ManageEngine ServiceDesk Plus RCE (CVE-2022-47966) #17527
Conversation
Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

@cdelafuente-r7 Cool stuff! Works well with reverse_bash, reverse_netcat, python meterpreter and other python payloads with the following code additions:
Linux dropper does not work yet...
Another suggestion is maybe to add a native java payload in your
Looking forward to seeing your module land soon!

Thanks @h00die-gr3y for looking into this! I managed to install a Linux target and added your suggestions. It works great! I had to do some updates to make it work with a Linux Dropper target.
modules/exploits/multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966.rb
Thanks @smcintyre-r7! I added randomisation to the XML in ed2dd2f. I also fixed an issue with BadChars not handled correctly by the

@cdelafuente-r7 Quick question for you: This module covers ManageEngine ServiceDesk Plus targets, however the SAML RCE applies to a broad range of other ManageEngine products. Today I tested most of your code base against a vulnerable

@h00die-gr3y, I had the exact same question! For now, I think separate modules is good enough, but we can think about another option later. Feel free to reuse this code and submit separate modules for other affected products. That would be great, actually! BTW, I just submitted a PR for ADSelfService Plus: #17556.
@cdelafuente-r7 I have some suggestions to improve your check logic. So I have a code suggestion to improve the check. You can use the endpoint Here is the code suggestion, feel free to change it because I am not a ruby expert.
and add this after your checks on the build version.
Check it out in your lab... And one more suggestion, you might want to introduce a lower limit check on the build version.
Thanks for your suggestions @h00die-gr3y. The
So, in both cases, we end up with the same check code and the execution of the exploit. The only difference is that the user knows if SAML is enabled or not. He will have to run the exploit to find out if it is exploitable anyway. I'm not sure this extra information is useful for this and if it is worth sending one more request for it. That said, I will add the minimum build number check. Thanks for the suggestion!
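A worked version of the build-range check the two comments above discuss, as an added example: it is not the module's code and not either participant's snippet (their actual suggestions are not reproduced on this page). The upper bound 14003 comes from the PR description ("14003 and below"); the lower bound, the `buildNum` marker and the sample page bodies are assumptions constructed for the example. The function returns symbols that mirror Metasploit's `CheckCode` values (Appears, Safe, Unknown) so it runs without the framework.

```ruby
# Added example, not the module's own check code.
MAX_VULN_BUILD   = 14003    # from the PR: "versions 14003 and below" are affected
MIN_TESTED_BUILD = 11_000   # ASSUMPTION: oldest build the check is trusted for (the lower limit suggested above)

# Constructed sample bodies; the `buildNum` marker is hypothetical, not ServiceDesk Plus markup.
SAMPLE_BODY_VULN    = '<html><body><div id="buildNum">14003</div></body></html>'
SAMPLE_BODY_SAFE    = '<html><body><div id="buildNum">14004</div></body></html>'
SAMPLE_BODY_OLD     = '<html><body><div id="buildNum">9000</div></body></html>'
SAMPLE_BODY_NOBUILD = '<html><body>Login</body></html>'

# Pull the numeric build out of a response body; nil when the marker is absent.
def extract_build(body)
  m = body.match(/buildNum[^0-9]{0,20}(\d{4,6})/i)
  m && m[1].to_i
end

# Range check with both bounds. Returns [status, build] where status is
# :appears (CheckCode::Appears), :safe (CheckCode::Safe) or :unknown (CheckCode::Unknown).
# Builds above the max are known fixed; builds below the min are outside the
# range the check was validated on, so they are reported as unknown rather than safe.
def check_build(body, min_build: MIN_TESTED_BUILD, max_build: MAX_VULN_BUILD)
  build = extract_build(body)
  return [:unknown, nil]   if build.nil?
  return [:safe, build]    if build > max_build
  return [:unknown, build] if build < min_build
  [:appears, build]
end

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_BODY_VULN, SAMPLE_BODY_SAFE, SAMPLE_BODY_OLD, SAMPLE_BODY_NOBUILD].each do |body|
    status, build = check_build(body)
    puts "build=#{build.inspect} => #{status}"
  end
end
```

Note that, as the reply above says, a build number inside the vulnerable range only justifies Appears: whether SAML was ever configured is not visible from the version alone, so exploitability is confirmed by running the exploit.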
@cdelafuente-r7 One more point, why are you referring to CVE-2020-0646 instead of referencing CVE-2022-47966?

Good catch @h00die-gr3y! It is a bad copy/paste. Thanks for the heads up!
> 1. Start the server running `run.sh`
>
> ### Enable SAML 2.0 SSO
> 1, Go to `http://localhost:8080`

Suggested change:

- 1, Go to `http://localhost:8080`
+ 1. Go to `http://localhost:8080`

Linux Cmd:
Linux Dropper
Release Notes

This adds an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine ServiceDesk Plus versions 14003 and below (GHSA-4w3v-83v8-mg94).

Tagging this
This exploits an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine ServiceDesk Plus versions 14003 and below (CVE-2022-47966). Due to a dependency on an outdated library (Apache Santuario version 1.4.1), it is possible to execute arbitrary code by providing a crafted `samlResponse` XML to the ServiceDesk Plus SAML endpoint. Note that the target is only vulnerable if it has been configured with SAML-based SSO at least once in the past, regardless of the current SAML-based SSO status.
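The description above says the bug is reached with a crafted `samlResponse` processed by an old Apache Santuario, but does not spell out the mechanism, and this added example does not reproduce the module's payload. What it shows instead is the receiver-side control a SAML consumer should have regardless of library version: an allowlist of XML-DSig transform algorithms checked before any signature processing, since transforms in `ds:Reference` are applied to the document before the signature over it is verified. This is example code, not the module's or ServiceDesk Plus's; `SAFE_TRANSFORMS`, `disallowed_transforms`, `reject_saml_response?` and both sample responses are assumptions constructed here (signature values are omitted, as only the transform list matters for the check).

```ruby
require 'base64'
require 'rexml/document'

DS_NS = 'http://www.w3.org/2000/09/xmldsig#'

# ASSUMPTION: the transforms a SAML consumer needs. Anything else is rejected
# before the response reaches the signature library.
SAFE_TRANSFORMS = [
  'http://www.w3.org/2000/09/xmldsig#enveloped-signature',
  'http://www.w3.org/TR/2001/REC-xml-c14n-20010315',
  'http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments',
  'http://www.w3.org/2001/10/xml-exc-c14n#',
  'http://www.w3.org/2001/10/xml-exc-c14n#WithComments'
].freeze

# Constructed sample (not captured traffic): a minimal signed-looking response
# whose reference uses only allowlisted transforms.
BENIGN_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
    <ds:Signature>
      <ds:SignedInfo>
        <ds:Reference URI="#_resp1">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
        </ds:Reference>
      </ds:SignedInfo>
    </ds:Signature>
  </samlp:Response>
XML

# Same structure, but one transform is outside the allowlist. XSLT is used here
# only because it is an XML-DSig-defined transform URI; any non-allowlisted
# algorithm is treated identically.
SUSPECT_RESPONSE = BENIGN_RESPONSE.sub(
  'http://www.w3.org/2001/10/xml-exc-c14n#',
  'http://www.w3.org/TR/1999/REC-xslt-19991116'
)

# Every ds:Transform algorithm in the document that is not allowlisted.
# Matching is by namespace URI, so the prefix the sender chose does not matter.
def disallowed_transforms(xml)
  doc = REXML::Document.new(xml)
  REXML::XPath.match(doc, '//ds:Transform', 'ds' => DS_NS)
              .map { |t| t.attributes['Algorithm'] }
              .reject { |alg| SAFE_TRANSFORMS.include?(alg) }
end

# Gate for the base64-encoded samlResponse parameter. true means "reject now,
# before the signature library ever sees the document". Undecodable or
# unparseable input is rejected rather than passed through.
def reject_saml_response?(encoded)
  xml = Base64.strict_decode64(encoded)
  !disallowed_transforms(xml).empty?
rescue ArgumentError, REXML::ParseException
  true
end

if __FILE__ == $PROGRAM_NAME
  puts "benign:  reject=#{reject_saml_response?(Base64.strict_encode64(BENIGN_RESPONSE))}"
  puts "suspect: reject=#{reject_saml_response?(Base64.strict_encode64(SUSPECT_RESPONSE))} " \
       "(#{disallowed_transforms(SUSPECT_RESPONSE).join(', ')})"
end
```

The check is deliberately independent of signature validity: a response whose signature would fail verification can still be dangerous if the library applies its transforms first, which is why the gate runs on the raw decoded XML and not on the library's verdict.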
## Installation

### SAML 2.0 Identity Provider

If you don't already have a SAML 2.0 Identity Provider (IdP), you can use this free one for testing: https://mocksaml.com/

Save the certificate to a local file (e.g. `cert.cer`) and take note of the SSO URL (`https://mocksaml.com/api/saml/sso`).

### Download the installers

Go to https://archives.manageengine.com/, fill the form with any data and select the ServiceDesk Plus product with any version (e.g. `14003`). You will then have access to all the versions and platform installers.

### Windows

Click `Next` (you can skip the Registration for Technical Support part, it is optional). When the installation is done, select `Start ServiceDesk Server` and click `Finish`.

From `C:\Program Files\ManageEngine\ServiceDesk\bin\`, run `SDPLaunch`. This will start a browser and get you to the login page.

### Linux (Ubuntu)

Make the installer executable with `chmod +x <linux_installer>.bin`.

Click `Next` until you reach the installation path page. Use a path other than the default `/root/` (it doesn't work with this default path) and finish the installation. You might get an error 'Problem in initializing Postgres'; just ignore it, click `OK` and finish the installation. We'll fix this in the next step.

### Postgres

If you got the Postgres error in the last step, go to the installation base path (e.g. `/opt/ManageEngine/ServiceDesk/`) and run the following commands as root:

```
cp tools/postgres/bin/gettimezone tools/postgres/bin/gettimezone_32
cp tools/postgres/bin/gettimezone_64 tools/postgres/bin/gettimezone
cd bin
./initPgsql.sh
```

Start the server by running `run.sh` as root.

### Enable SAML 2.0 SSO

1. Go to `http://localhost:8080`
2. Log in as `Administrator`.
3. Go to `http://localhost:8080/app#/admin` and click on `SAML Single Sign On` in the `Users & Permission` section.
4. Under `Configure Identity Provider Details`, set the SSO URL from the IdP (e.g. `https://mocksaml.com/api/saml/sso`), set the `Name ID Format` to `Unspecified`, the `Algorithm` to `RSA_SHA1` and select the IdP certificate file (e.g. `cert.cer`).
5. Under `Additional Claims` > `Default Fields`, set the `Login Name` to any value.
6. Click `Save`.
7. Click the `Enable SAML Single Sign-On ?` button on the top of the page.

## Verification Steps

1. `use multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966`
2. `exploit rhosts=<remote host IP> lhost=<local host IP>`

## Scenarios

### ServiceDesk Plus version 14003 on Windows - Target 1 (`Windows Command`)

### ServiceDesk Plus version 14003 on Windows - Target 0 (`Windows EXE Dropper`)

### ServiceDesk Plus version 14003 on Linux (Ubuntu) - Target 2 (`Unix Command`)

### ServiceDesk Plus version 14003 on Linux (Ubuntu) - Target 2 (`Unix Dropper`)