Attacker Value: High (1 user assessed)
Exploitability: Very High (1 user assessed)
User Interaction: None
Privileges Required: None
Attack Vector: Network

CVE-2020-28653

Disclosure Date: February 03, 2021

Description

Zoho ManageEngine OpManager Stable build before 125203 (and Released build before 125233) allows Remote Code Execution via the Smart Update Manager (SUM) servlet.

3 Ratings
Technical Analysis

A deserialization vulnerability exists in the ManageEngine OpManager platform that can be leveraged by an unauthenticated attacker to execute code as the application user which is typically NT AUTHORITY\SYSTEM on Windows and root on Linux.

Exploitation can be broken down into three high-level steps.

  1. Issue an HTTP request to the application’s page, to have an HTTP session cookie issued. For this purpose the login page works just fine.
  2. Issue a POST request to the /servlets/com.adventnet.tools.sum.transport.SUMHandShakeServlet resource with a body of \xac\xed\x00\x05\x77\x04\x00\x00\x03\xea which is 1002 serialized as a Java int. This command associates a handler to the HTTP session that is then exploited.
  3. Issue a POST request to the /servlets/com.adventnet.tools.sum.transport.SUMCommunicationServlet resource. The body of this request is the length in bytes of the serialized Java payload as a 32-bit unsigned, big endian value followed by the serialized Java payload.

In Ruby the POST body would be made like:

# bytesize rather than length: the prefix must count bytes even when the
# payload string is not tagged as binary (ASCII-8BIT).
data = [java_payload.bytesize].pack('N') + java_payload

Step 3 can be repeated multiple times to execute a different serialized Java payload to, for example, execute multiple OS commands.

The default OpManager instance is vulnerable out of the box; there is no configuration necessary and a user never needs to have logged in. Technically, the HTTP request handler may fail in step 2, but it does so after the necessary request handler has been associated with the session, allowing exploitation to proceed regardless.
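The request sequence described above leaves a recognisable trace in web server access logs: a POST to the SUMHandShakeServlet followed by one or more POSTs to the SUMCommunicationServlet from the same source. The following Ruby is an added detection example, not part of this assessment or of OpManager; the NCSA combined log format and the sample log lines are constructed assumptions (OpManager's own log layout may differ), and grouping by source host stands in for the HTTP session, which access logs normally do not record. The handshake status code is deliberately ignored, because the assessment notes the handler can return an error while the session is still armed.

```ruby
# Added detection example (not from the AttackerKB assessment): flag source
# hosts whose requests follow the SUM servlet handshake-then-payload pattern.

HANDSHAKE_SERVLET = '/servlets/com.adventnet.tools.sum.transport.SUMHandShakeServlet'
COMM_SERVLET      = '/servlets/com.adventnet.tools.sum.transport.SUMCommunicationServlet'

# Assumed NCSA combined format: host ident user [time] "method path proto" status bytes
LOG_LINE = /\A(?<host>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) (?<bytes>\S+)/

# Constructed sample log. The first host performs the handshake (which errors
# with a 500, as the assessment says it may) and then sends two payloads; the
# second host only touches the communication servlet without a handshake.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [03/Feb/2021:10:15:01 +0000] "GET / HTTP/1.1" 200 8123
  203.0.113.7 - - [03/Feb/2021:10:15:02 +0000] "POST /servlets/com.adventnet.tools.sum.transport.SUMHandShakeServlet HTTP/1.1" 500 0
  203.0.113.7 - - [03/Feb/2021:10:15:03 +0000] "POST /servlets/com.adventnet.tools.sum.transport.SUMCommunicationServlet HTTP/1.1" 200 14
  203.0.113.7 - - [03/Feb/2021:10:15:04 +0000] "POST /servlets/com.adventnet.tools.sum.transport.SUMCommunicationServlet HTTP/1.1" 200 14
  198.51.100.22 - - [03/Feb/2021:10:16:00 +0000] "GET / HTTP/1.1" 200 8123
  198.51.100.22 - - [03/Feb/2021:10:16:30 +0000] "POST /servlets/com.adventnet.tools.sum.transport.SUMCommunicationServlet HTTP/1.1" 404 0
LOG

# Parse log text into an array of hashes; lines that do not match are skipped.
def parse_log(text)
  text.each_line.map do |line|
    m = LOG_LINE.match(line.strip)
    next unless m
    { host: m[:host], time: m[:time], method: m[:method], path: m[:path], status: m[:status].to_i }
  end.compact
end

# Returns { source host => number of SUMCommunicationServlet POSTs that came
# after a SUMHandShakeServlet POST from that host }. Hosts with no such
# sequence are omitted. Response status is ignored on purpose.
def sum_servlet_sequences(records)
  findings = {}
  records.group_by { |r| r[:host] }.each do |host, recs|
    armed = false
    payloads = 0
    recs.each do |r|
      next unless r[:method] == 'POST'
      if r[:path] == HANDSHAKE_SERVLET
        armed = true
      elsif r[:path] == COMM_SERVLET && armed
        payloads += 1
      end
    end
    findings[host] = payloads if payloads > 0
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  sum_servlet_sequences(parse_log(SAMPLE_LOG)).each do |host, n|
    puts "#{host}: SUM handshake followed by #{n} SUMCommunicationServlet POST(s)"
  end
end
```

Any POST to either SUM servlet from an address that is not the update infrastructure is worth a look on its own; the sequence check above is the higher-confidence signal, and the count of communication POSTs tells you how many payloads were delivered.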

A patched version (v12.5.233 and later) will not respond with a body starting with \xac\xed\x00\x05 which can be used by an attacker to check for exploitability. The version number can also be found in the source of the login page by searching for paths beginning with /cachestart/#####/ where ##### is the 5-digit version number.

A bypass for the patch issued by ManageEngine is identified as CVE-2021-3287.

CVSS V3 Severity and Metrics

Base Score: 9.8 Critical
Impact Score: 5.9
Exploitability Score: 3.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

General Information

Vendors

  • zohocorp

Products

  • manageengine opmanager
  • manageengine opmanager 12.5
