
How to detect the Zoho ManageEngine ADSelfService Plus RCE (CVE-2021-40539)

by Catalin Filip


Overwhelmed by so many high-risk vulnerabilities that emerge? Thousands of them are disclosed every year and 2021 is no exception.

Systems are complex, cyber attacks get more sophisticated, and patching is still a challenge for many organizations. As infosec pros, it’s our responsibility to help companies (and individuals) understand the real implications and impact of a critical vulnerability and help them find it before it gets worse.

That’s what this article is all about.   

When you tackle a critical CVE like an unauthenticated RCE in a service like Zoho ManageEngine ADSelfService Plus (CVSSv3 9.8), patching proves to be a difficult, time-consuming, and resource intensive process.

On September 8, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning that ManageEngine ADSelfService Plus was being actively exploited in the wild. The vulnerability is an unauthenticated Remote Code Execution: an attacker can upload files to the server and access them while bypassing authentication.

Let’s dig deeper into the context of the problem.

What is Zoho ManageEngine ADSelfService Plus?

ManageEngine ADSelfService Plus is an integrated self-service password management and single sign-on solution for cloud applications and Active Directory infrastructure.

Zoho Corp has over 50 million users around the world, and about 180 000 companies run ManageEngine services. These numbers are enough to get a better picture of the criticality of this security issue and why this vulnerability has the potential to spread across Zoho software products.  

How the Zoho ManageEngine ADSelfService Plus RCE vuln works

When a user tries to use the REST API functionality, the URLs are authenticated by the ManageEngine service. An attacker can bypass this authentication process using specially crafted URLs because those requests are improperly sanitized. This offers malicious actors a way to get unauthenticated remote code execution rights.

Because of these improper checks, a malicious actor with network access to port 443 who sends a POST request to the URL /./RestAPI/LogonCustomization with methodToCall=previewMobLogo in the request body can also bypass the security check mechanisms.
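To make the filter-versus-router mismatch concrete, here is an added illustrative model written for this article (it is not ManageEngine's code and makes no claim about how their filter is implemented): a prefix check on the raw URI beside one that decides on the canonical path the container will actually route.

```python
import posixpath
from urllib.parse import unquote

# Illustrative model of the bug class (assumption: NOT ManageEngine's code).
PROTECTED_PREFIX = "/RestAPI/"

def canonical_path(raw_uri):
    """The path the servlet container dispatches on: percent-decoded, with
    '.' and '..' segments resolved and leading slashes collapsed."""
    path = unquote(raw_uri.split("?", 1)[0])
    return "/" + posixpath.normpath(path).lstrip("/")

def requires_session_vulnerable(raw_uri):
    """Prefix-matches the raw URI: '/./RestAPI/...' does not start with
    '/RestAPI/', so the filter decides no session is needed."""
    return raw_uri.startswith(PROTECTED_PREFIX)

def requires_session_fixed(raw_uri):
    """Decide on the same canonical path the router will use."""
    return canonical_path(raw_uri).startswith(PROTECTED_PREFIX)

def anonymous_reaches_rest_api(filter_fn, raw_uri):
    """True when an unauthenticated request passes the filter but is still
    routed to a /RestAPI/ handler: that gap is the authentication bypass."""
    return (not filter_fn(raw_uri)) and canonical_path(raw_uri).startswith(PROTECTED_PREFIX)

if __name__ == "__main__":
    for uri in ("/RestAPI/LogonCustomization", "/./RestAPI/LogonCustomization"):
        print(uri,
              "vulnerable filter:", anonymous_reaches_rest_api(requires_session_vulnerable, uri),
              "fixed filter:", anonymous_reaches_rest_api(requires_session_fixed, uri))
```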

It’s no surprise that this vulnerability has been widely exploited on the internet since September 2021. What’s more, according to the Federal Bureau of Investigation (FBI), United States Coast Guard Cyber Command (CGCYBER), and the Cybersecurity and Infrastructure Security Agency (CISA), this vulnerability has been widely abused since August 2021.

It is reported that threat actors used different techniques and procedures including:

  • Frequent use of web shells [T1505.003]
  • Obfuscated and deobfuscated files [T1027 and T1140]
  • User credential disclosure [T1003]
  • Exfiltrating copies of Active Directory databases or registry hives [T1003.003]
  • Using custom encryption for C2 [T1573.001]

APT actors are using tools such as:

  • Dropper – A trojan that drops a shell on the system
  • Godzilla – A Chinese language shell
  • NGLite – A backdoor for access  

Vulnerable ManageEngine ADSelfService Plus versions

Tracked as CVE-2021-40539, this security issue affects ManageEngine ADSelfService Plus version 6113 according to the Zoho security release. It has a CVSSv3 score of 9.8 because exploiting it doesn’t require a very complex attack.

Patches have been available since September 2021 but it is very likely that there is still a significant number of vulnerable instances out there.

Business impact of CVE-2021-40539

When successfully exploited, this vulnerability allows an unauthenticated attacker to get a “full-access ticket” to the Remote Code Execution club. 

With RCE access, an attacker can easily get into the Active Directory accounts and passwords, even create their own accounts on the network. Attackers could also take over the entire domain by resetting passwords, doing massive damage to the organization.

You can detect whether your system was compromised by looking at the log files located in C:\ManageEngine\ADSelfService Plus\logs: check the access logs, look in the Java error logs for NullPointerException references in addSmartCardConfig or getSmartCardConfig, and check for the presence of webshells.
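The log review just described, as an added example that is not part of the original post: a small Python triage script that flags requests whose raw path only resolves to /RestAPI/ after dot-segment normalisation, and Java stack traces where a NullPointerException lands in addSmartCardConfig or getSmartCardConfig. The log lines are constructed samples in a generic combined-log style, not ManageEngine's actual format (adapt REQUEST_RE to your files), and the detector generalises the page's /./RestAPI/ case to any dot-segment spelling.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample lines in a generic combined-log style. Assumption: this is
# NOT the real ADSelfService Plus log format; adapt REQUEST_RE to your files.
SAMPLE_LINES = [
    '203.0.113.7 - - [09/Sep/2021:10:14:02 +0000] "GET /showLogin.cc HTTP/1.1" 200 5120',
    '203.0.113.7 - - [09/Sep/2021:10:14:05 +0000] "POST /./RestAPI/LogonCustomization HTTP/1.1" 200 311',
    '198.51.100.4 - - [09/Sep/2021:10:15:11 +0000] "POST /RestAPI/LogonCustomization HTTP/1.1" 401 0',
    '[2021-09-09 10:16:03] SEVERE java.lang.NullPointerException',
    '\tat com.example.SmartCard.addSmartCardConfig(Unknown Source)',
    '[2021-09-09 10:17:03] INFO session created for user jdoe',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/')
PROTECTED_PREFIX = "/RestAPI/"
SMARTCARD_METHODS = ("addSmartCardConfig", "getSmartCardConfig")
STACK_WINDOW = 5  # frames after an exception line that still belong to it

def canonical_path(raw_uri):
    """Resolve '.'/'..' segments and percent-encoding the way a container would."""
    path = unquote(raw_uri.split("?", 1)[0])
    return "/" + posixpath.normpath(path).lstrip("/")

def is_restapi_bypass_attempt(raw_uri):
    """Raw path differs from its canonical form yet resolves to a REST endpoint:
    the mismatch a prefix-matching auth filter fails on."""
    raw_path = unquote(raw_uri.split("?", 1)[0])
    canon = canonical_path(raw_uri)
    return canon.startswith(PROTECTED_PREFIX) and canon != raw_path

def scan_lines(lines):
    """Return (line_no, indicator, evidence) tuples for the indicators above."""
    findings, last_npe = [], None
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m and is_restapi_bypass_attempt(m.group("uri")):
            findings.append((n, "restapi-auth-bypass-request", m.group("uri")))
        if "NullPointerException" in line:
            last_npe = n  # remember the exception; its frames follow on later lines
        elif last_npe and n - last_npe <= STACK_WINDOW:
            hit = next((s for s in SMARTCARD_METHODS if s in line), None)
            if hit:
                findings.append((n, "smartcard-config-npe", hit))
                last_npe = None
    return findings

if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_LINES):
        print(finding)
```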

So how do you prove business impact for this vulnerability?

I’ll show you how to find instances that may be affected by it.

ManageEngine instances use web-based interfaces, so you can use Google Dorks to sniff out ADSelfService hosts with the following search queries:

inurl:"showLogin.cc"

How to detect CVE-2021-40539 in ethical hacking engagements

In order to detect CVE-2021-40539, I recommend following these two steps:

First, request the endpoint through the unnormalised /./RestAPI/ path (the --path-as-is flag stops curl from collapsing the "/./" segment before sending):

curl -k -s --path-as-is "https://<HOST>/./RestAPI/LogonCustomization"

From here, you need to send data in the body of the request:

curl -k -s "https://<HOST>/./RestAPI/LogonCustomization" -d "methodToCall=previewMobLogo" --path-as-is

Then, the output will look like this:

<script type="text/javascript">var d = new Date();window.parent.$("#mobLogo").attr("src","/temp/tempMobPreview.jpeg?"+d.getTime());window.parent.$("#tabLogo").attr("src","/temp/tempMobPreview.jpeg?"+d.getTime());</script>

If you’re curious to try another, much faster detection tactic, keep reading this guide.

How to detect CVE-2021-40539 using Pentest-Tools.com

The fastest and no-hassle way to validate that CVE-2021-40539 is affecting your target is to run a Network Vulnerability Scan on Pentest-Tools.com.

The tool maps all the services exposed on the network perimeter and checks them for vulnerabilities. It:

  • Scans for open ports, collecting data about the protocol, type of service, and version
  • Interrogates a database of known vulnerabilities to check whether the specific versions of the services are affected by any issues
  • Checks whether the target is indeed vulnerable, without extracting any data at this stage and with minimum interaction with the service (light version of the scanner). It sends fine-tuned requests to the services and checks the responses to discover whether they are vulnerable or not.


The light version of our Network Scanner is a faster method, but prone to returning more false positive results. For better and more accurate results, we recommend the full version of our scanner, which performs more and deeper scans to detect a wide range of vulnerabilities.  

How to mitigate CVE-2021-40539

Take immediate action and make sure to apply the existing patches in your environment, because ManageEngine has already released the fix for CVE-2021-40539.

Product Build              Fixed Version
ADSelfService Plus 6113    6114

Focus on prevention and mitigation to minimize risks and business impact  

With a worrying rise of critical vulnerabilities emerging, it gets challenging to understand and cope with this environment. But prevention and mitigation with clear, basic security measures to follow are always in our control and help us reduce or eliminate these risks.    

As an offensive security specialist, you are equipped to help your colleagues, customers, and the infosec community to find vulnerable targets and act to secure them the best they can. We’re all contributors. H*ck the system – make it better! 
