CVE-2020-11552
ManageEngine ADSelfService Plus 6000 Remote Code Execution
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
4Exploited in Wild
-Decision
Descriptions
An elevation of privilege vulnerability exists in ManageEngine ADSelfService Plus before build 6003 because it does not properly enforce user privileges associated with a Certificate dialog. This vulnerability could allow an unauthenticated attacker to escalate privileges on a Windows host. An attacker does not require any privilege on the target system in order to exploit this vulnerability. One option is the self-service option on the Windows login screen. Upon selecting this option, the thick-client software is launched, which connects to a remote ADSelfService Plus server to facilitate self-service operations. An unauthenticated attacker having physical access to the host could trigger a security alert by supplying a self-signed SSL certificate to the client. The View Certificate option from the security alert allows an attacker to export a displayed certificate to a file. This can further cascade to a dialog that can open Explorer as SYSTEM. By navigating from Explorer to \windows\system32, cmd.exe can be launched as a SYSTEM.
Se presenta una vulnerabilidad de elevación de privilegios en ManageEngine ADSelfService Plus antes del build 6003, porque no aplica apropiadamente los privilegios de usuario asociados con un cuadro de diálogo del Certificado. Esta vulnerabilidad podría permitir a un atacante no autenticado escalar privilegios sobre un host de Windows. Un atacante no requiere ningún privilegio en el sistema de destino para explotar esta vulnerabilidad. Una opción es la opción de autoservicio en la pantalla de inicio de sesión de Windows. Al seleccionar esta opción, se inicia el software thick-client, que se conecta a un servidor ADSelfService Plus remoto para facilitar las operaciones de autoservicio. Un atacante no autenticado que tenga acceso físico al host podría activar una alerta de seguridad al suministrar un certificado SSL autofirmado al cliente. La opción View Certificate de la alerta de seguridad permite a un atacante exportar un certificado desplegado hacia un archivo. Esto puede convertirse en cascada en un cuadro de diálogo que puede abrir Explorer como SYSTEM. Al navegar desde Explorer en \windows\ system32, el archivo cmd.exe puede ser iniciado como un SYSTEM
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-04-05 CVE Reserved
- 2020-08-10 CVE Published
- 2024-07-18 EPSS Updated
- 2024-08-04 CVE Updated
- 2024-08-04 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-269: Improper Privilege Management
CAPEC
References (6)
URL | Tag | Source |
---|
URL | Date | SRC |
---|---|---|
http://packetstormsecurity.com/files/158820/ManageEngine-ADSelfService-Plus-6000-Remote-Code-Execution.html | 2024-08-04 | |
http://seclists.org/fulldisclosure/2020/Aug/4 | 2024-08-04 | |
http://seclists.org/fulldisclosure/2020/Aug/6 | 2024-08-04 | |
https://www.exploit-db.com/exploits/48739 | 2024-08-04 |
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6003-release-faceid-support | 2020-08-13 | |
https://www.manageengine.com | 2020-08-13 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Zohocorp Search vendor "Zohocorp" | Manageengine Adselfservice Plus Search vendor "Zohocorp" for product "Manageengine Adselfservice Plus" | <= 5.8 Search vendor "Zohocorp" for product "Manageengine Adselfservice Plus" and version " <= 5.8" | - |
Affected
| ||||||
Zohocorp Search vendor "Zohocorp" | Manageengine Adselfservice Plus Search vendor "Zohocorp" for product "Manageengine Adselfservice Plus" | 6.0 Search vendor "Zohocorp" for product "Manageengine Adselfservice Plus" and version "6.0" | - |
Affected
| ||||||
Zohocorp Search vendor "Zohocorp" | Manageengine Adselfservice Plus Search vendor "Zohocorp" for product "Manageengine Adselfservice Plus" | 6.0 Search vendor "Zohocorp" for product "Manageengine Adselfservice Plus" and version "6.0" | 6000 |
Affected
| ||||||
Zohocorp Search vendor "Zohocorp" | Manageengine Adselfservice Plus Search vendor "Zohocorp" for product "Manageengine Adselfservice Plus" | 6.0 Search vendor "Zohocorp" for product "Manageengine Adselfservice Plus" and version "6.0" | 6001 |
Affected
| ||||||
Zohocorp Search vendor "Zohocorp" | Manageengine Adselfservice Plus Search vendor "Zohocorp" for product "Manageengine Adselfservice Plus" | 6.0 Search vendor "Zohocorp" for product "Manageengine Adselfservice Plus" and version "6.0" | 6002 |
Affected
|