Security research

How to detect the Zoho ManageEngine ADSelfService Plus RCE (CVE-2021-40539)

Publisher
Pentest-Tools.com

Overwhelmed by so many high-risk vulnerabilities that emerge? Thousands of them are disclosed every year and 2021 is no exception.

Systems are complex, cyber-attacks get more sophisticated, and patching is still a challenge for many organizations. As infosec pros, it’s our responsibility to help companies (and individuals) understand the real implications and impact of a critical vulnerability and help them find it before it gets worse.

That’s what this article is all about.   

When you tackle a critical CVE like an unauthenticated RCE in a service like Zoho ManageEngine ADSelfService Plus (CVSSv3 9.8), patching proves to be a difficult, time-consuming, and resource-intensive process.

On September 8, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning that ManageEngine ADSelfService Plus was being actively exploited in the wild. The vulnerability is an unauthenticated Remote Code Execution: an attacker can upload files to the server and access them while bypassing the authentication checks.

Let’s dig deeper into the context of the problem.

What is Zoho ManageEngine ADSelfService Plus?

ManageEngine ADSelfService Plus is an integrated self-service password management and single sign-on solution for cloud applications and Active Directory infrastructure.

Zoho Corp has over 50 million users around the world, and about 180 000 companies run ManageEngine services. These numbers are enough to get a better picture of the criticality of this security issue and why this vulnerability has the potential to spread across Zoho software products.  

How the Zoho ManageEngine ADSelfService Plus RCE vuln works

When a user tries to use the REST API functionality, the URLs are authenticated by the ManageEngine service. An attacker can bypass this authentication process using specially crafted URLs because those requests are improperly sanitized. This offers malicious actors a way to get unauthenticated remote code execution rights.

Because of improper checks, a malicious actor with network access to port 443 who sends a POST request to the URL /./RestAPI/LogonCustomization with the data methodToCall=previewMobLogo in the body of the request can also bypass the security check mechanisms.

It’s no surprise that this vulnerability has been widely exploited on the internet since September 2021. What’s more, according to the Federal Bureau of Investigation (FBI), the United States Coast Guard Cyber Command (CGCYBER), and the Cybersecurity and Infrastructure Security Agency (CISA), this vulnerability has been widely abused since August 2021.

It is reported that threat actors used different techniques and procedures including:

  • Frequently used web shells [T1505.003]

  • Obfuscated and deobfuscated files [T1027 and T1140]

  • User credential disclosure [T1003]

  • Exfiltrating copies of Active Directory databases or registry hives [T1003.003]

  • Using custom encryption for C2 [T1573.001]

APT actors are using tools such as:

  • Dropper – A trojan that drops a shell on the system

  • Godzilla – A Chinese language shell

  • NGLite – A backdoor for access  

Vulnerable ManageEngine ADSelfService Plus versions

Tracked as CVE-2021-40539, this security issue affects ManageEngine ADSelfService Plus version 6113 according to the Zoho security release. It has a CVSSv3 score of 9.8 because exploiting it doesn’t require a very complex attack.

Patches have been available since September 2021 but it is very likely that there is still a significant number of vulnerable instances out there.

The business impact of CVE-2021-40539

When successfully exploited, this vulnerability allows an unauthenticated attacker to get a “full-access ticket” to the Remote Code Execution club. 

With RCE access, an attacker can easily get into the Active Directory accounts and passwords, and even create their own accounts on the network. Attackers could also take over the entire domain by resetting passwords, doing massive damage to the organization.

You can detect whether your system was compromised by looking at the log files located at C:\ManageEngine\ADSelfService Plus\logs, specifically the access logs and the Java error logs that include references to NullPointerException in addSmartCardConfig or getSmartCardConfig, and by checking for the presence of web shells.
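As an added example (not from the article or from Pentest-Tools.com), a small Python scanner for the two log indicators named above: a Java NullPointerException trace that names addSmartCardConfig or getSmartCardConfig, and access-log lines requesting the /./RestAPI/ bypass path. The function names, the 25-line stack-trace window, the assumption that the access log records the request path unnormalised, and the sample log lines are all constructed for this example.

```python
import re
from pathlib import Path

# Indicators named in the article. Assumption: the access log records the
# request path as received, so the '/./RestAPI/' segment is visible there.
NPE = re.compile(r"\bNullPointerException\b")
SMARTCARD = re.compile(r"\b(addSmartCardConfig|getSmartCardConfig)\b")
RESTAPI_BYPASS = re.compile(r"/\./RestAPI/", re.IGNORECASE)

# Constructed sample log; the stack-frame class name is illustrative only.
SAMPLE_LOG = """\
[15/Sep/2021:10:02:11] "POST /./RestAPI/LogonCustomization HTTP/1.1" 200 312
SEVERE: Unhandled exception in servlet
java.lang.NullPointerException
    at SmartCardConfig.addSmartCardConfig(Unknown Source)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:652)
"""


def scan_lines(lines, source="<memory>", window=25):
    """Yield (source, line_no, indicator, line) for every indicator hit.

    The NPE and the frame naming the method sit on different lines of a Java
    stack trace, so the NPE is remembered and matched within `window` lines.
    """
    npe_at = None
    for no, line in enumerate(lines, 1):
        if NPE.search(line):
            npe_at = no
        elif npe_at is not None and no - npe_at <= window and SMARTCARD.search(line):
            yield source, no, "npe_smartcard", line.rstrip()
            npe_at = None
        if RESTAPI_BYPASS.search(line):
            yield source, no, "restapi_bypass", line.rstrip()


def scan_log_dir(log_dir=Path(r"C:\ManageEngine\ADSelfService Plus\logs")):
    """Scan every *.log / *.txt file under the ADSelfService Plus logs folder."""
    hits = []
    for path in sorted(log_dir.rglob("*")):
        if path.suffix.lower() in (".log", ".txt"):
            with path.open(encoding="utf-8", errors="replace") as fh:
                hits.extend(scan_lines(fh, str(path)))
    return hits


if __name__ == "__main__":
    for src, no, kind, text in scan_lines(SAMPLE_LOG.splitlines()):
        print(f"{src}:{no} [{kind}] {text}")
```

A hit on either indicator is a reason to pull the full logs and look for web shells, not proof of compromise on its own.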

So how do you prove the business impact of this vulnerability?

I’ll show you how to find instances that may be affected by it.

ManageEngine instances use web-based interfaces, so you can use Google Dorks to sniff out ADSelfService hosts with the following search queries:

inurl:"showLogin.cc"


How to detect CVE-2021-40539 in ethical hacking engagements

In order to detect CVE-2021-40539, I recommend following these two steps:

curl -k -s "https://<HOST>/./RestAPI/LogonCustomization"

From here, you need to send data in the body of the request.

curl -k -s --path-as-is "https://<HOST>/./RestAPI/LogonCustomization" -d "methodToCall=previewMobLogo"

Then, the output will look like this:

<script type="text/javascript">
var d = new Date();
window.parent.$("#mobLogo").attr("src","/temp/tempMobPreview.jpeg?"+d.getTime());
window.parent.$("#tabLogo").attr("src","/temp/tempMobPreview.jpeg?"+d.getTime());
</script>
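As an added example (not from the article or from Pentest-Tools.com), the two curl steps above wrapped in a Python script; it uses http.client because that module sends the "/./" path segment verbatim, the same reason the curl command needs --path-as-is. The function names check_logon_customization and looks_vulnerable, and the rule that a vulnerable reply is an HTTP 200 containing the tempMobPreview.jpeg reference from the sample output, are assumptions.

```python
import http.client
import re
import ssl
import sys

# Values taken from the article's curl commands.
BYPASS_PATH = "/./RestAPI/LogonCustomization"
BYPASS_BODY = "methodToCall=previewMobLogo"
# Assumption: the preview-image reference from the article's sample response
# only appears when the unauthenticated request reached the handler.
MARKER = re.compile(r"tempMobPreview\.jpeg")


def looks_vulnerable(status: int, body: str) -> bool:
    """True when the reply matches the vulnerable response shown in the article."""
    return status == 200 and MARKER.search(body) is not None


def check_logon_customization(host, port=443, timeout=10.0):
    """POST the detection request and return (status, body).

    http.client sends the request-target verbatim, so the '/./' segment is
    preserved; clients that normalise dot segments would silently test the
    wrong path (the reason the curl command needs --path-as-is).
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # like curl -k: appliances often use self-signed certs
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("POST", BYPASS_PATH, body=BYPASS_BODY,
                     headers={"Content-Type": "application/x-www-form-urlencoded"})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", errors="replace")
    finally:
        conn.close()


if __name__ == "__main__":
    target = sys.argv[1]
    status, body = check_logon_customization(target)
    verdict = "VULNERABLE" if looks_vulnerable(status, body) else "not vulnerable / inconclusive"
    print(f"{target}: HTTP {status} -> {verdict}")
```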

If you’re curious to try another, much faster detection tactic, keep reading this guide.

How to detect CVE-2021-40539 using Pentest-Tools.com

The fastest and no-hassle way to validate that CVE-2021-40539 is affecting your target is to run a Network Vulnerability Scan on Pentest-Tools.com.

The tool maps all the services exposed on the network perimeter and checks for potential vulnerabilities such as:

  • Scans for open ports, collecting data about the protocol, type of service, and version

  • Interrogates a database with known vulnerabilities to check if specific versions of the services are affected by any issues

  • Checks if the target is indeed vulnerable – without extracting any data at this stage, but applying minimum interaction with the service (light version of the scanner). It fine-tunes requests to the services and checks the responses to discover whether the target is vulnerable or not.

How an ADSelfService Plus vulnerability appears in Pentest-Tools.com

The light version of our Network Scanner is a faster method, but prone to returning more false-positive results. For better and more accurate results, we recommend the full version of our scanner, which performs more and deeper scans to detect a wide range of vulnerabilities.  

How to mitigate CVE-2021-40539

Take immediate action and make sure to apply the existing patches in your environment, because ManageEngine has already released the fix for CVE-2021-40539.

Product Build              Fixed Version
ADSelfService Plus 6113    6114

Focus on prevention and mitigation to minimize risks and business impact  

With a worrying rise of critical vulnerabilities emerging, it gets challenging to understand and cope with this environment. But prevention and mitigation with clear, basic security measures to follow are always in our control and help us reduce or eliminate these risks.    

As an offensive security specialist, you are equipped to help your colleagues, customers, and the infosec community to find vulnerable targets and act to secure them the best they can. We’re all contributors. H*ck the system – make it better! 


© 2013-2024 Pentest-Tools.com