Sahil Dhar Application Security and Exploitation all day everyday.

CVE-2019-19034 Manage Engine Asset Explorer - Authenticated Command Execution Vulnerability


The ManageEngine AssetExplorer application does not validate the SCCM database username when it dynamically builds the command used to schedule SCCM scans. This allows an attacker to execute arbitrary commands on the AssetExplorer server with NT AUTHORITY/SYSTEM privileges.

Identifiers

  • CVE-2019-19034

CVSSv3 score

7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Vendor

Manage Engine - https://www.manageengine.com/products/asset-explorer/

Product

ManageEngine AssetExplorer is a web-based IT Asset Management (ITAM) software that helps you monitor and manage assets in your network from Planning phase to Disposal phase. AssetExplorer provides you with a number of ways to ensure discovery of all the assets in your network. You can manage software & hardware assets, ensure software license compliance and track purchase orders & contracts - the whole nine yards! AssetExplorer is very easy to install and works right out of the box.

Affected versions

  • All versions prior to 6.5 (6503)

Vulnerability summary

The ManageEngine AssetExplorer application does not validate the SCCM database username when it dynamically builds the command used to schedule SCCM scans. This allows an attacker to execute arbitrary commands on the AssetExplorer server with NT AUTHORITY/SYSTEM privileges.

Technical details

The username is concatenated into the system command on lines 143 and 144 of SccmTask.java (from the AdventNetAsset.jar package), and that command string is then executed through the exec() method of the java.lang.Runtime class on line 147 (Windows) or 149 (other platforms).

The following code snippet shows the vulnerable source code:

/*
Package Name: AdventNetAsset.jar
FileName: SccmTask.java
*/
123:        prop.setProperty("hostName", sccmHostName);
124:        prop.setProperty("databaseName", sccmDbName);
125:        prop.setProperty("domain", "-".equals(sccmDomain) ? "" : sccmDomain);
126:        prop.setProperty("username", sccmUserName);
127:        prop.setProperty("port", sccmPortNum);
128:        prop.setProperty("password", Encoder.convertFromBase(sccmPassword));
129:        
130:        DBConnectorUtil connectionTester = new DBConnectorUtil(prop, false);
131:        
132:        HashMap<String, Object> auditStart = new HashMap();
133:        auditStart.put("sccmId", sccmConfigId);
134:        auditStart.put("sccmName", sccmName);
135:        auditStart.put("startTime", new Timestamp(startTime.longValue()));
136:        auditStart.put("auditToken", auditId);
137:        SCCMUtil.updateSCCMScanStartAudit(auditStart);
138:        
140:        if (connectionTester.testConnection()) 
141:        {
142:          logger.log(Level.INFO, "Connection has been established with the required SCCM");
143:          String runSccmWindows = "SCCMScheduler.bat " + sccmDomain + " " + sccmPortNum + " " + sccmDbName + " " + sccmHostName + " " + sccmUserName + " " + sccmPassword + " " + sccmConfigId.toString() + " " + auditId + " " + siteId + " " + auditURL;
144:          String runSccmLinux = "sh SCCMScheduler.sh " + sccmDomain + " " + sccmPortNum + " " + sccmDbName + " " + sccmHostName + " " + sccmUserName + " " + sccmPassword + " " + sccmConfigId.toString() + " " + auditId + " " + siteId + " " + auditURL;
145:          if (System.getProperty("os.name").indexOf("Windows") != -1)
146:          {
147:            Runtime.getRuntime().exec(runSccmWindows);
148:          } else {
149:            Runtime.getRuntime().exec(runSccmLinux);
150:          }
151:          logger.log(Level.INFO, "SCCM Scanner is lauched. Log file is created in directory: ROOT/logs/SCCMLogs/");
152:        }
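The root cause above is that untrusted values are spliced into a single command string that is then handed to Runtime.exec(); because SCCMScheduler.bat is run by cmd.exe, which expands its %1..%n parameters unquoted, even passing discrete arguments is not sufficient on its own. The following hardened builder is an added example (not ManageEngine's code): it rejects any scheduler argument containing characters outside a strict allowlist before the command is assembled, and uses ProcessBuilder instead of a concatenated string. The class name SccmCommandBuilder, the method names and the SAFE_TOKEN pattern are assumptions for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Added example (not ManageEngine code): one way to harden the command
// construction shown on lines 143/144. Names here are hypothetical.
public class SccmCommandBuilder {

    // Allowlist for values that end up as batch-file parameters. Because
    // SCCMScheduler.bat runs under cmd.exe, which expands %1..%n unquoted,
    // an argument array alone does not help: any cmd metacharacter
    // (| & < > ^ % etc.) in a value must be rejected before exec.
    // Backslash and @ are allowed for DOMAIN\user and user@domain forms.
    private static final Pattern SAFE_TOKEN =
            Pattern.compile("^[A-Za-z0-9._\\\\@-]{1,128}$");

    static String validateToken(String name, String value) {
        if (value == null || !SAFE_TOKEN.matcher(value).matches()) {
            throw new IllegalArgumentException(
                    "Rejected " + name + ": characters not allowed in a scheduler argument");
        }
        return value;
    }

    // Hardened shape: validate every user-controlled field first, then pass
    // discrete arguments via ProcessBuilder instead of one shell-like string.
    // (Runtime.exec(String) only splits on whitespace, so "| calc.exe &"
    // would otherwise become three extra batch parameters.)
    static List<String> hardenedCommand(String sccmDomain, String sccmPortNum,
                                        String sccmDbName, String sccmHostName,
                                        String sccmUserName) {
        List<String> cmd = new ArrayList<>();
        cmd.add("SCCMScheduler.bat");
        cmd.add(validateToken("domain", sccmDomain));
        cmd.add(validateToken("port", sccmPortNum));
        cmd.add(validateToken("databaseName", sccmDbName));
        cmd.add(validateToken("hostName", sccmHostName));
        cmd.add(validateToken("username", sccmUserName));
        return cmd; // new ProcessBuilder(cmd).start() would launch it
    }

    public static void main(String[] args) {
        // Constructed sample values; nothing is executed here.
        System.out.println(hardenedCommand("-", "1433", "CM_P01", "sccm01", "svc_sccm"));
        try {
            hardenedCommand("-", "1433", "CM_P01", "sccm01", "| calc.exe &");
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage()); // the advisory's payload is refused
        }
    }
}
```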

Proof of concept

  1. Set "| calc.exe &" as the username of one of the databases on the SCCM DB server.

  2. Log in to the application with Admin credentials and navigate to Admin > Discovery > Credential Library.

  3. Add one SCCM credential with the authentication mode set to SQL, the username "| calc.exe &" and the password for the SCCM DB server.

  4. Navigate to SCCM integration, fill in the required parameters, select the credentials added in step 3 and schedule a scan.

  5. Observe that the application executes calc.exe with NT AUTHORITY/SYSTEM privileges.

Timeline

Date          Status
15-SEPT-2019  Reported to vendor
17-SEPT-2019  Vendor acknowledgement
21-NOV-2019   Patch released
22-DEC-2020   Public disclosure