Security researcher Naveen Sunkavally from Horizon3.ai uncovered the technical details and published proof-of-concept exploit code for a high-severity vulnerability (CVE-2022-28219) in Zoho ManageEngine ADAudit Plus, a compliance tool used by enterprises to monitor changes to Active Directory.
Using this vulnerability, a cybercriminal can gain remote access to sensitive information. The flaw exists due to insufficient validation of user-supplied XML input. A remote attacker can pass specially crafted XML to the affected application and view the contents of arbitrary files on the system or initiate requests to external systems.
According to Sunkavally, he found an endpoint managed by the CewolfRenderer servlet in the third-party Cewolf charting library. This fact interested him, and he decided to dig deeper.
It turned out that this was the same vulnerable endpoint as in CVE-2020-10189, reported by researcher Steven Seeley against ManageEngine Desktop Central. According to Sunkavally, the FileStorage class in this library was abused in that earlier case for remote code execution via untrusted Java deserialization.
First, the researcher worked out how to execute code remotely. The next step was to find a way to upload files without authentication. Sunkavally discovered that some ADAudit Plus endpoints, used by agents running on monitored machines to upload security events, did not require authentication. He then managed to trigger a blind XXE vulnerability in the ProcessTrackingListener class, which handles events containing Windows scheduled task XML content.
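The root cause described above is XML accepted from an unauthenticated source and parsed with DTD and entity processing left enabled. The following Python snippet is an added example, not code from the article or from ManageEngine, showing the defensive parser configuration for such an endpoint: any DOCTYPE or entity declaration in agent-supplied XML (such as the scheduled-task XML that ProcessTrackingListener handles) is refused before the document is parsed, which removes both the file-read and the outbound-request paths regardless of whether the result would be reflected in the response (the "blind" case). The Windows task namespace is real; the sample task documents, the placeholder path and the function names are constructed for this example.

```python
"""Hardened handling of untrusted XML for an event-ingestion endpoint (added
example, not the product's code).  Uses only the standard library."""
import xml.etree.ElementTree as ET
import xml.parsers.expat
from typing import Optional

# Real namespace used by Windows scheduled task XML documents.
TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"

# Constructed sample of the kind of task XML an agent might forward.
BENIGN_TASK_XML = rb"""<?xml version="1.0" encoding="UTF-8"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Windows\System32\notepad.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed sample carrying a DOCTYPE with an external entity; the system id
# is a placeholder.  A hardened parser must refuse this before any resolution.
HOSTILE_TASK_XML = rb"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Task [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER_PATH"> ]>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>&ext;</Command></Exec></Actions>
</Task>"""


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or entity declaration."""


def _refuse_doctype(name, system_id, public_id, has_internal_subset):
    # Fires as soon as expat sees <!DOCTYPE ...>, before any subset is read.
    raise UnsafeXMLError(f"DOCTYPE refused (root {name!r}, system id {system_id!r})")


def _refuse_entity(*_args):
    raise UnsafeXMLError("entity declaration refused")


def _refuse_external_ref(*_args):
    raise UnsafeXMLError("external entity reference refused")


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse agent-supplied XML with every DTD construct rejected up front.

    A plain expat pass with refusing handlers runs first; only if the document
    contains no DOCTYPE/entity constructs is it handed to ElementTree.
    """
    scanner = xml.parsers.expat.ParserCreate()
    scanner.StartDoctypeDeclHandler = _refuse_doctype
    scanner.EntityDeclHandler = _refuse_entity
    scanner.ExternalEntityRefHandler = _refuse_external_ref
    scanner.Parse(data, True)  # UnsafeXMLError / ExpatError propagate to the caller
    return ET.fromstring(data)


def classify_submission(data: bytes) -> str:
    """Return an accept/reject verdict suitable for logging at the endpoint."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXMLError:
        return "rejected:doctype"
    except (xml.parsers.expat.ExpatError, ET.ParseError):
        return "rejected:malformed"
    return "accepted"


def task_command(root: ET.Element) -> Optional[str]:
    """Extract Actions/Exec/Command from a parsed task document, namespace-aware."""
    path = f"{{{TASK_NS}}}Actions/{{{TASK_NS}}}Exec/{{{TASK_NS}}}Command"
    node = root.find(path)
    return None if node is None else (node.text or "").strip()


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_TASK_XML), ("hostile", HOSTILE_TASK_XML)):
        print(label, "->", classify_submission(doc))
    print("command:", task_command(parse_untrusted_xml(BENIGN_TASK_XML)))
```

Every `rejected:doctype` verdict is worth logging and alerting on: legitimate agents never send a DTD with event XML, so its presence on an unauthenticated ingestion endpoint is a direct indicator of probing for this class of bug. Refusing DTDs outright, rather than trying to allow "safe" ones, is the same recommendation OWASP gives for XXE prevention and is what makes the blind variant harmless as well.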
A malicious actor can attack the affected ADAudit Plus instance, obtain Active Directory credentials and use that access to infect every system connected to the network with malware.