ManageEngine AppManager15 (Build No:15510) - DLL Hijacking
Summary
| Name | ManageEngine AppManager15 (Build No:15510) - DLL Hijacking |
| Code name | |
| Product | ManageEngine |
| Affected versions | AppManager15 (Build No:15510) |
| Fixed Versions | AppManager15 (Build No:15520) |
| State | Public |
| Release date | 2022-02-09 |
Vulnerability
| Kind | DLL Hijacking |
| Rule | |
| Remote | Yes |
| CVSSv3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| CVSSv3.1 Base Score | 9.1 |
| Exploit available | No |
| CVE ID(s) |
Description
ManageEngine AppManager15 (Build No:15510) allows an authenticated admin user to upload a DLL file to perform a DLL hijack attack inside the working folder through the Upload Files / Binaries functionality.
Proof of Concept
Steps to reproduce
-
Log in as an admin user.
-
Go to
Settings. -
Go to the
Toolssection and click onUpload Files / Binaries. -
Select the
Upload Script to <Product_Home>/working/option. -
Create a malicious DLL with one of the following names
MSASN1.dll WTSAPI32.dll CRYPTSP.dll CRYPTBASE.dll -
Upload the file.
-
Go to
Shutdown / Restart Serviceand click onRestart -
Wait for the service to restart in order to load the DLL file.
System Information
- Version: ManageEngine AppManager15 (Build No:15510).
- Operating System: Windows 10.0.19042 N/A Build 19042.
Exploit
There is no exploit for the vulnerability but can be manually exploited.
Mitigation
An updated version of ManageEngine is available at the vendor page.
Credits
The vulnerability was discovered by Andrés Roldán and Oscar Uribe from the Offensive Team of Fluid Attacks.
References
Timeline
2022-02-03
Vulnerability discovered.
2022-02-03
Vendor contacted.
2022-02-04
Vendor replied acknowledging the report.
2022-02-08
Vendor Confirmed the vulnerability.
2022-05-19
Vulnerability patched.
2022-05-20
Public Disclosure.
