module
ManageEngine ADManager Plus ChangePasswordAction Authenticated Command Injection
| Disclosed | Created |
|---|---|
| 2023-04-12 | 2023-06-02 |
Disclosed
2023-04-12
Created
2023-06-02
Description
ManageEngine ADManager Plus prior to build 7181 is vulnerable to an authenticated command injection due to insufficient
validation of user input when performing the ChangePasswordAction function before passing it into a string that is later
used as an OS command to execute.
By making a POST request to /api/json/admin/saveServerSettings with a params POST
parameter containing a JSON array object that has a USERNAME or PASSWORD element containing a
carriage return and newline, followed by the command the attacker wishes to execute, an attacker can gain RCE as the user
running ADManager Plus, which will typically be the local administrator.
Note that the attacker must be authenticated in order to send requests to /api/json/admin/saveServerSettings,
so this vulnerability does require authentication to exploit.
As this exploit modifies the HTTP proxy settings for the entire server, one cannot use fetch payloads
with this exploit, since these will use HTTP connections that will be affected by the change in configuration.
validation of user input when performing the ChangePasswordAction function before passing it into a string that is later
used as an OS command to execute.
By making a POST request to /api/json/admin/saveServerSettings with a params POST
parameter containing a JSON array object that has a USERNAME or PASSWORD element containing a
carriage return and newline, followed by the command the attacker wishes to execute, an attacker can gain RCE as the user
running ADManager Plus, which will typically be the local administrator.
Note that the attacker must be authenticated in order to send requests to /api/json/admin/saveServerSettings,
so this vulnerability does require authentication to exploit.
As this exploit modifies the HTTP proxy settings for the entire server, one cannot use fetch payloads
with this exploit, since these will use HTTP connections that will be affected by the change in configuration.
Authors
Simon Humbert
Dinh Hoang
Grant Willcox
Dinh Hoang
Grant Willcox
Platform
Windows
Architectures
cmd
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.