{"id":3979,"date":"2019-04-16T20:11:41","date_gmt":"2019-04-16T15:41:41","guid":{"rendered":"https:\/\/rasanegar.com\/blog\/?p=3979"},"modified":"2019-04-16T22:42:39","modified_gmt":"2019-04-16T18:12:39","slug":"manage-engine-admanager-6-6-privilege-escalation","status":"publish","type":"post","link":"https:\/\/rasanegaar.com\/blog\/manage-engine-admanager-6-6-privilege-escalation\/","title":{"rendered":"\u0622\u0633\u06cc\u0628\u200e\u067e\u0630\u06cc\u0631\u06cc \u0627\u0645\u0646\u06cc\u062a\u06cc  ManageEngine ADManager  6.6"},"content":{"rendered":"<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_85 counter-hierarchy ez-toc-counter ez-toc-custom ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\"><p class=\"ez-toc-title\" style=\"cursor:inherit\">\u0633\u0631\u0641\u0635\u0644\u0647\u0627\u06cc \u0645\u0637\u0644\u0628<\/p>\n<\/div><nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/rasanegaar.com\/blog\/manage-engine-admanager-6-6-privilege-escalation\/#%d8%b4%d8%b1%d8%ad_%d8%a2%d8%b3%db%8c%d8%a8_%d9%be%d8%b0%db%8c%d8%b1%db%8c_manageengine_admanager_66\" >\u0634\u0631\u062d \u0622\u0633\u06cc\u0628 \u067e\u0630\u06cc\u0631\u06cc ManageEngine ADManager 6.6<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/rasanegaar.com\/blog\/manage-engine-admanager-6-6-privilege-escalation\/#%d8%b4%d8%b1%d8%ad_%d8%a2%d8%b3%db%8c%d8%a8_%d9%88_%d8%b1%d9%88%d8%b4_%d8%a7%d8%ac%d8%b1%d8%a7_%d8%a8%d9%87_%d8%b2%d8%a8%d8%a7%d9%86_%d8%a7%d8%b5%d9%84%db%8c\" >\u0634\u0631\u062d \u0622\u0633\u06cc\u0628 \u0648 \u0631\u0648\u0634 \u0627\u062c\u0631\u0627 \u0628\u0647 \u0632\u0628\u0627\u0646 \u0627\u0635\u0644\u06cc<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-3\" 
href=\"https:\/\/rasanegaar.com\/blog\/manage-engine-admanager-6-6-privilege-escalation\/#the_cause_of_the_vulnerability\" >The Cause of the Vulnerability<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/rasanegaar.com\/blog\/manage-engine-admanager-6-6-privilege-escalation\/#exploitation\" >Exploitation<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/rasanegaar.com\/blog\/manage-engine-admanager-6-6-privilege-escalation\/#timeline\" >Timeline<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n<span class=\"span-reading-time rt-reading-time\" style=\"display: block;\"><span class=\"rt-label rt-prefix\">\u0632\u0645\u0627\u0646 \u0644\u0627\u0632\u0645 \u0628\u0631\u0627\u06cc \u0645\u0637\u0627\u0644\u0639\u0647: <\/span> <span class=\"rt-time\"> 4<\/span> <span class=\"rt-label rt-postfix\">\u062f\u0642\u06cc\u0642\u0647<\/span><\/span><p>\u0633\u0644\u0627\u0645 \u060c \u0627\u0645\u0634\u0628 \u0645\u0637\u0644\u0639 \u0634\u062f\u0645 \u06cc\u06a9 \u0628\u0627\u06af \u0627\u0631\u062a\u0642\u0627\u06cc \u0633\u0637\u062d \u062f\u0633\u062a\u0631\u0633\u06cc \u062f\u0631 \u06cc\u06a9\u06cc \u0627\u0632 \u0645\u062d\u0628\u0648\u0628\u200c\u062a\u0631\u06cc\u0646 \u067e\u0644\u062a\u0641\u0631\u0645\u200c\u0647\u0627\u06cc \u0645\u062f\u06cc\u0631\u06cc\u062a \u0627\u06a9\u062a\u06cc\u0648\u062f\u06cc\u0631\u06a9\u062a\u0648\u0631\u06cc\u00a0 (ADManager Plus) \u0646\u0633\u062e\u0647 \u06f6.\u06f6 \u06af\u0632\u0627\u0631\u0634 \u0634\u062f\u0647 \u06a9\u0647 \u062f\u0631 \u0627\u062f\u0627\u0645\u0647 \u0628\u0647 \u062a\u0648\u0636\u06cc\u062d\u0627\u062a\u06cc \u062f\u0631 \u0627\u06cc\u0646 \u062e\u0635\u0648\u0635 \u062e\u0648\u0627\u0647\u0645 \u067e\u0631\u062f\u0627\u062e\u062a<br \/>\n\u0644\u0627\u0632\u0645 \u0627\u0633\u062a \u0628\u062f\u0627\u0646\u06cc\u062f \u06a9\u0647 \u0633\u0627\u0639\u0627\u062a\u06cc 
\u067e\u06cc\u0634 \u0627\u0632 \u0646\u0631\u0645 \u0627\u0641\u0632\u0627\u0631 ADManager \u0627\u06cc\u0646 \u0622\u0633\u06cc\u0628\u200c\u067e\u0630\u06cc\u0631\u06cc \u06a9\u0634\u0641 \u0634\u062f\u0647 \u0648 \u0648\u062c\u0648\u062f \u06a9\u0631\u06a9 \u0628\u0631\u0627\u06cc \u0646\u0633\u062e\u0647 \u0647\u0627\u06cc \u0645\u062e\u062a\u0644\u0641 \u0627\u06cc\u0646 \u062e\u0627\u0646\u0648\u0627\u062f\u0647\u060c \u0627\u06cc\u0646 \u0646\u0631\u0645\u200e\u0627\u0641\u0632\u0627\u0631 \u0631\u0627 \u0628\u0647 \u06cc\u06a9\u06cc \u0627\u0632 \u0646\u0631\u0645 \u0627\u0641\u0632\u0627\u0631\u0647\u0627\u06cc \u0645\u062d\u0628\u0648\u0628 \u0628\u0633\u06cc\u0627\u0631\u06cc \u0627\u0632 \u0645\u062f\u06cc\u0631\u0627\u0646 \u0634\u0628\u06a9\u0647 \u062a\u0628\u062f\u06cc\u0644 \u06a9\u0631\u062f\u0647 \u0627\u0633\u062a.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"%d8%b4%d8%b1%d8%ad_%d8%a2%d8%b3%db%8c%d8%a8_%d9%be%d8%b0%db%8c%d8%b1%db%8c_manageengine_admanager_66\"><\/span>\u0634\u0631\u062d \u0622\u0633\u06cc\u0628 \u067e\u0630\u06cc\u0631\u06cc ManageEngine ADManager 6.6<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>\u062f\u0631 \u0627\u06cc\u0646 \u0622\u0633\u06cc\u0628\u200e\u067e\u0630\u06cc\u0631\u06cc \u0628\u0647 \u06cc\u06a9 \u06a9\u0627\u0631\u0628\u0631 (Authenticated) \u0627\u06cc\u0646 \u0627\u0645\u06a9\u0627\u0646 \u0631\u0627 \u0645\u06cc \u062f\u0647\u062f \u06a9\u0647 \u0628\u0647 \u0633\u0637\u062d \u062f\u0633\u062a\u0631\u0633\u06cc NT AUTHORITY\\SYSTEM (\u062a\u0627 \u0646\u0633\u062e\u0647 6.6) \u062f\u0633\u062a\u0631\u0633\u06cc \u067e\u06cc\u062f\u0627 \u06a9\u0646\u062f.<br \/>\n\u062f\u0631 \u062a\u0648\u0636\u06cc\u062d\u0627\u062a \u0641\u0646\u06cc \u0627\u0631\u0627\u0626\u0647 \u0634\u062f\u0647 \u0639\u0646\u0648\u0627\u0646 \u0634\u062f\u0647 \u0627\u0633\u062a \u0645\u062d\u0644 \u0646\u0635\u0628 (\u067e\u06cc\u0634\u0641\u0631\u0636) \u0627\u06cc\u0646 \u0646\u0631\u0645 \u0627\u0641\u0632\u0627\u0631 
\u062f\u0627\u0631\u0627\u06cc \u0686\u0646\u062f\u06cc\u0646 \u062f\u06cc\u0631\u06a9\u062a\u0648\u0631\u06cc \u0628\u0627 \u062a\u0646\u0638\u06cc\u0645\u0627\u062a \u0627\u0645\u0646\u06cc\u062a\u06cc \u067e\u0627\u06cc\u06cc\u0646 \u0627\u0633\u062a (\u062f\u06cc\u0631\u06a9\u062a\u0648\u0631\u06cc \u0647\u0627\u06cc Bin\u060c Lib\u060c Tools) \u06a9\u0647 \u062f\u0633\u062a\u0631\u0633\u06cc \u06a9\u0627\u0645\u0644 \u0631\u0627 \u0628\u0647 \u06af\u0631\u0648\u0647 Authenticated Users\u00a0 \u0627\u0644\u062d\u0627\u0642 \u06a9\u0631\u062f\u0647 \u0627\u0633\u062a \u0648 \u0627\u0632 \u0622\u0646\u062c\u0627\u06cc\u06cc \u06a9\u0647 \u06af\u0631\u0648\u0647 Authenticated Users \u0628\u0647 \u06af\u0648\u0646\u0647 \u0627\u06cc \u0646\u06cc\u0633\u062a \u06a9\u0647 \u06a9\u0627\u0631\u0628\u0631\u0627\u0646 \u0627\u0636\u0627\u0641\u0647 \u0648 \u06cc\u0627 \u062d\u0630\u0641 \u0634\u0648\u0646\u062f\u060c \u0647\u0631 \u06a9\u0627\u0631\u0628\u0631\u06cc \u06a9\u0647 \u0628\u0647 \u0633\u06cc\u0633\u062a\u0645 \u0644\u0627\u06af\u06cc\u0646 \u06a9\u0646\u062f (\u06cc\u0648\u0632\u0631 Domain \u06cc\u0627 Local) \u062c\u0632\u0621 \u06af\u0631\u0648\u0647 Authenticated Users \u062e\u0648\u0627\u0647\u062f \u0628\u0648\u062f\u00a0 \u0648 \u0642\u0627\u062f\u0631 \u0628\u0647 \u062a\u063a\u06cc\u06cc\u0631 \u0645\u062d\u062a\u0648\u0627\u06cc \u062f\u0627\u062e\u0644 \u062f\u06cc\u0631\u06a9\u062a\u0648\u0631\u06cc \u0647\u0627\u06cc \u0641\u0648\u0642 \u062e\u0648\u0627\u0647\u062f \u0628\u0648\u062f. 
\u062f\u0631 \u062f\u06cc\u0631\u06a9\u062a\u0648\u0631\u06cc \u0627\u0633\u0627\u0633\u06cc bin \u0686\u0646\u062f\u06cc\u0646 \u0641\u0627\u06cc\u0644 \u0645\u0647\u0645 \u0648\u062c\u0648\u062f \u062f\u0627\u0631\u062f \u06a9\u0647 \u0645\u062d\u0642\u0642\u0627\u0646 \u0628\u0627 \u0631\u0635\u062f \u06a9\u0631\u062f\u0646 \u062f\u0648 \u0641\u0627\u06cc\u0644 \u062f\u0631 \u062d\u06cc\u0646 \u0634\u0631\u0648\u0639 \u0641\u0639\u0627\u0644\u06cc\u062a \u0627\u06cc\u0646 \u0646\u0631\u0645 \u0627\u0641\u0632\u0627\u0631 \u0628\u0647 \u0646\u062a\u0627\u06cc\u062c \u062c\u0627\u0644\u0628\u06cc \u0631\u0633\u06cc\u062f\u0646\u062f \u06a9\u0647 \u0628\u0627 \u062a\u0648\u062c\u0647 \u0628\u0647 \u0645\u0627\u0647\u06cc\u062a \u0627\u06cc\u0646 \u067e\u0631\u062f\u0627\u0632\u0647\u200c\u0647\u0627 (\u0628\u0627 \u0647\u062f\u0641 \u0645\u062f\u06cc\u0631\u06cc\u062a \u0627\u06a9\u062a\u06cc\u0648\u062f\u06cc\u0631\u06a9\u062a\u0648\u0631\u06cc \u062d\u062a\u0645\u0627 \u0628\u0627\u06cc\u062f \u0628\u0627 \u0633\u0637\u062d \u062f\u0633\u062a\u0631\u0633\u06cc Administrator \u0627\u062c\u0631\u0627 \u0634\u0648\u062f) \u062f\u0644\u06cc\u0644\u06cc \u0648\u062c\u0648\u062f \u0646\u062f\u0627\u0631\u062f \u06a9\u0647 \u062a\u0648\u0633\u0637 \u062a\u0645\u0627\u0645\u06cc \u06a9\u0627\u0631\u0628\u0631\u0627\u0646\u06cc \u06a9\u0647 \u0627\u0639\u062a\u0628\u0627\u0631\u0633\u0646\u062c\u06cc \u0645\u0648\u0641\u0642 \u062f\u0627\u0631\u0646\u062f\u060c \u0642\u0627\u0628\u0644 \u062f\u0633\u062a\u0631\u0633 \u0628\u0627\u0634\u062f.<\/p>\n<p>\u067e\u06cc\u0634\u0646\u0647\u0627\u062f \u0645\u06cc\u06a9\u0646\u0645 \u062a\u0648\u0636\u06cc\u062d\u0627\u062a \u062c\u0627\u0644\u0628 \u0648 \u062f\u0642\u06cc\u0642 \u0627\u062f\u0627\u0645\u0647 \u0645\u0637\u0644\u0628 \u0628\u0647 \u0632\u0628\u0627\u0646 \u0627\u0646\u06af\u0644\u06cc\u0633\u06cc \u0648 \u0647\u0645\u0686\u0646\u06cc\u0646 \u062a\u0635\u0627\u0648\u06cc\u0631 \u0645\u0631\u0628\u0648\u0637\u0647 
\u0631\u0627 \u0645\u0634\u0627\u0647\u062f\u0647 \u06a9\u0646\u06cc\u062f \u0648 \u062f\u0631 \u0635\u0648\u0631\u062a\u06cc \u06a9\u0647 \u0627\u0632 \u0646\u0633\u062e\u0647 \u0622\u0633\u06cc\u0628 \u067e\u0630\u06cc\u0631 \u0627\u0633\u062a\u0641\u0627\u062f\u0647 \u0645\u06cc\u06a9\u0646\u06cc\u062f \u0633\u0631\u06cc\u0639\u0627 \u0628\u0647\u200c\u0631\u0648\u0632\u0631\u0633\u0627\u0646\u06cc \u0627\u0648\u0646 \u0631\u0648 \u0627\u0646\u062c\u0627\u0645 \u0628\u062f\u06cc\u062f \u0648 \u062a\u0648\u0635\u06cc\u0647 \u0627\u06a9\u06cc\u062f \u0645\u06cc\u06a9\u0646\u06cc\u0645 \u06a9\u0647 \u0627\u0632 \u06a9\u0631\u06a9 \u0627\u0633\u062a\u0641\u0627\u062f\u0647 \u0646\u06a9\u0646\u06cc\u062f.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"%d8%b4%d8%b1%d8%ad_%d8%a2%d8%b3%db%8c%d8%a8_%d9%88_%d8%b1%d9%88%d8%b4_%d8%a7%d8%ac%d8%b1%d8%a7_%d8%a8%d9%87_%d8%b2%d8%a8%d8%a7%d9%86_%d8%a7%d8%b5%d9%84%db%8c\"><\/span>\u0634\u0631\u062d \u0622\u0633\u06cc\u0628 \u0648 \u0631\u0648\u0634 \u0627\u062c\u0631\u0627 \u0628\u0647 \u0632\u0628\u0627\u0646 \u0627\u0635\u0644\u06cc<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<hr \/>\n<p dir=\"ltr\">During a recent review of the ADManager Plus software offered by Zoho, we were able to identify a vulnerability which would allow authenticated users to escalate to <code class=\"highlighter-rouge\">NT AUTHORITY\\SYSTEM<\/code>\u00a0in versions up to and including 6.6 (build 6657).<\/p>\n<h3 id=\"the-cause-of-the-vulnerability\" dir=\"ltr\"><span class=\"ez-toc-section\" id=\"the_cause_of_the_vulnerability\"><\/span>The Cause of the Vulnerability<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p dir=\"ltr\">After completing the installation, the software can be found in\u00a0<code class=\"highlighter-rouge\">C:\\ManageEngine\\ADManager Plus<\/code>, assuming the default location is not changed. Within this directory are several directories with weak security settings. 
The affected directories are:<\/p>\n<ul dir=\"ltr\">\n<li><code class=\"highlighter-rouge\">bin<\/code><\/li>\n<li><code class=\"highlighter-rouge\">lib<\/code><\/li>\n<li><code class=\"highlighter-rouge\">tools<\/code><\/li>\n<\/ul>\n<p dir=\"ltr\">The issue affecting these directories is that they are created with full control assigned to the\u00a0<code class=\"highlighter-rouge\">Authenticated Users<\/code>\u00a0group:<\/p>\n<p dir=\"ltr\"><img decoding=\"async\" src=\"https:\/\/rasanegar.com\/blog\/wp-content\/uploads\/-000\/\/1\/permissions-3979-2019-04-16.png\" alt=\"\" title=\"\"><\/p>\n<p dir=\"ltr\">The\u00a0<code class=\"highlighter-rouge\">Authenticated Users<\/code>\u00a0group in <a href=\"https:\/\/rasanegaar.com\/blog\/how-to-reclaim-freeup-thin-disk-in-esxi\/\">Windows<\/a> is not a typical group in which users can be added or removed. If an account authenticates with the system, be it a local account or domain account, it will be deemed to be part of the\u00a0<code class=\"highlighter-rouge\">Authenticated Users<\/code>\u00a0group. The built-in accounts such as\u00a0<code class=\"highlighter-rouge\">LOCAL SERVICE<\/code>\u00a0do not get included in this group, as they are accounts without a password that do not require authentication.<\/p>\n<p dir=\"ltr\">By assigning full control to\u00a0<code class=\"highlighter-rouge\">Authenticated Users<\/code>, any user that is logged in is capable of modifying the contents of the aforementioned directories. 
The\u00a0<code class=\"highlighter-rouge\">bin<\/code>\u00a0directory is of significance, as the entry point of the software is found in this directory, along with several other core executables.<\/p>\n<p dir=\"ltr\">An example of two files being accessed during startup can be seen in the screenshot of procmon below:<\/p>\n<p dir=\"ltr\"><img decoding=\"async\" src=\"https:\/\/rasanegar.com\/blog\/wp-content\/uploads\/-000\/\/1\/bin_access-3979-2019-04-16.png\" alt=\"\" title=\"\"><\/p>\n<p dir=\"ltr\">As the nature of the software requires administrator privileges, due to it serving the purpose of managing an active directory environment, there is no reason to provide write access to all authenticated users. This misconfiguration is particularly dangerous due to the previously touched upon point &#8211; the software\u00a0<em>requires<\/em>\u00a0administrator level access. The\u00a0<code class=\"highlighter-rouge\">ManageEngine ADManager Plus<\/code>\u00a0service is by default installed to launch using the local system account:<\/p>\n<p dir=\"ltr\"><img decoding=\"async\" src=\"https:\/\/rasanegar.com\/blog\/wp-content\/uploads\/-000\/\/1\/sc-3979-2019-04-16.png\" alt=\"\" title=\"\"><\/p>\n<h3 id=\"exploitation\" dir=\"ltr\"><span class=\"ez-toc-section\" id=\"exploitation\"><\/span>Exploitation<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p dir=\"ltr\">To exploit this vulnerability, one of the core files used by ADManager in the\u00a0<code class=\"highlighter-rouge\">bin<\/code>\u00a0directory needs to be modified or replaced to execute a payload that will elevate one\u2019s privileges. 
As previously mentioned, one must be in the context of an authenticated user; in this example, we will start as a low privilege user aptly named\u00a0<code class=\"highlighter-rouge\">lowpriv<\/code>:<\/p>\n<p dir=\"ltr\"><img decoding=\"async\" src=\"https:\/\/rasanegar.com\/blog\/wp-content\/uploads\/-000\/\/1\/lowpriv-shell-3979-2019-04-16.png\" alt=\"\" title=\"\"><\/p>\n<p dir=\"ltr\">It was previously noted that when the service starts, the\u00a0<code class=\"highlighter-rouge\">wrapper.exe<\/code>\u00a0and\u00a0<code class=\"highlighter-rouge\">admanager.exe<\/code>\u00a0files are both accessed. Whilst it is possible to backdoor these files, they cannot be overwritten whilst the service is running. Instead, an alternative file must be found which either:<\/p>\n<ul dir=\"ltr\">\n<li>Is not persistently running after startup<\/li>\n<li>Can be modified whilst being executed<\/li>\n<\/ul>\n<p dir=\"ltr\">Running procmon again and looking at the results shows several other files being accessed during startup &#8211; in particular,\u00a0<code class=\"highlighter-rouge\">ChangeJRE.bat<\/code>. As this is a batch script, even if this script continues to execute throughout the lifetime of the process, it can still be modified in place.<\/p>\n<p dir=\"ltr\"><img decoding=\"async\" src=\"https:\/\/rasanegar.com\/blog\/wp-content\/uploads\/-000\/\/1\/changejre-3979-2019-04-16.png\" alt=\"\" title=\"\"><\/p>\n<p dir=\"ltr\">The purpose of this file appears to be to upgrade several files if newer versions are present. For example, if a file is present in\u00a0<code class=\"highlighter-rouge\">lib\/native<\/code>\u00a0named\u00a0<code class=\"highlighter-rouge\">ntlmauth.dll_new<\/code>, the\u00a0<code class=\"highlighter-rouge\">ntlmauth.dll<\/code>\u00a0file will be deleted and replaced with\u00a0<code class=\"highlighter-rouge\">ntlmauth.dll_new<\/code>. 
Although this mechanism can be abused, it would mean creating a DLL that is compatible with the previous one; there is a much simpler way to utilise this file.<\/p>\n<p dir=\"ltr\">By adding an extra line to the batch file, we can make it run another executable. Rather than just launching the executable directly, it should ideally be launched using\u00a0<code class=\"highlighter-rouge\">start<\/code>. This will make the executable launch in a non-blocking manner and allow\u00a0<code class=\"highlighter-rouge\">ChangeJRE.bat<\/code>\u00a0to continue executing seamlessly:<\/p>\n<p dir=\"ltr\"><img decoding=\"async\" src=\"https:\/\/rasanegar.com\/blog\/wp-content\/uploads\/-000\/\/1\/changejre-modification-3979-2019-04-16.png\" alt=\"\" title=\"\"><\/p>\n<p dir=\"ltr\">The highlighted change in the above screenshot will launch\u00a0<code class=\"highlighter-rouge\">C:\\ManageEngine\\ADManager Plus\\bin\\privesc.exe<\/code>\u00a0alongside\u00a0<code class=\"highlighter-rouge\">ChangeJRE.bat<\/code>. 
In this case, we created\u00a0<code class=\"highlighter-rouge\">privesc.exe<\/code>\u00a0using\u00a0<code class=\"highlighter-rouge\">msfvenom<\/code>:<\/p>\n<p dir=\"ltr\"><img decoding=\"async\" src=\"https:\/\/rasanegar.com\/blog\/wp-content\/uploads\/-000\/\/1\/msfvenom-3979-2019-04-16.png\" alt=\"\" title=\"\"><\/p>\n<p dir=\"ltr\">With a payload ready and the backdoored batch file, all that is left to do is upload them and wait:<\/p>\n<p dir=\"ltr\"><img decoding=\"async\" src=\"https:\/\/rasanegar.com\/blog\/wp-content\/uploads\/-000\/\/1\/upload-3979-2019-04-16.png\" alt=\"\" title=\"\"><\/p>\n<p dir=\"ltr\">After initiating a reboot on the server, the previous session (running as\u00a0<code class=\"highlighter-rouge\">lowpriv<\/code>) drops, and a new session is initiated as the server comes back up; this time running as\u00a0<code class=\"highlighter-rouge\">NT AUTHORITY\\SYSTEM<\/code>:<\/p>\n<p dir=\"ltr\"><img decoding=\"async\" src=\"https:\/\/rasanegar.com\/blog\/wp-content\/uploads\/-000\/\/1\/privesc-3979-2019-04-16.png\" alt=\"\" title=\"\"><\/p>\n<p dir=\"ltr\">Looking at the task list after acquiring the SYSTEM shell also confirms that the modification made to\u00a0<code class=\"highlighter-rouge\">ChangeJRE.bat<\/code>\u00a0is not blocking execution; meaning that ADManager Plus will continue to function as normal:<\/p>\n<p dir=\"ltr\"><img decoding=\"async\" src=\"https:\/\/rasanegar.com\/blog\/wp-content\/uploads\/-000\/\/1\/tasklist-3979-2019-04-16.png\" alt=\"\" title=\"\"><\/p>\n<h3 id=\"timeline\" dir=\"ltr\"><span class=\"ez-toc-section\" id=\"timeline\"><\/span>Timeline<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ul dir=\"ltr\">\n<li><strong>2018-11-15<\/strong>: Vulnerability identified in build 6653<\/li>\n<li><strong>2019-01-31<\/strong>: Vendor contacted via their bug bounty program<\/li>\n<li><strong>2019-01-31<\/strong>: Acknowledgement from vendor and investigation opened<\/li>\n<li><strong>2019-04-15<\/strong>: 
Vulnerability confirmed to be in the latest build (6657)<\/li>\n<li><strong>2019-02-28<\/strong>: Update released to fix vulnerability<\/li>\n<li><strong>2019-04-15<\/strong>: Public disclosure<\/li>\n<\/ul>\n\n\n<div class=\"kk-star-ratings kksr-auto kksr-align-center kksr-valign-bottom\"\n    data-payload='{&quot;align&quot;:&quot;center&quot;,&quot;id&quot;:&quot;3979&quot;,&quot;slug&quot;:&quot;default&quot;,&quot;valign&quot;:&quot;bottom&quot;,&quot;ignore&quot;:&quot;&quot;,&quot;reference&quot;:&quot;auto&quot;,&quot;class&quot;:&quot;&quot;,&quot;count&quot;:&quot;10&quot;,&quot;legendonly&quot;:&quot;&quot;,&quot;readonly&quot;:&quot;&quot;,&quot;score&quot;:&quot;4.8&quot;,&quot;starsonly&quot;:&quot;&quot;,&quot;best&quot;:&quot;5&quot;,&quot;gap&quot;:&quot;5&quot;,&quot;greet&quot;:&quot;\u0627\u0645\u062a\u06cc\u0627\u0632 \u0634\u0645\u0627 \u0628\u0647 \u0627\u06cc\u0646 \u0645\u0637\u0644\u0628&quot;,&quot;legend&quot;:&quot;4.8\\\/5 (10 \u0631\u0627\u06cc)&quot;,&quot;size&quot;:&quot;30&quot;,&quot;title&quot;:&quot;\u0622\u0633\u06cc\u0628\u200e\u067e\u0630\u06cc\u0631\u06cc \u0627\u0645\u0646\u06cc\u062a\u06cc  ManageEngine ADManager  6.6&quot;,&quot;width&quot;:&quot;165.5&quot;,&quot;_legend&quot;:&quot;{score}\\\/{best} ({count} \u0631\u0627\u06cc)&quot;,&quot;font_factor&quot;:&quot;1.25&quot;}'>\n            \n<div class=\"kksr-stars\">\n    \n<div class=\"kksr-stars-inactive\">\n            <div class=\"kksr-star\" data-star=\"1\" style=\"padding-left: 5px\">\n            \n\n<div class=\"kksr-icon\" style=\"width: 30px; height: 30px;\"><\/div>\n        <\/div>\n            <div class=\"kksr-star\" data-star=\"2\" style=\"padding-left: 5px\">\n            \n\n<div class=\"kksr-icon\" style=\"width: 30px; height: 30px;\"><\/div>\n        <\/div>\n            <div class=\"kksr-star\" data-star=\"3\" style=\"padding-left: 5px\">\n            \n\n<div class=\"kksr-icon\" style=\"width: 30px; height: 30px;\"><\/div>\n        <\/div>\n        
    <div class=\"kksr-star\" data-star=\"4\" style=\"padding-left: 5px\">\n            \n\n<div class=\"kksr-icon\" style=\"width: 30px; height: 30px;\"><\/div>\n        <\/div>\n            <div class=\"kksr-star\" data-star=\"5\" style=\"padding-left: 5px\">\n            \n\n<div class=\"kksr-icon\" style=\"width: 30px; height: 30px;\"><\/div>\n        <\/div>\n    <\/div>\n    \n<div class=\"kksr-stars-active\" style=\"width: 165.5px;\">\n            <div class=\"kksr-star\" style=\"padding-left: 5px\">\n            \n\n<div class=\"kksr-icon\" style=\"width: 30px; height: 30px;\"><\/div>\n        <\/div>\n            <div class=\"kksr-star\" style=\"padding-left: 5px\">\n            \n\n<div class=\"kksr-icon\" style=\"width: 30px; height: 30px;\"><\/div>\n        <\/div>\n            <div class=\"kksr-star\" style=\"padding-left: 5px\">\n            \n\n<div class=\"kksr-icon\" style=\"width: 30px; height: 30px;\"><\/div>\n        <\/div>\n            <div class=\"kksr-star\" style=\"padding-left: 5px\">\n            \n\n<div class=\"kksr-icon\" style=\"width: 30px; height: 30px;\"><\/div>\n        <\/div>\n            <div class=\"kksr-star\" style=\"padding-left: 5px\">\n            \n\n<div class=\"kksr-icon\" style=\"width: 30px; height: 30px;\"><\/div>\n        <\/div>\n    <\/div>\n<\/div>\n                \n\n<div class=\"kksr-legend\" style=\"font-size: 24px;\">\n            4.8\/5 (10 \u0631\u0627\u06cc)    <\/div>\n    <\/div>\n","protected":false},"excerpt":{"rendered":"<p><span class=\"span-reading-time rt-reading-time\" style=\"display: block;\"><span class=\"rt-label rt-prefix\">\u0632\u0645\u0627\u0646 \u0644\u0627\u0632\u0645 \u0628\u0631\u0627\u06cc \u0645\u0637\u0627\u0644\u0639\u0647: <\/span> <span class=\"rt-time\"> 4<\/span> <span class=\"rt-label rt-postfix\">\u062f\u0642\u06cc\u0642\u0647<\/span><\/span>\u0633\u0644\u0627\u0645 \u060c \u0627\u0645\u0634\u0628 \u0645\u0637\u0644\u0639 \u0634\u062f\u0645 \u06cc\u06a9 \u0628\u0627\u06af 
\u0627\u0631\u062a\u0642\u0627\u06cc \u0633\u0637\u062d \u062f\u0633\u062a\u0631\u0633\u06cc \u062f\u0631 \u06cc\u06a9\u06cc \u0627\u0632 \u0645\u062d\u0628\u0648\u0628\u200c\u062a\u0631\u06cc\u0646 \u067e\u0644\u062a\u0641\u0631\u0645\u200c\u0647\u0627\u06cc \u0645\u062f\u06cc\u0631\u06cc\u062a \u0627\u06a9\u062a\u06cc\u0648\u062f\u06cc\u0631\u06a9\u062a\u0648\u0631\u06cc\u00a0 (ADManager Plus) \u0646\u0633\u062e\u0647 \u06f6.\u06f6 \u06af\u0632\u0627\u0631\u0634 \u0634\u062f\u0647 \u06a9\u0647 \u062f\u0631 \u0627\u062f\u0627\u0645\u0647 \u0628\u0647 \u062a\u0648\u0636\u06cc\u062d\u0627\u062a\u06cc \u062f\u0631 \u0627\u06cc\u0646 \u062e\u0635\u0648\u0635 \u062e\u0648\u0627\u0647\u0645 \u067e\u0631\u062f\u0627\u062e\u062a. \u0644\u0627\u0632\u0645 \u0627\u0633\u062a \u0628\u062f\u0627\u0646\u06cc\u062f \u06a9\u0647 \u0633\u0627\u0639\u0627\u062a\u06cc \u067e\u06cc\u0634 \u0627\u0632 \u0646\u0631\u0645 \u0627\u0641\u0632\u0627\u0631 ADManager \u0627\u06cc\u0646 \u0622\u0633\u06cc\u0628\u200c\u067e\u0630\u06cc\u0631\u06cc \u06a9\u0634\u0641 \u0634\u062f\u0647. 
\u0648\u062c\u0648\u062f \u06a9\u0631\u06a9 \u0628\u0631\u0627\u06cc \u0646\u0633\u062e\u0647 \u0647\u0627\u06cc \u0645\u062e\u062a\u0644\u0641 \u0627\u06cc\u0646 \u062e\u0627\u0646\u0648\u0627\u062f\u0647\u060c \u0627\u06cc\u0646 \u0646\u0631\u0645\u200e\u0627\u0641\u0632\u0627\u0631 \u0631\u0627 \u0628\u0647 \u06cc\u06a9\u06cc \u0627\u0632 \u0646\u0631\u0645 \u0627\u0641\u0632\u0627\u0631\u0647\u0627\u06cc \u0645\u062d\u0628\u0648\u0628 \u0628\u0633\u06cc\u0627\u0631\u06cc \u0627\u0632 \u0645\u062f\u06cc\u0631\u0627\u0646 \u0634\u0628\u06a9\u0647 \u062a\u0628\u062f\u06cc\u0644 \u06a9\u0631\u062f\u0647 \u0627\u0633\u062a.<\/p>\n","protected":false},"author":3,"featured_media":3993,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[965,618,205,103],"tags":[969,973,968,966,967,974,970,971,354,972],"class_list":["post-3979","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cve-bug-reports","category-it","category-security","category-malware","tag-active-directory","tag-admanager--","tag-admanger","tag-cve","tag-cve-2018-19374","tag-manage-engine","tag-970","tag-971","tag-354","tag--admanager"],"acf":[],"_links":{"self":[{"href":"https:\/\/rasanegaar.com\/blog\/wp-json\/wp\/v2\/posts\/3979","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rasanegaar.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rasanegaar.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rasanegaar.com\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/rasanegaar.com\/blog\/wp-json\/wp\/v2\/comments?post=3979"}],"version-history":[{"count":0,"href":"https:\/\/rasanegaar.com\/blog\/wp-json\/wp\/v2\/posts\/3979\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/rasanegaar.com\/blog\/wp-json\/wp\/v2\/media\/3993"}],"wp:attachment":[{"href":"https:\/\/rasa
negaar.com\/blog\/wp-json\/wp\/v2\/media?parent=3979"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rasanegaar.com\/blog\/wp-json\/wp\/v2\/categories?post=3979"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rasanegaar.com\/blog\/wp-json\/wp\/v2\/tags?post=3979"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}