Attacker Value
Moderate
(1 user assessed)
Exploitability
High
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network

CVE-2021-42847

Disclosure Date: November 11, 2021

Description

Zoho ManageEngine ADAudit Plus before 7006 allows attackers to write to, and execute, arbitrary files.

Technical Analysis

The GPO Watcher endpoint at /api/agent/tabs/agentGPOWatcherData on Zoho ManageEngine ADAudit Plus before 7006 is vulnerable to a directory traversal in the Html_fileName parameter of a formulated POST request. By sending this request with the Html_fileName containing a directory traversal to write to the alert_scripts directory and setting the htmlReport parameter to the contents of a malicious command that the attacker wishes to execute, the attacker can create a malicious alert script file on the target computer.

Once this malicious alert script is created, they can then create an alert profile that will trigger on failed logins, and set the script to be executed on failed logins to the malicious script file that was created. At this point, all the attacker needs to do is attempt to log in with invalid credentials, and the malicious script file they created will be loaded and any of the commands contained within it will be executed as the user running Zoho ManageEngine ADAudit Plus.

The one limitation of this vulnerability is that a user will need to have valid credentials to the server as a user who has the ability to create alert profiles, so this does limit the usefulness of this vulnerability somewhat. However, should the attacker possess these credentials, it is pretty easy for them to exploit this vulnerability to gain access to the target server.

If you would like more details on the specifics of this vulnerability, there is a great writeup at https://www.ctfiot.com/71659.html that goes into more detail.
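The root cause described in the assessment above is a file name taken from a request parameter and joined onto a server-side directory without a containment check. The following is an added example (not code from the assessment, from Zoho, or from ADAudit Plus) that shows the unsafe join beside a hardened version, and a small detection routine that flags traversal sequences in the `Html_fileName` parameter of requests to the GPO Watcher endpoint. The base directory `/opt/adaudit/reports`, the `.html` naming rule, and the request-log line format (with form fields appended) are all assumptions constructed for the example; the sample log lines are constructed, not real product logs.

```python
"""Traversal containment check and log-based detection for a file-name parameter.

Added example; the directory layout, the `.html` naming rule and the log format
are assumptions, not taken from the product.
"""
import os
import re
from urllib.parse import parse_qsl, unquote

# Assumed base directory for generated reports (hypothetical path).
REPORT_DIR = "/opt/adaudit/reports"
# Endpoint named in the assessment above.
ENDPOINT = "/api/agent/tabs/agentGPOWatcherData"


def vulnerable_report_path(base_dir: str, html_file_name: str) -> str:
    """The unsafe pattern: join a client-controlled name onto a base directory.

    os.path.join/normpath will happily follow '..' components out of base_dir,
    so the caller ends up writing wherever the client pointed it.
    """
    return os.path.normpath(os.path.join(base_dir, html_file_name))


def safe_report_path(base_dir: str, html_file_name: str) -> str:
    """Hardened form: allow-list the name, resolve it, then require the result
    to remain inside base_dir. Raises ValueError on anything else."""
    # Conservative allow-list: simple stem plus the expected extension (assumed).
    if not re.fullmatch(r"[A-Za-z0-9_\-]{1,64}\.html", html_file_name):
        raise ValueError("rejected file name: %r" % html_file_name)
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, html_file_name))
    # Containment check: the resolved target must share base as its prefix path.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes report directory: %r" % target)
    return target


# Constructed sample request log: "<ts> <src> <method> <path> <form fields>".
SAMPLE_REQUEST_LOG = [
    "2021-11-12T10:01:02Z 10.0.0.5 POST /api/agent/tabs/agentGPOWatcherData Html_fileName=gpo_report.html",
    "2021-11-12T10:01:09Z 10.0.0.5 POST /api/agent/tabs/agentGPOWatcherData Html_fileName=..%2F..%2Falert_scripts%2Frun.bat",
    "2021-11-12T10:02:30Z 10.0.0.7 GET /api/agent/tabs/agentGPOWatcherData Html_fileName=weekly.html",
    "2021-11-12T10:03:00Z 10.0.0.9 POST /api/agent/tabs/agentGPOWatcherData Html_fileName=%252e%252e%2Fscript.bat",
    "2021-11-12T10:04:11Z 10.0.0.9 POST /api/login user=admin",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<path>\S+)(?: (?P<params>.*))?$"
)


def flag_traversal_requests(lines):
    """Return one finding per request to ENDPOINT whose Html_fileName contains a
    traversal or path-separator sequence, after decoding twice so that
    double-encoded input (e.g. %252e) is caught as well."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m or m.group("path") != ENDPOINT:
            continue
        # parse_qsl decodes once; unquote again to catch double encoding.
        params = dict(parse_qsl(m.group("params") or "", keep_blank_values=True))
        name = unquote(params.get("Html_fileName", ""))
        if ".." in name or "/" in name or "\\" in name:
            findings.append({"line": lineno, "src": m.group("src"), "Html_fileName": name})
    return findings


if __name__ == "__main__":
    print(vulnerable_report_path(REPORT_DIR, "../alert_scripts/run.bat"))
    for f in flag_traversal_requests(SAMPLE_REQUEST_LOG):
        print("traversal attempt", f)
```

The containment check is the part that matters: an allow-list on the raw name alone can be bypassed by encodings the framework decodes later, and a realpath comparison alone still accepts names that legitimately live elsewhere, so doing both is the conservative choice. The detection routine is deliberately noisy in one direction, flagging any separator in the parameter, because a report file name has no business containing one.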

CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • zohocorp

Products

  • manageengine adaudit plus
  • manageengine adaudit plus 7.0
