OpManager 12100 / 12200 Cross Site Scripting / Denial Of Service

2016-11-20T00:00:00
ID PACKETSTORM:139833
Type packetstorm
Reporter Michael Heydon
Modified 2016-11-20T00:00:00

Description

                                        
                                            `Title: Multiple issues in OpManager  
Author: Michael Heydon  
Product: OpManager  
Tested Versions: 12100 & 12200  
Vendor: Zoho ManageEngine  
Vendor Notified: 2016-08-14  
Disclosure Date: 2016-11-20  
  
Product Description:  
====================  
OpManager is a web-based network monitoring system. It is used primarily by  
IT staff and it stores credentials in order to log in to systems which are  
to be monitored. According to ManageEngine it is "Trusted by over a Million  
administrators worldwide".  
  
  
*******************************************************************************  
  
Issue: DoS  
======  
  
Description  
===========  
The EncryptPassword API is susceptible to a denial of service attack. When  
certain characters are in the EncryptPassword value the server process will  
go into an infinite loop.  
  
This is caused by the use of a "while (1) {search; if (found) break}"  
algorithm in the baseConvertor function. An input value that is not present  
within the lookup table will cause the function to loop indefinitely.  
  
By sending a relatively small number of these requests the service can be  
overloaded (in testing approx. 500 requests will make OpManager practically  
unresponsive until someone logs in to the server and restarts the service).  
  
Steps to Reproduce  
==================  
wget -O /dev/null --quiet --post-data='EncryptPassword=%10' http://opmanagerurl.example.com/servlets/SettingsServlet?requestType=AJAX  
  
Notes  
=====  
This could be used to disrupt monitoring infrastructure while an attack is  
in progress against a monitored system.  
  
A similar algorithm is used in the baseDeconvertor function used to  
"decrypt" passwords. Consequently it is likely that a similar issue can be  
triggered by attempting to log in with a specially crafted cookie set  
however this has not been tested.  
  
*******************************************************************************  
  
Issue: Stored XSS  
======  
  
Description  
===========  
The User Defined DNS Names table in System Settings -> DNS fails to sanitize  
user input.  
  
Steps to Reproduce  
==================  
Log in to OpManager as an administrator. Browse to the DNS settings page.  
  
Add an entry with the following data:  
IP Address: 1.2.3.4  
DNS Name: <script>alert('XSS');</script>example.com  
  
Any user browsing to the DNS settings page will receive an alert.  
  
*******************************************************************************  
  
Issue: Reflected XSS  
======  
  
Description  
===========  
The ping and traceroute buttons on the MonitoringDevice page fail to sanitize the name of the host being monitored.  
  
Steps to Reproduce  
==================  
Browse to:  
http://opmanagerurl.example.net/apiclient/ember/index.jsp#/Inventory/Snapshot/MonitoringDevice/xssdemo%3Cscript%3Ealert(%22XSS%22)%3B%3C%2Fscript%3E  
  
Click on either the Ping or Traceroute buttons.  
  
You will receive an alert.  
  
Notes  
=====  
As the specified device does not exist, the page does not render correctly.  
This makes it less likely that the attacker will be able to convince the  
victim to click on the buttons.  
  
*******************************************************************************  
  
Issue: Reflected XSS  
======  
  
Description  
===========  
The packet loss graph and response time graph pages fail to adequately  
sanitize the name of the host being monitored.  
  
This issue has been partially mitigated in version 12200. The original non-  
interactive examples no longer work, however XSS is still possible with user  
interaction.  
  
Steps to Reproduce (v12100)  
===========================  
Browse to:  
http://opmanagerurl.example.com/apiclient/ember/index.jsp#/Inventory/Snapshot/MonitoringDevice/A')"%20onfocus=alert('XSS');%20autofocus%20x='/PerfGraph/packetLoss/packetLoss  
or  
http://opmanagerurl.example.com/apiclient/ember/index.jsp#/Inventory/Snapshot/MonitoringDevice/A')"%20onfocus=alert('XSS');%20autofocus%20x='/PerfGraph/responseTime/responseTime  
  
You will receive an alert.  
  
Notes (v12100)  
==============  
As this exploit is triggered by an "onfocus" event and generates an alert  
(which takes focus when it opens and returns focus when it is closed) these  
examples will continually generate alerts.  
  
Steps to Reproduce (12200)  
===========================  
Browse to:  
http://opmanagerurl.example.com/apiclient/ember/index.jsp#/Inventory/Snapshot/MonitoringDevice/A');%20alert('XSS');nop('/PerfGraph/packetLoss/packetLoss  
or  
http://opmanagerurl.example.com/apiclient/ember/index.jsp#/Inventory/Snapshot/MonitoringDevice/A');%20alert('XSS');nop('/PerfGraph/responseTime/responseTime  
  
Click on any of the fixed Time Period buttons.  
  
You will receive an alert.  
  
Notes (v12200)  
==============  
Under 12200 this exploit presents a similar risk to the ping/traceroute  
issue. It requires the victim to click on a malformed page and it is  
therefore somewhat harder for an attacker to convince the victim to trigger  
the payload.  
  
*******************************************************************************  
  
Issue: Insecure Storage of User Credentials  
=====  
  
Description  
===========  
When the "Keep me signed in" checkbox on the login page is ticked, the  
user's password is saved in a cookie in (obfuscated) plaintext.  
  
Steps to Reproduce  
==================  
Log in to OpManager with the "Keep me signed in" checkbox selected. Inspect  
cookies. The "encryptPassForAutomaticSignin" value contains the user's  
password obfuscated using a caesar shift and a form of base59 encoding.  
  
Javascript code to read and decode the login cookies can be found at:  
https://mheydon.net/Projects/Security/OpManager/ompw-js.txt  
  
Notes  
=====  
The cookie is not HTTPOnly.  
  
*******************************************************************************  
  
Disclosure Timeline  
====================  
2016-08-15 - Reported to ManageEngine (ME)  
2016-08-17 - Received acknowledgement  
2016-09-17 - Requested status update  
2016-09-17 - Received reply that fixes were underway, suggested "12100  
consolidated fix"  
2016-09-19 - Sent clarification that testing was against 12100. Requested  
link to consolidated fix  
2016-09-20 - Received link for 12000 to 12100 update  
2016-09-20 - Advised that the linked patch would not install, repeated that  
testing was against 12100  
2016-09-20 - Received link to NCM/NF patch  
2016-09-20 - Tested & informed ME that patch does not resolve any issues  
2016-11-15 - OpManager 12200 released.  
2016-11-18 - Retested & contacted ME confirming that Performance Graph XSS  
is harder to trigger, but otherwise all issues remain in latest  
version. Reminded ME that 90 days had passed and that details  
would be made public.  
2016-11-18 - Received acknowledgement  
2016-11-20 - Public disclosure  
`