
Experts shared PoC exploit code for RCE in Zoho ManageEngine ADAudit Plus tool

Researchers shared technical details and proof-of-concept exploit code for the CVE-2022-28219 flaw in Zoho ManageEngine ADAudit Plus tool.

Security researchers from Horizon3.ai have published technical details and proof-of-concept exploit code for a critical vulnerability, tracked as CVE-2022-28219 (CVSS 9.8 out of 10), in the Zoho ManageEngine ADAudit Plus tool.

The tool monitors Active Directory activity and produces alerts and reports for one or more selected Active Directory change events. It is an attractive target for threat actors because of the privileged access it has to Active Directory.

The unauthenticated remote code execution vulnerability was discovered by security researcher Naveen Sunkavally at Horizon3.ai and addressed by the vendor in March.

The issue was discovered while investigating an endpoint managed by the CewolfRenderer servlet in the third-party Cewolf charting library.

The vulnerability includes three issues: untrusted Java deserialization, path traversal, and a blind XML External Entities (XXE) injection.

“One of the first things that stood out, and we were surprised to see, was the presence of a /cewolf endpoint handled by the CewolfRenderer servlet in the third-party Cewolf charting library. This is the same vulnerable endpoint from CVE-2020-10189, reported by @steventseeley against ManageEngine Desktop Central,” reads the post published by the experts. “The FileStorage class in this library was abused for remote code execution via untrusted Java deserialization.”

The analysis of the library code revealed that the software deserializes untrusted data and does not sanitize input file paths. The experts were able to use the img parameter to deserialize a Java payload located anywhere on the disk.


With the remote code execution primitive in hand, the experts focused on finding a way to upload a Java payload anywhere on disk. They noticed that ADAudit Plus has a feature that collects security events from agents running on other machines in the domain, and discovered that some of the endpoints those agents use to upload events to ADAudit Plus were unauthenticated.

“One of the features of ADAudit Plus is the ability to collect security events from agents running on other machines in the domain. To our surprise, we found that a few of the endpoints that agents use to upload events to ADAudit Plus were unauthenticated. This gave us a large attack surface to work with because there’s a lot of business logic that was written to process these events. While looking for a file upload vector, we found a path to trigger a blind XXE vulnerability in the ProcessTrackingListener class, which handles events containing Windows scheduled task XML content,” continues the analysis. “This class was using the dangerous default version of Java’s DocumentBuilderFactory class, which permits external entity resolution and is vulnerable to XXE injection.”

Having found the blind XXE vulnerability in the ProcessTrackingListener class, the experts noted that blind XXE vulnerabilities in Java are usually hard to exploit. In this case, however, they were aided by the old Java runtime bundled with ADAudit Plus: by default, ADAudit Plus ships with Java 8u051.
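The weak setting the researchers describe, a DocumentBuilderFactory used with its defaults, shown beside a hardened configuration that refuses DOCTYPE declarations and external entities. This is an added example, not the vendor's code or Horizon3.ai's proof of concept; the scheduled-task XML and the file path in it are constructed placeholders.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

public class ScheduledTaskXmlHardening {

    // Constructed sample: a scheduled-task document that declares an external entity.
    // The SYSTEM identifier is a placeholder; a default parser still tries to resolve it.
    static final String TASK_XML =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE Task [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER/path\">]>\n" +
        "<Task><RegistrationInfo><Author>&ext;</Author></RegistrationInfo></Task>";

    // Weak setting: DocumentBuilderFactory.newInstance() with no hardening.
    // DTDs are processed and external entities are resolved by default.
    static DocumentBuilder defaultBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Corrected setting: reject DOCTYPE outright (which closes the XXE path), and as
    // defence in depth also disable external entities, external DTD loading and XInclude.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parse the sample with the given builder and report what happened.
    static String parseWith(DocumentBuilder b) {
        try {
            Document d = b.parse(new InputSource(new StringReader(TASK_XML)));
            return "parsed; Author=" + d.getElementsByTagName("Author").item(0).getTextContent();
        } catch (SAXParseException e) {
            return "rejected by parser: " + e.getMessage();
        } catch (Exception e) {
            // The default builder lands here: it attempted to open the placeholder path.
            return "entity resolution attempted: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default  -> " + parseWith(defaultBuilder()));
        System.out.println("hardened -> " + parseWith(hardenedBuilder()));
    }
}
```

The default builder reaches the filesystem for the SYSTEM identifier before any application code sees the document, while the hardened builder fails fast on the DOCTYPE line; the same factory features apply to SAXParserFactory-based code.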

The old Java runtime allowed the researchers to exploit the blind XXE to exfiltrate files over FTP, get directory listings over FTP, and upload files.

The experts demonstrated how to exploit CVE-2022-28219 in ManageEngine ADAudit Plus to execute the calculator app.

The experts also pointed out that XXE vulnerabilities in Java applications running on Windows can be exploited to capture and relay the NTLM hash of the user account under which the application runs. The root cause is that the Java HTTP client will attempt NTLM authentication if it connects to a server that requires NTLM.

“This is especially useful for an attacker if the ADAudit Plus application is running under a privileged account.” concludes the report.


Pierluigi Paganini

