An issue was discovered in Zoho ManageEngine EventLog Analyzer 10.0 SP1 before Build 12110. By running "select hostdetails from hostdetails" at the /event/runquery.do endpoint, it is possible to bypass the security restrictions that prevent even administrative users from viewing credential data stored in the database, and recover the MD5 hashes of the accounts used to authenticate the ManageEngine platform to the managed machines on the network (most often administrative accounts). Specifically, this bypasses these restrictions: a query cannot mention password, and a query result cannot have a password column.
References
Link | Resource |
---|---|
http://packetstormsecurity.com/files/156485/ManageEngine-EventLog-Analyzer-10.0-Information-Disclosure.html | Exploit Third Party Advisory VDB Entry |
https://gist.github.com/scottgoodwin90/19ccecdc9f5733c0a9381765cfc7fe39 | Third Party Advisory |
https://www.manageengine.com/products/eventlog/features-new.html#release | Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2019-12-13T18:00:22
Updated: 2020-02-24T10:06:09
Reserved: 2019-12-12T00:00:00
Link: CVE-2019-19774
JSON object: View
NVD Information
Status : Analyzed
Published: 2019-12-13T18:15:11.340
Modified: 2023-02-15T02:32:17.053
Link: CVE-2019-19774
JSON object: View
Redhat Information
No data.
CWE