Tag: Manageengine

  • CVE-2022-26653 & CVE-2022-26777: ManageEngine Remote Access Plus Guest User Insecure Direct Object References

    CVE-2022-26653 & CVE-2022-26777: ManageEngine Remote Access Plus Guest User Insecure Direct Object References


    I’m Matt Dunn, lead penetration tester at Raxis, and I’ve uncovered a couple more ManageEngine vulnerabilities you should know about if your company is using the platform.

    Summary

    I discovered two instances in ManageEngine Remote Access Plus where a user with Guest permissions can access administrative details of the installation. In each case, an authenticated ‘Guest’ user can make a direct request to the /dcapi/ API endpoint to retrieve information. This allows the ‘Guest’ user to discover information about the connected Domains as well as the License information for the installation.

    Proof of Concept

    The two vulnerabilities are similar in that they allow a user with ‘Guest’ level permissions to access details about the installation. Each CVE refers to a specific piece of information that the user can retrieve, as detailed below:

    CVE-2022-26653 – The ‘Guest’ user can retrieve details of connected Domains.

    CVE-2022-26777 – The ‘Guest’ user can retrieve details about the installation’s License.

    The user with ‘Guest’ permissions can access all the Domain’s details, including the connected Domain Controller, the account used for authentication, and when it was last updated, as shown here:

    Guest User Can Access All Domain Details

    Similarly, the ‘Guest’ user can access all the License information, including the amount of users, amount of managed systems, who the license is for, and the exact build number, as shown below:

    Guest User Can Access All License Details

    Affected Versions

    Raxis discovered these vulnerabilities on ManageEngine Remote Access Plus version 10.1.2137.6.

    Remediation

    Upgrade ManageEngine Remote Access Plus to Version 10 Build 10.1.2137.15 or later which can be found here:

    Disclosure Timeline

    • February 16, 2022 – Vulnerabilities reported to Zoho
    • February 17, 2022 – Zoho begins investigation into reports
    • March 8, 2022 – CVE-2022-26653 is assigned to the Domain Details vulnerability
    • March 9, 2022 – CVE-2022-26777 is assigned to the License Details vulnerability
    • April 8, 2022 – Zoho releases fixed version 11 Build 10.1.2137.15 that addresses both vulnerabilities
    CVE Links

    CVE-2022-26653

    CVE-2022-26777

     

  • CVE-2022-25373: ManageEngine Support Center Plus Stored Cross-Site Scripting (XSS)

    CVE-2022-25373: ManageEngine Support Center Plus Stored Cross-Site Scripting (XSS)


    I’m Matt Dunn, lead penetration tester at Raxis. Recently, I discovered a stored XSS in Support Center Plus. Here’s how a malicious actor might exploit it — and what you can do to prevent it.

    Summary

    A low-privileged user (e.g., the default guest user) can inject arbitrary JavaScript into the description of a new Request. When another user (including a high privileged user) views that request’s edit history, the payload is executed in the context of that new user’s browser. This can cause privilege escalation or other payload execution from low privileged users to other, possibly higher privileged users.

    Proof of Concept

    The vulnerability can be triggered by inserting html content in the description field of a new request. The payload I inserted as a guest user was:

    "><img src=x onerror="alert(document.cookie)"/>

    This payload being inserted is shown here:

    Payload Inserted as Guest User

    When another user (in this case an admin) views that request’s edit history, the JavaScript is executed in the context of the new user’s browser, as shown here:

    Payload Execution in Admin User Session

    This vulnerability allows any low privileged user to execute JavaScript on higher privileged or other low privilege user’s browsers once they view a request’s edit history. While the payload used here launches an alert box with the page’s cookie values, more dangerous payloads could be executed in this context as well.

    Affected Versions

    Raxis discovered this vulnerability on Manage Engine Support Center 11.0 Build 11019.

    Remediation

    Upgrade ManageEngine AD Support Center Plus to Version 11.0 Build 11020 or later immediately which can be found here:

    Disclosure Timeline
    • February 2, 2022 – Vulnerability reported to Zoho
    • February 14, 2022 – Zoho begins investigation into report
    • February 21, 2022 CVE-2022-25373 is assigned to this vulnerability
    • March 22, 2022 – Zoho releases fixed version 11.0 Build 11020

    CVE Links

     

  • CVE-2022-25245: ManageEngine Asset Explorer Information Leakage

    CVE-2022-25245: ManageEngine Asset Explorer Information Leakage

    I’m Matt Dunn, a lead penetration tester at Raxis. Recently, I discovered an information leakage in ManageEngine Asset Explorer. This is a relatively minor information leakage, as it only leaks the currency that a current vendor uses. Though minor, it could lead to other inferred information such as vendor location based on their currency.

    Proof of Concept

    The information leakage occurs in the AJaxDomainServlet when given the action of getVendorCurrency. This servlet action does not require authentication, allowing a user to obtain a vendor’s currency with a GET request to a URL similar to the following:

    http://192.168.148.128:8011/domainServlet/AJaxDomainServlet?action=getVendorCurrency&vendorId=3

    In this example URL, we request the currency for the vendor with the specified vendorId. If the vendor doesn’t have an assigned currency, the dollar symbol is returned. If it does, the vendor’s specific currency identifier is returned, as shown here:

    Vendor Currency Revealed in Unauthenticated Request
    Affected Versions

    Raxis discovered this vulnerability on Manage Engine Asset Explorer Plus 6.9 Build 6970.

    Remediation

    Upgrade ManageEngine Asset Explorer to Version 6.9 Build 6971 or later, which can be found here:

    Disclosure Timeline
    • February 14, 2022 – Vulnerability reported to Zoho
    • February 15, 2022 – Zoho begins investigation into report
    • February 16, 2022 CVE-2022-25245 is assigned to this vulnerability
    • March 9, 2022 – Zoho releases fixed version 6.9 Build 6971
    CVE Links

     

  • CVE-2022-24681: ManageEngine AD SelfService Plus Stored Cross-Site Scripting (XSS)

    CVE-2022-24681: ManageEngine AD SelfService Plus Stored Cross-Site Scripting (XSS)

    I’m Matt Dunn, a lead penetration tester here at Raxis. Recently, I discovered a stored Cross-Site Scripting vulnerability in Zoho’s ManageEngine AD SelfService Plus.

    Summary

    The vulnerability exists in the /accounts/authVerify page, which is used for the forgot password, change password, and unlock account functionalities.

    Proof of Concept

    The vulnerability can be triggered by inserting html content, specifically tags that support JavaScript, into the first or last name of an Active Directory user. The following was inserted as a proof of concept to reflect the user’s cookie in an alert box:

    <img src=x onerror=”alert(document.cookie)”/>

    An example of this in the Last Name field of one such user is shown here:

    Stored XSS Payload

    The next time that user forgets, attempts to change, or is locked out of their account and they load the authVerify page, their name is presented without being sanitized. The unescaped HTML as loaded can be seen in Figure 2:

    Unescaped JavaScript Tags

    After the user attempts to reset their password, the malicious content is executed, as shown in Figure 3:

    JavaScript Execution to Display User's Cookie in an Alert Box

    If the user must change their password on login, the malicious content is executed, as shown in Figure 4:

    Payload Execution on Change Password Page

    If the user attempts to unlock their account, the malicious content is executed, as shown in Figure 5:

    Payload Execution on Account Unlock
    Affected Versions

    Raxis discovered this vulnerability on Manage Engine AD SelfService Plus 6.1 Build 6119.

    Remediation

    Upgrade ManageEngine AD SelfService Plus to Version 6.1 Build 6121 or later immediately:

    Disclosure Timeline
    • January 22, 2022 – Vulnerability reported to Zoho
    • January 22, 2022 – Zoho begins investigation into report
    • February 9, 2022 CVE-2022-24681 is assigned to this vulnerability
    • March 7, 2022 – Zoho releases fixed version 6.1 Build 6121
    CVE Links

     

  • ManageEngine Key Manager Plus Cross-Site Scripting Vulnerability (CVE-2021-28382)

    ManageEngine Key Manager Plus Cross-Site Scripting Vulnerability (CVE-2021-28382)

    I’m Matt Dunn, lead penetration tester here at Raxis. This is a summary of the second stored cross-site scripting vulnerability I discovered while testing several Zoho-owned ManageEngine products. This vulnerability exists in the Key Manager Plus Version 6000.

    Summary

    Recently I discovered a stored Cross-Site Scripting vulnerability in the Zoho-owned ManageEngine Key Manager Plus for Version 6000 (CVE-2021-28382). The vulnerability exists in any of a user’s details fields when they are imported from Active Directory. This can be performed in one of the name fields or the email field, and is executed when visiting the /apiclient/index.jsp#/Settings/UserManagement page. After this page loads, the user’s details are loaded with unescaped content, allowing for malicious JavaScript to be reflected back to users.

    Proof of Concept

    The vulnerability can be triggered by inserting html content, specifically script tags, into the first name, last name, or email field of an Active Directory user. The following was inserted as a proof of concept to reflect the user’s cookie in an alert box:

    <script>alert(document.cookie)</script>

    An example of this in the Last Name field of one such user can be seen here:

    Stored XSS Payload

    After that user’s details load on the UserManagement page, the HTML is then presented unescaped on the web page, which allows the script tags to be loaded as valid JavaScript. The unescaped HTML, as loaded, can be seen here:

    Unescaped JavaScript Tags

    After loading the UserManagement page, the malicious content is executed, as shown below:

    XSS Execution Displaying the User's Cookie

    Affected Versions

    Raxis discovered this vulnerability on Manage Engine Key Manager Plus 6000 (6.0.0), but any version below 6001 could be vulnerable when importing users from Active Directory.

    Remediation

    Upgrade ManageEngine Key Manager Plus to version 6001 or later immediately. Version 6001 can be found here: https://www.manageengine.com/key-manager/release-notes.html#6001

    Disclosure Timeline

    • March 5, 2021 – Vulnerability reported to Zoho
    • March 8, 2021 – Zoho begins investigation into report
    • March 13, 2021 – Zoho releases version 6001 to mitigate vulnerability
    • March 15, 2021 CVE-2021-28382 assigned to this vulnerability

    CVE Links

  • Cross-Site Scripting Vulnerability in ManageEngine AD Self Service Plus (CVE-2021-27956)

    Cross-Site Scripting Vulnerability in ManageEngine AD Self Service Plus (CVE-2021-27956)

    I’m Matt Dunn, lead penetration tester at Raxis.This is a summary of the first stored cross-site scripting vulnerability I discovered while testing several Zoho-owned ManageEngine products. This vulnerability exists in the AD Self Service Plus Version 6.1.

    Summary

    Recently I discovered a stored cross-site scripting (XSS) vulnerability in the Zoho-owned ManageEngine AD Self Service Plus for Version 6.1 (CVE-2021-27956). The vulnerability exists in the email field of search results on the page: /webclient/index.html#/directory-search. After searching for a user, if the “More” tab is clicked, the email field is loaded with unescaped content, allowing for malicious JavaScript to be reflected back to users.

    Proof of Concept

    The vulnerability can be triggered by inserting HTML content, in this case script tags, into the email field of an Active Directory user. The following was inserted as a proof of concept to reflect the user’s cookie in an alert box:

    <script>alert(document.cookie)</script>

    An example of this on one such user is shown here:

    Stored XSS Payload

    After searching for that user, the HTML is then presented unescaped on the web page, which allows the script tags to be loaded as valid JavaScript. The unescaped HTML as loaded is shown here:

    Unescaped JavaScript Tags

    After loading the search page, clicking the “More” tab triggers the vulnerability, which is shown in Figure 3:

    XSS Payload Executed
    Affected Versions

    Raxis discovered this vulnerability on ManageEngine AD Self Service Plus 6.1, build 6100.

    Remediation

    Upgrade ManageEngine AD Self Service Plus to Build Version 6104 immediately. The ServicePack can be found here with release notes here.

    Disclosure Timeline
    • February 19, 2021 Vulnerability reported to Zoho
    • February 19, 2021 Zoho begins investigation into report
    • March 5, 2021 CVE-2021-27956 assigned to this vulnerability
    • May 8, 2021 Zoho releases patch for this vulnerability

    CVE Links