what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

AD Manager Plus 7122 Remote Code Execution

AD Manager Plus 7122 Remote Code Execution
Posted Apr 3, 2023
Authored by Chan Nyein Wai, Thura Moe Myint

ADManager Plus version 7122 suffers from a remote code execution vulnerability.

tags | exploit, remote, code execution
advisories | CVE-2021-44228
SHA-256 | f79c90f12ca249e76d4868e357b605604f3234c5ab59fa3da2bb92e0275a4d71
Download | Favorite | View

AD Manager Plus 7122 Remote Code Execution

Change Mirror Download
# Exploit Title: AD Manager Plus 7122 - Remote Code Execution (RCE)
# Exploit Author: Chan Nyein Wai & Thura Moe Myint
# Vendor Homepage: https://www.manageengine.com/products/ad-manager/
# Software Link: https://www.manageengine.com/products/ad-manager/download.html
# Version: Ad Manager Plus Before 7122
# Tested on: Windows
# CVE : CVE-2021-44228
# Github Repo: https://github.com/channyein1337/research/blob/main/Ad-Manager-Plus-Log4j-poc.md

### Description

In the summer of 2022, I have been doing security engagement on Synack
Red Team in the collaboration with my good friend (Thura Moe Myint).
At that time, Log4j was already widespread on the internet. Manage
Engine had already patched the Ad Manager Plus to prevent it from
being affected by the Log4j vulnerability. They had mentioned that
Log4j was not affected by Ad Manager Plus. However, we determined that
the Ad Manager Plus was running on our target and managed to exploit
the Log4j vulnerability.

### Exploitation

First, Let’s make a login request using  proxy.

Inject the following payload in the ```methodToCall``` parameter in
the ```ADSearch.cc``` request.

Then you will get the dns callback with username in your burp collabrator.




### Notes

When we initially reported this vulnerability to Synack, we only
managed to get a DNS callback and our report was marked as LDAP
injection. However, we attempted to gain full RCE on the host but were
not successful. Later, we discovered that Ad Manager Plus was running
on another target, so we tried to get full RCE on that target. We
realized that there was a firewall and an anti-virus running on the
machine, so most of our payloads wouldn't work. After spending a
considerable amount of time , we eventually managed to  bypass the
firewall and anti-virus, and achieve full RCE.

### Conclusion

We had already informed Zoho about the log4j vulnerability, and even
after it was fixed, they decided to reward us with a bonus bounty for
our report.

### Mitigation

Updating to a version of Ad Manager Plus higher than 7122 should
resolve the issue.

Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    34 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    19 Files
  • 23
    Jul 23rd
    17 Files
  • 24
    Jul 24th
    47 Files
  • 25
    Jul 25th
    31 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close