Update March 21, 2018: Added additional vulnerabilities disclosed to ManageEngine that were excluded from the original blog post affecting several additional ManageEngine applications.
Digital Defense is disclosing multiple vulnerabilities identified on various ManageEngine applications discovered by our Vulnerability Research Team (VRT). We commend ManageEngine for their prompt response to the identified flaws and their engineering team’s work with VRT to provide fixes for these security issues.
ManageEngine has provided patches for each of the vulnerabilities identified on the applications. The patched applications can be downloaded from ManageEngine’s website.
Clients who currently use Fortra Vulnerability Management, a cloud-based SaaS platform, can sweep for the presence of these issues by performing a full vulnerability assessment scan or by selecting CVC’s ManageEngine OpManager Multiple Vulnerabilities (123568) and ManageEngine ServiceDesk Plus Remote Code Execution (123594).
Details of the vulnerabilities are as follows:
Summary:
DDI-VRT-2018-01 – Unauthenticated File Upload via /servlets/CmClientUtilServlet
DDI-VRT-2018-02 – Unauthenticated Blind SQL Injection via /servlets/RegisterAgent
DDI-VRT-2018-03 – Unauthenticated Blind SQL Injection via /servlets/StatusUpdateServlet and /servlets/AgentActionServlet
DDI-VRT-2018-04 – Multiple Unauthenticated Blind SQL Injections via /embedWidget
DDI-VRT-2018-05 – Unauthenticated XML External Entity Injection via /SNMPDiscoveryURL
DDI-VRT-2018-06 – Unauthenticated Blind SQL Injection via /unauthenticatedservlets/ELARequestHandler and /unauthenticatedservlets/NPMRequestHandler
DDI-VRT-2018-07 – User Enumeration via /servlets/ConfServlet
Details:
Vulnerability: Unauthenticated File Upload via /servlets/CmClientUtilServlet
Impact: Remote code execution as SYSTEM when running on Windows, leading to full host compromise.
Application/Version Affected:
ServiceDesk Plus MSP 9.3 (Build 9302)
ServiceDesk Plus 9.3 (Build 9328)
Details: CmClientUtilServlet can be accessed without authentication. If the “command” request parameter is set to “addAttachmentInfo”, the “addAttachmentInfo” method is called. This method does not check whether the “TYPE” request parameter contains a directory traversal sequence before using it in the path of the file it creates. The value of this parameter is also passed to the “addAttachments” method of the com.adventnet.servicedesk.kbase.util.AttachmentUtil class, which in turn calls the “moveAttachments” method of AttachmentUtil. When “moveAttachments” is called, it uses the value of the “TYPE” request parameter in the destination path, which can be leveraged to write the uploaded file to a remotely accessible directory. Additionally, since none of these methods check the file extension, this can be leveraged to upload a JSP web shell that can be used to run commands as SYSTEM, fully compromising the host running the ServiceDesk Plus application.
Vulnerability: Unauthenticated Blind SQL Injection via /servlets/RegisterAgent
Impact: Blind SQL injection can be leveraged to fully compromise the ManageEngine application and the host running the application.
Application/Version Affected:
OpManager 12.3 (Build 123002)
Firewall Analyzer 12.3 (Build 12.3.008)
Network Configuration Manager 12.3 (Build 12.3.008)
OpUtils 12.3 (Build 12.3.005)
NetFlow Analyzer 12.3 (Build 12.3.009)
Details: The com.manageengine.opmanager.agent.servlets.RegisterAgent class passes the GET request parameters to the doRegister method of the com.manageengine.opmanager.agent.RegisterAgentImpl class. The doRegister method passes the monagentID parameter to the getAgentKeyForHostName method of the com.manageengine.opmanager.agent.utils.AgentDetailsUtil class. The getAgentKeyForHostName method inserts the user-controlled value of monagentID directly into a SQL query without any sanitization.
Vulnerability: Unauthenticated Blind SQL Injection via /servlets/StatusUpdateServlet and /servlets/AgentActionServlet
Impact: Blind SQL injection can be leveraged to fully compromise the ManageEngine application and the host running the application.
Application/Version Affected:
OpManager 12.3 (Build 123002)
Firewall Analyzer 12.3 (Build 12.3.008)
Network Configuration Manager 12.3 (Build 12.3.008)
OpUtils 12.3 (Build 12.3.005)
NetFlow Analyzer 12.3 (Build 12.3.009)
Details: The com.manageengine.opmanager.agent.servlets.StatusUpdateServlet class passes the GET parameters to the updateAgentStatus method of the com.manageengine.opmanager.agent.AgentStatusHandler class. This method passes the agentKey GET parameter to the getDeviceNameForAgentKey method of the com.manageengine.opmanager.agent.utils.AgentDetailsUtil class which uses it directly in a SQL query without any sanitization. The getDeviceNameForAgentKey method can also be exploited via the com.manageengine.opmanager.agent.servlets.AgentActionServlet class if the “operation” request parameter is set to triggerFileMonitoringAlert.
Vulnerability: User Enumeration via /servlets/ConfServlet
Impact: Username and information disclosure.
Application/Version Affected:
OpManager 12.3 (Build 123002)
Firewall Analyzer 12.3 (Build 12.3.008)
Network Configuration Manager 12.3 (Build 12.3.008)
OpUtils 12.3 (Build 12.3.005)
NetFlow Analyzer 12.3 (Build 12.3.009)
Details: The ConfServlet class can be accessed via requests sent to /servlets/ConfServlet. If the DATA_REG query parameter is set to NOCUSER, the handleNocUserDetail method is called and will return a serialized Java HashMap containing local authentication user information, such as usernames, email addresses and phone numbers.
Vulnerability: Multiple Unauthenticated Blind SQL Injections via /embedWidget
Impact: Blind SQL injection can be leveraged to fully compromise the ManageEngine application and the host running the application.
Application/Version Affected:
OpManager 12.3 (Build 123002)
Firewall Analyzer 12.3 (Build 12.3.008)
Network Configuration Manager 12.3 (Build 12.3.008)
OpUtils 12.3 (Build 12.3.005)
NetFlow Analyzer 12.3 (Build 12.3.009)
Details: The com.manageengine.opmanager.servlet.EmbedAPIServlet class handles requests sent to /embedWidget and dispatches to different classes and methods depending on the value of the methodCall HTTP request parameter.
If methodCall is set to getBusinessViewDeviceList, EmbedAPIServlet calls the getBusinessViewDeviceList method of the com.adventnet.me.opmanager.server.api.handler.BusinessViewApiHandler class. This method passes the value of the bvName request parameter to the getDeviceListByBV method of the APIDBUtil class, where it is used in a SQL query.
If methodCall is set to getWidgetDeviceListForVendor, EmbedAPIServlet calls the getWidgetDeviceListForVendor method of the com.adventnet.me.opmanager.server.api.handler.DashboardApiHandler class. That method passes the value of the vendorid request parameter to the getWidgetDeviceListForVendor method of the APIDBUtil class, where it is used in a SQL query.
If methodCall is set to GMapDetails, EmbedAPIServlet calls the GMapDetails method of the MapsApiHandler class. The GMapDetails method passes the values of the deviceType and deviceName request parameters to the getGMapObjects method of the APIDBUtil class, where they are used in a SQL query.
No sanitization is performed on any of these parameters before they are used directly in a SQL query.
Vulnerability: Unauthenticated XML External Entity Injection via /SNMPDiscoveryURL
Impact: Information disclosure.
Application/Version Affected:
OpManager 12.3 (Build 123002)
Firewall Analyzer 12.3 (Build 12.3.008)
Network Configuration Manager 12.3 (Build 12.3.008)
OpUtils 12.3 (Build 12.3.005)
NetFlow Analyzer 12.3 (Build 12.3.009)
Details: The SNMPDiscoveryServlet accepts POST requests where the body is expected to be XML. The POST requests are handled by the doGet method which reads in the body of the POST request and attempts to parse it with the DocumentBuilderFactory class without first disabling doctypes. Not disallowing doctypes can allow an attacker to retrieve contents of files on the host running ManageEngine OpManager.
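The fix the advisory points at is to refuse DOCTYPE declarations before the parser ever sees an entity definition. The following is an added example, not ManageEngine code: it uses Python's expat binding to abort parsing the moment a DOCTYPE appears, then hands clean documents to ElementTree. The two XML documents are constructed samples; the element names are assumptions, not the real SNMPDiscoveryServlet schema.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


class DoctypeNotAllowed(ValueError):
    """Raised when an XML document carries a DOCTYPE declaration."""


def reject_doctype(data: bytes) -> None:
    """Scan the document with expat and abort as soon as a DOCTYPE appears.

    Entity declarations, internal or external, can only be introduced through a
    DOCTYPE, so refusing the declaration outright closes the XXE path.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise DoctypeNotAllowed(f"DOCTYPE {name!r} is not allowed in request bodies")

    parser.StartDoctypeDeclHandler = on_doctype
    # Exceptions raised inside a handler propagate out of Parse().
    parser.Parse(data, True)


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse an XML request body from an unauthenticated client, refusing any DOCTYPE."""
    reject_doctype(data)
    return ET.fromstring(data)


def is_accepted(data: bytes) -> bool:
    """True if the body parses under the no-DOCTYPE policy, False otherwise."""
    try:
        parse_untrusted_xml(data)
        return True
    except (DoctypeNotAllowed, xml.parsers.expat.ExpatError, ET.ParseError):
        return False


# Constructed samples (assumed element names, not the real discovery schema).
SAFE_DISCOVERY = b"<discovery><range start='10.0.0.1' end='10.0.0.50'/></discovery>"
# Carries a harmless internal entity; the policy rejects it because of the DOCTYPE alone.
DOCTYPE_DISCOVERY = (
    b"<!DOCTYPE discovery [<!ENTITY greeting 'hello'>]>"
    b"<discovery><note>&greeting;</note></discovery>"
)

if __name__ == "__main__":
    print("safe body accepted:", is_accepted(SAFE_DISCOVERY))        # True
    print("DOCTYPE body accepted:", is_accepted(DOCTYPE_DISCOVERY))  # False
```

The Java-side equivalent for the DocumentBuilderFactory named in the advisory is to set the feature http://apache.org/xml/features/disallow-doctype-decl to true on the factory before creating the builder; rejecting the declaration wholesale is simpler to audit than selectively disabling external entities and parameter entities.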
Vulnerability: Unauthenticated Blind SQL Injection via /unauthenticatedservlets/ELARequestHandler and /unauthenticatedservlets/NPMRequestHandler
Impact: Blind SQL injection can be leveraged to fully compromise the ManageEngine application and the host running the application.
Application/Version Affected:
OpManager 12.3 (Build 123002)
Firewall Analyzer 12.3 (Build 12.3.008)
Network Configuration Manager 12.3 (Build 12.3.008)
OpUtils 12.3 (Build 12.3.005)
NetFlow Analyzer 12.3 (Build 12.3.009)
Details: The com.adventnet.me.eventlog.ELARequestHandler servlet calls the getThemeForUser method when the “action” parameter is set to getTheme. The getThemeForUser method then calls the getThemeForUserName method of the OpManagerDBUtil class and passes it the value of the userName parameter from the GET request. The getThemeForUserName method uses the value of userName directly in a SQL query. The same path to getThemeForUserName is also reachable via /unauthenticatedservlets/NPMRequestHandler.
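The four blind SQL injection findings above (RegisterAgent's monagentID, StatusUpdateServlet's agentKey, the /embedWidget parameters, and the userName parameter here) all share one root cause: a request parameter is spliced into query text. The following is an added example, not ManageEngine code, using an in-memory SQLite table with constructed rows to contrast the flawed pattern with a bound parameter; the table and column names are assumptions standing in for the real theme lookup.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the application database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_theme (username TEXT PRIMARY KEY, theme TEXT)")
    conn.executemany(
        "INSERT INTO user_theme VALUES (?, ?)",
        [("admin", "dark"), ("operator", "light")],
    )
    return conn


def theme_for_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Mirrors the flaw described above: the parameter becomes part of the SQL text,
    so quote characters in it change the query's meaning."""
    query = f"SELECT theme FROM user_theme WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def theme_for_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Bound parameter: the driver sends the value separately from the statement,
    so it is only ever compared as data."""
    query = "SELECT theme FROM user_theme WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def row_count_difference(username: str) -> tuple:
    """How many rows each variant returns for the same input; a gap means the
    input altered the unsafe query's logic."""
    conn = make_db()
    return len(theme_for_user_unsafe(conn, username)), len(theme_for_user_safe(conn, username))


if __name__ == "__main__":
    # A benign name behaves identically in both variants.
    print(row_count_difference("admin"))                 # (1, 1)
    # A value containing a quote widens the unsafe query to every row.
    print(row_count_difference("nobody' OR '1'='1"))     # (2, 0)
```

In the Java code the advisory describes, the same correction is a PreparedStatement with a ? placeholder and setString() in place of string concatenation; the parameterized form also fixes the blind variant, because the attacker no longer controls any part of the statement that the database evaluates.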
UPDATE:
Two additional vulnerabilities disclosed to ManageEngine in January were excluded from the original blog post.
Clients who currently use the Fortra VM cloud-based SaaS platform can sweep for the presence of these issues by performing a full vulnerability assessment scan or selecting CVC’s ManageEngine Desktop Central and Patch Manager Plus Remote Code Execution (123564) and ManageEngine Multiple Products Sensitive Information Disclosure (123573).
ManageEngine has provided patches for each of the vulnerabilities identified on the applications. The patched applications can be downloaded from ManageEngine’s website.
Details of the vulnerabilities are below.
Summary:
DDI-VRT-2018-08 – Unauthenticated File Upload Remote Code Execution in FileUploadServlet
DDI-VRT-2018-09 – Unauthenticated Sensitive Information Disclosure via /logs/access_log.txt
Vulnerability: Unauthenticated Sensitive Information Disclosure via /logs/access_log.txt
Impact: Sensitive information disclosure, including valid HTTP session IDs. This information can be used to fully compromise the web application.
Application/Version Affected:
Exchange Reporter Plus 5.2 (Build 5204)
AD360 4.1 (Build 4116)
Cloud Security Plus 4.0 (Build 4006)
Details: The access_log.txt file contains basic HTTP request information for requests sent to the web application, including the session ID. If a privileged user has logged into the application recently, this information could be used by an attacker to hijack the privileged user's session and compromise the web application.
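Two defender-side checks follow from this finding: find out whether session identifiers are present in an access log at all, and mask them if the log must be kept. The following is an added example, not ManageEngine code. The advisory does not reproduce the layout of access_log.txt, so the sample lines are constructed in a common access-log shape where the session ID appears in a Cookie field or as a path parameter; the jsessionid naming is an assumption.

```python
import re

# Constructed sample lines, not real ManageEngine log output.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jan/2018:10:15:01 -0600] "GET /home.do HTTP/1.1" 200 5120 "JSESSIONID=A1B2C3D4E5F6A7B8"',
    '10.0.0.5 - - [12/Jan/2018:10:15:07 -0600] "GET /report.do;jsessionid=A1B2C3D4E5F6A7B8 HTTP/1.1" 200 812 "-"',
    '10.0.0.9 - - [12/Jan/2018:10:16:30 -0600] "GET /logs/access_log.txt HTTP/1.1" 200 40211 "-"',
]

# Session identifier as it appears in this constructed format (cookie or path parameter).
SESSION_PATTERN = re.compile(r"(jsessionid=)([A-Za-z0-9]+)", re.IGNORECASE)
# An unauthenticated read of the log file itself, the access path named in the advisory.
ACCESS_LOG_REQUEST = re.compile(r'"(?:GET|HEAD) /logs/access_log\.txt[ ?;]')


def extract_session_ids(line: str) -> list:
    """Every session identifier value present in one log line."""
    return [m.group(2) for m in SESSION_PATTERN.finditer(line)]


def redact_session_ids(line: str) -> str:
    """Keep the field name so the line stays parseable, drop the secret value."""
    return SESSION_PATTERN.sub(r"\g<1>[REDACTED]", line)


def exposed_session_report(lines) -> dict:
    """Map each session ID found in the log to the 1-based line numbers that carry it.
    A non-empty result means the log is leaking credentials-equivalent material."""
    report = {}
    for number, line in enumerate(lines, start=1):
        for sid in extract_session_ids(line):
            report.setdefault(sid, []).append(number)
    return report


def access_log_fetches(lines) -> list:
    """1-based line numbers of requests that retrieved the access log over HTTP."""
    return [n for n, line in enumerate(lines, start=1) if ACCESS_LOG_REQUEST.search(line)]


if __name__ == "__main__":
    print(exposed_session_report(SAMPLE_LOG))       # {'A1B2C3D4E5F6A7B8': [1, 2]}
    print(access_log_fetches(SAMPLE_LOG))           # [3]
    for line in SAMPLE_LOG:
        print(redact_session_ids(line))
```

Running exposed_session_report over an existing log answers whether a patched installation still has live session material on disk; access_log_fetches flags reads of the log path itself, which is the request pattern to hunt for in the window before the patch was applied.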
Vulnerability: Unauthenticated File Upload Remote Code Execution in FileUploadServlet
Impact: Arbitrary code execution as SYSTEM and full compromise of the host running Desktop Central. This can then be leveraged to compromise connected assets via the remote management functionality in Desktop Central.
Application/Version Affected:
Desktop Central 10 (Build 10.0.139)
Desktop Central MSP 10 (Build 10.0.147)
Patch Manager Plus 10 (Build 10.0.123)
Details: The FileUploadServlet can be accessed via a POST request to /fileupload. If the value of the "action" request parameter is set to "Registry_Upload", the remoteRegistryUpload method is called to handle the upload of a zip file. The uploaded zip file is extracted to a predictable path that can be accessed without authentication, and the contents of the zip file are not validated. This can be leveraged to upload a zip file containing a JSP web shell, which can run commands with SYSTEM privileges.
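Both file-upload findings in this advisory (the CmClientUtilServlet "TYPE" traversal in ServiceDesk Plus and the unvalidated zip contents in FileUploadServlet here) come down to trusting client-supplied path components and file types. The following is an added example, not ManageEngine code, showing the checks a hardened handler would apply: single-segment path components only, an extension allowlist that excludes server-executable types, a containment check on the final destination, and inspection of every archive entry before extraction. The upload root, allowlist and limits are assumptions; the archives are constructed in-code.

```python
import io
import zipfile
from pathlib import Path, PurePosixPath

# Assumed values: a root outside any web-served tree and an allowlist of benign types.
# None of these paths or names come from ManageEngine.
UPLOAD_ROOT = Path("/var/app/uploads")
ALLOWED_EXTENSIONS = {".txt", ".log", ".csv", ".png"}
MAX_ZIP_ENTRIES = 200
MAX_ZIP_BYTES = 50 * 1024 * 1024


class UploadRejected(ValueError):
    """Raised when a client-supplied path or archive fails validation."""


def safe_component(value: str) -> str:
    """Accept a single path segment only: no separators, no '.' or '..', no NUL."""
    if not value or value in {".", ".."} or any(c in value for c in "/\\\0"):
        raise UploadRejected(f"unsafe path component {value!r}")
    return value


def allowed_extension(name: str) -> str:
    """Allowlist by final extension; .jsp and friends are simply never in the set."""
    ext = PurePosixPath(name).suffix.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} not allowed")
    return ext


def resolve_upload_path(type_param: str, filename: str, root: Path = UPLOAD_ROOT) -> Path:
    """Destination for one uploaded file, built from the client's category (the
    advisory's 'TYPE' parameter) and file name, with traversal and type checks."""
    category = safe_component(type_param)
    name = safe_component(filename)
    allowed_extension(name)
    dest = root / category / name
    # Belt and braces: after normalisation the destination must still sit under root.
    if root.resolve() not in dest.resolve().parents:
        raise UploadRejected("destination escapes the upload root")
    return dest


def upload_is_acceptable(type_param: str, filename: str) -> bool:
    try:
        resolve_upload_path(type_param, filename)
        return True
    except UploadRejected:
        return False


def validate_zip(data: bytes) -> list:
    """Inspect every entry before anything is extracted; returns accepted names."""
    accepted, total = [], 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            parts = PurePosixPath(info.filename).parts
            if info.filename.startswith(("/", "\\")) or ".." in parts or "\\" in info.filename:
                raise UploadRejected(f"traversal in archive entry {info.filename!r}")
            if info.is_dir():
                continue
            allowed_extension(info.filename)
            total += info.file_size
            if total > MAX_ZIP_BYTES or len(accepted) >= MAX_ZIP_ENTRIES:
                raise UploadRejected("archive exceeds size or entry limits")
            accepted.append(info.filename)
    return accepted


def zip_is_acceptable(data: bytes) -> bool:
    try:
        validate_zip(data)
        return True
    except (UploadRejected, zipfile.BadZipFile):
        return False


def build_zip(entries: dict) -> bytes:
    """Constructed test archives (name -> content); not real upload traffic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    print(upload_is_acceptable("Requests", "notes.txt"))           # True
    print(upload_is_acceptable("../../webapps", "notes.txt"))      # False
    print(upload_is_acceptable("Requests", "page.jsp"))            # False
    print(zip_is_acceptable(build_zip({"report.txt": b"ok"})))     # True
    print(zip_is_acceptable(build_zip({"../escape.txt": b"x"})))   # False
```

The allowlist is deliberately positive: rather than blocking .jsp specifically, only the types the feature actually needs are accepted, so a new server-executable extension does not reopen the hole. Extraction itself should also target a directory the web server does not serve, which removes the "predictable, remotely accessible path" half of the FileUploadServlet finding independently of content checks.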