Password Manager Pro / Pro MSP - Blind SQL Injection

🗓️ 13 Nov 2014 00:00:00Reported by RootType

Password Manager Pro / Pro MSP - Blind SQL Injection, Authenticated, Low Privilege Account, Unauthorized Access, Super Administrator Privileges

Reporter	Title	Published	Views	Family All 19
0day.today	Password Manager Pro / Pro MSP - Blind SQL Injection Vulnerability	10 Nov 201400:00	–	zdt
0day.today	ManageEngine Password Manager Pro SQL Injection Exploit	14 Nov 201400:00	–	zdt
Circl	CVE-2014-8499	29 May 201815:50	–	circl
CVE	CVE-2014-8498	17 Nov 201416:00	–	cve
CVE	CVE-2014-8499	17 Nov 201416:00	–	cve
Cvelist	CVE-2014-8498	17 Nov 201416:00	–	cvelist
Cvelist	CVE-2014-8499	17 Nov 201416:00	–	cvelist
Exploit DB	Password Manager Pro / Pro MSP - Blind SQL Injection	10 Nov 201400:00	–	exploitdb
EUVD	EUVD-2014-8335	7 Oct 202500:30	–	euvd
exploitpack	Password Manager Pro Pro MSP - Blind SQL Injection	10 Nov 201400:00	–	exploitpack


                                                &gt;&gt; Authenticated blind SQL injection in Password Manager Pro / Pro MSP
&gt;&gt; Discovered by Pedro Ribeiro ([email protected]), Agile Information Security
==========================================================================
Disclosure: 08/11/2014 / Last updated: 08/11/2014
 
&gt;&gt; Background on the affected products:
&quot;Password Manager Pro (PMP) is a secure vault for storing and managing
shared sensitive information such as passwords, documents and digital
identities of enterprises.&quot;
 
 
&gt;&gt; Technical details:
PMP has a SQL injection vulnerability in its search function. A valid
user account is required to exploit the injection, however a low
privileged guest account is enough.
 
The application uses different database backends by default depending
on its version: versions &lt; 6.8 use the MySQL backend and versions &gt;=
6.8 use PostgreSQL. Single quotes are escaped with backslashes at the
injection point, but this can be somewhat avoided by double escaping
the slashes (\\'). In addition, injected strings are all modified to
uppercase. These two unintended &quot;protections&quot; make it difficult to
exploit the injection to achieve remote code execution.
However the injection can be abused in creative ways - for example to
escalate the current user privileges to &quot;Super Administrator&quot;, which
has access to all the passwords in the system in unencrypted format.
This can be achieved by injecting the following queries: &quot;update
AaaAuthorizedRole set role_id=1 where account_id=&lt;userId&gt;;insert into
ptrx_superadmin values (&lt;userId&gt;,true);&quot;.
 
A Metasploit module has been released that creates a new &quot;Super
Administrator&quot; account and exports PMP's password database in CSV
format. All passwords are exported unencrypted.
 
 
Vulnerability: Blind SQL injection in SEARCH_ALL parameter (multiple
pages affected)
Constraints: authentication needed (guest / low privileged user account)
 
CVE-2014-8498
POST /BulkEditSearchResult.cc
Affected versions: Unknown, at least v7 build 7001 to vX build XXX
 
CVE-2014-8499
POST /SQLAdvancedALSearchResult.cc
POST /AdvancedSearchResult.cc
Affected versions: Unknown, at least v6.5 to vX build XXX
 
COUNT=1&amp;USERID=1&amp;SEARCH_ALL=&lt;injection here&gt;
 
 
&gt;&gt; Fix:
Upgrade to version 7.1 build 7105
 
 
[1]
http://seclists.org/fulldisclosure/2014/Aug/55
http://seclists.org/fulldisclosure/2014/Aug/75
http://seclists.org/fulldisclosure/2014/Aug/88
http://seclists.org/fulldisclosure/2014/Sep/1
http://seclists.org/fulldisclosure/2014/Sep/110
http://seclists.org/fulldisclosure/2014/Nov/12
 
[2]
https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_pmp_privesc.txt

13 Nov 2014 00:00Current

6.5Medium risk

Vulners AI Score6.5

EPSS0.74916