# Exploit Title: ManageEngine ADManager Plus Build < 7210 Elevation of Privilege Vulnerability
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://www.manageengine.com/
# Software Link: https://www.manageengine.com/products/ad-manager/
# Details: https://docs.unsafe-inline.com/0day/admanager-plus-build-less-than-7210-elevation-of-privilege-vulnerability-cve-2024-24409
# Version: ADManager Plus Build < 7210
# Tested against: Build 7203
# CVE: CVE-2024-24409

# Description

Modify Computers is a predefined role in ADManager Plus for managing computers. A technician user who holds the Modify Computers privilege over a computer can change the userAccountControl and msDS-AllowedToDelegateTo attributes of that computer object. In this way, the technician user can set Constrained Kerberos Delegation on any computer within the Organizational Unit that was delegated to them.

Contrary to what ADManager claims, a user who holds the Modify Computers role can change the privilege level of computer objects in Active Directory. Constrained Kerberos Delegation can be set for any service, such as the CIFS, LDAP or HOST services, and the user can then access those services by abusing the delegation. In addition, Unconstrained Kerberos Delegation can be set on computer objects by changing the userAccountControl attribute.

Normally, only users that hold the SeEnableDelegationPrivilege right can set Constrained Kerberos Delegation, and only members of the BUILTIN\Administrators group hold this right by default. A user delegated over an Organizational Unit cannot set Constrained Kerberos Delegation even if they have the GenericAll right over a computer account, because the delegation process in Active Directory does not grant this privilege. However, the technician user can effectively exercise the SeEnableDelegationPrivilege right via the Modify Computers role.

# Vulnerability reasons

1. ADMP web application authorization issue: assigning the predefined Modify Computers role unexpectedly delegates to the technician user the ability to modify custom attributes of computers. Even though the UI shows this privilege as not granted, the Additional Custom Attribute property is assigned, which results in a broken access control vulnerability.

2. There is no restriction on editing the userAccountControl and msDS-AllowedToDelegateTo attributes of computer objects. The ADMP application performs changes with domain admin privileges by design, so once some restrictions (e.g. the expected format of an attribute value) are bypassed, the requests are applied with domain admin privileges. This is how the userAccountControl and msDS-AllowedToDelegateTo attributes can be edited.

# Impact

A technician user elevates privileges from Domain User to Domain Admin. For example, the user can set Constrained Kerberos Delegation on CLIENT1$ for the CIFS service of the domain controller and then access that CIFS service. As a result, a user who was only delegated to manage CLIENT1$ can unexpectedly access the CIFS service of the domain controller while impersonating another user.

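The attributes named above (userAccountControl delegation flags and msDS-AllowedToDelegateTo) are exactly what a defender should audit after reading this advisory. The following is an added example, not code from the advisory or from ManageEngine: it decodes the well-known userAccountControl delegation bits, flags computers with constrained, protocol-transition or unconstrained delegation, treats delegation to a (hypothetical) tier-0 host list as high risk, and diffs two snapshots to surface delegation that was newly introduced. The computer records, host names and SPNs are constructed for the example.

```python
"""Audit Active Directory computer objects for Kerberos delegation settings.

Added example, not part of the original advisory. Records are plain Python
objects standing in for the attributes an LDAP export would contain; in a
real audit they would be read from the directory.
"""
from dataclasses import dataclass, field

# Well-known userAccountControl flag bits (documented Microsoft values).
WORKSTATION_TRUST_ACCOUNT = 0x1000          # ordinary domain-joined computer
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

# Hypothetical list of tier-0 hosts; delegation to these is the highest risk.
TIER0_HOSTS = {"dc01.example.local"}


@dataclass
class Computer:
    sam_account_name: str
    user_account_control: int
    # Contents of msDS-AllowedToDelegateTo: one SPN per entry.
    allowed_to_delegate_to: list[str] = field(default_factory=list)


def delegation_findings(c: Computer) -> list[str]:
    """Return a human-readable finding for every delegation setting on c."""
    findings = []
    if c.user_account_control & TRUSTED_FOR_DELEGATION:
        findings.append("unconstrained delegation (TRUSTED_FOR_DELEGATION)")
    if c.user_account_control & TRUSTED_TO_AUTH_FOR_DELEGATION:
        findings.append("protocol transition (TRUSTED_TO_AUTH_FOR_DELEGATION)")
    for spn in c.allowed_to_delegate_to:
        service, _, host = spn.partition("/")
        host = host.split(":")[0].lower()  # drop any port, normalise case
        level = "tier-0 target" if host in TIER0_HOSTS else "target"
        findings.append(f"constrained delegation to {service.lower()}/{host} ({level})")
    return findings


def audit(computers: list[Computer]) -> dict[str, list[str]]:
    """Map each computer that has any delegation configured to its findings."""
    result = {}
    for c in computers:
        f = delegation_findings(c)
        if f:
            result[c.sam_account_name] = f
    return result


def new_delegations(baseline: list[Computer], current: list[Computer]) -> dict[str, list[str]]:
    """Findings present now that were absent from the earlier snapshot.

    A Modify Computers technician abusing this issue shows up here as a
    workstation that suddenly gained delegation rights.
    """
    before = audit(baseline)
    after = audit(current)
    changes = {}
    for name, findings in after.items():
        added = [f for f in findings if f not in before.get(name, [])]
        if added:
            changes[name] = added
    return changes


# Constructed sample snapshots: CLIENT1$ gains constrained delegation to the
# DC's CIFS service between the two snapshots; CLIENT2$ was already unconstrained.
BASELINE = [
    Computer("CLIENT1$", WORKSTATION_TRUST_ACCOUNT),
    Computer("CLIENT2$", WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION),
    Computer("CLIENT3$", WORKSTATION_TRUST_ACCOUNT),
]
CURRENT = [
    Computer("CLIENT1$", WORKSTATION_TRUST_ACCOUNT, ["cifs/DC01.example.local"]),
    Computer("CLIENT2$", WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION),
    Computer("CLIENT3$", WORKSTATION_TRUST_ACCOUNT),
]

if __name__ == "__main__":
    for name, findings in audit(CURRENT).items():
        print(name, "->", "; ".join(findings))
    print("newly introduced:", new_delegations(BASELINE, CURRENT))
```

Running this against periodic LDAP exports turns the advisory's impact scenario (a workstation account acquiring delegation to a domain controller service) into a concrete alert rather than something discovered after the fact.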
# Proof Of Concept

https://docs.unsafe-inline.com/0day/admanager-plus-build-less-than-7210-elevation-of-privilege-vulnerability-cve-2024-24409