Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.MANAGEENGINE_OPMANAGER_DEFAULT_CREDS.NASL
HistoryFeb 16, 2015 - 12:00 a.m.

ManageEngine OpManager Default Credentials

2015-02-1600:00:00
This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
1146

CVSS2

9

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

EPSS

0.897

Percentile

98.8%

JSON

The remote ManageEngine OpManager web administration interface uses a known set of hard-coded default credentials. An attacker can use these to gain administrative access to the remote host.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(81380);
  script_version("1.10");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");

  script_cve_id("CVE-2015-7765");
  script_xref(name:"EDB-ID", value:"38174");
  script_xref(name:"EDB-ID", value:"38221");

  script_name(english:"ManageEngine OpManager Default Credentials");
  script_summary(english:"Attempts to login with default credentials.");

  script_set_attribute(attribute:"synopsis", value:
"The application hosted on the remote web server uses a default set of
known credentials.");
  script_set_attribute(attribute:"description", value:
"The remote ManageEngine OpManager web administration interface uses a
known set of hard-coded default credentials. An attacker can use these
to gain administrative access to the remote host.");
  # https://pitstop.manageengine.com/portal/kb/articles/pgsql-submitquery-do-vulnerability
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?cab0ef7c");
  # https://packetstormsecurity.com/files/133582/ManageEngine-OpManager-11.5-Hardcoded-Credential-SQL-Bypass.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5f76ba3d");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2015/Sep/66");
  script_set_attribute(attribute:"solution", value:
"Apply the patch referenced in the vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:ND");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-7765");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"d2_elliot_name", value:"ManageEngine OpManager SQL Injection");
  script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'ManageEngine OpManager Remote Code Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/09/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/07/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/02/16");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:zohocorp:manageengine_opmanager");
  script_set_attribute(attribute:"default_account", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("manageengine_opmanager_detect.nbin");
  script_require_keys("installed_sw/ManageEngine OpManager");
  script_exclude_keys("global_settings/supplied_logins_only");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("url_func.inc");
include("webapp_func.inc");

function check_login(user,pass,port)
{
  local_var res,post;
  clear_cookiejar();

  post = 'clienttype=html&'+
         'isCookieADAuth=&'+
         'domainName=NULL&'+
         'authType=localUserLogin&'+
         'webstart=&'+
         'ScreenWidth=1672&'+
         'ScreenHeight=502&'+
         'userName='+user+'&'+
         'password='+pass+'&'+
         'signInAutomatically=off&'+
         'uname=';

  res = http_send_recv3(
    port         : port,
    method       : 'POST',
    item         : "/jsp/Login.do",
    data         : post,
    content_type : "application/x-www-form-urlencoded",
    exit_on_fail : TRUE
  );

  # We're authenticated now, get about page
  res = http_send_recv3(
    method       : "GET",
    port         : port,
    item         : "/licenseInfo.do?methodCall=showAboutPage",
    exit_on_fail : TRUE
  );

  if (empty_or_null(res) || "403" >< res[0]) return FALSE;
  #Confirm
  if("Build Number" >< res[2] && "License Type" >< res[2]) return TRUE;
  return FALSE;
}

if (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);

app = "ManageEngine OpManager";
get_install_count(app_name:app, exit_if_zero:TRUE);
port     = get_http_port(default:80);
install  = get_single_install(app_name:app,port:port);

url      = build_url(port:port, qs:install["path"]);
creds    = make_array("admin","admin", "IntegrationUser","plugin");
logincgi = "/jsp/Login.do";
report = "";

# Check each potential credential
foreach cred (keys(creds))
{
  if (check_login(user:cred,pass:creds[cred],port:port))
  {
    report += '\n  Username : ' + cred +
              '\n  Password : ' + creds[cred] ;
    if (cred == "IntegrationUser")
    {
      report += '\n  Fix: Contact the vendor for a patch.' ;
    }
    report +=   '\n';
  }
}
if (report != "")
{
  if (report_verbosity > 0)
  {
    header  = 'Nessus was able to gain access using the following URL';
    trailer = 'and the following set of credentials :\n' + report;
    report  = get_vuln_report(
      items   : logincgi,
      port    : port,
      header  : header,
      trailer : trailer
    );
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
}
else audit(AUDIT_WEB_APP_NOT_AFFECTED, app, url);

Related

nvd 1
cve 1
prion 1
cvelist 1
metasploit 1
checkpoint_advisories 1
openvas 1
dsquare 1
exploitdb 1
nvd
nvd
CVE-2015-7765
2015-10-09 14:59:06
cve
cve
CVE-2015-7765
2015-10-09 14:59:06
prion
prion
Hardcoded credentials
2015-10-09 14:59:00
cvelist
cvelist
CVE-2015-7765
2015-10-09 14:00:00
metasploit
metasploit
ManageEngine OpManager Remote Code Execution
2015-09-16 16:43:09
checkpoint_advisories
checkpoint_advisories
ManageEngine OpManager SubmitQuery IntegrationUser SQL Code Execution (CVE-2015-7765; CVE-2015-7766)
2015-11-24 00:00:00
openvas
openvas
ManageEngine OpManager <= 11.6 Multiple Vulnerabilities - Active Check
2015-09-16 00:00:00
dsquare
dsquare
ManageEngine OpManager SQL Injection
2018-02-22 00:00:00
exploitdb
exploitdb
ManageEngine OpManager - Remote Code Execution (Metasploit)
2015-09-17 00:00:00

CVSS2

9

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

EPSS

0.897

Percentile

98.8%

JSON
Related for MANAGEENGINE_OPMANAGER_DEFAULT_CREDS.NASL
nvd1cve1prion1cvelist1metasploit1checkpoint_advisories1openvas1dsquare1exploitdb1