ManageEngine products Service Desk Plus, Asset Explorer, Support Center, and IT360 suffer from file upload and directory traversal vulnerabilities.
b54ee8abb80c4bd0609677cf861ed3705c479b3f720f286b5441144adbe04dd3
This Metasploit module exploits a directory traversal vulnerability found in ManageEngine DeviceExperts ScheduleResultViewer Servlet. This is done by using "..\..\..\..\..\..\..\..\..\..\" in the path in order to retrieve a file on a vulnerable machine. Please note that the SSL option is required in order to send HTTP requests.
ead6620e60a1e33962bc1a629b7991560b6ad340faaa6fcdaf3b569e03e10a00
This Metasploit module exploits a directory traversal flaw found in ManageEngine SecurityManager Plus 5.5 or less. When handling a file download request, the DownloadServlet class fails to properly check the f parameter, which can be abused to read any file outside the virtual directory.
98b90060e56e53ae955e5807e913d453feb2e176f2c8a1d9bd2e96baeda6e4c2
This Metasploit module extracts usernames and salted MD5 password hashes from ManageEngine DeviceExpert version 5.9 build 5980 and prior. This Metasploit module has been tested successfully on DeviceExpert version 5.9.7 build 5970.
79fe4ba92356fc084ff5c7845a61a883366dba4b943255ae8ace8a852e28608c
This Metasploit module exploits a directory listing information disclosure vulnerability in the FailOverHelperServlet on ManageEngine OpManager, Applications Manager and IT360. It makes a recursive listing, so it will list the whole drive if you ask it to list / in Linux or C:\ in Windows. This vulnerability is unauthenticated on OpManager and Applications Manager, but authenticated in IT360. This Metasploit module will attempt to login using the default credentials for the administrator and guest accounts; alternatively you can provide a pre-authenticated cookie or a username / password combo. For IT360 targets enter the RPORT of the OpManager instance (usually 8300). This Metasploit module has been tested on both Windows and Linux with several different versions. Windows paths have to be escaped with 4 backslashes on the command line. There is a companion module that allows for arbitrary file download. This vulnerability has been fixed in Applications Manager v11.9 b11912 and OpManager 11.6.
1f5d0f7e10dd5b6c09b90cd5d4d3fca387739cf0db6fa4fe7cb1b52448b0be88
ManageEngine Password Manager Pro (PMP) has an authenticated blind SQL injection vulnerability in SQLAdvancedALSearchResult.cc that can be abused to escalate privileges and obtain Super Administrator access. A Super Administrator can then use his privileges to dump the whole password database in CSV format. PMP can use both MySQL and PostgreSQL databases but this module only exploits the latter as MySQL does not support stacked queries with Java. PostgreSQL is the default database in v6.8 and above, but older PMP versions can be upgraded and continue using MySQL, so a higher version does not guarantee exploitability. This Metasploit module has been tested on v6.8 to v7.1 build 7104 on both Windows and Linux. The vulnerability is fixed in v7.1 build 7105 and above.
3bb1458e9aceabbc6baaf58c805fc36d04c4e787a9a2a98f33a3d697bff053f3
This Metasploit module exploits an arbitrary file download vulnerability in the FailOverHelperServlet on ManageEngine OpManager, Applications Manager and IT360. This vulnerability is unauthenticated on OpManager and Applications Manager, but authenticated in IT360. This Metasploit module will attempt to login using the default credentials for the administrator and guest accounts; alternatively you can provide a pre-authenticated cookie or a username and password combo. For IT360 targets enter the RPORT of the OpManager instance (usually 8300). This Metasploit module has been tested on both Windows and Linux with several different versions. Windows paths have to be escaped with 4 backslashes on the command line. There is a companion module that allows the recursive listing of any directory. This vulnerability has been fixed in Applications Manager v11.9 b11912 and OpManager 11.6.
ab1da9467d95d26cb5271376592036167d2ec0d3ad01d9799864c1393dc93294
This Metasploit module exploits default admin credentials for the DataEngine Xnode server in DataSecurity Plus versions prior to 6.0.1 (6011) in order to dump the contents of Xnode data repositories (tables), which may contain (a limited amount of) Active Directory information including domain names, host names, usernames and SIDs. This Metasploit module can also be used against patched DataSecurity Plus versions if the correct credentials are provided. By default, this module dumps only the data repositories and fields (columns) specified in the configuration file (set via the CONFIG_FILE option). The configuration file is also used to add labels to the values sent by Xnode in response to a query. It is also possible to use the DUMP_ALL option to obtain all data in all known data repositories without specifying data field names. However, note that when using the DUMP_ALL option, the data wont be labeled. This Metasploit module has been successfully tested against ManageEngine DataSecurity Plus 6.0.1 (6010) running on Windows Server 2012 R2.
de6dde1377442590c48c5335bbcb930b72408e67a27d24ee356f1ed71693b573
This Metasploit module exploits default admin credentials for the DataEngine Xnode server in ADAudit Plus versions prior to 6.0.3 (6032) in order to dump the contents of Xnode data repositories (tables), which may contain (a limited amount of) Active Directory information including domain names, host names, usernames and SIDs. This Metasploit module can also be used against patched ADAudit Plus versions if the correct credentials are provided. By default, this module dumps only the data repositories and fields (columns) specified in the configuration file (set via the CONFIG_FILE option). The configuration file is also used to add labels to the values sent by Xnode in response to a query. It is also possible to use the DUMP_ALL option to obtain all data in all known data repositories without specifying data field names. However, note that when using the DUMP_ALL option, the data wont be labeled. This Metasploit module has been successfully tested against ManageEngine ADAudit Plus 6.0.3 (6031) running on Windows Server 2012 R2 and ADAudit Plus 6.0.7 (6076) running on Windows Server 2019.
c2de94555ba89596372ca6b2811a8375a6619a106be79a7871fbd24fd83c6b11
ManageEngine ADManager Plus versions prior to build 7181 are vulnerable to an authenticated command injection vulnerability due to insufficient validation of user input when performing the ChangePasswordAction function before passing it into a string that is later used as an OS command to execute.
b012514570e1f62ac98660fc2a609bf47f1a2401018b3b718ba15c2ec88e1b20
This Metasploit module exploits security issues in ManageEngine ADAudit Plus versions prior to 7006 that allow authenticated users to execute arbitrary code by creating a custom alert profile and leveraging its custom alert script component. The module first runs a few checks to test the provided credentials, retrieve the configured domain(s) and obtain the build number of the target ADAudit Plus server. If the credentials are valid and the target is vulnerable, the module creates an alert profile that will be triggered for any failed login attempt to the configured domain. For versions prior to build 7004, the payload is directly inserted in the custom alert script component of the alert profile. For versions 7004 and 7005, the module leverages an arbitrary file write vulnerability (CVE-2021-42847) to create a Powershell script in the alert_scripts directory that contains the payload. The name of this script is then provided as the value for the custom alert script component of the alert profile. This module requires valid credentials for an account with the privileges to create alert scripts. It has been successfully tested against ManageEngine ADAudit Plus builds 7003 and 7005 running on Windows Server 2012 R2. Successful exploitation will result in remote code execution as the user running ManageEngine ADAudit Plus, which will typically be the local administrator.
c657579ebd79808c3357c4b5e393fc900557895dc6dcc36170079d336c637eba
This Metasploit module exploits an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine Endpoint Central and MSP versions 10.1.2228.10 and below (CVE-2022-47966). Due to a dependency to an outdated library (Apache Santuario version 1.4.1), it is possible to execute arbitrary code by providing a crafted samlResponse XML to the Endpoint Central SAML endpoint. Note that the target is only vulnerable if it is configured with SAML-based SSO, and the service should be active.
71109ad0ad4b5ae831f696edf7fd6c48b5fba5f7665fd0d7e73697da0de10222
This Metasploit module exploits an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine AdSelfService Plus versions 6210 and below. Due to a dependency to an outdated library (Apache Santuario version 1.4.1), it is possible to execute arbitrary code by providing a crafted samlResponse XML to the ADSelfService Plus SAML endpoint. Note that the target is only vulnerable if it has been configured with SAML-based SSO at least once in the past, regardless of the current SAML-based SSO status.
d8eddc86e85e280575b3c444dc67513d0413d6724e92fd8d3128dd9cc8bc1a4b
This Metasploit module exploits an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine ServiceDesk Plus versions 14003 and below (CVE-2022-47966). Due to a dependency to an outdated library (Apache Santuario version 1.4.1), it is possible to execute arbitrary code by providing a crafted samlResponse XML to the ServiceDesk Plus SAML endpoint. Note that the target is only vulnerable if it has been configured with SAML-based SSO at least once in the past, regardless of the current SAML-based SSO status.
4fbf903ff9fa864b803fbd7d746a0b2a59de1e2222a5e9821f7d2bf7760f7166
This Metasploit module exploits CVE-2022-28219, which is a pair of vulnerabilities in ManageEngine ADAudit Plus versions before build 7060. They include a path traversal in the /cewolf endpoint along with a blind XML external entity injection vulnerability to upload and execute a file.
19ca84f8e53083cacedb632dc26e16f78047ee8e6573a717d22be7336e613cdb
This Metasploit module exploits a Java deserialization vulnerability in Zoho ManageEngine Pro before 12101 and PAM360 before 5510. Unauthenticated attackers can send a crafted XML-RPC request containing malicious serialized data to /xmlrpc to gain remote command execution as the SYSTEM user.
ed156b4196a5a0b6a6fd8e554208ebb6ce6da15417fc57d837d2b7e65c35c174
This Metasploit module exploits the "custom script" feature of ADSelfService Plus. The feature was removed in build 6122 as part of the patch for CVE-2022-28810. For purposes of this module, a "custom script" is arbitrary operating system command execution. This module uses an attacker provided "admin" account to insert the malicious payload into the custom script fields. When a user resets their password or unlocks their account, the payload in the custom script will be executed. The payload will be executed as SYSTEM if ADSelfService Plus is installed as a service, which we believe is the normal operational behavior. This is a passive module because user interaction is required to trigger the payload. This module also does not automatically remove the malicious code from the remote target. Use the "TARGET_RESET" operation to remove the malicious custom script when you are done.
d91150e34529bee9dd92e87b3f063460c0b5e994a412c286b68d6cb26a58d358
This Metasploit module exploits CVE-2021-44077, an unauthenticated remote code execution vulnerability in ManageEngine ServiceDesk Plus, to upload an EXE (msiexec.exe) and execute it as the SYSTEM account. Note that build 11305 is vulnerable to the authentication bypass but not the file upload. The module will check for an exploitable build.
244ae2538bc9ec8f90e308561999a95ddf997764203cb31dbd2e32b039b73273
This Metasploit module exploits CVE-2021-40539, a REST API authentication bypass vulnerability in ManageEngine ADSelfService Plus, to upload a JAR and execute it as the user running ADSelfService Plus - which is SYSTEM if started as a service.
258a080b77eaface80577b4886f47493eafef016bf16d63a1567107d6f5b76cd
ManageEngine ADSelfService Plus version 6.1 suffers from a CSV injection vulnerability.
685e14de90f446d314247608c72480994fb1618eb955e9fa368d505ba1cfb3f7
ManageEngine Service Desk version 10.0 suffers from a cross site scripting vulnerability.
469e92a043840addd4c43d4eb114c7ef988c00069a831c8b52bc518e495ec1e9
This is a whitepaper tutorial that describes steps taken to identify post-authentication remote code execution vulnerabilities in ManageEngine version 14.
55f884e3a3e6704c111f4ff046bd4931087255499a9ead8d4d9832ca49c77691
This Metasploit module exploits SQL injection and command injection vulnerabilities in the ManageEngine Application Manager versions 14.2 and below.
e517b45142b3447dbab8ec2a891e10876f6c09291a138de7f5a84363ffe2c8c1
This Metasploit module exploits SQL injection and command injection vulnerability in the OpManager versions 12.4.034 and below.
fc57c3cfc093c3e5df0726909ea0618e1444102b4b8d154f2216ed157bc46225
This Metasploit module bypasses the user password requirement in the OpManager versions 12.4.034 and below. It performs authentication bypass and executes commands on the server.
0b10df1665aeb6bf150dfd60da9fbbcaa339ab52f578cd7f8af7b97ef10ca2a8
This Metasploit module exploits SQL injection and command injection vulnerabilities in ManageEngine AM 14 and prior versions. An unauthenticated user can gain the authority of "system" on the server due to the SQL injection vulnerability. The exploit allows the writing of the desired file to the system using the postgresql structure. The module is written over the payload by selecting a file with the extension ".vbs" that is used for monitoring by the ManageEngine which working with "system" authority. In addition, it dumps the users and passwords from the database for us. After the harmful ".vbs" file is written, the shell session may be a bit late.
95106466679de2024b9e4469f4bb9b8acabf974bb4ab6e9e3cbc9623f7471fd4