Target 🎯

ManageEngine OpManager and ManageEngine Firewall Analyzer (free trial installations, running as root)

Vendor 🏭

Zoho Corp. (ManageEngine division)

Products 💿

ManageEngine OpManager, ManageEngine Firewall Analyzer (and possibly more)

Vulnerability ⚡

CVE-2019-17421: the bundled nipper binary, /opt/ManageEngine/OpManager/Nipper/nipper, is world writable and is executed as root, so any local user can escalate to root.

ManageEngine, a division of Zoho Corp., creates IT management software and tools. The company is a major player in IT management, with over 90 tools and 3 million users served in over 190 countries. Two of ManageEngine's popular products are its network firewall analyzer and its network monitoring software, named ManageEngine Firewall Analyzer and ManageEngine OpManager respectively. Vulnerability CVE-2019-17421 affects both of these products (and possibly more).

After I set these programs as my research targets, I installed their free trial versions and began mapping out the attack surface. The first thing I noticed is that the program runs as root. This is great for our purposes: any local vulnerability will lead to LPE (Local Privilege Escalation), so in looking for a security bug I am no longer limited to the remotely accessible attack surface.

Next, I found that the program installs its files by default to /opt/ManageEngine/OpManager/. I checked the file permissions on the files in that folder and found they are appropriately set: everyone can execute them, but only root can modify them.

File permissions appropriately set - everyone can execute but only root can modify

I could have moved on to the next attack surface, but I didn't want to leave any stone unturned. Maybe a file hiding one or even two folder levels down was writable by a non-root user. I ran a simple recursive query to find all the files writable by my current (non-root) user.

Finding an inadequately protected file

Wow, we found files that are writable by non-root users! After examining /opt/ManageEngine/OpManager/Nipper/nipper, I realized that not only is the file writable by any user, it is also an executable file 🙉.

nipper is a world writable executable file

This is a severe security bug: when OpManager/Firewall Analyzer runs as root and executes nipper from this file, the file also runs as root. If we insert malicious code into the file, we now have our malicious code running as root!

Exploit 🐱‍💻

The exploit is very straightforward: we simply write our malicious payload to /opt/ManageEngine/OpManager/Nipper/nipper and wait for nipper to be executed. This happens when nipper is used in OpManager's or Firewall Analyzer's "network audit" functionality, which can be triggered manually or on a preset schedule.

Timeline 📅

Sept. 8 - I disclose the bug to Zoho
Sept. 9 - Zoho confirms receipt of the bug disclosure
Sept. 25 - I ask for an update
Sept. 25 - Zoho replies that they have confirmed the bug and are working on a fix
Oct. 10 - I update Zoho's bug ticket with CVE-2019-17421
Oct. 31 - Zoho reports they have published a fix in the latest release, documented it in the readme (build 124099), and award me 20 BugBounty points
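The root cause above is a file that is both world writable and executed by a root process. As an added defender's check, not code from the original writeup or from Zoho, the following POSIX shell script audits an install tree for exactly that pattern (regular files with the others-write bit and any execute bit set) and, with --fix, strips the group/other write bits while keeping execute. The install path is the one named in this writeup; INSTALL_ROOT, the two function names and the --fix flag are my own assumptions, and the recursive query the author actually ran is not reproduced here.

```shell
#!/bin/sh
# Added audit example (not part of the original writeup). It looks for the
# pattern behind CVE-2019-17421: a file that any local user can modify and that
# a privileged service later executes. INSTALL_ROOT is an assumption; override
# it with the environment variable if the product is installed elsewhere.
INSTALL_ROOT="${INSTALL_ROOT:-/opt/ManageEngine/OpManager}"

# Print every regular file under $1 that is world-writable (others-write bit)
# AND has at least one execute bit. -xdev keeps the scan on one filesystem.
find_world_writable_executables() {
    find "$1" -xdev -type f -perm -0002 \
        \( -perm -0100 -o -perm -0010 -o -perm -0001 \) 2>/dev/null
}

# Remediate each finding by removing group and other write permission; the
# execute bits are left alone so the service can still run the file.
# Prints each path it changed.
lock_down_world_writable_executables() {
    find_world_writable_executables "$1" | while IFS= read -r f; do
        chmod go-w "$f" && printf '%s\n' "$f"
    done
}

# Stand-alone use: report by default, remediate with --fix. Skipped silently
# when the install tree does not exist on this host.
if [ -d "$INSTALL_ROOT" ]; then
    if [ "${1:-}" = "--fix" ]; then
        lock_down_world_writable_executables "$INSTALL_ROOT"
    else
        find_world_writable_executables "$INSTALL_ROOT"
    fi
fi
```

Run it as an unprivileged user first: anything it prints is a file that user could already replace. Removing the write bits closes this instance, but the durable fix is for the installer and upgrade scripts to ship executables owned by root with mode 0755, which is what the vendor's fixed build is expected to do.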