ManageEngine ADSelfService Build prior to 6003 – Remote Code Execution (Unauthenticated)

• Exploit Database
• 15 阅读

• 作者： Bhadresh Patel
  日期： 2020-08-10
• 类别：

  • webapps
  平台：

  • java
• 来源：https://www.exploit-db.com/exploits/48739/

• # Exploit Title: ManageEngine ADSelfService Plus 6000 – Unauthenticated Remote Code Execution
  # Date: 2020-08-08
  # Exploit Author: Bhadresh Patel
  # Vendor link: https://www.manageengine.com/company.html
  # Version: ADSelfService Plus build < 6003
  # CVE : CVE-2020-11552
  
  This is an article with PoC exploit video of ManageEngine ADSelfService
  Plus – Unauthenticated Remote Code Execution Vulnerability
  
  -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
  Title:
  ====
  ManageEngine ADSelfService Plus – Unauthenticated Remote Code Execution
  Vulnerability
  
  CVE ID:
  =======
  
  CVE-2020-11552
  
  Date:
  ====
  08/08/2020 (dd/mm/yyyy)
  
  Vendor:
  ======
  As the IT management division of Zoho Corporation, ManageEngine prioritizes
  flexible solutions that work for all businesses, regardless of size or
  budget.
  
  ManageEngine crafts comprehensive IT management software with a focus on
  making your job easier. Our 90+ products and free tools cover everything
  your IT needs, at prices you can afford.
  
  From network and device management to security and service desk software,
  we're bringing IT together for an integrated, overarching approach to
  optimize your IT.
  
  Vendor link: https://www.manageengine.com/company.html
  
  
  Vulnerable Product:
  ==============
  ManageEngine ADSelfService Plus is an integrated self-service password
  management and single sign on solution. This solution helps domain users
  perform self-service password reset, self-service account unlock, employee
  self-update of personal details (e.g., mobile numbers and photos) in
  Microsoft Windows Active Directory. ADSelfService Plus also provides users
  with secure, one-click access to all SAML-supported enterprise
  applications, including Office 365, Salesforce, and G Suite, through Active
  Directory-based single sign-on (SSO). For improved security, ADSelfService
  Plus offers Windows two-factor authentication for all remote and local
  logins. Administrators find it easy to automate password resets, account
  unlocks while optimizing IT expenses associated with help desk calls.
  
  Product link:
  https://www.manageengine.com/products/self-service-password/?meadsol
  
  Abstract:
  =======
  A remote code execution vulnerability exists in ManageEngine ADSelfService
  Plus Software when it does not properly enforce user privileges associated
  with Windows Certificate Dialog.
  This vulnerability could allow an unauthenticated attacker to remotely
  execute commands with system level privileges on target windows host. An
  attacker does not require any privilege on the target system in order to
  exploit this vulnerability.
  
  Report-Timeline:
  =============
  27/02/2020: Vendor notified
  27/02/2020: Vendor response
  28/02/2020: Marked duplicate
  11/03/2020: Patch released
  23/03/2020: Vendor responded regarding patch release update
  26/03/2020: Patch tested and found that it partially fixed the issue.
  Reported back to the vendor.
  18/04/2020: Shared updated report with new PoC
  22/04/2020: Vendor acknowledged the issue
  24/07/2020: Patch released (
  https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6003-release-faceid-support
  )
  08/08/2020: Public disclosure
  
  
  Affected Software Version:
  =============
  < ADSelfService Plus build 6003
  
  Exploitation-Technique:
  ===================
  Remote
  
  Severity Rating (CVSS):
  ===================
  9.8 (Critical) (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  
  Details:
  =======
  A remote code execution vulnerability exists in ManageEngine ADSelfService
  Plus Software when it does not properly enforce user privileges associated
  with Windows Certificate Dialog.
  
  This vulnerability could allow an unauthenticated attacker to remotely
  execute commands with system level privileges on target windows host. An
  attacker does not require any privilege on the target system in order to
  exploit this vulnerability.
  
  ManageEngine ADSelfService Plus thick client enables a user to perform
  self-service like password reset, self-service account unlock, etc by using
  self-service option on windows login screen.
  
  Upon selecting this option, ManageEngine ADSelfService Plus thick client
  software will be launched which will connect to a remote ADSelfServicePlus
  server to facilitate the self-service operations.
  
  A security alert can/will be triggered when “an unauthenticated attacker
  having physical access to the host issues a self-signed SSL certificate to
  the client”. Or, “a (default) self-signed SSL certificate is configured on
  ADSelfService Plus server”.
  
  “View Certificate” option from the security alert will allow an attacker
  with physical access or a remote attacker with RDP access, to export a
  displayed certificate to a file. This will further cascade to the standard
  dialog/wizard which will open file explorer as SYSTEM.
  
  By navigating file explorer through “C:\windows\system32\”, a cmd.exe can
  be launched as a SYSTEM.
  
  *PoC Video:* https://www.youtube.com/watch?v=slZRXffswnQ
  
  01:00 to 05:30 : Setup the environment
  05:30 to 06:34 : Exploitation
  
  Credits:
  =======
  Bhadresh Patel
  
  -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
  Regards,
  -Bhadresh