Moderate
CVE-2021-42847
Description
Zoho ManageEngine ADAudit Plus before 7006 allows attackers to write to, and execute, arbitrary files.
Ratings
- Attacker Value: Medium
- Exploitability: High
Technical Analysis
The GPO Watcher endpoint at /api/agent/tabs/agentGPOWatcherData on Zoho ManageEngine ADAudit Plus before 7006 is vulnerable to a directory traversal in the Html_fileName parameter of a formulated POST request. By sending this request with the Html_fileName containing a directory traversal to write to the alert_scripts directory and setting the htmlReport parameter to the contents of a malicious command that the attacker wishes to execute, the attacker can create a malicious alert script file on the target computer.
Once this malicious alert script is created, they can then create an alert profile that will trigger on failed logins, and set the script to be executed on failed logins to the malicious script file that was created. At this point, all the attacker needs to do is attempt to log in with invalid credentials, and the malicious script file they created will be loaded and any of the commands contained within it will be executed as the user running Zoho ManageEngine ADAudit Plus.
The one limitation of this vulnerability is that a user will need to have valid credentials to the server as a user who has the ability to create alert profiles, so this does limit the usefulness of this vulnerability somewhat. However, should the attacker possess these credentials, it is pretty easy for them to exploit this vulnerability to gain access to the target server.
If you would like more details on the specifics of this vulnerability, there is a great writeup at https://www.ctfiot.com/71659.html that goes into more detail.
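A defender-side check for the request pattern described in this assessment, added here as an example and not part of the assessment or of AttackerKB: it flags POST requests to the GPO Watcher endpoint whose Html_fileName value resolves outside the directory it is meant to be written into. The endpoint and parameter names are those given above; the request-record layout, the virtual base directory and the sample records are constructed assumptions.

```python
"""Flag POST requests to the ADAudit Plus GPO Watcher endpoint whose
Html_fileName value contains a directory traversal (CVE-2021-42847)."""
import posixpath
from urllib.parse import unquote

# Endpoint and parameter names as given in the assessment above.
WATCHED_ENDPOINT = "/api/agent/tabs/agentGPOWatcherData"
WATCHED_PARAM = "Html_fileName"
# Assumed virtual base: only the *relative* position matters for the check.
BASE_DIR = "/base"


def escapes_base(filename: str) -> bool:
    """True if the (possibly URL-encoded) file name climbs out of BASE_DIR."""
    # Decode twice so double-encoded sequences (%252F) are also caught,
    # and treat backslashes as separators since the product runs on Windows.
    decoded = unquote(unquote(filename)).replace("\\", "/")
    if decoded.startswith("/"):
        return True  # absolute path: never inside the intended directory
    resolved = posixpath.normpath(posixpath.join(BASE_DIR, decoded))
    inside = resolved == BASE_DIR or resolved.startswith(BASE_DIR + "/")
    return not inside


def flag_request(req: dict) -> bool:
    """True when a request record (assumed shape: method/path/form) matches."""
    if req.get("method") != "POST" or req.get("path") != WATCHED_ENDPOINT:
        return False
    value = req.get("form", {}).get(WATCHED_PARAM)
    return value is not None and escapes_base(value)


# Constructed request records, not real traffic, in the shape a reverse
# proxy or WAF that logs form fields might emit.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": WATCHED_ENDPOINT,
     "form": {WATCHED_PARAM: "report_2021.html", "htmlReport": "<html>"}},
    {"method": "POST", "path": WATCHED_ENDPOINT,
     "form": {WATCHED_PARAM: "../../alert_scripts/x.bat", "htmlReport": ""}},
    {"method": "POST", "path": WATCHED_ENDPOINT,
     "form": {WATCHED_PARAM: "..%2F..%2Falert_scripts%2Fx.bat"}},
    {"method": "GET", "path": WATCHED_ENDPOINT, "form": {}},
]


def flagged_indices(requests=SAMPLE_REQUESTS) -> list:
    """Indices of records that match the traversal pattern."""
    return [i for i, r in enumerate(requests) if flag_request(r)]


if __name__ == "__main__":
    print(flagged_indices())  # [1, 2]
```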
General Information
Vendors
- zohocorp
Products
- manageengine adaudit plus
- manageengine adaudit plus 7.0