TACTICAL CYBER INTELLIGENCE REPORT

Actor Type: II
Serial: TR-18-086-001
Countries: IN, CN
Report Date: 20180327

Multiple Vulnerabilities - ManageEngine Applications Manager

Two critical vulnerabilities have been identified in ManageEngine Applications Manager which permit attackers to perform unauthenticated SQL injection and unauthenticated remote code execution.

Impact

Multiple vulnerabilities have been identified which include an unauthenticated SQL injection and unauthenticated Remote Code Execution vulnerability.

  1. Unauthenticated SQL Injection

The vulnerability allows remote unauthenticated SQL injection. The vulnerability exists in the following class:

To trigger this section of the class, the following request was sent:

The following response was received:

To trigger the vulnerability, the following payload was sent:

http://xyz:9090/jsonfeed.do?method=getParentGroups&haid=10000055%27%22%3C%3E

Using various payloads in the parameter named “haid”, the vulnerability can be triggered.
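As an added defender-side example (not code from the report or from ManageEngine), the following script scans web access logs for requests to jsonfeed.do whose “haid” parameter carries anything other than a plain integer, which is the shape of the payload shown above. The log lines are constructed for the example; the assumption that a legitimate “haid” is purely numeric is taken from the base value 10000055 in the report's payload and should be confirmed against your own traffic before use.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not taken from the report). Line 2 mirrors
# the report's payload shape; line 3 is a shorter variant; lines 1 and 4 are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Mar/2018:10:01:02 +0000] "GET /jsonfeed.do?method=getParentGroups&haid=10000055 HTTP/1.1" 200 512
10.0.0.9 - - [27/Mar/2018:10:01:07 +0000] "GET /jsonfeed.do?method=getParentGroups&haid=10000055%27%22%3C%3E HTTP/1.1" 500 1280
10.0.0.9 - - [27/Mar/2018:10:01:09 +0000] "GET /jsonfeed.do?method=getParentGroups&haid=10000055%27 HTTP/1.1" 500 1280
10.0.0.5 - - [27/Mar/2018:10:01:12 +0000] "GET /index.do HTTP/1.1" 200 2048
"""

# Common log format: client, ident, user, [timestamp], "METHOD target protocol", status, size
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: a legitimate haid is a decimal integer (the report's base value is 10000055).
HAID_OK = re.compile(r'^\d+$')


def check_haid(target):
    """Return the URL-decoded haid value if it is not a plain integer, else None.

    parse_qs percent-decodes for us, so %27%22%3C%3E is inspected as '"<>.
    Only /jsonfeed.do is examined; other endpoints are ignored here.
    """
    parts = urlsplit(target)
    if not parts.path.endswith('/jsonfeed.do'):
        return None
    for raw in parse_qs(parts.query, keep_blank_values=True).get('haid', []):
        if not HAID_OK.match(raw):
            return raw
    return None


def scan_log(text):
    """Return one record per suspicious request: client IP, HTTP status, decoded haid."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        bad = check_haid(m.group('target'))
        if bad is not None:
            hits.append({'ip': m.group('ip'),
                         'status': int(m.group('status')),
                         'haid': bad})
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} status={hit['status']} haid={hit['haid']!r}")
```

A 500 response alongside a non-numeric “haid” is a useful corroborating signal, since the report's own probe used quote and angle-bracket characters that a vulnerable query would choke on; the script keeps the status so that rule can be applied downstream.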

  2. Unauthenticated Remote Code Execution

The second vulnerability allows an attacker to remotely execute code and remotely gain control of a target system.  The vulnerability is labelled as CVE-2018-7890.[1]  The issue is initiated in the following class:

The username and password are then passed to a PowerShell command without proper sanitization, so malicious input in those fields is executed.  The request to trigger the issue is as follows:
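As an added example of the mitigation pattern (not code from the report or from ManageEngine), the script below shows how to hand user-supplied credentials to a child process as data rather than as part of a command string: the process is started from a fixed argument list with no shell, and the values travel over stdin as JSON, so no metacharacter in them can alter what is executed. The child used here is a Python one-liner standing in for the PowerShell script, which is assumed to read the JSON from stdin; the username validation rules are an assumed baseline, not the product's.

```python
import json
import subprocess
import sys


def validate_username(username):
    """Baseline check before the value is used anywhere (assumed rules, not the product's):
    non-empty, bounded length, no control characters such as newlines."""
    if not (1 <= len(username) <= 128) or any(ord(c) < 0x20 for c in username):
        raise ValueError("username: control characters or bad length")
    return username


def run_with_credentials(argv, username, password):
    """Run argv (a fixed list, never a shell string) and deliver the credentials to the
    child as a JSON document on stdin. Because the values never appear on a command
    line, neither the shell nor PowerShell's parser ever interprets them."""
    payload = json.dumps({"user": validate_username(username), "password": password})
    return subprocess.run(argv, input=payload, capture_output=True, text=True, check=True)


# Stand-in child for offline demonstration: reads the JSON and echoes the password
# back unchanged. In a real deployment argv would be a fixed list such as
# ['powershell.exe', '-NoProfile', '-File', 'script.ps1'] with the script reading
# stdin (assumed here; the report does not show the application's command).
ECHO_CHILD = [sys.executable, "-c",
              "import sys, json; print(json.load(sys.stdin)['password'])"]


def credential_roundtrip(username, password):
    """Return the password exactly as the child received it, to show that quotes,
    semicolons and similar characters arrive as inert data."""
    return run_with_credentials(ECHO_CHILD, username, password).stdout.rstrip("\n")


if __name__ == "__main__":
    print(credential_roundtrip("alice", 'p@ss; "word"'))
```

The same separation applies to any other interpreter the application shells out to: keep the program and its fixed switches in the argument list, and move everything the user controls into a channel that is never parsed as code.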

A Metasploit module for this vulnerability has also been developed and is available at https://www.exploit-db.com/exploits/44274/ [2]

Prevention and Mitigation Strategies

ManageEngine issued an advisory and has developed a patch.  It can be found at https://pitstop.manageengine.com/portal/community/topic/security-vulnerability-issues-fixed-upgrade-to-the-latest-version-of-applications-manager.

Our customers are advised to install this patch and upgrade to the latest version of their software.

For questions or comments regarding this report or additional research, please contact the lab directly at 603-606-1246 or feedback@wapacklabs.com


[1] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7890

[2] https://pentest.blog/advisory-manageengine-applications-manager-remote-code-execution-sqli-and/
