CVE-2022-28810 In Zoho ManageEngine ADSelfService Plus before build 6122, a remote authenticated admin can execute operating system commands as SYSTEM.

Zoho ADSelfService Plus allows administrators to define custom scripts that are run when an event occurs. These scripts can be used to perform operations such as sending notification emails or modifying system settings. They run in the context of the ADSelfService Plus instance that received the event, so a custom script created by a user with administrative privileges can be run as SYSTEM, with the privileges of the ADSelfService Plus user. Zoho ADSelfService Plus 6.0.x before build 6122 ships with a default administrator password, which makes this vulnerability especially dangerous: on a default installation, an attacker who knows that password may be able to run custom scripts with SYSTEM privileges.

Step 1: Install Zoho ADSelfService Plus 6.0.x before build 6122

Any installation of Zoho ADSelfService Plus 6.0.x before build 6122 is affected.

How to Fix Zoho ADSelfService Plus Self-Service Scripts

This vulnerability requires an attacker to have administrative privileges on the affected system. To remediate it, administrators should create a new ADSelfService Plus user with restricted privileges rather than SYSTEM. Administrators should also replace the default password with a custom one by connecting to their Zoho ADSelfService Plus instance and changing the password in the Security tab of the Administration interface.

Solution:

Zoho ADSelfService Plus 6.0.x before build 6122 should be updated to a fixed version (build 6122 or later) as soon as possible.

Installation of ADSelfService Plus

1. Install the ADSelfService Plus application either using the Zoho Platform App Store or by downloading it from the Zoho website.
2. Open the ADSelfService Plus application and log in with a valid administrator account.
3. Wait for a few minutes while the ADSelfService Plus instance is created.
4. While your instance is still active, go to Settings -> Scripts and click on "Add Script".
5. Enter a name for your script and press the Save button to save it in your ADSelfService Plus instance's scripts folder (typically C:\Users\username\AppData\Roaming\Zoho\ADSelf Service Plus\scripts).
6. Navigate to the newly created script in your scripts folder and rename it "powershell_script".
7. Open Notepad and paste the following script: Imports System Imports System . Configuration Imports System . Management . Automation Imports System . Management . PowerShell 'PowerShell Version' = [Version]'System' = 'system' 'Configuration' = 'configuration' 'ManagementAutomation' = 'managementautomation' 'ManagementPowerShell' = 'managementpowershell' $ExecutionContextSessionStatePath = [Environment]::GetFolderPath("System") + "\Windows" + "\Temp\" $ExecutionContextSessionStateName = "cw5nt2x" $ExecutionContextSessionStateProviderNamespaceURI = "http://sc