[R2] ManageEngine OpManager / Service Desk Multiple Vulnerabilities

#1: CVE-2016-82014: Operations Manager - An SQL injection flaw was reported to ManageEngine on 2014/08/19 by Andrea Micalizzi (rgod), affecting version 11.3 and 11.4 of ManageEngine OpManager, and said to be patched in version 11.5 on 2014/11/10. This issue was assigned CVE-2014-7867, summarized as "ManageEngine OpManager /servlet/APMBVHandler OPM_BVNAME Parameter SQL Injection". While working on detection plugins for the Nessus vulnerability scanner, one of our research engineers discovered that the patch for this issue does not fully mitigate the problem. The other two SQL injection issues reported at the same time appear to be fully patched now in version 11.5.

The issue is due to the patch being a direct response to the original exploit string:

POST /servlet/APMBVHandler?OPERATION_TYPE=Delete&OPM_BVNAME=aaa'%3bcreate+table+pulicia+(bolas+text)%3b--+

The patch to the getDevicesInBusinessView() function in DeviceDetailsUtil.class of OpManagerServerClasses.jar was modified as such:

        System.out.println("update view:" + bool);
        if (str1.toLowerCase().indexOf("create table") != -1) {
          try
          {
            paramHttpServletResponse.sendError(403, "Probe name to be added/updated is not a valid one");
            return;
          }
          catch (Exception localException2) {}

Thus, if an exploit is crafted that uses SQL syntax other than 'create table', it still works.

#2: CVE-2016-82015: Operations Manager - During internal testing of our detection plugin, the same engineer noticed that there is a reflected cross-site scripting (XSS) vulnerability in the OPM_BVNAME parameter of the APMBVHandler servlet, that displays the injected content without filtering in the ViewName property. This affects versions 11.3, 11.4, and 11.5 of ManageEngine OpManager, but the patch provided for the SQL injection issues also fixes this, and version 11.5 is not affected when the patch is applied.

#3: Service Desk - On January 23, 2015, two enumeration issues were reported to be fixed in ManageEngine Service Desk:

117583 2015-01-23 ManageEngine Service Desk /servlet/AJaxServlet Multiple Action Remote Username Enumeration
117584 2015-01-23 ManageEngine Service Desk /domainServlet/AJaxDomainServlet searchLocalAuthDomain Action Remote User / Domain Enumeration

These were reported to be fixed in version 9.0 Build 9031. However, internal testing by one of our engineers indicates that in versions 9.0 Build 9031 and 9.0 Build 9045, the AjaxDomainServlet issue is not patched. It appears that the fix removes the JavaScript that auto-fills out the domain on the login form, but the public facing servlet is left in place. This allows a remote attacker to invoke the servlet directly to enumerate a user and their domain.