SSD Advisory – ManageEngine Code Execution

Vulnerability Summary
The following advisory describes an Unrestricted File Upload vulnerability, leading to Code Execution, found in ManageEngine Firewall Analyzer and ManageEngine OpManager.
ManageEngine Firewall Analyzer is a browser-based firewall/VPN/proxy server reporting solution that uses a built-in syslog server to store, analyze, and report on these logs. Firewall Analyzer provides daily, weekly, monthly, and yearly reports on firewall traffic, security breaches, and more. This helps network administrators to proactively secure networks before security threats arise, avoid network abuses, manage bandwidth requirements, monitor web site visits, and ensure appropriate usage of networks by employees.
ManageEngine OpManager is a comprehensive network monitoring software that provides the network administrators with an integrated console for managing routers, firewalls, servers, switches, and printers. OpManager offers extensive fault management and performance management functionality. It provides handy but powerful Customizable Dashboards and CCTV views that display the immediate status of your devices, at-a-glance reports, business views etc. OpManager also provides a lot of out-of-the-box graphs and reports, which give a wealth of information to the network administrators about the health of their networks, servers and applications.
Credit
An independent security researcher, Yasser Ali (https://yasserali.com), has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor response
ManageEngine has released patches to address these vulnerabilities and issued the following advisory: https://desk.zoho.com/portal/manageengine/kb/articles/latest-consolidated-patch

Vulnerability Details
Firewall Analyzer is vulnerable to an unrestricted file upload in its "Group Chat" section. "Group Chat" lets team members share ideas and chat with each other, and it includes an upload function so that members can attach files such as screenshots.
The upload function accepts files with any extension from any user and stores them under a web-served path. By uploading a server-side script (a JSP file in the proof of concept below), an attacker can make the server execute it in the context of the web application.
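As an added example, not ManageEngine's code, the following Python sketch puts an unrestricted attachment handler of the kind described above beside a hardened one: the hardened version rejects path tricks and every server-side extension anywhere in the name, checks that the content matches the claimed type, renames the file, and stores it outside the web root. The directory names, function names and the allowlist are assumptions for illustration; the /itplus/FileStorage/<id>/<name> layout is modelled on the path that appears later in this advisory.

```python
import os
import secrets

# Assumed layout, modelled on the advisory's /itplus/FileStorage/<id>/<name> path.
WEB_SERVED_ROOT = "/opt/itplus/FileStorage"   # reachable as /itplus/FileStorage/ over HTTP (assumed)
PRIVATE_ROOT = "/var/lib/itplus-private"       # not under the web root (assumed)

# --- Vulnerable: any name, any extension, written straight into a served directory ---
def save_attachment_unrestricted(chat_id: int, filename: str, data: bytes) -> str:
    """Return the destination path; the write itself is omitted so this runs offline."""
    # shell.jsp lands where the container will execute it on the next GET.
    return os.path.join(WEB_SERVED_ROOT, str(chat_id), filename)

# --- Hardened: allowlist by extension, verify content, rename, store outside the web root ---
ALLOWED_MAGIC = {                 # extension -> leading bytes the content must start with
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}
SERVER_SIDE_EXTS = {"jsp", "jspx", "jspf", "jsw", "jsv", "war",
                    "php", "phtml", "asp", "aspx", "cgi", "sh"}

class UploadRejected(ValueError):
    pass

def reject_reason(filename: str, data: bytes, max_bytes: int = 5 * 1024 * 1024):
    """Return None when the upload is acceptable, otherwise a short reason string."""
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename or base in ("", ".", ".."):
        return "path traversal or empty name"
    parts = base.lower().split(".")
    if len(parts) < 2:
        return "no extension"
    exts = parts[1:]
    # Look at every dotted segment: "shell.jsp.png" and "shell.png.jsp" are both rejected.
    if any(e in SERVER_SIDE_EXTS for e in exts):
        return "executable extension"
    if exts[-1] not in ALLOWED_MAGIC:
        return f"extension .{exts[-1]} not allowed"
    if len(data) > max_bytes:
        return "too large"
    if not data.startswith(ALLOWED_MAGIC[exts[-1]]):
        return "content does not match extension"
    return None

def save_attachment_hardened(chat_id: int, filename: str, data: bytes) -> str:
    """Return the private storage path for an accepted upload, or raise UploadRejected."""
    reason = reject_reason(filename, data)
    if reason is not None:
        raise UploadRejected(reason)
    ext = filename.lower().rsplit(".", 1)[1]
    # Server-chosen name: the client's filename never reaches the filesystem.
    return os.path.join(PRIVATE_ROOT, str(chat_id), f"{secrets.token_hex(16)}.{ext}")

if __name__ == "__main__":
    jsp = b'<%@ page import="java.io.*" %>'            # constructed stand-in for a JSP web shell
    png = b"\x89PNG\r\n\x1a\n\x00"                        # constructed PNG header
    print(save_attachment_unrestricted(302, "shell.jsp", jsp))   # /opt/itplus/FileStorage/302/shell.jsp
    print(reject_reason("shell.jsp", jsp))                       # executable extension
    print(reject_reason("shell.jsp.png", png))                   # executable extension
    print(reject_reason("screen.png", jsp))                      # content does not match extension
    print(reject_reason("screen.png", png))                      # None
    print(save_attachment_hardened(302, "screen.png", png))
```

The serving side matters as much as the check: files under PRIVATE_ROOT should be streamed back by a handler that sets Content-Disposition: attachment and a fixed Content-Type, so nothing the user uploaded is ever reachable as a URL the container would interpret as a page.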
(Screenshot: Firewall Analyzer Group Chat)

Proof of Concept
An attacker can send the following POST request with crafted executable:

The server will respond with the following message:

The Firewall Analyzer has a client side implementation as shown below:

Which generates the following HTML5 code:
<a href="/itplus/FileStorage/302/shell.jsp" target="_blank" download="shell.jsp">shell.jsp(0KB)</a>
Upon accessing this URL, an attacker causes the server to execute the uploaded JSP file. The download attribute only instructs the browser; the server still runs shell.jsp rather than serving it as a static attachment:

Checking our current privileges from within the uploaded JSP web shell shows that the current user is root.
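As an added detection example, not part of the advisory or the vendor's patch, the following Python flags requests for server-side script files under the /itplus/FileStorage/ path shown above, and applies the same extension check to the on-disk attachment store. The log lines are constructed in Common Log Format for illustration, including the made-up query string; the server's real log format and the on-disk location of the store are assumptions.

```python
import os
import re
from typing import Iterable, List, Tuple

# Constructed access-log lines (Common Log Format). The shell.jsp path mirrors the
# advisory; the other entries, hosts, timestamps and the ?cmd=id query are made up.
SAMPLE_LOG = """\
10.0.0.7 - - [12/Mar/2019:10:02:11 +0000] "GET /itplus/FileStorage/302/screenshot.png HTTP/1.1" 200 40211
10.0.0.5 - - [12/Mar/2019:10:03:09 +0000] "GET /itplus/FileStorage/302/shell.jsp HTTP/1.1" 200 1834
10.0.0.5 - - [12/Mar/2019:10:03:30 +0000] "GET /itplus/FileStorage/302/shell.jsp?cmd=id HTTP/1.1" 200 211
10.0.0.9 - - [12/Mar/2019:10:04:02 +0000] "GET /itplus/FileStorage/302/notes.pdf HTTP/1.1" 200 9013
10.0.0.5 - - [12/Mar/2019:10:05:44 +0000] "POST /itplus/FileStorage/305/Backdoor.JSPX HTTP/1.1" 404 0
"""

FILESTORAGE_PREFIX = "/itplus/FileStorage/"
SERVER_SIDE_EXTS = {"jsp", "jspx", "jspf", "jsw", "jsv", "war", "php", "phtml", "asp", "aspx"}

CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def is_server_side_name(name: str) -> bool:
    """True when a bare filename ends in an extension the container would execute."""
    return "." in name and name.rsplit(".", 1)[1].lower() in SERVER_SIDE_EXTS

def is_served_script(target: str) -> bool:
    """True when a request target under the attachment store names a server-side script."""
    path = target.split("?", 1)[0]          # ignore the query string
    if not path.startswith(FILESTORAGE_PREFIX):
        return False
    return is_server_side_name(path.rsplit("/", 1)[-1])

def find_served_scripts(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (ip, timestamp, target, status) for each request that hit a script in the store.
    Any method is reported: a web shell may be driven by POST as well as GET."""
    hits = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if m and is_served_script(m["target"]):
            hits.append((m["ip"], m["ts"], m["target"], m["status"]))
    return hits

def flag_stored_scripts(relative_paths: Iterable[str]) -> List[str]:
    """Filter store-relative paths (e.g. "302/shell.jsp") down to server-side scripts."""
    return [p for p in relative_paths if is_server_side_name(p.rsplit("/", 1)[-1])]

def scan_store(root: str) -> List[str]:
    """Walk the on-disk attachment store (location assumed) and list script files."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        found.extend(flag_stored_scripts(
            (f if rel == "." else f"{rel}/{f}") for f in files))
    return found

if __name__ == "__main__":
    for ip, ts, target, status in find_served_scripts(SAMPLE_LOG):
        print(f"{ts} {ip} {status} {target}")
    print(flag_stored_scripts(["302/shell.jsp", "302/screenshot.png", "305/Backdoor.JSPX"]))
```

A 200 on a .jsp under the store is the strongest signal, since it means the container executed the file; 404s are still worth keeping because they show someone probing for a shell that was cleaned up or never landed.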