ADManager Plus Build < 7210 Elevation of Privilege Vulnerability (CVE-2024-24409)

Last updated 5 months ago

# Description

Modify Computers is a predefined role in ADManager Plus for managing computers. If a technician user has the Modify Computers privilege over a computer, they can change the userAccountControl and msDS-AllowedToDelegateTo attributes of the computer object. In this way, the technician user can set Constrained Kerberos Delegation on any computer within the Organizational Unit delegated to them.

Contrary to what ADManager claims, a user who has the Modify Computers role can change the privileges of computer objects in Active Directory. Constrained Kerberos Delegation can be set for any service, such as the CIFS, LDAP or HOST services, and the user can then access these services by abusing the delegation. In addition, Unconstrained Kerberos Delegation can be set on computer objects by changing the userAccountControl attribute. Normally, only users that hold the SeEnableDelegationPrivilege can set Constrained Kerberos Delegation, and by default only members of the BUILTIN\Administrators group have this privilege. A user delegated control of an Organizational Unit cannot set Constrained Kerberos Delegation even with the GenericAll right over a computer account, so delegation in Active Directory does not grant this privilege. However, the technician user effectively exercises the SeEnableDelegationPrivilege through the Modify Computers role.

# Vulnerability reasons

  • ADMP Web App authorization issue: Assigning the predefined Modify Computers role unexpectedly allows the technician user to modify custom attributes of computer objects. Although the UI does not show this privilege as granted, the Additional Custom Attribute property is assigned, which leads to a broken access control vulnerability.

  • There is no restriction on editing the userAccountControl and msDS-AllowedToDelegateTo attributes of computer objects. By design, the ADMP application applies changes with Domain Admin privileges, so if some restrictions (e.g. the format of an attribute value) can be bypassed, the requests are still applied with Domain Admin privileges. This way the userAccountControl and msDS-AllowedToDelegateTo attributes can be edited.

# Impact

A technician user elevates privileges from Domain User to Domain Admin. After configuring Constrained Kerberos Delegation on a computer for the LDAP service of the domain controller, the user can fetch the krbtgt account hash using a DCSync attack. As another example, the user can set Constrained Kerberos Delegation on CLIENT1$ for the CIFS service of the DC and then access that CIFS service. As a result, a user who was only delegated to manage CLIENT1$ can unexpectedly access the CIFS service of the domain controller while impersonating another user.
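As an added defender-side example (not part of the advisory or the author's PoC), the following Python audit decodes userAccountControl and msDS-AllowedToDelegateTo on an exported set of computer objects and flags the delegation configurations described above; the SAMPLE records and the dc01.corp.local host name are constructed.

```python
"""Audit computer objects for Kerberos delegation settings that abuse of the
ADManager Plus Modify Computers role (CVE-2024-24409) would leave behind."""
import re

# userAccountControl bits relevant to Kerberos delegation (MS-ADTS / MS-SAMR).
UF_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation, protocol transition

# DC services that an ordinary workstation should never be allowed to delegate to.
SENSITIVE_SERVICES = {"ldap", "cifs", "host"}

def _parse_spn(spn):
    """Split service/host[:port][/name] into (service, host), lower-cased."""
    m = re.match(r"^([^/]+)/([^/:]+)", spn)
    return (m.group(1).lower(), m.group(2).lower()) if m else (None, None)

def assess_computer(entry, dc_hosts):
    """Return findings for one computer object given as a dict of LDAP attributes."""
    findings = []
    uac = int(entry.get("userAccountControl", 0))
    targets = entry.get("msDS-AllowedToDelegateTo", [])
    if uac & UF_TRUSTED_FOR_DELEGATION:
        findings.append("unconstrained delegation enabled (TRUSTED_FOR_DELEGATION)")
    if targets and uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
        findings.append("constrained delegation with protocol transition (TRUSTED_TO_AUTH_FOR_DELEGATION)")
    for spn in targets:
        service, host = _parse_spn(spn)
        if service in SENSITIVE_SERVICES and host in dc_hosts:
            findings.append(f"delegation to {spn} on a domain controller")
    return findings

def audit(entries, dc_hosts):
    """Map sAMAccountName -> findings for every computer that has at least one."""
    dc_hosts = {h.lower() for h in dc_hosts}
    result = {}
    for e in entries:
        findings = assess_computer(e, dc_hosts)
        if findings:
            result[e["sAMAccountName"]] = findings
    return result

# Constructed sample export (not real directory data) mirroring the CLIENT1$ scenario.
SAMPLE = [
    {"sAMAccountName": "CLIENT1$", "userAccountControl": 16781312,  # 0x1000 | 0x1000000
     "msDS-AllowedToDelegateTo": ["cifs/dc01.corp.local", "ldap/dc01.corp.local"]},
    {"sAMAccountName": "CLIENT2$", "userAccountControl": 4096, "msDS-AllowedToDelegateTo": []},
    {"sAMAccountName": "FILESRV$", "userAccountControl": 528384},  # 0x1000 | 0x80000
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE, ["dc01.corp.local"]).items():
        print(name, "->", "; ".join(issues))
```

In a live environment the entries would come from an LDAP export of the delegated OU and dc_hosts from the Domain Controllers container; any hit on a workstation account is worth correlating with ADManager Plus audit logs.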

# Proof Of Concept

Tested against ADManager Plus Build 7203

The attacker user can perform a DCSync attack after adding Constrained Kerberos Delegation for the LDAP service, given one of the following prerequisites:

  • Scenario 1: The attacker has local admin rights over a computer and can manage this computer with the “Modify Computers” role in ADManager Plus.
  • Scenario 2: The attacker adds a computer to Active Directory (MAQ, delegation) and manages this computer with the “Modify Computers” role.
  • Scenario 3: The attacker can dump the NT hash of a computer account (with mimikatz, secretsdump, etc.) and manage this computer with the “Modify Computers” role.

# Author: Metin Yunus Kandemir
GitHub - passtheticket/CVE-2024-24409: ADManager Plus Build < 7210 Elevation of Privilege Vulnerability