Skip to content

Search the site

"Audit this": Active Directory audit tool had a pre-auth RCE-shaped hole in it

Quis custodiet, something something... Unauthenticated remote route to domain admin anyhow.

A compliance tool used by many enterprises to monitor changes to Active Directory -- Microsoft's ubiquitous directory and identity management service used to control access to network resources -- was riddled with vulnerabilities that gave an unauthenticated remote attacker the ability to execute code of their choosing and a pathway to AD domain administrator, security researchers revealed this week in some troubling research.

The vulnerabities were in Zoho ManageEngine ADAudit Plus and allocated CVE-2022-28219. They were reported by US security firm Horizon3.ai which said it regularly encounters the product in penetration tests and that it could be an attractive target to attackers "because of the privileged access [it has] to Active Directory."

A large part of the vulnerability stems from Zoho's implementation of the `CewolfServlet` servlet that was responsible for another pre-auth RCE zero day in the same vendor's ManageEngine Desktop Central in 2020.

The issue(s) was fixed on March 30, 2020 but Horizon3.ai has now published an extensive writeup into the vulnerability. As ever, threat actors tend to analyse such research too and users who have not patched are urged to do so. The affected vendor described the ManageEngine ADAudit Plus vulnerability in its advisory as including "vulnerable endpoints that allowed an unauthenticated attacker to exploit XML External Entities (XXE), Java deserialization and path traversal vulnerabilities. The chain could be leveraged to unauthenticated remote code execution..."

Users should update their ADAudit Plus instance to build 7060 using the service pack.

Zoho ManageEngine ADAudit Plus vulnerability details

Detailing its work on the  Zoho ManageEngine ADAudit Plus vulnerability, Horizon3.ai said it was "surprised to see the presence of a /cewolf endpoint handled by the CewolfRenderer servlet in the third-party Cewolf charting library. This is the same vulnerable endpoint from CVE-2020-10189, reported by @steventseeley against ManageEngine Desktop Central. The FileStorage  class in this library was abused for remote code execution via untrusted Java deserialization" adding that "one of the features of ADAudit Plus is the ability to collect security events from agents running on other machines in the domain. To our surprise, we found that a few of the endpoints that agents use to upload events to ADAudit Plus were unauthenticated. This gave us a large attack surface to work with..."

"The only pre-requisite that an attacker needs to know ahead of time is the name of the fully qualified Windows domain that the ADAudit Plus application is monitoring. This is trivial for attackers to discover."

The security researchers were further aided in finding a clear attack path by the old Java runtime bundled with ADAudit Plus (by default ADAudit Plus ships with Java 8u051): "With the old Java runtime, we found the blind XXE can be used to do all of the following: exfiltrate files over FTP; get directory listings over FTP; upload files!"

In the wild ~3/4 of the vulnerable ADAudit Plus installs are using the old runtime.

To give Zoho its credit the company confirmed the vulnerability the same day as Horizon3.ai made its disclosure and had a build out with a fix within 48 hours. Other companies, take note...

The technical writeup from Horizon3.ai is here.

See also -- From C2 to C3: Hackers are getting esoteric when covering footprints, calling home

Latest