Security Advisory - Zoho ManageEngine ADAudit Plus bug gets public RCE exploit
Updated: Dec 28, 2022
Technical information and proof-of-concept exploit code for CVE-2022-28219, a serious vulnerability in the Zoho ManageEngine ADAudit Plus utility for tracking Active Directory activity, have been made public by security researchers.
The flaw enables remote code execution and account compromise for unauthenticated attackers against Active Directory. It has a 9.8 out of 10 critical severity rating.
The problem was fixed by Zoho at the end of March in ADAudit Plus release 7060 when Horizon3.ai security researcher Naveen Sunkavally alerted the firm to it.
Executing Code Remotely
The technical details of CVE-2022-28219 were explained in a blog post earlier this week by Horizon3.ai, along with proof-of-concept exploit code that illustrates the discoveries.
Untrusted Java deserialization, path exploration, and a blind XML External Entities (XXE) injection are the three problems that make up the vulnerability that can all result in remote code execution without authentication. After discovering an endpoint controlled by the CewolfRenderer servlet in the independent Cewolf charting library, the researcher began the inquiry.
“This is the same vulnerable endpoint from CVE-2020-10189, reported by @steventseeley against ManageEngine Desktop Central. The FileStorage class in this library was abused for remote code execution via untrusted Java deserialization” - Naveen Sunkavally
A closer examination of the library revealed that it did not sanitise input paths, leaving open the possibility of deserializing a Java payload in any place on the disc.
Bypassing Authentication, Stealing Logins
Sunkavally began searching for ways to upload files without authentication after discovering a technique to remotely execute malware. He discovered that some ADAudit Plus endpoints used by agents running on the machine to post security events did not require authentication.
“This gave us a large attack surface to work with because there’s a lot of business logic that was written to process these events” - Naveen Sunkavally
The ProcessTrackingListener class, which is in charge of handling events containing Windows scheduled task XML content, is where the researcher next discovered a technique to exploit a blind XXE vulnerability.
While blind XXE vulnerabilities in Java can be challenging to exploit, Sunkavally points out. However, ADAudit Plus came with an older Java runtime, which made it possible for him to upload files as well as transfer files and list folders over FTP. This simplified his task.
The researcher claims that Java 8u051 is the default runtime for ADAudit Plus, but he discovered that in 75% of installations, this is not the case. Sunkavally's work also showed that independent of the Java runtime version or XXE vulnerabilities, an attacker could gather and send NTLM hashes on Windows machines.
This is due to the Java HTTP client's effort to use NTLM for authentication if it connects to a server that requires it, according to Sunkavally. The calculator app is executed in Windows using code that Horizon3.ai disclosed that exploits CVE-2022-28219 in ManageEngine ADAudit Plus releases prior to 7060.
In addition to obtaining credentials for the Active Directory, a hacker who targets a weak ADAudit Plus instance could utilise this access to spread malware throughout the entire network. The researcher claims that, despite the fact that ADAudit Plus stores the credentials in an encrypted form, "it is easy to reverse the encryption to obtain these credentials in the clear."
Since many users start their ADAudit Plus auditing sessions using their Domain Admin credentials, a threat actor might steal those logins and utilise them to intensify their attack. Although this is a simpler option, setting up distinct service accounts with restricted access is a more secure one.