How to detect the Zoho ManageEngine ADSelfService Plus RCE (CVE-2021-40539)
Overwhelmed by so many high-risk vulnerabilities that emerge? Thousands of them are disclosed every year and 2021 is no exception.
Systems are complex, cyber-attacks get more sophisticated, and patching is still a challenge for many organizations. As infosec pros, it’s our responsibility to help companies (and individuals) understand the real implications and impact of a critical vulnerability and help them find it before it gets worse.
That’s what this article is all about.
When you tackle a critical CVE like an unauthenticated RCE in a service like Zoho ManageEngine ADSelfService Plus (CVSSv3 9.8), patching proves to be a difficult, time-consuming, and resource-intensive process.
On September 8, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that CVE-2021-40539 in ManageEngine ADSelfService Plus was being actively exploited in the wild. The vulnerability is an authentication bypass in the product's REST API that leads to unauthenticated remote code execution: an attacker who gets past the authentication filter can upload files to the server and then trigger their execution, without ever logging in.
Let’s dig deeper into the context of the problem.
What is Zoho ManageEngine ADSelfService Plus?
ManageEngine ADSelfService Plus is an integrated self-service password management and single sign-on solution for cloud applications and Active Directory infrastructure.
Zoho Corp has over 50 million users around the world, and about 180,000 companies run ManageEngine products. ADSelfService Plus is one of them, and because users reset their own passwords through it, it is frequently exposed to the internet. Those numbers give a sense of how many reachable, vulnerable servers this single issue could put at risk.
How the Zoho ManageEngine ADSelfService Plus RCE vuln works
The REST API under /RestAPI/ is protected by an authentication filter that decides, based on the request path, whether a request needs a valid session. On vulnerable builds that filter matches the path before it is normalized, so a crafted URL such as /./RestAPI/LogonCustomization does not look like a REST API call to the filter, while the servlet container still resolves the dot segment and routes the request to the REST API handler. The result is unauthenticated access to REST API methods, and from there to remote code execution.
Concretely, an attacker with network access to the web interface (this article uses port 443; the product's own defaults are 8888 for HTTP and 9251 for HTTPS) sends a POST request to /./RestAPI/LogonCustomization with methodToCall=previewMobLogo in the body. On an unpatched build the method runs without a session and returns the logo-preview JavaScript shown later in this article, which is the detection signal we rely on. As publicly documented, the in-the-wild exploit chain applies the same bypass to the REST API's file-upload method (LogonCustomization with methodToCall=unspecified) to write a web shell and to its openssl helper (Connection with methodToCall=openSSLTool) to execute commands.
Exploitation has been widespread since September 2021, and the joint advisory from the Federal Bureau of Investigation (FBI), the United States Coast Guard Cyber Command (CGCYBER) and CISA puts the start of in-the-wild abuse in August 2021, before the fix was public.
The advisory reports that threat actors used techniques and procedures including:
Web shells for persistence [T1505.003]
Obfuscated files, deobfuscated or decoded on the host [T1027 and T1140]
Credential dumping [T1003]
Exfiltrating copies of the Active Directory database (NTDS.dit) and registry hives [T1003.003]
Custom symmetric encryption for command-and-control traffic [T1573.001]
APT actors have been observed using tools such as:
Dropper – a trojan that writes a web shell to the compromised server
Godzilla – a Chinese-language web shell
NGLite – a backdoor used to keep access to the host
Vulnerable ManageEngine ADSelfService Plus versions
Tracked as CVE-2021-40539, this security issue affects ManageEngine ADSelfService Plus builds up to and including 6113, according to Zoho's security release. Its CVSSv3 score of 9.8 reflects a flaw that is reachable over the network, needs no privileges or user interaction, has low attack complexity, and fully compromises confidentiality, integrity and availability.
Patches have been available since September 2021 but it is very likely that there is still a significant number of vulnerable instances out there.
The business impact of CVE-2021-40539
When successfully exploited, this vulnerability gives an unauthenticated attacker remote code execution on the ADSelfService Plus server.
That server is a high-value foothold: the product holds privileged Active Directory credentials because it needs them to reset users' passwords. With code execution on it, an attacker can dump credentials, read and reset account passwords, create their own accounts, and work towards taking over the entire domain, doing massive damage to the organization.
You can check whether a system was compromised by reviewing the log files under C:\ManageEngine\ADSelfService Plus\logs (the default installation path; adjust it to your own). In the access logs, look for requests to /RestAPI/LogonCustomization and /RestAPI/Connection, especially ones whose path carries a /./ segment in front of RestAPI. In the Java error logs (adslog*), look for NullPointerException traces in addSmartCardConfig or getSmartCardConfig. On disk, look for unexpected .jsp files (web shells) under the webapps directory. The absence of these indicators is not proof of a clean system: an attacker who obtained code execution may have cleaned the logs.
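The log review described above can be scripted. The following is an added example written for this article, not a tool from Pentest-Tools.com or ManageEngine: it triages access-log lines for hits on the two REST API endpoints (grading dot-segment paths as high confidence) and pairs NullPointerException entries in the error log with the SmartCardConfig method names. The access-log format is assumed to be Tomcat's common pattern, the file-name globs are assumptions, and the sample lines (including the com.example class names) are constructed, not taken from a real incident.

```python
"""Triage ADSelfService Plus logs for CVE-2021-40539 exploitation indicators."""
import re
from pathlib import Path

# Assumed default installation directory; adjust to your environment.
LOG_DIR = Path(r"C:\ManageEngine\ADSelfService Plus\logs")

# Tomcat-style access log line: host ident user [time] "METHOD path proto" status bytes
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# The two REST API endpoints used by the public exploit chain:
# LogonCustomization (file upload) and Connection (command execution).
RESTAPI_RE = re.compile(r"/RestAPI/(?:LogonCustomization|Connection)(?:/|$)")
# Method names named in the CISA error-log indicators.
SMARTCARD_RE = re.compile(r"(?:add|get)SmartCardConfig")

# Constructed sample lines (not from a real incident). The class names are placeholders.
SAMPLE_ACCESS_LOG = """\
10.0.0.9 - - [08/Sep/2021:10:14:55 +0000] "GET /showLogin.cc HTTP/1.1" 200 9021
10.0.0.5 - - [08/Sep/2021:10:15:01 +0000] "POST /./RestAPI/LogonCustomization HTTP/1.1" 200 2187
10.0.0.5 - - [08/Sep/2021:10:15:07 +0000] "POST /./RestAPI/Connection HTTP/1.1" 200 143
10.0.0.7 - - [08/Sep/2021:10:16:30 +0000] "POST /RestAPI/LogonCustomization HTTP/1.1" 200 2187
"""
SAMPLE_ERROR_LOG = """\
[08/Sep/2021:10:15:08] SEVERE java.lang.NullPointerException
\tat com.example.SmartCardHandler.getSmartCardConfig(Unknown Source)
\tat com.example.RestApiServlet.doPost(Unknown Source)
[08/Sep/2021:10:16:00] INFO scheduler tick
"""


def path_severity(path):
    """'high' for a dot-segment bypass, 'review' for a plain REST API hit, else None."""
    p = path.split("?", 1)[0]
    if not RESTAPI_RE.search(p):
        return None
    lowered = p.lower()
    if "/./" in lowered or "/../" in lowered or "%2e" in lowered:
        return "high"   # the dot segment is the authentication-bypass signature
    return "review"     # authenticated admins hit this too; correlate with sessions


def triage_access_log(lines):
    """Return one finding per access-log line that touches the abused endpoints."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = ACCESS_RE.match(line)
        if not m:
            continue
        sev = path_severity(m["path"])
        if sev:
            findings.append({"line": n, "ip": m["ip"], "path": m["path"],
                             "status": int(m["status"]), "severity": sev})
    return findings


def triage_error_log(lines, window=8):
    """Pair each NullPointerException with a SmartCardConfig frame within `window` lines."""
    findings = []
    for i, line in enumerate(lines):
        if "NullPointerException" not in line:
            continue
        for j in range(i, min(i + window, len(lines))):
            m = SMARTCARD_RE.search(lines[j])
            if m:
                findings.append({"line": i + 1, "method": m.group(0)})
                break
    return findings


def run(log_dir=LOG_DIR):
    """Scan a real log directory. The file-name globs are assumptions; adjust them."""
    results = {"access": [], "errors": []}
    for f in sorted(log_dir.glob("*access*")):
        lines = f.read_text(errors="replace").splitlines()
        results["access"] += [dict(file=f.name, **h) for h in triage_access_log(lines)]
    for f in sorted(log_dir.glob("adslog*")):
        lines = f.read_text(errors="replace").splitlines()
        results["errors"] += [dict(file=f.name, **h) for h in triage_error_log(lines)]
    return results


if __name__ == "__main__":
    for section, hits in run().items():
        for hit in hits:
            print(section, hit)
```

Treat "review" hits as leads rather than verdicts: the un-prefixed /RestAPI/LogonCustomization path is also what a logged-in administrator produces, so compare the source address and timing against known admin activity before drawing conclusions.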
So how do you prove the business impact of this vulnerability?
I’ll show you how to find instances that may be affected by it.
ManageEngine instances use web-based interfaces, so you can use Google Dorks to sniff out ADSelfService hosts with the following search queries:
inurl:"showLogin.cc"
How to detect CVE-2021-40539 in ethical hacking engagements
To detect CVE-2021-40539, I recommend the following two steps. Both curl commands need --path-as-is: without it, curl collapses the /./ segment before sending the request and you end up probing the normal, authenticated /RestAPI/LogonCustomization URL.
First, check that the REST API endpoint is reachable through the dot-segment path:
curl -k -s --path-as-is "https://<HOST>/./RestAPI/LogonCustomization"
From here, send the method call in the body of a POST request:
curl -k -s --path-as-is "https://<HOST>/./RestAPI/LogonCustomization" -d "methodToCall=previewMobLogo"
On a vulnerable build, the response body contains the logo-preview script:
<script type="text/javascript">
var d = new Date();
window.parent.$("#mobLogo").attr("src","/temp/tempMobPreview.jpeg?"+d.getTime());
window.parent.$("#tabLogo").attr("src","/temp/tempMobPreview.jpeg?"+d.getTime());
</script>
If you’re curious to try another, much faster detection tactic, keep reading this guide.
How to detect CVE-2021-40539 using Pentest-Tools.com
The fastest and no-hassle way to validate that CVE-2021-40539 is affecting your target is to run a Network Vulnerability Scan on Pentest-Tools.com.
The tool maps the services exposed on the network perimeter and checks them for known vulnerabilities. In short, it:
Scans for open ports, collecting the protocol, type of service and version of each
Queries a database of known vulnerabilities to see whether those service versions are affected
Checks whether the target is actually vulnerable by sending fine-tuned requests and evaluating the responses, without extracting any data (the light version keeps interaction with the service to a minimum)
The light version of our Network Scanner is a faster method, but prone to returning more false-positive results. For better and more accurate results, we recommend the full version of our scanner, which performs more and deeper scans to detect a wide range of vulnerabilities.
How to mitigate CVE-2021-40539
Take immediate action and make sure to apply the existing patches in your environment, because ManageEngine has already released the fix for CVE-2021-40539.
Product | Affected builds | Fixed build |
---|---|---|
ADSelfService Plus | up to and including 6113 | 6114 |
Focus on prevention and mitigation to minimize risks and business impact
With a worrying rise of critical vulnerabilities emerging, it gets challenging to understand and cope with this environment. But prevention and mitigation with clear, basic security measures to follow are always in our control and help us reduce or eliminate these risks.
As an offensive security specialist, you are equipped to help your colleagues, customers, and the infosec community to find vulnerable targets and act to secure them the best they can. We’re all contributors. H*ck the system – make it better!