Security researchers from Horizon3.ai have published technical details and proof-of-concept exploit code for a critical vulnerability, tracked as CVE-2022-28219 (CVSS 9.8 out of 10), in the Zoho ManageEngine ADAudit Plus tool.
The tool monitors Active Directory activity and produces alerts and reports for one or more selected Active Directory change events. It is very attractive to threat actors because it holds privileged access to Active Directory.
The unauthenticated remote code execution vulnerability was discovered by security researcher Naveen Sunkavally at Horizon3.ai and addressed by the vendor in March.
The issue was discovered while investigating an endpoint managed by the CewolfRenderer servlet in the third-party Cewolf charting library.
The vulnerability chains three issues: untrusted Java deserialization, path traversal, and a blind XML External Entities (XXE) injection.
“One of the first things that stood out, and we were surprised to see, was the presence of a /cewolf endpoint handled by the CewolfRenderer servlet in the third-party Cewolf charting library. This is the same vulnerable endpoint from CVE-2020-10189, reported by @steventseeley against ManageEngine Desktop Central,” reads the post published by the experts. “The FileStorage class in this library was abused for remote code execution via untrusted Java deserialization.”
The analysis of the library code revealed that the software deserializes untrusted data and doesn’t sanitize input file paths. The experts were able to use the img parameter to deserialize a Java payload from anywhere on disk.
Having achieved the remote code execution capability, the experts focused on finding a way to upload a Java payload anywhere on disk. They noticed that ADAudit Plus has a feature that collects security events from agents running on other machines in the domain, and discovered that some of the endpoints the agents use to upload events to ADAudit Plus were unauthenticated.
“One of the features of ADAudit Plus is the ability to collect security events from agents running on other machines in the domain. To our surprise, we found that a few of the endpoints that agents use to upload events to ADAudit Plus were unauthenticated. This gave us a large attack surface to work with because there’s a lot of business logic that was written to process these events. While looking for a file upload vector, we found a path to trigger a blind XXE vulnerability in the ProcessTrackingListener class, which handles events containing Windows scheduled task XML content,” continues the analysis. “This class was using the dangerous default version of Java’s DocumentBuilderFactory class, which permits external entity resolution and is vulnerable to XXE injection.”
The experts thus found a blind XXE vulnerability in the ProcessTrackingListener class. They noted that blind XXE vulnerabilities in Java are usually hard to exploit, but in this case they were aided by the old Java runtime bundled with ADAudit Plus: by default, ADAudit Plus ships with Java 8u051.
The old Java runtime allowed the researchers to exploit the blind XXE to exfiltrate files over FTP, get directory listings over FTP, and upload files.
The experts demonstrated how to exploit CVE-2022-28219 in ManageEngine ADAudit Plus to execute the calculator app.
The experts also observed that XXE vulnerabilities in Java applications running on Windows can be exploited to capture and relay the NTLM hashes of the user account under which the application is running. The root cause is that the Java HTTP client will attempt to authenticate over NTLM if it connects to a server that requires NTLM authentication.
“This is especially useful for an attacker if the ADAudit Plus application is running under a privileged account,” concludes the report.