Product & Vendor Context
ManageEngine which is a division in Zoho Corp. creates IT management software and tools. The company is a major player in IT management with over 90 tools, and 3 million users served in over 190 countries.
Two of ManageEngine's popular products are it's network firewall analyzer and network monitoring software respectively named ManageEngine Firewall Analyzer and ManageEngine OpManager. Vulnerability CVE-2019-17421 affects both (and possibly more) of these products.
After I set these programs as my research targets, I installed their free trial version, and began mapping out the attack surface. The first thing I noticed is that the program runs as root. This is great for our purposes as this means any local vulnerability will lead to LPE (Local Privilege Escalation). To achieve my goal of finding a security bug, I am no longer limited to only the remotely accessible attack surface.
Next, I found the program defaultly installs its files to
/opt/ManageEngine/OpManager/. I checked the file permissions on files in that specific folder and found they are appropriately set: only root can modify them, but anyone can run them.
I could have continued on to the next attack surface, however I didn’t want to leave any stone unturned. Maybe there was a file hiding away in a folder or even two levels of folders that is writable by a non-root user. I ran a simple recursive query to find all the files writable from my current (non root) user.
Wow, we found files that are writable by non-root users! After examining
/opt/ManageEngine/OpManager/Nipper/nipper I realized that not only is the file writable by any user, it is also an executable file! This is a severe security bug since this means when the OpManger/Firewall Analyzer runs as root and executes nipper from this file, the file will also run as root - if we insert malicious code into the file, we now have our malicious code running as root!
The exploit is very straightforward - we simply write our malicious payload to
/opt/ManageEngine/OpManager/Nipper/nipper and wait for nipper to be executed. This happens when nipper is used in OpManager’s or Firewall Analyzer’s “network audit” functionality which can be triggered manually or on a preset schedule.
Sept. 8 - I disclose bug to Zoho Sept. 9 - Zoho confirms bug disclosure received Sept. 25 - I ask for an update Sept. 25 - Zoho updates they have confirmed bug and are working on a fix Oct. 10 - I update Zoho’s bug ticket with CVE-2019-17421 Oct. 31 - Zoho updates they have published a fix in the latest release, documented it in the readme (build 124099), and award me 20 BugBounty points