Zoho ADManager Plus: Multiple Vulnerabilities

Overview

ADManager Plus, a product of Zoho Corporation, is vulnerable to multiple critical unauthenticated vulnerabilities.

This Active Directory management tool offers administrators customizable templates to manage all aspects of Active Directory account creation and modification.

Authentication check bypass:

ADManager Plus is a Java web application; its web.xml declares the Java servlets. The <servlet-mapping> section of web.xml contains the url-pattern /servlet/UpdateProductDetails. Sending a POST request to this URL returns a 200 OK response with the message “failed”.

Let’s check how the request is processed.
The UpdateProductDetails class contains a function isUserAuthenticated.
This function processes the request parameters username and password and returns Boolean.valueOf(true). This is where the vulnerability lies: if the username parameter is omitted and the UPDATE_HA_VIRTUAL_HOST parameter is set to TRUE, the credentials are not checked and the function returns true.
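To make the design flaw concrete, here is a model of the check described above. This is an added illustration, not ADManager Plus source code: the real isUserAuthenticated() is Java and its internals are not shown in this post. The model reproduces only the behaviour the write-up describes (a client-supplied UPDATE_HA_VIRTUAL_HOST=TRUE with no username skips the credential check) and contrasts it with a fail-closed version; the credential store and the helper names are constructed for the demo.

```python
"""Model of the UpdateProductDetails authentication check (added example).

Not the product's code: the functions below only reproduce the behaviour
described in the write-up so the flaw and its fix can be compared.
"""
import hashlib
import hmac
from typing import Mapping, Optional

# Constructed credential store for the demo: username -> SHA-256 of password.
# A real deployment uses a salted, slow hash; this only keeps the example
# self-contained.
_DEMO_USERS = {
    "admin": hashlib.sha256(b"correct-horse-battery-staple").hexdigest(),
}


def _credentials_valid(username: Optional[str], password: Optional[str]) -> bool:
    """Constructed helper: constant-time comparison against the demo store."""
    if not username or not password:
        return False
    expected = _DEMO_USERS.get(username)
    if expected is None:
        return False
    supplied = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(expected, supplied)


def is_user_authenticated_vulnerable(params: Mapping[str, str]) -> bool:
    """Models the flawed logic: a request flag decides whether credentials are checked."""
    username = params.get("username")
    # Bug: the branch is taken purely on client-controlled input. With no
    # username and UPDATE_HA_VIRTUAL_HOST=TRUE the credentials are never
    # examined and the caller is treated as authenticated.
    if username is None and params.get("UPDATE_HA_VIRTUAL_HOST") == "TRUE":
        return True
    return _credentials_valid(username, params.get("password"))


def is_user_authenticated_fixed(params: Mapping[str, str]) -> bool:
    """Fail-closed version: every request must carry valid credentials.

    UPDATE_HA_VIRTUAL_HOST may still be read later by business logic, but it
    never influences whether authentication happens.
    """
    return _credentials_valid(params.get("username"), params.get("password"))


if __name__ == "__main__":
    flag_only = {"UPDATE_HA_VIRTUAL_HOST": "TRUE"}
    print("vulnerable:", is_user_authenticated_vulnerable(flag_only))  # True
    print("fixed:     ", is_user_authenticated_fixed(flag_only))       # False
```

The point of the contrast is that authentication must not be conditional on any value the client controls; the HA flag can still be honoured after the caller has been authenticated.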

Image Source: Medium

Integrate ADManager Plus with other ManageEngine Products:

The request parameters are handled internally through the database table ADSProductDetails, which has a column is_remotely_hosted. This table stores references to other ManageEngine products used in combination, e.g. ServiceDesk Plus.

Integrating ADManager Plus with ServiceDesk Plus allows users to perform Active Directory tasks such as user management and password resets from within the ServiceDesk Plus interface. The integration inserts a new row into the database table ADSProductDetails.

Image Source: Medium

As the image above shows, the host field can be set to our own IP address. The POST request below both bypasses authentication and inserts a row into the database.

Image Source: Medium

To verify that the configuration took effect, use netcat to listen on port 8443.

SSOConfig overwrite:

Another important request parameter is EVENTS, a JSONArray object. Sending a POST request with an EVENTS parameter of the following structure overwrites the SSOConfig.

Single Sign-On (SSO) is a session and authentication service that permits a user to use one set of login credentials.

Image Source: Medium

A single POST request to ADManager Plus in the above format results in authentication bypass, integration of ADManager Plus with ServiceDesk Plus, and an SSOConfig overwrite.
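For defenders, the request shape described in the authentication-bypass and SSOConfig sections above is straightforward to alert on. The following detection logic is an added example, not part of the original post or of the vendor's tooling. It assumes a reverse proxy or WAF in front of ADManager Plus that logs one JSON object per request including the decoded form parameters; the record fields (ts, src, method, path, params) and the sample log lines are constructed for this demo, and only the parameter names and the literal value TRUE mentioned in the write-up are used.

```python
"""Detection of suspicious POSTs to /servlet/UpdateProductDetails (added example).

Input format (constructed for this demo): JSON lines with the decoded form
parameters, as a reverse proxy or WAF might emit. Adapt field names to your
own logging pipeline.
"""
import json
from typing import Dict, Iterable, List

TARGET_PATH = "/servlet/UpdateProductDetails"

# Constructed sample records: an unrelated GET, a normal authenticated call to
# the servlet, one request matching the bypass pattern, and one that also
# carries an EVENTS array (the SSOConfig overwrite pattern). The EVENTS value
# is an empty placeholder; the real structure is only shown in the post's image.
SAMPLE_LOG = """\
{"ts":"2021-01-10T09:00:01Z","src":"10.0.0.5","method":"GET","path":"/home.do","params":{}}
{"ts":"2021-01-10T09:00:07Z","src":"10.0.0.9","method":"POST","path":"/servlet/UpdateProductDetails","params":{"username":"svc-sdp","password":"<redacted>"}}
{"ts":"2021-01-10T09:01:13Z","src":"203.0.113.7","method":"POST","path":"/servlet/UpdateProductDetails","params":{"UPDATE_HA_VIRTUAL_HOST":"TRUE"}}
{"ts":"2021-01-10T09:01:14Z","src":"203.0.113.7","method":"POST","path":"/servlet/UpdateProductDetails","params":{"UPDATE_HA_VIRTUAL_HOST":"TRUE","EVENTS":"[]"}}
"""


def classify(record: Dict) -> List[str]:
    """Return the names of the rules a single parsed request record triggers."""
    findings: List[str] = []
    if record.get("method") != "POST" or record.get("path") != TARGET_PATH:
        return findings
    params = record.get("params") or {}
    # Rule 1: the bypass shape from the write-up - no username, HA flag set.
    if "username" not in params and params.get("UPDATE_HA_VIRTUAL_HOST") == "TRUE":
        findings.append("updateproductdetails-auth-bypass")
    # Rule 2: an EVENTS array on this servlet is what the write-up ties to the
    # SSOConfig overwrite; flag it regardless of the authentication outcome.
    if "EVENTS" in params:
        findings.append("updateproductdetails-events-sso-overwrite")
    return findings


def scan(lines: Iterable[str]) -> List[Dict]:
    """Parse JSON-lines records and collect alerts with source and timestamp."""
    alerts: List[Dict] = []
    for n, line in enumerate(lines, start=1):
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than crash the pipeline
        rules = classify(record)
        if rules:
            alerts.append({"line": n, "src": record.get("src"),
                           "ts": record.get("ts"), "rules": rules})
    return alerts


def run_demo() -> List[Dict]:
    """Run the rules over the constructed sample log."""
    return scan(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Rule 1 deliberately keys on the absence of username rather than on the HA flag alone, so legitimate high-availability traffic that authenticates normally is not flagged; Rule 2 is broader because the write-up gives no legitimate unauthenticated use of EVENTS on this servlet. Correlating alerts by src, as the demo records do, also surfaces the bypass-then-overwrite sequence the post describes.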

Advisory

Upgrade to the latest service pack available on the following page:

https://www.manageengine.com/products/ad-manager/service-pack.html
