ManageEngine AppManager15 (Build No:15510) - DLL Hijacking

Summary

NameManageEngine AppManager15 (Build No:15510) - DLL Hijacking
Code nameCerati
ProductManageEngine
Affected versionsAppManager15 (Build No:15510)
Fixed versionsAppManager15 (Build No:15520)
StatePublic

Vulnerability

KindDLL Hijacking
Rule413. Insecure file upload - DLL Injection
RemoteYes
CVSSv3 VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVSSv3 Base Score9.1
Exploit availableNo
CVE ID(s)CVE-2022-23050

Description

ManageEngine AppManager15 (Build No:15510) allows an authenticated admin user to upload a DLL file to perform a DLL hijack attack inside the working folder through the Upload Files / Binaries functionality.

Proof of Concept

Steps to reproduce

  1. Log in as an admin user.

  2. Go to Settings.

  3. Go to the Tools section and click on Upload Files / Binaries.

  4. Select the Upload Script to <Product_Home>/working/ option.

  5. Create a malicious DLL with one of the following names

    MSASN1.dll
    WTSAPI32.dll
    CRYPTSP.dll
    CRYPTBASE.dll
    
  6. Upload the file.

  7. Go to Shutdown / Restart Service and click on Restart

  8. Wait for the service to restart in order to load the DLL file.

System Information

  • Version: ManageEngine AppManager15 (Build No:15510).
  • Operating System: Windows 10.0.19042 N/A Build 19042.

Exploit

There is no exploit for the vulnerability but can be manually exploited.

Mitigation

An updated version of ManageEngine is available at the vendor page.

Credits

The vulnerability was discovered by Andrés Roldán and Oscar Uribe from the Offensive Team of Fluid Attacks.

References

Vendor pagehttps://www.manageengine.com/
Release noteshttps://www.manageengine.com/products/applications_manager/release-notes.html
Latest versionhttps://www.manageengine.com/products/applications_manager/download.html

Timeline

Time-lapse-logo

2022-02-03

Vulnerability discovered.

Time-lapse-logo

2022-02-03

Vendor contacted.

Time-lapse-logo

2022-02-04

Vendor replied acknowledging the report.

Time-lapse-logo

2022-02-08

Vendor Confirmed the vulnerability.

Time-lapse-logo

2022-05-19

Vulnerability patched.

Time-lapse-logo

2022-05-20

Public Disclosure.