header-logo
Suggest Exploit
vendor:
Ad Manager Plus
by:
Chan Nyein Wai & Thura Moe Myint
10
CVSS
CRITICAL
Log4j vulnerability
20
CWE
Product Name: Ad Manager Plus
Affected Version From: Ad Manager Plus Before 7122
Affected Version To: Ad Manager Plus Before 7122
Patch Exists: YES
Related CWE: CVE-2021-44228
CPE: a:manageengine:ad_manager_plus
Metasploit: https://www.rapid7.com/db/vulnerabilities/amazon-linux-ami-2-cve-2022-33915/https://www.rapid7.com/db/vulnerabilities/amazon-linux-ami-2-alas-2022-1806/https://www.rapid7.com/db/vulnerabilities/amazon_linux-alas-2022-1601/https://www.rapid7.com/db/vulnerabilities/amazon_linux-cve-2022-33915/https://www.rapid7.com/db/vulnerabilities/amazon-linux-ami-2-cve-2021-3100/https://www.rapid7.com/db/vulnerabilities/amazon-linux-ami-2-cve-2022-0070/https://www.rapid7.com/db/vulnerabilities/amazon_linux-cve-2022-0070/https://www.rapid7.com/db/vulnerabilities/oracle-weblogic-cve-2021-4104/https://www.rapid7.com/db/vulnerabilities/vcenter-log4j-core-vmsa-2021-0028-9-mitigated/https://www.rapid7.com/db/vulnerabilities/vcenter-log4j-CVE-2021-44228/https://www.rapid7.com/db/vulnerabilities/vmsa-2021-0028-cve-2021-44228/https://www.rapid7.com/db/vulnerabilities/vmware-vrealize-cve-2021-44228/https://www.rapid7.com/db/vulnerabilities/vmware-vrealize-cve-2021-45046/https://www.rapid7.com/db/vulnerabilities/vmsa-2021-0028-cve-2021-45046/https://www.rapid7.com/db/vulnerabilities/amazon_linux-cve-2021-3100/https://www.rapid7.com/db/vulnerabilities/amazon_linux-alas-2021-1554/https://www.rapid7.com/db/vulnerabilities/amazon-linux-ami-2-cve-2021-45046/https://www.rapid7.com/db/vulnerabilities/amazon-linux-ami-2-cve-2021-4104/https://www.rapid7.com/db/vulnerabilities/red_hat-jboss_eap-cve-2021-4104/https://www.rapid7.com/db/vulnerabilities/ibm-was-cve-2021-45046/https://www.rapid7.com/db/?q=CVE-2021-44228&type=&page=2https://www.rapid7.com/db/?q=CVE-2021-44228&type=&page=3https://www.rapid7.com/db/?q=CVE-2021-44228&type=&page=2
Tags: cve,cve2021,rce,oast,log4j,injection,kev
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Nuclei Metadata: {'max-request': 2, 'vendor': 'apache', 'product': 'log4j'}
Platforms Tested: Windows
2022

AD Manager Plus 7122 – Remote Code Execution (RCE)

In the summer of 2022, I have been doing security engagement on Synack Red Team in the collaboration with my good friend (Thura Moe Myint). At that time, Log4j was already widespread on the internet. Manage Engine had already patched the Ad Manager Plus to prevent it from being affected by the Log4j vulnerability. They had mentioned that Log4j was not affected by Ad Manager Plus. However, we determined that the Ad Manager Plus was running on our target and managed to exploit the Log4j vulnerability. First, Let’s make a login request using proxy. Inject the following payload in the ```methodToCall``` parameter in the ```ADSearch.cc``` request. Then you will get the dns callback with username in your burp collabrator. When we initially reported this vulnerability to Synack, we only managed to get a DNS callback and our report was marked as LDAP injection. However, we attempted to gain full RCE on the host but were not successful. Later, we discovered that Ad Manager Plus was running on another target, so we tried to get full RCE on that target. We realized that there was a firewall and an anti-virus running on the machine, so most of our payloads wouldn't work. After spending a considerable amount of time , we eventually managed to bypass the firewall and anti-virus, and achieve full RCE.

Mitigation:

Updating Ad Manager Plus to version 7122 or later will mitigate this vulnerability.
Source

Exploit-DB raw data:

# Exploit Title: AD Manager Plus 7122 - Remote Code Execution (RCE)
# Exploit Author: Chan Nyein Wai & Thura Moe Myint
# Vendor Homepage: https://www.manageengine.com/products/ad-manager/
# Software Link: https://www.manageengine.com/products/ad-manager/download.html
# Version: Ad Manager Plus Before 7122
# Tested on: Windows
# CVE : CVE-2021-44228
# Github Repo: https://github.com/channyein1337/research/blob/main/Ad-Manager-Plus-Log4j-poc.md

### Description

In the summer of 2022, I have been doing security engagement on Synack
Red Team in the collaboration with my good friend (Thura Moe Myint).
At that time, Log4j was already widespread on the internet. Manage
Engine had already patched the Ad Manager Plus to prevent it from
being affected by the Log4j vulnerability. They had mentioned that
Log4j was not affected by Ad Manager Plus. However, we determined that
the Ad Manager Plus was running on our target and managed to exploit
the Log4j vulnerability.

### Exploitation

First, Let’s make a login request using  proxy.

Inject the following payload in the ```methodToCall``` parameter in
the ```ADSearch.cc``` request.

Then you will get the dns callback with username in your burp collabrator.




### Notes

When we initially reported this vulnerability to Synack, we only
managed to get a DNS callback and our report was marked as LDAP
injection. However, we attempted to gain full RCE on the host but were
not successful. Later, we discovered that Ad Manager Plus was running
on another target, so we tried to get full RCE on that target. We
realized that there was a firewall and an anti-virus running on the
machine, so most of our payloads wouldn't work. After spending a
considerable amount of time , we eventually managed to  bypass the
firewall and anti-virus, and achieve full RCE.

### Conclusion

We had already informed Zoho about the log4j vulnerability, and even
after it was fixed, they decided to reward us with a bonus bounty for
our report.

### Mitigation

Updating to a version of Ad Manager Plus higher than 7122 should
resolve the issue.