ManageEngine AssetExplorer Authenticated Command Execution

Published: 15 May 2020 00:00:00. Reported by Sahil Dhar. Type: packetstorm. Source: packetstormsecurity.com

ManageEngine AssetExplorer Authenticated Command Execution. The vulnerability allows an authenticated attacker to execute arbitrary commands on the AssetExplorer server with NT AUTHORITY/SYSTEM privileges.

Related

| Family | Title | Published |
| --- | --- | --- |
| 0day.today | ManageEngine AssetExplorer Authenticated Command Execution Vulnerability | 16 May 2020 00:00 |
| AttackerKB | CVE-2019-19034 | 23 Mar 2020 17:15 |
| CNVD | Zoho ManageEngine Asset Explorer OS Command Injection Vulnerability | 24 Mar 2020 00:00 |
| CVE | CVE-2019-19034 | 23 Mar 2020 16:09 |
| Cvelist | CVE-2019-19034 | 23 Mar 2020 16:09 |
| EUVD | EUVD-2019-8676 | 7 Oct 2025 00:30 |
| NVD | CVE-2019-19034 | 23 Mar 2020 17:15 |
| Prion | Design/Logic Flaw | 23 Mar 2020 17:15 |
| Positive Technologies | PT-2020-10038 · Zoho +1 · Zoho ManageEngine AssetExplorer +1 | 23 Mar 2020 00:00 |
| RedhatCVE | CVE-2019-19034 | 22 May 2025 04:48 |
XL-2020-004 - Asset Explorer (Windows & Linux) - Authenticated Command Execution
===============================================================================

Identifiers
-------------------------------------------------

* CVE-2019-19034
* XL-20-004

CVSSv3 score
-------------------------------------------------

7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Vendor
-------------------------------------------------

ManageEngine - [https://www.manageengine.com/products/asset-explorer/](https://www.manageengine.com/products/asset-explorer/)

Product
-------------------------------------------------

ManageEngine AssetExplorer is a web-based IT Asset Management (ITAM) software that helps you monitor and manage assets in your network from the planning phase to the disposal phase. AssetExplorer provides you with a number of ways to ensure discovery of all the assets in your network. You can manage software & hardware assets, ensure software license compliance and track purchase orders & contracts - the whole nine yards! AssetExplorer is very easy to install and works right out of the box.

Affected versions
-------------------------------------------------

- All versions prior to 6.5 (6503)

Credit
-------------------------------------------------

Sahil Dhar - xen1thLabs - Software Labs

Vulnerability summary
-------------------------------------------------

The ManageEngine AssetExplorer application does not validate the System Center Configuration Manager (SCCM) database username when it dynamically generates the command used to schedule SCCM scans. The vulnerability allows an authenticated attacker to execute arbitrary commands on the AssetExplorer server with NT AUTHORITY/SYSTEM privileges.

Technical details
-------------------------------------------------

The SCCM username is concatenated into the system command string on lines `143` and `144` of `SccmTask.java` in the `AdventNetAsset.jar` package, and that string is then executed through the `exec()` method of the `java.lang.Runtime` class on line `147` (Windows) or line `149` (Linux). No validation or escaping is applied to the username before it reaches `exec()`.

The following code snippet shows the vulnerable source code:

```java
/*
Package Name: AdventNetAsset.jar
FileName: SccmTask.java
*/
123: prop.setProperty("hostName", sccmHostName);
124: prop.setProperty("databaseName", sccmDbName);
125: prop.setProperty("domain", "-".equals(sccmDomain) ? "" : sccmDomain);
126: prop.setProperty("username", sccmUserName);
127: prop.setProperty("port", sccmPortNum);
128: prop.setProperty("password", Encoder.convertFromBase(sccmPassword));
129:
130: DBConnectorUtil connectionTester = new DBConnectorUtil(prop, false);
131:
132: HashMap<String, Object> auditStart = new HashMap();
133: auditStart.put("sccmId", sccmConfigId);
134: auditStart.put("sccmName", sccmName);
135: auditStart.put("startTime", new Timestamp(startTime.longValue()));
136: auditStart.put("auditToken", auditId);
137: SCCMUtil.updateSCCMScanStartAudit(auditStart);
138:
140: if (connectionTester.testConnection())
141: {
142:     logger.log(Level.INFO, "Connection has been established with the required SCCM");
143:     // sccmUserName (user-controlled) is concatenated into the command without validation or escaping
143:     String runSccmWindows = "SCCMScheduler.bat " + sccmDomain + " " + sccmPortNum + " " + sccmDbName + " " + sccmHostName + " " + sccmUserName + " " + sccmPassword + " " + sccmConfigId.toString() + " " + auditId + " " + siteId + " " + auditURL;
144:     String runSccmLinux = "sh SCCMScheduler.sh " + sccmDomain + " " + sccmPortNum + " " + sccmDbName + " " + sccmHostName + " " + sccmUserName + " " + sccmPassword + " " + sccmConfigId.toString() + " " + auditId + " " + siteId + " " + auditURL;
145:     if (System.getProperty("os.name").indexOf("Windows") != -1)
146:     {
147:         Runtime.getRuntime().exec(runSccmWindows); // the whole string is executed as-is
148:     } else {
149:         Runtime.getRuntime().exec(runSccmLinux);
150:     }
151:     logger.log(Level.INFO, "SCCM Scanner is lauched. Log file is created in directory: ROOT/logs/SCCMLogs/");
152: }
```

Proof of concept
-------------------------------------------------

1. Set `| calc.exe &` as the username of one of the databases on the SCCM database server.

2. Authenticate to the application with Administrator credentials and navigate to Admin > Discovery > Credential Library.

3. Add one SCCM credential with the authentication mode set to SQL, the username set to `| calc.exe &`, and the password of the SCCM database server.

4. Navigate to SCCM integration, fill in the required parameters, select the credentials added in `step 3` and schedule a scan.

5. Observe that the application executes `calc.exe` with NT AUTHORITY/SYSTEM privileges.
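As an added example (not the vendor's code; the class and method names are assumptions), this is the shape of a hardened replacement for the command construction shown under Technical details: the SCCM username is checked against an allow-list before use, and the scheduler is launched through `ProcessBuilder` with an argument vector rather than a single whitespace-joined string. The `main` method feeds in the proof-of-concept value from the steps above, which fails the check before any process is created.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Hypothetical hardened form of the SccmTask command construction.
// Class and method names are assumptions, not ManageEngine's code.
public class SccmScanLauncher {
    // Allow-list for an SCCM database login: letters, digits, '\' (DOMAIN\user),
    // '_', '.' and '-'. Shell metacharacters such as '|', '&', ';', quotes and
    // whitespace do not match, so the value is rejected before any process starts.
    private static final Pattern SAFE_USERNAME =
            Pattern.compile("^[A-Za-z0-9\\\\._-]{1,128}$");

    static boolean isSafeUsername(String sccmUserName) {
        return sccmUserName != null && SAFE_USERNAME.matcher(sccmUserName).matches();
    }

    // Builds the scheduler invocation as an argument vector: each value becomes one
    // argv element instead of part of a single string that Runtime.exec(String)
    // splits on whitespace. A .bat file still runs under cmd.exe, which re-parses
    // its command line, so the allow-list above remains the primary control.
    static List<String> buildCommand(boolean windows, String... args) {
        List<String> cmd = new ArrayList<>();
        if (windows) {
            cmd.add("SCCMScheduler.bat");
        } else {
            cmd.add("sh");
            cmd.add("SCCMScheduler.sh");
        }
        cmd.addAll(Arrays.asList(args));
        return cmd;
    }

    static Process launch(boolean windows, String domain, String port, String dbName,
                          String host, String user, String password, String configId,
                          String auditId, String siteId, String auditUrl) throws IOException {
        if (!isSafeUsername(user)) {
            throw new IllegalArgumentException("SCCM username contains disallowed characters");
        }
        List<String> cmd = buildCommand(windows, domain, port, dbName, host, user,
                password, configId, auditId, siteId, auditUrl);
        return new ProcessBuilder(cmd).start();
    }

    public static void main(String[] a) {
        System.out.println(isSafeUsername("| calc.exe &"));      // the advisory's PoC value
        System.out.println(isSafeUsername("CORP\\sccm_reader"));  // a conventional DOMAIN\user login
    }
}
```

The check should be applied when the credential is saved in the Credential Library as well as at scan time, so a value stored before the fix is also rejected.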

Solution
-------------------------------------------------

This issue is fixed in ManageEngine AssetExplorer version 6.6.

Timeline
-------------------------------------------------

15-09-2019 - Reported to vendor

17-09-2019 - Vendor acknowledgement

21-11-2019 - Patch released

13-05-2020 - xen1thLabs public disclosure
