ManageEngine ADAudit Plus Remote Code Execution

Secure your products with top-tier expert knowledge and advanced Penetration Testing (CREST Approved)

Let's collaborate to build and maintain secure, trustworthy products

We transform threats into trust by integrating advanced tech and expertise in product security. Our approach encompasses Security by Design, rigorous security assurance and penetration testing, and compliance through expert documentation, from design to post-market. We offer CREST-approved pen testing in EMEA, upholding top security standards.

CREST Approved in EMEA

This Metasploit module exploits security issues in ManageEngine ADAudit Plus versions prior to 7006 that allow authenticated users to execute arbitrary code by creating a custom alert profile and leveraging its custom alert script component. The module first runs a few checks to test the provided credentials, retrieve the configured domain(s) and obtain the build number of the target ADAudit Plus server. If the credentials are valid and the target is vulnerable, the module creates an alert profile that will be triggered for any failed login attempt to the configured domain. For versions prior to build 7004, the payload is directly inserted in the custom alert script component of the alert profile. For versions 7004 and 7005, the module leverages an arbitrary file write vulnerability (CVE-2021-42847) to create a Powershell script in the alert_scripts directory that contains the payload. The name of this script is then provided as the value for the custom alert script component of the alert profile. This module requires valid credentials for an account with the privileges to create alert scripts. It has been successfully tested against ManageEngine ADAudit Plus builds 7003 and 7005 running on Windows Server 2012 R2. Successful exploitation will result in remote code execution as the user running ManageEngine ADAudit Plus, which will typically be the local administrator.   Exploit Files ≈ Packet Storm 


More To Explore