ManageEngine ADManager Plus ChangePasswordAction Authenticated Command Injection
Description
ManageEngine ADManager Plus prior to build 7181 is vulnerable to an authenticated command injection due to insufficient validation of user input when performing the ChangePasswordAction function before passing it into a string that is later used as an OS command to execute. By making a POST request to /api/json/admin/saveServerSettings with a params POST parameter containing a JSON array object that has a USERNAME or PASSWORD element containing a carriage return and newline, followed by the command the attacker wishes to execute, an attacker can gain RCE as the user running ADManager Plus, which will typically be the local administrator. Note that the attacker must be authenticated in order to send requests to /api/json/admin/saveServerSettings, so this vulnerability does require authentication to exploit. As this exploit modifies the HTTP proxy settings for the entire server, one cannot use fetch payloads with this exploit, since these will use HTTP connections that will be affected by the change in configuration.
Author(s)
- Simon Humbert
- Dinh Hoang
- Grant Willcox
Platform
Windows
Architectures
cmd
Development
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/windows/http/manageengine_admanager_plus_cve_2023_29084_auth_cmd_injection
msf exploit(manageengine_admanager_plus_cve_2023_29084_auth_cmd_injection) > show targets
...targets...
msf exploit(manageengine_admanager_plus_cve_2023_29084_auth_cmd_injection) > set TARGET < target-id >
msf exploit(manageengine_admanager_plus_cve_2023_29084_auth_cmd_injection) > show options
...show and set options...
msf exploit(manageengine_admanager_plus_cve_2023_29084_auth_cmd_injection) > exploit
- Collect and share all the information you need to conduct a successful and efficient penetration test
- Simulate complex attacks against your systems and users
- Test your defenses to make sure they’re ready
- Automate Every Step of Your Penetration Test
Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.
– Jim O’Gorman | President, Offensive Security