CVE-2020-28653
Description
Zoho ManageEngine OpManager Stable build before 125203 (and Released build before 125233) allows Remote Code Execution via the Smart Update Manager (SUM) servlet.
Ratings
- Attacker Value: High
- Exploitability: Very High
Technical Analysis
A deserialization vulnerability exists in the ManageEngine OpManager platform that can be leveraged by an unauthenticated attacker to execute code as the application user which is typically NT AUTHORITY\SYSTEM on Windows and root on Linux.
Exploitation can be broken down into three high level steps.
1. Issue an HTTP request to any application page so that an HTTP session cookie is issued. The login page works fine for this purpose.
2. Issue a POST request to /servlets/com.adventnet.tools.sum.transport.SUMHandShakeServlet with the body \xac\xed\x00\x05\x77\x04\x00\x00\x03\xea, which is the integer 1002 written through Java serialization (the stream magic and version, then a TC_BLOCKDATA block of four bytes holding the big-endian int). This command associates a handler with the HTTP session that is then exploited.
3. Issue a POST request to /servlets/com.adventnet.tools.sum.transport.SUMCommunicationServlet. The body of this request is the length in bytes of the serialized Java payload as a 32-bit unsigned, big-endian value, followed by the serialized Java payload.
In Ruby the POST body for step 3 would be built like:
data = [ java_payload.bytesize ].pack('N') + java_payload  # byte length, not character count
Step 3 can be repeated multiple times with a different serialized Java payload each time, for example to execute multiple OS commands.
The default OpManager instance is vulnerable out of the box, there is no configuration necessary and a user never needs to have logged in. Technically, the HTTP request handler may fail in step 2 but it does so after the necessary request handler has been associated with the session, allowing exploitation to proceed regardless.
A patched version (v12.5.233 and later) will not respond with a body starting with \xac\xed\x00\x05, which an attacker can use to check for exploitability. The version number can also be found in the source of the login page by searching for paths beginning with /cachestart/#####/, where ##### is the 5-digit version number.
A bypass for the patch issued by ManageEngine is identified as CVE-2021-3287.
General Information
Vendors
- zohocorp
Products
- manageengine opmanager
- manageengine opmanager 12.5