ADManager Plus Build < 7230 Elevation Of Privilege Vulnerability

# Requirements

  • A technician user with the 'Modify user general properties' role and logon access to the server where ADManager is installed.

# Description

If the technician user has logon rights on the server, they can escalate privileges to the service account or the user account that runs ADManager with high privileges. The user can create an arbitrary directory through the web application and then copy a DLL file into this directory. When ADManager is restarted, the DLL file is executed with the privileges of the user running ADManager.

# PoC

  • Log in as the technician user and click “Profile Attributes.”

  • Select “Home folder” and in the “Connect” box, type an arbitrary network path. Then enter the name of the logged-in technician user and click “Search.”

  • Capture the request using Burp Suite, modify the value of the homeDirectory parameter to ....\jre\lib\ext\amd64, and forward the request.

  • Select the technician user and click “Apply.”

  • A directory named “amd64” will be created under C:\Program Files\ManageEngine\ADManager Plus\jre\lib\ext. The technician user will have Full Control permissions over the “amd64” directory.

  • Create malicious DLL files named sunmscapi.dll or sunec.dll to obtain a reverse shell.

  • Log in to the server where ADManager is installed as the technician user. Copy a DLL file into the directory C:\Program Files\ManageEngine\ADManager Plus\jre\lib\ext\amd64. Normally, the user cannot copy files directly under C:\Program Files\ManageEngine\ADManager Plus\jre\lib\ext due to insufficient privileges. However, by exploiting the arbitrary directory creation vulnerability, the user obtains write access to the “amd64” subdirectory and is able to copy the malicious files.

  • Once ADManager is restarted, the malicious DLL will be executed, resulting in a reverse shell with elevated privileges.
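As an added example (not part of this advisory or of ManageEngine's own tooling), the following PowerShell audit lists non-administrative identities that hold write access anywhere under the JRE extension directory, and enumerates the DLLs present there with their Authenticode status, so a defender can spot the writable subdirectory and the dropped file described in the steps above. It assumes the default install path quoted in the PoC; adjust $ExtDir for other installations.

```powershell
# Added audit script (not from the advisory). Assumption: default ADManager Plus install path.
$ExtDir = 'C:\Program Files\ManageEngine\ADManager Plus\jre\lib\ext'

# Identities that are expected to hold write access under Program Files.
$Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')

# Any of these rights lets a principal drop or replace a DLL.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

# Check the ext directory itself plus every subdirectory (an unexpected one such as
# the 'amd64' folder created in the PoC shows up here).
$Dirs = @(Get-Item -LiteralPath $ExtDir) + @(Get-ChildItem -LiteralPath $ExtDir -Directory -Recurse)

foreach ($dir in $Dirs) {
    $acl = Get-Acl -LiteralPath $dir.FullName
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Trusted -contains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteRights) -ne 0) {
            Write-Warning ("Writable by {0}: {1} ({2})" -f $ace.IdentityReference, $dir.FullName, $ace.FileSystemRights)
        }
    }
}

# List every DLL under ext with its signature status; an unsigned or unknown-signer
# DLL in a recently created subdirectory is the artefact this advisory describes.
Get-ChildItem -LiteralPath $ExtDir -Recurse -Filter *.dll | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    [pscustomobject]@{
        Path      = $_.FullName
        Created   = $_.CreationTime
        Signature = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
    }
} | Format-Table -AutoSize
```

Run it as an administrator on the ADManager Plus host; any warning line or any DLL that is not Valid and signed by the JRE vendor warrants removing the write grant and the file before the service is next restarted.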
