------------------------------------------------------
[1] evilarc
https://github.com/ptoomey3/evilarc

----------------------------------------------------------------------
Mogwai, IT-Sicherheitsberatung Muench
Steinhoevelstrasse 2/2
89075 Ulm (Germany)

info@mogwaisecurity.de


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close