CVE-2021-20110

Severity Score

9.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Because Manage Engine Asset Explorer Agent 1.0.34 does not validate HTTPS certificates, an attacker on the network can statically configure their IP address to match the Asset Explorer server's IP address. This lets the attacker send a NEWSCAN request to a listening agent on the network and receive the agent's HTTP request that verifies its authtoken. In httphandler.cpp, the agent's outbound HTTP handling is vulnerable to an integer overflow that can be turned into a heap overflow, allowing remote code execution as NT AUTHORITY\SYSTEM on the agent machine. The integer overflow occurs when the agent receives the response to its POST from the (impersonated) Manage Engine server: it calls "HttpQueryInfoW" to read the "Content-Length" of the incoming response, then multiplies that size by a larger factor. If the attacker specifies a Content-Length of 1073741823 (0x3FFFFFFF) or larger, the 32-bit integer arithmetic wraps the value around to a smaller integer, and the agent calls "calloc" with this wrapped size. The following "InternetReadFile" call then copies the response body into a buffer that is too small for it, causing a heap overflow.
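The size arithmetic the description refers to, modelled as an added C example (this is not the agent's code and is not taken from the advisory). The advisory only says the Content-Length is "multiplied to a larger amount" and that 1073741823 is the smallest value that wraps; the expression (len + 1) * 4 reproduces exactly that threshold in 32-bit unsigned arithmetic and is used here as an assumed stand-in. The function names, the header parser standing in for HttpQueryInfoW, and the constructed response headers are all hypothetical; the program shows the wrapped calloc size beside an overflow-checked version that rejects the response instead.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ASSUMPTION: the advisory only says the Content-Length is "multiplied to a
 * larger amount" and that 1073741823 (0x3FFFFFFF) is the smallest value that
 * wraps. (len + 1) * 4 reproduces exactly that threshold in 32-bit unsigned
 * arithmetic, so it stands in for the agent's real expression here. */
#define ASSUMED_FACTOR 4u

/* Vulnerable pattern (modelled, not the agent's code): scale the header value
 * in 32-bit arithmetic with no overflow check, then hand the result to calloc. */
uint32_t alloc_size_vulnerable(uint32_t content_length)
{
    return (content_length + 1u) * ASSUMED_FACTOR; /* silently wraps past 2^32 */
}

/* Hardened version: return 0 (never a valid size here) if either the +1 or
 * the multiply would wrap, so the caller can reject the response. */
uint32_t alloc_size_checked(uint32_t content_length)
{
    uint32_t plus_one = content_length + 1u;
    if (plus_one == 0u)                         return 0u; /* +1 wrapped      */
    if (plus_one > UINT32_MAX / ASSUMED_FACTOR) return 0u; /* *4 would wrap   */
    return plus_one * ASSUMED_FACTOR;
}

/* The condition that turns the integer wrap into a heap overflow: the buffer
 * calloc'd from the wrapped size is smaller than the body InternetReadFile
 * will stream into it. */
bool heap_overflow_possible(uint32_t content_length)
{
    return alloc_size_vulnerable(content_length) < content_length;
}

/* Minimal stand-in for the HttpQueryInfoW(HTTP_QUERY_CONTENT_LENGTH) step:
 * pull the decimal Content-Length out of a raw header block. Returns -1 if the
 * header is missing, malformed, or does not fit in 32 bits (a hostile server
 * controls this value entirely). */
long long parse_content_length(const char *headers)
{
    const char *p = strstr(headers, "Content-Length:");
    if (p == NULL) return -1;
    p += strlen("Content-Length:");
    while (*p == ' ' || *p == '\t') p++;
    if (*p < '0' || *p > '9') return -1;
    uint64_t v = 0;
    for (; *p >= '0' && *p <= '9'; p++) {
        v = v * 10u + (uint64_t)(*p - '0');
        if (v > UINT32_MAX) return -1;          /* reject before any wrap */
    }
    return (long long)v;
}

int main(void)
{
    /* Constructed response headers, as a host impersonating the Asset Explorer
     * server's IP might send them; not captured traffic. */
    const char *benign    = "HTTP/1.1 200 OK\r\nContent-Length: 512\r\n\r\n";
    const char *malicious = "HTTP/1.1 200 OK\r\nContent-Length: 1073741823\r\n\r\n";
    const char *hdrs[2] = { benign, malicious };

    for (int i = 0; i < 2; i++) {
        long long cl = parse_content_length(hdrs[i]);
        if (cl < 0) { printf("reject: bad Content-Length\n"); continue; }
        uint32_t len = (uint32_t)cl;
        printf("Content-Length %u -> vulnerable calloc size %u (%s), checked size %u\n",
               len, alloc_size_vulnerable(len),
               heap_overflow_possible(len) ? "heap overflow" : "ok",
               alloc_size_checked(len));
    }
    return 0;
}
```

For the benign header the two size functions agree; for 1073741823 the vulnerable expression wraps to 0, so calloc returns a tiny allocation while the checked version returns 0 and the caller can drop the connection. Note that the header parser enforces a 32-bit bound itself, because a server can send any digit string it likes and the wrap can just as easily occur in the conversion step as in the later multiply.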


*Credits: N/A
CVSS Scores
CVSS v3.1 (base score 9.8)
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
CVSS v2.0
Attack Vector: Network
Attack Complexity: Low
Authentication: None
Confidentiality: Complete
Integrity: Complete
Availability: Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2020-12-17 CVE Reserved
  • 2021-07-19 CVE Published
  • 2024-08-03 CVE Updated
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-190: Integer Overflow or Wraparound
CAPEC
References (1)
URL Date SRC
Affected Vendors, Products, and Versions
Vendor: Zohocorp
Product: Manageengine Assetexplorer
Version: 1.0.34
Other: -
Status: Affected