Moderate
CVE-2021-42847
CVE-2021-42847
Description
Zoho ManageEngine ADAudit Plus before 7006 allows attackers to write to, and execute, arbitrary files.
Add Assessment
Technical Analysis
The GPO Watcher endpoint at /api/agent/tabs/agentGPOWatcherData on Zoho ManageEngine ADAudit Plus before 7006 is vulnerable to a directory traversal in the Html_fileName parameter of a formulated POST request. By sending this request with the Html_fileName containing a directory traversal to write to the alert_scripts directory and setting the htmlReport parameter to the contents of a malicious command that the attacker wishes to execute, the attacker can create a malicious alert script file on the target computer.
Once this malicious alert script is created, they can then create an alert profile that will trigger on failed logins, and set the script to be executed on failed logins to the malicious script file that was created. At this point, all the attacker needs to do is to attempt to login with invalid credentials, and the malicious script file they created will be loaded and any of the commands contained within it will be executed as the user running Zoho ManageEngine ADAudit Plus.
The one limitation of this vulnerability is that a user will need to have valid credentials to the server as a user who has the ability to create alert profiles, so this does limit the usefulness of this vulnerability somewhat. However should the attacker possess these credentials, it is pretty easy for them to exploit this vulnerability to gain access to the target server.
If you would like more details on the specifics of this vulnerability, there is a great writeup at https://www.ctfiot.com/71659.html that goes into more detail.
CVSS V3 Severity and Metrics
General Information
Vendors
- zohocorp
Products
- manageengine adaudit plus,
- manageengine adaudit plus 7.0
Metasploit Modules
References
