Full Report
Password Manager Pro is a secure vault for storing and managing shared sensitive information such as passwords, documents, and digital identities of enterprises. A user can access the web console via three different services. When a request to add a resource is made, a partially built SQL statement is completed by find-and-replace, which drops the resource name from the request straight into the statement. Because the text is never verified, this creates a SQL injection issue on later calls that use the statement. The vulnerability requires authentication but leads to arbitrary SQL code executing as SYSTEM on Windows. Overall, the bug explanation is okay... they seem to go too deep on things that don't matter, like the specifics of the HTTP protocol. Fun bug though! SQL injection is alive and well in 2022!
Analysis Summary
# Vulnerability: SQL Injection in ManageEngine Privileged Access Management Software
## CVE Details
- CVE ID: CVE-2022-40300
- CVSS Score: Not explicitly provided, but exploitation leads to arbitrary SQL execution as SYSTEM.
- CWE: CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))
## Affected Systems
- Products: Password Manager Pro, PAM360, Access Manager Plus
- Versions: Specific pre-patch versions are not listed; fixed builds were released in September 2022 and immediate patching was required.
- Configurations: Authenticated access required (User with admin privileges to access the web console).
## Vulnerability Description
The vulnerability is an authenticated SQL Injection flaw existing within the `AutoLogonHelperUtil` class across multiple ManageEngine products. When an authenticated user attempts to add or edit a resource type via the web interface (POSTing to endpoints like `AddResourceType.ve`), the input for the resource name (carried in the `resourceType` parameter of a `multipart/form-data` request) is used directly to build a partial SQL statement within the `getOSTypeCriteria()` method. This partial statement is intended to look like `PTRX_OSTYPE in (, , ..., )`. Because there is no proper sanitization or verification on the input text, an attacker can inject arbitrary SQL code, leading to database compromise.
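To make the mechanism concrete, here is an added Python/sqlite3 model (not code from the advisory or from ManageEngine) of the find-and-replace pattern described above beside a parameterized replacement. The table name, `PTRX_RESOURCEID`, the `@@` slot marker and the sample rows are assumptions; only `PTRX_OSTYPE` comes from the report.

```python
import sqlite3

# Constructed stand-in for the resource table; the table name and PTRX_RESOURCEID
# are assumptions, PTRX_OSTYPE is the column named in the advisory.
SCHEMA = "CREATE TABLE ptrx_resource (PTRX_RESOURCEID INTEGER, PTRX_OSTYPE TEXT)"
ROWS = [(1, "Windows"), (2, "Linux"), (3, "Cisco IOS")]

def build_criteria_vulnerable(os_types):
    """Model of the described pattern: a template 'PTRX_OSTYPE in (.., ..)' whose
    slots are filled by textual find-and-replace with no escaping or validation."""
    criteria = "PTRX_OSTYPE in (" + ", ".join(["'@@'"] * len(os_types)) + ")"
    for value in os_types:
        criteria = criteria.replace("@@", value, 1)  # raw request text lands in SQL
    return criteria

def query_vulnerable(conn, os_types):
    sql = ("SELECT PTRX_RESOURCEID FROM ptrx_resource WHERE "
           + build_criteria_vulnerable(os_types) + " ORDER BY PTRX_RESOURCEID")
    return [row[0] for row in conn.execute(sql)]

def query_safe(conn, os_types):
    """Hardened form: one bound '?' per value, so the values are data, not SQL."""
    if not os_types:
        return []
    placeholders = ", ".join("?" * len(os_types))
    sql = (f"SELECT PTRX_RESOURCEID FROM ptrx_resource WHERE PTRX_OSTYPE in "
           f"({placeholders}) ORDER BY PTRX_RESOURCEID")
    return [row[0] for row in conn.execute(sql, list(os_types))]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO ptrx_resource VALUES (?, ?)", ROWS)
    return conn

def demo():
    """Runs both builders on a benign list and on a constructed tautology input."""
    conn = make_db()
    benign = ["Windows", "Linux"]
    hostile = ["x') OR ('1'='1"]  # constructed: closes the IN list, appends an always-true clause
    return {
        "vuln_benign": query_vulnerable(conn, benign),    # [1, 2]
        "vuln_hostile": query_vulnerable(conn, hostile),  # [1, 2, 3]: every row matches
        "safe_benign": query_safe(conn, benign),          # [1, 2]
        "safe_hostile": query_safe(conn, hostile),        # []: treated as a literal name
    }
```

The vulnerable path returns every row for the hostile input because the quote and parenthesis escape the `IN` list; the bound-parameter path compares the same text as a literal value and matches nothing.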
## Exploitation
- Status: PoC plausible (implied by the researchers' detailed description of the mechanism; the report does not state whether a public PoC exists).
- Complexity: Medium (Requires authentication and knowledge of the internal request structure and vulnerable endpoint).
- Attack Vector: Network (Authenticated over HTTPS web console).
## Impact
- Confidentiality: High (Arbitrary SQL execution can lead to sensitive data exfiltration).
- Integrity: High (Arbitrary SQL execution can lead to data modification or corruption).
- Availability: High (Database compromise can lead to service unavailability).
**Note**: Successful exploitation executes arbitrary SQL code with the privileges of the database service, which runs as **SYSTEM** on Windows, significantly elevating the severity of the impact.
## Remediation
### Patches
- Patches were released by ManageEngine in September 2022 for Password Manager Pro, PAM360, and Access Manager Plus. Users must apply the relevant vendor updates.
### Workarounds
- The vendor offers no alternative workarounds; applying the updates is the only way to fully protect against these bugs.
## Detection
- Indicators of compromise: Presence of unexpected SQL syntax (e.g., single quotes, UNIONs, or command execution keywords) within database query logs corresponding to resource type creation/editing endpoints.
- Detection methods and tools: Network monitoring or WAF rules designed to detect unsanitized input containing SQL keywords being sent to application endpoints responsible for configuration changes (`AddResourceType.ve`, etc.). Special attention must be paid to HTTP requests using `multipart/form-data` encoding targeted at view/update controllers.
## References
- Vendor Advisory: manageengine.com/products/passwordmanagerpro/advisory/cve-2022-40300.html
- Vulnerability Report: https://www.zerodayinitiative.com/advisories/published/2022/11/23/cve-2022-40300-sql-injection-in-manageengine-privileged-access-management