Zoho ManageEngine ADAudit Plus bug gets public RCE exploit

Security researchers have published technical details and proof-of-concept exploit code for CVE-2022-28219, a critical vulnerability in the Zoho ManageEngine ADAudit Plus tool for monitoring activities in the Active Directory.

The vulnerability allows an unauthenticated attacker to execute code remotely and compromise Active Directory accounts. It comes with a critical severity score of 9.8 out of 10.

Zoho addressed the issue at the end of March in ADAudit Plus build 7060 after security researcher Naveen Sunkavally at Horizon3.ai reported it to the company.

Executing code remotely

Earlier this week, Horizon3.ai published a blog post explaining the technical aspects behind CVE-2022-28219 along with proof-of-concept exploit code that demonstrates the findings.

The vulnerability consists of three issues, untrusted Java deserialization, path traversal, and a blind XML External Entities (XXE) injection, that ultimately lead to remote code execution without authentication.

The researcher started the investigation after finding an endpoint managed by the CewolfRenderer servlet in the third-party Cewolf charting library.

“This is the same vulnerable endpoint from CVE-2020-10189, reported by @steventseeley against ManageEngine Desktop Central. The FileStorage class in this library was abused for remote code execution via untrusted Java deserialization” - Naveen Sunkavally

Looking closer at the library, the researcher discovered that it did not sanitize input paths, leaving the door open to deserializing a Java payload in an arbitrary location on the disk.

Bypassing authentication, stealing logins

Once Sunkavally found a way to execute code remotely, he started to look for methods to upload files without authentication and found that some ADAudit Plus endpoints used by agents running on the machine to upload security events did not require authentication.

“This gave us a large attack surface to work with because there’s a lot of business logic that was written to process these events” - Naveen Sunkavally

The researcher then found a way to trigger a blind XXE vulnerability in the ProcessTrackingListener class in charge of managing events with Windows scheduled task XML content.

Sunkavally notes that while blind XXE vulnerabilities in Java can be difficult to exploit. However, his work was made easier since ADAudit Plus shipped with an older Java runtime, allowing him to transfer files and list directories over FTP as well as upload files.

The researcher says that the default in ADAudit Plus is Java 8u051 and he found that three quarters of the installations are running an older version of Java runtime.

Sunkavally’s investigation also revealed that an attacker could also collect and relay NTLM hashes on Windows machines regardless of the Java runtime version or XXE vulnerabilities.

“This is because the Java HTTP client will attempt to authenticate over NTLM if it connects to a server requiring NTLM to authenticate,” Sunkavally explains.

To show the validity of these findings, Horizon3.ai published code that exploits CVE-2022-28219 in ManageEngine ADAudit Plus builds before 7060 to execute the calculator app in Windows.

An attacker targeting a vulnerable ADAudit Plus instance could also obtain credentials for the Active Directory and use this access to distribute malware on all machines on the network.

Although ADAudit Plus stores the credentials in an encrypted state, the researcher says that “it’s possible to reverse the encryption to access these credentials in the clear.”

Since many users typically use Domain Admin credentials to start auditing activities using ADAudit Plus, a threat actor could grab the logins and use them to further their attack.

While this is an easier path, creating separate service accounts with limited privileges is a more secure method.