module

ManageEngine ADAudit Plus Authenticated File Write RCE

Disclosed
2021-10-01
Created
2023-05-08

Description

This module exploits security issues in ManageEngine ADAudit Plus
prior to 7006 that allow authenticated users to execute arbitrary
code by creating a custom alert profile and leveraging its custom
alert script component.

The module first runs a few checks to test the provided
credentials, retrieve the configured domain(s) and obtain the
build number of the target ADAudit Plus server.

If the credentials are valid and the target is
vulnerable, the module creates an alert profile that will be
triggered for any failed login attempt to the configured domain.

For versions prior to build 7004, the payload is directly inserted
in the custom alert script component of the alert profile.

For versions 7004 and 7005, the module leverages an arbitrary file
write vulnerability (CVE-2021-42847) to create a PowerShell script
in the alert_scripts directory that contains the payload. The name
of this script is then provided as the value for the custom alert
script component of the alert profile.

This module requires valid credentials for an account with the
privileges to create alert scripts. It has been successfully tested
against ManageEngine ADAudit Plus builds 7003 and 7005 running on
Windows Server 2012 R2.

Successful exploitation will result in RCE as the user running
ManageEngine ADAudit Plus, which will typically be the local
administrator.
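The two code paths above also tell a responder where to look after the fact: on builds 7004 and 7005 the module leaves a PowerShell script in the alert_scripts directory, and on every affected build it leaves an alert profile that fires on failed domain logins. The following triage helper is an added example written for this page; it is not part of the Metasploit module or of ManageEngine's software. The build thresholds come from the description above; the directory listing, the allowlist of known-good scripts, the baseline date and the file names are constructed sample data.

```python
"""Triage helper for the ADAudit Plus alert-script RCE described above.

Added example, not code from the Metasploit module or from ManageEngine.
Assumptions: the sample directory listing, the allowlist, the baseline
date and all file names below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime

# From the module description: builds before 7006 are affected, and builds
# 7004 and 7005 are exploited through the CVE-2021-42847 file write.
FIXED_BUILD = 7006
FILE_WRITE_BUILDS = (7004, 7005)


def exploitation_path(build: int) -> str:
    """Return the code path the module would take against a given build:
    'fixed' (>= 7006), 'file_write' (7004/7005, .ps1 dropped into
    alert_scripts) or 'direct' (payload placed in the alert profile itself)."""
    if build >= FIXED_BUILD:
        return "fixed"
    if build in FILE_WRITE_BUILDS:
        return "file_write"
    return "direct"


@dataclass(frozen=True)
class ScriptEntry:
    """One file in the alert_scripts directory (constructed shape, not a
    real ADAudit Plus record)."""
    name: str
    created: datetime
    owner: str


def suspicious_alert_scripts(entries, allowlist, baseline):
    """Flag .ps1 files that are not on the allowlist of known alert scripts
    or that were created after the baseline inventory was taken.
    Returns {file name: [reasons]} for every flagged file."""
    known = {name.lower() for name in allowlist}
    flagged = {}
    for entry in entries:
        if not entry.name.lower().endswith(".ps1"):
            continue  # only PowerShell scripts are consulted by the alert profile
        reasons = []
        if entry.name.lower() not in known:
            reasons.append("not in allowlist")
        if entry.created >= baseline:
            reasons.append("created after baseline")
        if reasons:
            flagged[entry.name] = reasons
    return flagged


# Constructed sample data: one legitimate script, one dropped script and
# an unrelated text file. The inventory baseline predates the drop.
BASELINE = datetime(2023, 5, 1)
ALLOWLIST = ["notify_soc.ps1"]
SAMPLE_ENTRIES = [
    ScriptEntry("notify_soc.ps1", datetime(2022, 11, 3, 9, 15), "BUILTIN\\Administrators"),
    ScriptEntry("xKq7.ps1", datetime(2023, 5, 9, 2, 41), "NT AUTHORITY\\SYSTEM"),
    ScriptEntry("readme.txt", datetime(2022, 11, 3, 9, 15), "BUILTIN\\Administrators"),
]

if __name__ == "__main__":
    for build in (7003, 7005, 7006):
        print(f"build {build}: {exploitation_path(build)}")
    for name, reasons in suspicious_alert_scripts(SAMPLE_ENTRIES, ALLOWLIST, BASELINE).items():
        print(f"{name}: {', '.join(reasons)}")
```

In practice the listing would come from the alert_scripts directory on the ADAudit Plus server and the allowlist from a change record; the point of the baseline check is that a dropped script is new regardless of what it is named, while the allowlist catches renamed or replaced files. A flagged script should be paired with a review of alert profiles that trigger on failed logins, since that profile is the other artifact the module creates.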

Authors

Moon
Erik Wynter

Platform

Windows

Architectures

cmd

Module Options

To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:


msf > use exploit/windows/http/manageengine_adaudit_plus_authenticated_rce
msf exploit(manageengine_adaudit_plus_authenticated_rce) > show targets
...targets...
msf exploit(manageengine_adaudit_plus_authenticated_rce) > set TARGET < target-id >
msf exploit(manageengine_adaudit_plus_authenticated_rce) > show options
...show and set options...
msf exploit(manageengine_adaudit_plus_authenticated_rce) > exploit
