Zoho ManageEngine ADAudit Plus bug gets public RCE exploit

by ITECHNEWS
July 4, 2022
in Infosec, Leading Stories
Security researchers have published technical details and proof-of-concept exploit code for CVE-2022-28219, a critical vulnerability in Zoho ManageEngine ADAudit Plus, a tool for monitoring activity in Active Directory.

The vulnerability allows an unauthenticated attacker to execute code remotely and compromise Active Directory accounts. It comes with a critical severity score of 9.8 out of 10.

Zoho addressed the issue at the end of March in ADAudit Plus build 7060 after security researcher Naveen Sunkavally at Horizon3.ai reported it to the company.

Executing code remotely

Earlier this week, Horizon3.ai published a blog post explaining the technical aspects behind CVE-2022-28219 along with proof-of-concept exploit code that demonstrates the findings.

The vulnerability consists of three issues: untrusted Java deserialization, path traversal, and a blind XML External Entities (XXE) injection. Chained together, they lead to remote code execution without authentication.

The researcher started the investigation after finding an endpoint managed by the CewolfRenderer servlet in the third-party Cewolf charting library.

“This is the same vulnerable endpoint from CVE-2020-10189, reported by @steventseeley against ManageEngine Desktop Central. The FileStorage class in this library was abused for remote code execution via untrusted Java deserialization” – Naveen Sunkavally

Looking closer at the library, the researcher discovered that it did not sanitize input paths, leaving the door open to deserializing a Java payload in an arbitrary location on the disk.

Bypassing authentication, stealing logins

Once Sunkavally found a way to execute code remotely, he started to look for methods to upload files without authentication and found that some ADAudit Plus endpoints used by agents running on the machine to upload security events did not require authentication.

“This gave us a large attack surface to work with because there’s a lot of business logic that was written to process these events” – Naveen Sunkavally

The researcher then found a way to trigger a blind XXE vulnerability in the ProcessTrackingListener class in charge of managing events with Windows scheduled task XML content.

Sunkavally notes that blind XXE vulnerabilities in Java can be difficult to exploit. However, his work was made easier because ADAudit Plus shipped with an older Java runtime, which allowed him to list directories and transfer files over FTP as well as upload files.

The researcher says that ADAudit Plus ships with Java 8u051 by default, and he found that three quarters of the installations are running an older Java runtime version.

Sunkavally’s investigation also revealed that an attacker could collect and relay NTLM hashes from Windows machines regardless of the Java runtime version or the XXE vulnerability.

“This is because the Java HTTP client will attempt to authenticate over NTLM if it connects to a server requiring NTLM to authenticate,” Sunkavally explains.

To show the validity of these findings, Horizon3.ai published code that exploits CVE-2022-28219 in ManageEngine ADAudit Plus builds before 7060 to execute the calculator app in Windows.

An attacker targeting a vulnerable ADAudit Plus instance could also obtain Active Directory credentials and use that access to distribute malware to every machine on the network.

Although ADAudit Plus stores the credentials in an encrypted state, the researcher says that “it’s possible to reverse the encryption to access these credentials in the clear.”

Since many users run ADAudit Plus auditing with Domain Admin credentials, a threat actor could grab those logins and use them to further the attack.

While this is an easier path, creating separate service accounts with limited privileges is a more secure method.

Source: Ionut Ilascu
Via: bleepingcomputer