After running into ManageEngine products on a number of penetration tests we decided to take a closer look at their products and see if there were any vulnerabilities that we could take advantage of.
DesktopCentral – 10.0.380
ADSelfService Plus – 5.7
ADManager Plus – 6.6.5
Multiple ManageEngine products run as System on startup and have bad file permissions. The services keep their data in C:\ManageEngine by default and any user can write to these folders. This makes the applications vulnerable to DLL hijacking allowing low-level users to escalate their privileges.
Figure 1 – Permissions
In order to take advantage of this, we just need to generate a DLL and rename it to any DLL that the binary loads when it runs. In this case, we will show how to take advantage of DesktopCentral loading Secur32.dll
To start with we needed a custom DLL that would execute what we wanted in order to prove privilege escalation. We wrote a simple DLL, with the code below. which will create the user pwned and then add that user to the local Administrators group.
We then compiled it as a 32bit DLL, renamed it to Secur32.dll and put it into the bin folder. Which any user has access too as shown below.
Once the DLL is in place you can restart the service, either manually with an Admin account or by rebooting the machine. Once the service is restarted the DLL will be loaded by the service and our code will execute giving us a new Admin user on the system.
Figure 3 – DLL called
Figure 4 – Admin User Creation
Figure 5 – New Admin User
ManageEngine has patched the issue in their DesktopCentral product, but states that the issue is a feature in their other offerings and will provide guidance around it for their customers.
2019-03-20 – Vulnerability Disclosed to Vendor
2019-04-10 – Vulnerability acknowledged and fix in the works
2019-06-18 – Vendor responds saying they have fixed it in some products
Chase Dardaman – Adversarial Engineer | SECTION8, CRITICALSTART
Quentin Rhoads-Herrera – Offensive Security Manager | SECTION8, CRITICALSTART