
PoC details: 3d8a509501973e4fc1f26afeedb320a6b5b59af1

Related vulnerability
Title: ZOHO ManageEngine ADManager Plus permission and access control vulnerability (CVE-2024-24409)
Description: ZOHO ManageEngine ADManager Plus is Microsoft Active Directory management software from ZOHO Corporation (US), designed for enterprise users of Windows domains. It helps AD administrators and help-desk technicians with routine tasks such as bulk management of user accounts and AD objects and assigning role-based access to help-desk technicians. ZOHO ManageEngine ADManager Plus versions before 7210 contain a permission and access control vulnerability stemming from an authorization flaw in the web application, which lets a technician user unexpectedly modify custom attributes of computer objects and thereby escalate privileges.
Description
ADManager Plus Build < 7210 Elevation of Privilege Vulnerability
Introduction
## ADManager Plus Build < 7210 Elevation of Privilege Vulnerability
## Description
`Modify Computers` is a predefined role in ADManager Plus for managing computers. A technician user who holds the `Modify Computers` privilege over a computer can change the `userAccountControl` and `msDS-AllowedToDelegateTo` attributes of that computer object. In this way, the technician user can set `Constrained Kerberos Delegation` on any computer within the Organizational Unit that was delegated to them.

Contrary to what ADManager claims, a user with the `Modify Computers` role can change the privileges of computer objects in Active Directory. `Constrained Kerberos Delegation` can be set for any service, such as CIFS, LDAP or HOST, after which the user can access those services by abusing the delegation. In addition, `Unconstrained Kerberos Delegation` can be set on computer objects by changing the `userAccountControl` attribute.

Normally, only users holding the `SeEnableDelegationPrivilege` privilege can set constrained Kerberos delegation, and by default only members of the `BUILTIN\Administrators` group have it. A user delegated control of an Organizational Unit cannot set constrained Kerberos delegation even with the `GenericAll` right over a computer account, because the delegation process in Active Directory does not grant this privilege. However, the technician user can use the `SeEnableDelegationPrivilege` right via the `Modify Computers` role.

## Vulnerability reasons
1. ADMP web app authorization issue: assigning the predefined `Modify Computers` role unexpectedly delegates to the technician user the ability to modify custom attributes of computers. Although the UI shows this privilege as not granted, the `Additional Custom Attribute` property is assigned, which leads to a broken access control vulnerability.
2. There is no restriction on editing the `userAccountControl` and `msDS-AllowedToDelegateTo` attributes of computer objects. By design, the ADMP application performs changes with domain admin privileges, so if some restrictions (e.g. the format of the attribute value) can be bypassed, our requests are applied with domain admin privileges. This way we can edit the `userAccountControl` and `msDS-AllowedToDelegateTo` attributes.

## Impact
A technician user can elevate privileges from `Domain User` to `Domain Admin`. For example, the user can set `Constrained Kerberos Delegation` on `CLIENT1$` for the `CIFS` service of the domain controller and then access that service. As a result, a user who was only delegated to manage `CLIENT1$` can unexpectedly access the `CIFS` service of the domain controller while impersonating another user.
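The outcome described above is visible in the directory itself: a workstation whose `msDS-AllowedToDelegateTo` names a domain controller service, or whose `userAccountControl` carries the unconstrained-delegation flag, is a change that should never come from a help-desk technician. As an added example (not code from the original advisory, from ADManager Plus or from the PoC repository), the following Python audit decodes the documented `userAccountControl` bit flags and inspects `msDS-AllowedToDelegateTo` over a constructed set of computer records, reporting delegation settings on machines that are neither domain controllers nor on a hypothetical allow-list. The account names, SPNs and the `APPROVED_DELEGATION` set are constructed assumptions; in production the records would come from an LDAP search of computer objects.

```python
"""Audit Active Directory computer objects for unexpected Kerberos delegation.

Added example; it is not part of the original advisory and not ADManager
Plus code. It decodes the userAccountControl bit flags and inspects
msDS-AllowedToDelegateTo, the two attributes the advisory says a technician
could edit. The records below are constructed stand-ins for LDAP results.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

# userAccountControl bit flags (documented values from the AD schema).
UAC_FLAGS: Dict[int, str] = {
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",               # set on domain controllers
    0x80000: "TRUSTED_FOR_DELEGATION",            # unconstrained delegation
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",  # constrained w/ protocol transition
}
UAC_SERVER_TRUST_ACCOUNT = 0x2000
UAC_TRUSTED_FOR_DELEGATION = 0x80000
UAC_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000


@dataclass
class ComputerRecord:
    """Subset of a computer object's attributes as an LDAP search would return them."""
    sam_account_name: str
    user_account_control: int
    allowed_to_delegate_to: List[str] = field(default_factory=list)  # msDS-AllowedToDelegateTo


@dataclass
class Finding:
    computer: str
    kind: str    # "unconstrained", "protocol-transition" or "constrained"
    detail: str


def decode_uac(value: int) -> List[str]:
    """Return the names of the known userAccountControl flags set in value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def audit_delegation(records: Iterable[ComputerRecord], approved: Set[str]) -> List[Finding]:
    """Flag delegation on computers that are neither domain controllers nor on the allow-list.

    Domain controllers carry TRUSTED_FOR_DELEGATION by default, so their
    unconstrained flag is expected; every other delegation setting must be
    covered by the allow-list (a hypothetical change-management record).
    """
    findings: List[Finding] = []
    for rec in records:
        if rec.sam_account_name in approved:
            continue
        uac = rec.user_account_control
        is_dc = bool(uac & UAC_SERVER_TRUST_ACCOUNT)
        if uac & UAC_TRUSTED_FOR_DELEGATION and not is_dc:
            findings.append(Finding(rec.sam_account_name, "unconstrained",
                                    "userAccountControl has TRUSTED_FOR_DELEGATION (0x80000)"))
        if uac & UAC_TRUSTED_TO_AUTH_FOR_DELEGATION:
            findings.append(Finding(rec.sam_account_name, "protocol-transition",
                                    "userAccountControl has TRUSTED_TO_AUTH_FOR_DELEGATION (0x1000000)"))
        for spn in rec.allowed_to_delegate_to:
            findings.append(Finding(rec.sam_account_name, "constrained",
                                    f"msDS-AllowedToDelegateTo contains {spn}"))
    return findings


# Constructed sample: a DC (unconstrained by default), an approved application
# server, and two workstations whose settings mirror the advisory's scenario.
SAMPLE_COMPUTERS = [
    ComputerRecord("DC01$", UAC_SERVER_TRUST_ACCOUNT | UAC_TRUSTED_FOR_DELEGATION),
    ComputerRecord("APP01$", 0x1000, ["MSSQLSvc/sql01.corp.example:1433"]),
    ComputerRecord("CLIENT1$", 0x1000, ["cifs/dc01.corp.example"]),
    ComputerRecord("CLIENT2$", 0x1000 | UAC_TRUSTED_FOR_DELEGATION),
    ComputerRecord("CLIENT3$", 0x1000),
]
APPROVED_DELEGATION = {"APP01$"}  # hypothetical allow-list of sanctioned delegation


def flagged_computers(records=SAMPLE_COMPUTERS, approved=APPROVED_DELEGATION) -> Set[str]:
    """Names of the computers that produced at least one finding."""
    return {f.computer for f in audit_delegation(records, approved)}


if __name__ == "__main__":
    for rec in SAMPLE_COMPUTERS:
        print(f"{rec.sam_account_name:10} flags={decode_uac(rec.user_account_control)}")
    for f in audit_delegation(SAMPLE_COMPUTERS, APPROVED_DELEGATION):
        print(f"ALERT {f.computer:10} {f.kind:20} {f.detail}")
```

Run periodically against the real computer objects, the audit surfaces exactly the two changes the advisory describes: a workstation gaining `msDS-AllowedToDelegateTo` entries and a workstation gaining the unconstrained-delegation bit. Domain controllers are excluded from the unconstrained check because they hold that flag by default, which is why the allow-list, not the flag alone, decides what counts as sanctioned.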

## PoC - 1
If a user has local admin rights on a computer and can manage this computer with the `Modify Computers` role in ADManager:

https://github.com/passtheticket/CVE-2024-24409/assets/76125965/e2e7accd-f66c-4ae3-981e-0b10e700e4ba


## PoC - 2
If a user can add a computer to Active Directory (MAQ, delegation) or obtain the NT hash of a computer account (hash dumping), and can manage this computer with the `Modify Computers` role:

https://github.com/passtheticket/CVE-2024-24409/assets/76125965/95de0d26-c144-485e-924d-714b8de2c15e

File snapshot

[4.0K] /data/pocs/3d8a509501973e4fc1f26afeedb320a6b5b59af1
└── [3.2K] README.md

0 directories, 1 file
Notes
    1. Accessing the PoC through its original source is recommended.
    2. If the source is unavailable or cannot be accessed, e-mail f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for or donating towards the local PoC. Thank you for your support.