Title: Multiple issues in OpManager
Author: Michael Heydon
Product: OpManager
Tested Versions: 12100 & 12200
Vendor: Zoho ManageEngine
Vendor Notified: 2016-08-14
Disclosure Date: 2016-11-20

Product Description:
====================
OpManager is a web-based network monitoring system. It is used primarily by IT staff and it stores credentials in order to log in to systems which are to be monitored. According to ManageEngine it is "Trusted by over a Million administrators worldwide".

*******************************************************************************

Issue: DoS
======

Description
===========
The EncryptPassword API is susceptible to a denial of service attack. When certain characters are in the EncryptPassword value the server process will go into an infinite loop. This is caused by the use of a "while (1) {search; if (found) break}" algorithm in the baseConvertor function. An input value that is not present within the lookup table will cause the function to loop indefinitely.

By sending a relatively small number of these requests the service can be overloaded (in testing approx. 500 requests will make OpManager practically unresponsive until someone logs in to the server and restarts the service).

Steps to Reproduce
==================
wget -O /dev/null --quiet --post-data='EncryptPassword=%10' http://opmanagerurl.example.com/servlets/SettingsServlet?requestType=AJAX

Notes
=====
This could be used to disrupt monitoring infrastructure while an attack is in progress against a monitored system.

A similar algorithm is used in the baseDeconvertor function used to "decrypt" passwords. Consequently it is likely that a similar issue can be triggered by attempting to log in with a specially crafted cookie set; however, this has not been tested.

*******************************************************************************

Issue: Stored XSS
======

Description
===========
The User Defined DNS Names table in System Settings -> DNS fails to sanitize user input.
Steps to Reproduce
==================
Log in to OpManager as an administrator. Browse to the DNS settings page. Add an entry with the following data:

IP Address: 1.2.3.4
DNS Name: <script>alert('XSS');</script>example.com

Any user browsing to the DNS settings page will receive an alert.

*******************************************************************************

Issue: Reflected XSS
======

Description
===========
The ping and traceroute buttons on the MonitoringDevice page fail to sanitize the name of the host being monitored.

Steps to Reproduce
==================
Browse to:

http://opmanagerurl.example.net/apiclient/ember/index.jsp#/Inventory/Snapshot/MonitoringDevice/xssdemo%3Cscript%3Ealert(%22XSS%22)%3B%3C%2Fscript%3E

Click on either the Ping or Traceroute buttons. You will receive an alert.

Notes
=====
As the specified device does not exist, the page does not render correctly. This makes it less likely that the attacker will be able to convince the victim to click on the buttons.

*******************************************************************************

Issue: Reflected XSS
======

Description
===========
The packet loss graph and response time graph pages fail to adequately sanitize the name of the host being monitored.

This issue has been partially mitigated in version 12200. The original non-interactive examples no longer work; however, XSS is still possible with user interaction.

Steps to Reproduce (v12100)
===========================
Browse to:

http://opmanagerurl.example.com/apiclient/ember/index.jsp#/Inventory/Snapshot/MonitoringDevice/A')"%20onfocus=alert('XSS');%20autofocus%20x='/PerfGraph/packetLoss/packetLoss

or

http://opmanagerurl.example.com/apiclient/ember/index.jsp#/Inventory/Snapshot/MonitoringDevice/A')"%20onfocus=alert('XSS');%20autofocus%20x='/PerfGraph/responseTime/responseTime

You will receive an alert.
Notes (v12100)
==============
As this exploit is triggered by an "onfocus" event and generates an alert (which takes focus when it opens and returns focus when it is closed), these examples will continually generate alerts.

Steps to Reproduce (12200)
===========================
Browse to:

http://opmanagerurl.example.com/apiclient/ember/index.jsp#/Inventory/Snapshot/MonitoringDevice/A');%20alert('XSS');nop('/PerfGraph/packetLoss/packetLoss

or

http://opmanagerurl.example.com/apiclient/ember/index.jsp#/Inventory/Snapshot/MonitoringDevice/A');%20alert('XSS');nop('/PerfGraph/responseTime/responseTime

Click on any of the fixed Time Period buttons. You will receive an alert.

Notes (v12200)
==============
Under 12200 this exploit presents a similar risk to the ping/traceroute issue. It requires the victim to click on a malformed page and it is therefore somewhat harder for an attacker to convince the victim to trigger the payload.

*******************************************************************************

Issue: Insecure Storage of User Credentials
=====

Description
===========
When the "Keep me signed in" checkbox on the login page is ticked, the user's password is saved in a cookie in (obfuscated) plaintext.

Steps to Reproduce
==================
Log in to OpManager with the "Keep me signed in" checkbox selected. Inspect cookies. The "encryptPassForAutomaticSignin" value contains the user's password obfuscated using a Caesar shift and a form of base59 encoding.

JavaScript code to read and decode the login cookies can be found at:
https://mheydon.net/Projects/Security/OpManager/ompw-js.txt

Notes
=====
The cookie is not HTTPOnly.
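The DoS issue above comes down to a lookup that only stops when it finds a match. The following is an added example, not OpManager's code: it reconstructs the "while (1) {search; if (found) break}" pattern the advisory describes (with an iteration guard that exists only so the demo terminates) beside a convertor that rejects characters outside its alphabet, and a request-level check for the EncryptPassword parameter. The alphabet is constructed for illustration; the product's real lookup table is not known.

```javascript
// Constructed alphabet standing in for the product's lookup table (assumption).
const ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";

// Precomputed index: unknown characters yield undefined instead of a search that never ends.
const INDEX = new Map([...ALPHABET].map((ch, i) => [ch, i]));

// Reconstruction of the pattern in the advisory: search, and only leave the loop when found.
// For a character not in the table the real pattern never terminates; the maxIterations
// guard is added purely so this demonstration returns (it is NOT part of the vulnerable pattern).
function unboundedLookup(ch, maxIterations = 4 * ALPHABET.length) {
  let iterations = 0;
  while (true) {                       // "while (1)"
    const idx = ALPHABET.indexOf(ch);  // "search"
    if (idx !== -1) return idx;        // "if (found) break"
    if (++iterations >= maxIterations) return null; // demo-only guard
  }
}

// Hardened convertor: every character is checked against the table before use,
// and an unknown one raises an error the servlet can turn into a 400 response.
function decodeBase(value) {
  if (typeof value !== "string" || value.length === 0) {
    throw new RangeError("empty or non-string input");
  }
  let result = 0n;
  for (const ch of value) {
    const digit = INDEX.get(ch);
    if (digit === undefined) {
      const cp = ch.codePointAt(0).toString(16).padStart(4, "0");
      throw new RangeError(`character U+${cp} is not in the alphabet`);
    }
    result = result * BigInt(ALPHABET.length) + BigInt(digit);
  }
  return result;
}

// Request-layer check: decode the form parameter and reject it before the
// convertor ever sees it. "%10" from the advisory's wget request fails here.
function isAcceptableEncryptPasswordParam(rawParam) {
  let value;
  try { value = decodeURIComponent(rawParam); } catch { return false; }
  return value.length > 0 && [...value].every((ch) => INDEX.has(ch));
}
```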
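All three XSS issues above (the User Defined DNS Names table and the two MonitoringDevice pages) involve a host or DNS name reaching the page without validation or output encoding. This added example, which is not OpManager's code, shows the two independent defences a fix would need: reject entries that are not syntactically valid hostnames or IPv4 addresses when they are submitted, and HTML-encode whatever is rendered regardless. The validateDnsEntry and renderDnsRow helpers and their field names are assumptions for illustration.

```javascript
// RFC 1123 hostname label: 1-63 alphanumerics or hyphens, no leading/trailing hyphen.
const LABEL_RE = /^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$/;

function isValidHostname(name) {
  if (typeof name !== "string" || name.length === 0 || name.length > 253) return false;
  const trimmed = name.endsWith(".") ? name.slice(0, -1) : name; // allow a trailing dot
  return trimmed.split(".").every((label) => LABEL_RE.test(label));
}

// Dotted-quad IPv4: four octets, each 0-255, no leading zeros.
function isValidIPv4(addr) {
  if (typeof addr !== "string") return false;
  const parts = addr.split(".");
  return parts.length === 4 &&
    parts.every((p) => /^(0|[1-9][0-9]{0,2})$/.test(p) && Number(p) <= 255);
}

// Output encoding for HTML element content and quoted attribute values.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Input validation for one User Defined DNS Names row (hypothetical helper).
// Returns the rejection reason, or null when the row is acceptable.
function validateDnsEntry(entry) {
  if (!isValidIPv4(entry.ipAddress)) return "invalid IP address";
  if (!isValidHostname(entry.dnsName)) return "invalid DNS name";
  return null;
}

// Rendering still encodes, so a bypass of validation cannot become script.
function renderDnsRow(entry) {
  return `<tr><td>${escapeHtml(entry.ipAddress)}</td><td>${escapeHtml(entry.dnsName)}</td></tr>`;
}
```

The same isValidHostname check applied to the device name in the MonitoringDevice route would reject the payloads in the reflected XSS steps above, since angle brackets, quotes and parentheses are not valid hostname characters.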
*******************************************************************************

Disclosure Timeline
====================
2016-08-15 - Reported to ManageEngine (ME)
2016-08-17 - Received acknowledgement
2016-09-17 - Requested status update
2016-09-17 - Received reply that fixes were underway, suggested "12100 consolidated fix"
2016-09-19 - Sent clarification that testing was against 12100. Requested link to consolidated fix
2016-09-20 - Received link for 12000 to 12100 update
2016-09-20 - Advised that the linked patch would not install, repeated that testing was against 12100
2016-09-20 - Received link to NCM/NF patch
2016-09-20 - Tested & informed ME that patch does not resolve any issues
2016-11-15 - OpManager 12200 released.
2016-11-18 - Retested & contacted ME confirming that Performance Graph XSS is harder to trigger, but otherwise all issues remain in latest version. Reminded ME that 90 days had passed and that details would be made public.
2016-11-18 - Received acknowledgement
2016-11-20 - Public disclosure