Over six months ago, the team at Xiphos Research found a critical vulnerability with the ManageEngine Asset Explorer Agent produced by Zoho Corporation. Since reporting the vulnerability (and providing technical assistance and proof of concept code) Zoho have seemingly steadfastly ignored the vulnerability discovered and issued a number of product releases and updates that have left it unaddressed. Owing to the absence of vendor response (and seemingly understanding) we have taken the decision to publish details in the hope that users of Zoho ManageEngine can be aware of the threat and mitigate against it.
The ManageEngine Asset Explorer Agent accepts by default commands via TCP port 9000. Additionally it has the hard coded authentication of ‘bala’ (Spanish for bullet hence the snappy title of this post). Once authenticated to the Asset Explorer Agent an attacker can launch the version of ZohoMeeting.exe that is used by Asset Explorer for remote control as SYSTEM, which accepts connections on port 10443. The ZohoMeeting executable which is bundled with Asset Explorer is riddled with stack overflow conditions, and attackers can trivially exploit these to take control of affected systems.
Using the vulnerabilities detailed, Xiphos were able to give one of our clients quite a bad day, but since their discovery in May of this year, we have unfortunately endured a few ourselves, which in honesty is also a motivator for this post. Now the first thing to make apparent, is that Zoho Corp are not a small vendor. They have been active in one way or another since 1996, and their own website boasts that ManageEngine is utilised by over 120,000 global customers (a full list of which they publish at https://www.manageengine.com/customers.html). Depending upon the configuration of their customers estate, the use of ManageEngine may well be placing them in jeopardy. We have attempted since discovery of this vulnerability to work with Zoho to help them protect their customer base. Seemingly Zoho have better things to do. We however, do not.
If you use ManageEngine Asset Explorer Agent lock down your firewalls on port 9000. If you absolutely must use the ZohoMeeting executable (and allow it to be invoked by third party program components) lock down TCP port 10443. We sadly cannot rectify the use of hard coded authentication and code quality that is less than robust, and neither can Zoho Corporations users. One potential solution may be to add Asset Explorer to a list of programs for which non-executable stacks are enforced. You can however hopefully enact those changes on your estate and minimise the impact of this vulnerability.
One challenge that has presented itself when pursuing this vulnerability with Zoho is their lack of contact over protracted periods of time. Zoho Corp has published bug bounty programs with Open Bug Bounty and indeed has one of their own as listed on their website via https://www.zoho.com/security/bug-bounty.html). A number of researchers have provided details of vulnerabilities within Zoho’s software suites however the majority of these appear to be based around cross site scripting (XSS). Although Zoho were approached directly with a critical vulnerability that allow for remote code execution in May of this year, they didn’t mention any bug bounty scheme and it was up to us to find it out. Thankfully, we are a bit odd, and don’t find vulnerabilities for profit, so we have never mentioned it to them. Conversely as highlighted, Zoho have never in six months of communication deigned to discuss this program, which may be indicative either of a lack of internal communication, shoddy management, or more cynically, providing the illusion of concern about security and openness.
According to Zoho’s own blurb on their bug bounty “at Zoho, keeping customers' data secure is our number one priority” however, based on our experience with them this is not seemingly the case. Since this vulnerability was reported in May, Zoho have pushed a number of updates to both ZohoMeeting and ManageEngine Asset Explorer Agent none of which address the flaws reported. Credentials are still hard coded, commands can still be issued, stack overflows can still be created. There has seemingly been either an internal breakdown of gargantuan proportions, or the priorities of this particular vendor have shifted considerably.
Now, some of you reading this may think that this smacks somewhat of a research company (namely us) whining. This really isn’t the case. If the impact of this vulnerability was not so critical, there would actually be humour in this. After all, a SYSTEM level RCE that can lead to complete ownership of an impacted host is not worthy for a bug bounty but reflected XSS is? What our experience does show is that Zoho Corp seemingly care more about mouthing reassuring platitudes than they do in actually assuring the integrity and security of their customers data. As highlighted in this post (and indeed in many others) we at Xiphos however do care about assurance. It is actually massively disingenuous and cynical to knowingly expose customers to risk and not provide a fix. This is why following the posting of the vulnerability and publication of this post, we will be contacting as many of Zoho’s customers as we can and letting them know the risks they face when choosing to utilise ManageEngine Asset Explorer Agent and more importantly what they can do about it. Not for a bounty. Not for a fee. But because we (seemingly unlike this particular vendor) have a moral imperative to assist with improving security as best we can.
More details of the vulnerabilities discovered and a working PoC can be found via our company GitHub at: https://github.com/XiphosResearch/exploits/tree/AssetExploder/AssetExploder
PS: As with the vulnerability we disclosed in LifeSize, those impacting Zoho were deemed beyond CVE assignation by MITRE too. It seems that unless vulnerabilities can be found in their supported products, no CVE is presently being assigned regardless of the scale, impact, or seriousness of them. Which is fun.