Zoho ManageEngine Password Manager Pro before 12101 and PAM360 before 5510 are vulnerable to unauthenticated remote code execution. (This also affects ManageEngine Access Manager Plus before 4303 with authentication.)
**Recent assessments:**
**gwillcox-r7** at October 25, 2022 5:15pm UTC reported:
This was an interesting vulnerability first found by Vinicius, and which then had a nice writeup on how to exploit it published by Y4er at . It was subsequently patched by Zoho and the patch can be found at , whilst the advisory can be found at .
By sending an XML-RPC serialized message via a POST request to the `/xmlrpc` endpoint as an unauthenticated user, the specs of which can be found at , it is possible to gain RCE as the `SYSTEM` user that Zoho Password Manager runs as. Note that the name of the method being called does not have to be valid, and the name of the parameter passed to that method also does not have to be valid. All that matters is that the value of the parameter is marked as a serializable object that is Base64 encoded. This can be seen in the Metasploit module at
Additionally, since the target will also respond with `Failed to read result object: null` if you send the endpoint an empty string and it's vulnerable to deserialization attacks, it makes it really easy to put together a full exploit for this vulnerability that not only can check if the target is vulnerable but can also reliably exploit it. The last step was to use the CommonsBeanutils1 deserialization chain and then supply the command we want to execute and boom, we can go from an unauthenticated user to SYSTEM remotely and without authentication.
Now what are the implications of this? Well it depends on the product. In the case of ManageEngine Access Manager Plus you need authentication to exploit this issue which may negate some of the risk, however one still needs to consider that successful exploitation will result in high privileged user access. However with Zoho ManageEngine Password Manager Pro and PAM360, no authentication is needed yet you will still get very high privileged user access.
Secondly one needs to consider the position of where these products will be placed in the network. Zoho ManageEngine Password Manager Pro will likely be internally facing as there is likely not a need to make it externally accessible, or if it is it will be accessible via a VPN. On the other hand ManageEngine Access Manager Plus and PAM360 are access management solutions so it is feasible, particularly in the world of remote work that we live in today, that these solutions would be accessible over the internet.
In the worst-case scenario this would mean an unauthenticated attacker could potentially connect to a target server remotely over the internet, and with no authentication get SYSTEM level access on that server, which will also be controlling sensitive operations via access management controls, or will be holding user's passwords, which could then be used to gain further access into the target network.
More realistically though is the scenario that these are internally facing and an internal attacker uses this vulnerability to gain control over access management software to avoid detection or grant themselves access to sensitive resources, or steals passwords to gain further access into the target network.
In either case the risk of this vulnerability is quite high and given the incredibly easy exploitation of this issue combined with known exploited in the wild activity, this should be patched as soon as possible and you should investigate your servers for any suspicious activity if you haven't patched already.
Assessed Attacker Value: 5
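As an added illustration for defenders, not part of the assessment above or of the Metasploit module: a small Python check that flags XML-RPC request bodies posted to `/xmlrpc` whose `<base64>` parameter decodes to a Java serialization stream (the stream header bytes `AC ED 00 05`), which is the shape of request the assessment describes. The request tuples, source IPs and the serialized bytes are constructed sample data; the `flag_requests` and `xmlrpc_has_serialized_param` names are this example's own.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Header of every Java serialized object stream (STREAM_MAGIC + STREAM_VERSION).
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"

def xmlrpc_has_serialized_param(body: str) -> bool:
    """True if any <base64> value in an XML-RPC methodCall body decodes to a
    Java serialization stream. Malformed XML or base64 is treated as no hit.
    (For production use on untrusted input, parse with defusedxml instead.)"""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False
    if root.tag != "methodCall":
        return False
    for node in root.iter("base64"):
        text = re.sub(r"\s+", "", node.text or "")
        try:
            raw = base64.b64decode(text, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if raw.startswith(JAVA_SERIAL_MAGIC):
            return True
    return False

def flag_requests(requests):
    """requests: iterable of (src_ip, path, body) for POST requests.
    Returns the source IPs that sent a Java-serialized <base64> param to /xmlrpc."""
    hits = []
    for src, path, body in requests:
        if path.split("?", 1)[0] == "/xmlrpc" and xmlrpc_has_serialized_param(body):
            hits.append(src)
    return hits

def _call(method: str, value_xml: str) -> str:
    """Build a minimal XML-RPC methodCall body (constructed test helper)."""
    return (f"<methodCall><methodName>{method}</methodName><params><param>"
            f"<value>{value_xml}</value></param></params></methodCall>")

# Constructed sample traffic: a benign string call, a benign base64 blob,
# and a base64 value carrying a Java stream header followed by filler bytes.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "/xmlrpc", _call("ping", "<string>hi</string>")),
    ("10.0.0.6", "/xmlrpc", _call("anything", "<base64>%s</base64>"
                                  % base64.b64encode(b"just text").decode())),
    ("10.0.0.7", "/xmlrpc", _call("anything", "<base64>%s</base64>"
                                  % base64.b64encode(JAVA_SERIAL_MAGIC + b"constructed").decode())),
    ("10.0.0.8", "/other", _call("ping", "<string>hi</string>")),
]

if __name__ == "__main__":
    print(flag_requests(SAMPLE_REQUESTS))  # → ['10.0.0.7']
```

A real deployment would feed this from a reverse proxy or WAF that logs request bodies, and would also alert on the `Failed to read result object: null` response the assessment mentions, since that is the probe signature.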