lab.mogwaisecurity.de because sharing is caring...

ManageEngine EventLog Analyzer Multiple Vulnerabilities

Title ManageEngine EventLog Analyzer Multiple Vulnerabilities
Id MSA-2014-01
CVE CVE-2014-7200 (XSS), CVE-2014-7201 (SQLi)
Product dmmjobcontrol (Typo3 Extension)
Affected versions 2.14.0
Impact high
Remote yes
Product link http://typo3.org/extensions/repository/view/dmmjobcontrol
Reported 05/09/2014
By Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench)

Vendor's Description of the Software:

EventLog Analyzer provides the most cost-effective Security Information and Event Management (SIEM) software on the market. Using this Log Analyzer software, organizations can automate the entire process of managing terabytes of machine generated logs by collecting, analyzing, searching, reporting, and archiving from one central location. This event log analyzer software helps to mitigate internal threats, conduct log forensics analysis, monitor privileged users and comply to different compliance regulatory bodies by intelligently analyzing your logs and instantly generating a variety of reports like user activity reports, regulatory compliance reports, historical trend reports, and more.

Business recommendation:

During a penetration test, multiple vulnerabilities have been identified that are based on severe design/implementation flaws in the application. It is highly recommended not to use this software until a thorough security review has been performed by security professionals and all identified issues have been resolved.

CVSS2 Rating (for CVE-2014-7201 - SQL Injection)

CVSS Base Score 7.8
Impact Subscore 6.9
Exploitability Subscore 10
CVSS v2 Vector (AV:N/AC:L/Au:N/C:C/I:N/A:N)

Vulnerability description

1) Unauthenticated remote code execution
ME EventLog Analyzer contains a "agentUpload" servlet which is used by Agents to send log data as zip files to the central server. Files can be uploaded without authentication and are stored/decompressed in the "data" subdirectory.

As the decompress procedure is handling the file names in the ZIP file in a insecure way it is possible to store files in the web root of server. This can be used to upload/execute code with the rights of the application server.

2) Authorization issues
The EventLog Analyzer web interface does not check if an authenticated has sufficient permissions to access certain parts of the application. A low privileged user (for example guest) can therefore access critical sections of the web interface, by directly calling the corresponding URLs. This can be used to access the database browser of the application which gives the attacker full access to the database.

Proof of concept:

The following PoC Python script can be used to download PHP files from a attacker controlled host.

1) Unauthenticated Blind SQL Injection
The following PoC shows blind based SQL injection on the sector parameter, other
parameters are also vulnerable
http://xxxx/jobs/?tx_dmmjobcontrol_pi1%5Bsearch_submit%5D=Search&tx_dmmjobcontrol_pi1%5Bsearch%5D%5Bsector%5D%5B%5D=3%29and%20benchmark%2820000000%2csha1%281%29%29--%20

2) Reflected Cross Site Scripting (XSS)
http://172.16.37.232/typo3/jobs/?tx_dmmjobcontrol_pi1%5Bsearch_submit%5D=Search&tx_dmmjobcontrol_pi1%5Bsearch%5D%5Bkeyword%5D="><script>alert(1);</script>

Disclosure timeline:

05/09/2014 Reporting to the Typo3 Security team
05/09/2014 Response from Typo3 Security team that they received the mail
24/09/2014 Mail to Typo3 Security team, asking for the current status
25/09/2014 Response from Typo3 Security Team that they released an advisory[1]
25/09/2014 Release of public advisory

Workaround (use on your own responsiblity):

In the file: typo3conf/ext/dmmjobcontrol/pi1/class.tx_dmmjobcontrol_pi1.php

To fix the Cross Site Scripting (XSS) vulnerability, replace line 112 with the following PHP code:

$markerArray['###KEYWORD_VALUE###'] = htmlspecialchars($session['search']['keyword'], ENT_QUOTES);

To fix the SQL Injection vulnerability, replace line 257 with the following PHP code:

$whereAdd[] = $table.'.uid_local=tx_dmmjobcontrol_job.uid AND ('.$table.'.uid_foreign='.implode(' OR '.$table.'.uid_foreign=', intval($value)).')';

References:

[1] TYPO3-EXT-SA-2014-012: Several vulnerabilities in extension JobControl (dmmjobcontrol) http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2014-012

Advisory URL: https://www.mogwaisecurity.de/#lab

Mogwai, IT-Sicherheitsberatung Muench
Steinhoevelstrasse 2/2
89075 Ulm (Germany)

info@mogwaisecurity.de