# Exploit Title: ADManager Plus 7122 - Remote Code Execution (RCE)
# Exploit Author: Chan Nyein Wai & Thura Moe Myint
# Vendor Homepage: https://www.manageengine.com/products/ad-manager/
# Software Link: https://www.manageengine.com/products/ad-manager/download.html
# Version: ADManager Plus before 7122
# Tested on: Windows
# CVE: CVE-2021-44228
# Github Repo: https://github.com/channyein1337/research/blob/main/Ad-Manager-Plus-Log4j-poc.md
### Description

In the summer of 2022, I was doing a security engagement on the Synack Red Team together with my good friend Thura Moe Myint. By that time Log4Shell (CVE-2021-44228) was already widespread on the internet, and ManageEngine had already patched ADManager Plus against it, stating that ADManager Plus was not affected by the Log4j vulnerability. However, we found ADManager Plus running on our target and managed to exploit the Log4j vulnerability against it.
### Exploitation

First, capture a login request through a proxy (for example Burp Suite). Inject the Log4j JNDI lookup payload into the ```methodToCall``` parameter of the ```ADSearch.cc``` request. If the target is vulnerable, you will receive a DNS callback in your Burp Collaborator that contains the username the payload looked up.
### Notes

When we initially reported this vulnerability to Synack, we had only managed to get a DNS callback, so our report was classified as LDAP injection. We attempted to gain full RCE on the host but were not successful. Later, we discovered ADManager Plus running on another target, so we tried to get full RCE there. A firewall and an anti-virus product were running on that machine, so most of our payloads did not work. After spending a considerable amount of time, we eventually managed to bypass the firewall and anti-virus and achieve full RCE.
### Conclusion

We had already informed Zoho about the Log4j vulnerability, and even after it was fixed, they decided to reward us with a bonus bounty for our report.
### Mitigation

Updating to a version of ADManager Plus higher than 7122 should resolve the issue.