ManageEngine AssetExplorer Authenticated Command Execution

ManageEngine AssetExplorer versions prior to 6.5 (6503) suffer from an authenticated remote command execution vulnerability.


MD5 | 7b8d9baa42ea19829e2e131700345178

XL-2020-004 - Asset Explorer (Windows & Linux) - Authenticated Command Execution

===============================================================================



Identifiers

-------------------------------------------------

* CVE-2019-19034

* XL-20-004



CVSSv3 score

-------------------------------------------------

7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)



Vendor

-------------------------------------------------

ManageEngine - [https://www.manageengine.com/products/asset-explorer/](https://www.manageengine.com/products/asset-explorer/)



Product

-------------------------------------------------

ManageEngine AssetExplorer is a web-based IT Asset Management (ITAM) software that helps you monitor and manage assets in your network from Planning phase to Disposal phase. AssetExplorer provides you with a number of ways to ensure discovery of all the assets in your network. You can manage software & hardware assets, ensure software license compliance and track purchase orders & contracts - the whole nine yards! AssetExplorer is very easy to install and works right out of the box.



Affected versions

-------------------------------------------------

- All versions prior to 6.5 (6503)



Credit

-------------------------------------------------

Sahil Dhar - xen1thLabs - Software Labs



Vulnerability summary

-------------------------------------------------

ManageEngine Asset Explorer application does not validate System Center Configuration Manager (SCCM) database username when dynamically generating a command to schedule scans for SCCM. The vulnerability allows an attacker to execute arbitrary commands on the AssetExplorer Server with NT AUTHORITY/SYSTEM privileges.



Technical details

-------------------------------------------------

The username is concatenated to the system command on line `143` and `144` of `SccmTask.java` from `AdventNetAsset.jar` package, before being executed through the `exec()` method from `java.lang.Runtime` class on line `147` or `149`.



The following code snippet displays the vulnerable souce code:



```java

/*

Package Name: AdventNetAsset.jar

FileName: SccmTask.java

*/

123: prop.setProperty("hostName", sccmHostName);

124: prop.setProperty("databaseName", sccmDbName);

125: prop.setProperty("domain", "-".equals(sccmDomain) ? "" : sccmDomain);

126: prop.setProperty("username", sccmUserName);

127: prop.setProperty("port", sccmPortNum);

128: prop.setProperty("password", Encoder.convertFromBase(sccmPassword));

129:

130: DBConnectorUtil connectionTester = new DBConnectorUtil(prop, false);

131:

132: HashMap<String, Object> auditStart = new HashMap();

133: auditStart.put("sccmId", sccmConfigId);

134: auditStart.put("sccmName", sccmName);

135: auditStart.put("startTime", new Timestamp(startTime.longValue()));

136: auditStart.put("auditToken", auditId);

137: SCCMUtil.updateSCCMScanStartAudit(auditStart);

138:

140: if (connectionTester.testConnection())

141: {

142: logger.log(Level.INFO, "Connection has been established with the required SCCM");

143: String runSccmWindows = "SCCMScheduler.bat " + sccmDomain + " " + sccmPortNum + " " + sccmDbName + " " + sccmHostName + " " + sccmUserName + " " + sccmPassword + " " + sccmConfigId.toString() + " " + auditId + " " + siteId + " " + auditURL;

144: String runSccmLinux = "sh SCCMScheduler.sh " + sccmDomain + " " + sccmPortNum + " " + sccmDbName + " " + sccmHostName + " " + sccmUserName + " " + sccmPassword + " " + sccmConfigId.toString() + " " + auditId + " " + siteId + " " + auditURL;

145: if (System.getProperty("os.name").indexOf("Windows") != -1)

146: {

147: Runtime.getRuntime().exec(runSccmWindows);

148: } else {

149: Runtime.getRuntime().exec(runSccmLinux);

150: }

151: logger.log(Level.INFO, "SCCM Scanner is lauched. Log file is created in directory: ROOT/logs/SCCMLogs/");

152: }

```



Proof of concept

-------------------------------------------------

1. Set `| calc.exe &` as a username of one of the databases of the SCCM database server.

2. Authenticate to the application with Administrator credentials and navigate to Admin > Discovery > Crdential Library.

3. Add one SCCM credential with authentication mode as SQL and username as `| calc.exe &` and password for SCCM database server.

4. Navigate to SCCM integration, fill in the required parameters and select the credentials added in `step 3` and schedule a scan.

5. Observe that the application executes `calc.exe` with NT AUTHORITY/SYSTEM privileges.





Solution

-------------------------------------------------

This issue is fixed in ManageEngine AssetExplorer 6.6 version.





Timeline

-------------------------------------------------

15-09-2019 - Reported to vendor

17-09-2019 - Vendor acknowledgement

21-11-2019 - Patch released

13-05-2020 - xen1thLabs public disclosure






Related Posts