CVE-2022-35405
Description
Zoho ManageEngine Password Manager Pro before 12101 and PAM360 before 5510 are vulnerable to unauthenticated remote code execution. (This also affects ManageEngine Access Manager Plus before 4303 with authentication.)
Ratings
- Attacker Value: Very High
- Exploitability: Very High
Technical Analysis
This is an interesting vulnerability, first found by Vinicius, with a detailed writeup on how to exploit it published by Y4er at https://xz.aliyun.com/t/11578. Zoho subsequently patched it; the patch is available at https://archives2.manageengine.com/passwordmanagerpro/12101/ManageEngine_PasswordManager_Pro_12100_to_12101.ppm and the advisory at https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-35405.html.
By sending an XML-RPC serialized message via a POST request to the /xmlrpc endpoint as an unauthenticated user (the XML-RPC specification is at http://xmlrpc.com/spec.md), it is possible to gain RCE as the SYSTEM user that Zoho Password Manager runs as. Note that the name of the method being called does not have to be valid, and neither does the name of the parameter passed to that method. All that matters is that the value of the parameter is marked as a Base64-encoded serializable object. This can be seen in the Metasploit module at https://github.com/rapid7/metasploit-framework/pull/16852/files#diff-eaa6a1c5246f1059f414cda95a9c5c4e3e1d0adc4373ce64f7165fefe7576ec6R129-R157
Additionally, since a target that is vulnerable to deserialization attacks responds with "Failed to read result object: null" when the endpoint is sent an empty string, it is easy to put together a full exploit for this vulnerability that can both check whether the target is vulnerable and reliably exploit it. The last step was to use the CommonsBeanutils1 deserialization chain and supply the command we want to execute, at which point we go from an unauthenticated user to SYSTEM, remotely and without authentication.
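As a defender-side illustration of the request shape described above, here is an added example (not code from the assessment or from the Metasploit module) that inspects an HTTP request to the /xmlrpc endpoint, decodes every XML-RPC <base64> parameter and flags any that begins with the Java serialization stream header (0xACED0005, which is "rO0AB" in Base64). The sample request bodies are constructed for the example; the suspicious one carries only the 4-byte header plus filler, not a gadget chain.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Java serialization stream header: STREAM_MAGIC 0xACED, STREAM_VERSION 0x0005.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"


def inspect_xmlrpc_request(path, body):
    """Classify one HTTP request by path and XML-RPC body.

    Returns 'not-xmlrpc' for other paths, 'malformed' if the body is not a
    methodCall, 'serialized-java' if any <base64> parameter decodes to a
    Java serialization stream, and 'ok' otherwise.
    """
    if path.split("?", 1)[0] != "/xmlrpc":
        return "not-xmlrpc"
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "malformed"
    if root.tag != "methodCall":
        return "malformed"
    # The method name and parameter names are irrelevant to the bug, so only
    # the <base64> values are examined; wrapped Base64 is re-joined first.
    for node in root.iter("base64"):
        try:
            blob = base64.b64decode("".join((node.text or "").split()), validate=True)
        except (binascii.Error, ValueError):
            continue
        if blob.startswith(JAVA_SERIAL_MAGIC):
            return "serialized-java"
    return "ok"


# Constructed sample bodies (not captured traffic).
BENIGN_REQUEST = (
    b"<methodCall><methodName>ping</methodName><params><param>"
    b"<value><string>hello</string></value></param></params></methodCall>"
)
SUSPICIOUS_REQUEST = (
    b"<methodCall><methodName>anything</methodName><params><param><value><base64>"
    + base64.b64encode(JAVA_SERIAL_MAGIC + b"constructed-filler")
    + b"</base64></value></param></params></methodCall>"
)

if __name__ == "__main__":
    for name, body in (("benign", BENIGN_REQUEST), ("suspicious", SUSPICIOUS_REQUEST)):
        print(name, inspect_xmlrpc_request("/xmlrpc", body))
```

The same check can be run over a WAF or proxy's request log to surface deserialization attempts against unpatched hosts.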
What are the implications of this? It depends on the product. In the case of ManageEngine Access Manager Plus, authentication is required to exploit this issue, which may reduce some of the risk; however, one still needs to consider that successful exploitation results in highly privileged access. With Zoho ManageEngine Password Manager Pro and PAM360, no authentication is needed and the attacker still gains very highly privileged access.
Secondly, one needs to consider where these products will be placed in the network. Zoho ManageEngine Password Manager Pro will likely be internally facing, as there is usually no need to make it externally accessible, or if it is, it will be reachable only via a VPN. On the other hand, ManageEngine Access Manager Plus and PAM360 are access management solutions, so it is feasible, particularly in today's world of remote work, that these solutions would be accessible over the internet.
In the worst-case scenario this means an unauthenticated attacker could connect to a target server remotely over the internet and, with no authentication, get SYSTEM-level access on a server that either controls sensitive operations via access management controls or holds users' passwords, which could then be used to gain further access into the target network.
The more realistic scenario is that these products are internally facing and an internal attacker uses this vulnerability to gain control over access management software to avoid detection or grant themselves access to sensitive resources, or steals passwords to gain further access into the target network.
In either case the risk of this vulnerability is quite high. Given how easy exploitation is, combined with known exploitation in the wild, this should be patched as soon as possible, and if you haven't patched already you should investigate your servers for any suspicious activity.
General Information
Vendors
- zohocorp
Products
- manageengine access manager plus
- manageengine access manager plus 4.3
- manageengine pam360
- manageengine pam360 5.5
- manageengine password manager pro
- manageengine password manager pro 12.1
Exploited in the Wild