Dangerous URL Redirection and CSRF in Zoho ManageEngine AD Manager Plus (CVE-2017-17552) (Updated)

Vendor: Zoho Corp.
Product: ManageEngine ADManager Plus
CVE ID: CVE-2017-17552
Discoverer: Douglas Weir (dbweir19_a_lavabit_com)
CVSS v3 Score: 6.5
CVSS v3 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Versions: Build 6590 – 6613 (earlier builds may also be affected).
Link: https://www.manageengine.com/products/ad-manager/
Product Description: ManageEngine ADManager Plus is a management and reporting solution for Windows Active Directory.

Summary:

Dangerous URL Redirection and Cross-site Request Forgery

Details:

Vulnerability: Dangerous URL Redirection
Impact: A remote unauthenticated attacker can use this flaw to present content from an arbitrary URL as though it originated from AD Manager Plus.
Details: The /LoadFrame resource in the AD Manager Plus web application takes a src parameter whose value is not validated. Using /LoadFrame, URLs of the kind shown below can be constructed:

hxxps://ad.manager.plus.domain/LoadFrame?src=hxxps://evil.url.otherdomain&frame_name=foo

When such a URL is clicked, the browser's address bar shows the expected AD Manager Plus address, but the content displayed is that served by hxxps://evil.url.otherdomain, loaded inside an IFRAME. The framed page runs in its own origin and so cannot read the application's cookies or DOM; the risk is content spoofing. An attacker could leverage this to expose malicious content (a fake login form, for instance) to end users while exploiting the trust imparted by a familiar address in the browser's address bar.

Vulnerability: Cross-site Request Forgery
Impact: A remote attacker can use this flaw to defeat the anti-CSRF protection in AD Manager Plus.
Details: The /LoadFrame resource in AD Manager Plus sends a POST request to the URL supplied in the src parameter and instructs the browser to load the response in an IFRAME. This request includes a POST parameter called adcsrf whose value is an anti-CSRF token created by the AD Manager Plus application. If the URL provided in the src parameter points back into the same AD Manager Plus application, a valid adcsrf token is therefore sent along with the request, and the anti-CSRF check passes. An attacker can use /LoadFrame as a token relay to defeat the application's anti-CSRF protection. An example of such an attack might be:

hxxps://ad.manager.plus.domain/LoadFrame?src=hxxps://ad.manager.plus.domain/someFunction.do&frame_name=foo

When an end user who is already authenticated to AD Manager Plus clicks on such a link, the application performs the specified action, because the request arrives with a valid CSRF token (supplied by the /LoadFrame wrapper) and is therefore treated as genuine. Note that the same-origin case is the dangerous one for CSRF: any validation of src that only rejects foreign hosts still leaves this relay intact.
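Both findings above come down to one unvalidated parameter, so the check a developer would add, and the scan a responder would run over access logs, can share a classifier. The following is an added example, not code from the advisory or from ManageEngine: it classifies a /LoadFrame src value as external (content spoofing), same-origin (token relay) or a bare path, accepts only allowlisted bare paths, and scans constructed access-log lines for anything else. The hostname ad.manager.plus.domain and the allowlisted paths /home.do and /reports.do are assumptions for illustration; the real application's framable pages are not known from the advisory.

```python
"""Added example (not the advisory's or the vendor's code): validation for the
/LoadFrame src parameter and a scan over constructed access-log lines."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

APP_HOST = "ad.manager.plus.domain"            # assumed, the advisory's placeholder host
FRAMEABLE_PATHS = {"/home.do", "/reports.do"}  # assumed allowlist of pages LoadFrame may wrap


def classify_src(src, app_host=APP_HOST):
    """Classify a LoadFrame src value the way the two findings divide it:
    'external'    -> another origin is framed under the application's address
    'same-origin' -> an absolute URL back into the app, i.e. the adcsrf token is relayed
    'relative'    -> a bare path; still relayed with the token, so it must be allowlisted
    """
    value = unquote(src).strip()       # decode once more to catch double-encoded values
    value = value.replace("\\", "/")   # browsers treat '\' like '/' in "/\evil.host"
    try:
        parts = urlsplit(value)
    except ValueError:                 # malformed authority, e.g. an unbalanced IPv6 bracket
        return "external"
    scheme = parts.scheme.lower()
    if scheme and scheme not in ("http", "https"):
        return "external"              # javascript:, data:, vbscript: and friends
    if scheme and not parts.netloc:
        return "external"              # browsers read "https:evil.host" as https://evil.host
    if parts.netloc:
        # parts.hostname drops userinfo and port, so "app@evil.host" resolves to evil.host
        return "same-origin" if (parts.hostname or "") == app_host.lower() else "external"
    return "relative"


def is_safe_frame_target(src, allowlist=FRAMEABLE_PATHS):
    """Hardened check: accept only a bare path that is on the allowlist.
    Rejecting absolute same-origin URLs closes the CSRF relay, not just the spoofing."""
    if classify_src(src) != "relative":
        return False
    path = urlsplit(unquote(src).strip().replace("\\", "/")).path
    return path in allowlist


LOG_REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def scan_access_log(lines, app_host=APP_HOST):
    """Return (line_no, verdict, src) for each /LoadFrame request whose src is not an
    allowlisted path, for hunting attempts against unpatched builds."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_REQUEST.search(line)
        if not m:
            continue
        req = urlsplit(m.group(1))
        if req.path != "/LoadFrame":
            continue
        for src in parse_qs(req.query).get("src", []):   # parse_qs percent-decodes once
            if not is_safe_frame_target(src):
                findings.append((n, classify_src(src, app_host), src))
    return findings


# Constructed sample lines in common log format; not captured from a real server.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Feb/2018:10:00:01 +0000] "GET /LoadFrame?src=%2Fhome.do&frame_name=foo HTTP/1.1" 200 512',
    '10.0.0.5 - - [06/Feb/2018:10:00:02 +0000] "GET /LoadFrame?src=https%3A%2F%2Fevil.url.otherdomain&frame_name=foo HTTP/1.1" 200 512',
    '10.0.0.5 - - [06/Feb/2018:10:00:03 +0000] "GET /LoadFrame?src=https%3A%2F%2Fad.manager.plus.domain%2FsomeFunction.do&frame_name=foo HTTP/1.1" 200 512',
    '10.0.0.5 - - [06/Feb/2018:10:00:04 +0000] "GET /LoadFrame?src=%2F%5Cevil.url.otherdomain&frame_name=foo HTTP/1.1" 200 512',
    '10.0.0.5 - - [06/Feb/2018:10:00:05 +0000] "GET /home.do HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for n, verdict, src in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: {verdict:11s} src={src}")
```

Line 1 of the sample is the only /LoadFrame request that passes; lines 2 and 4 are the framing case (the second using the backslash form that browsers normalise to a protocol-relative URL), and line 3 is the same-origin relay from the second finding. The classifier decodes the value a second time on purpose so that a double-encoded src is caught as well; if that is too aggressive for a given log pipeline, drop the unquote call and feed it raw query values instead.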

Remediation

Zoho Corp has provided a patch for AD Manager Plus build 6610 only.  The installation instructions are found below.

NOTE: Please note that this patch is developed for the latest version(Build.No.6610) of ADManager Plus.
 
Kindly upgrade your ADManager Plus from the link given below. 
 
Note 1 : Please ensure that you have a folder backup of ADManager Plus before you proceed  
 
Note 2 : Strictly follow the steps provided in the service pack link to apply the service pack.
 
Follow these steps to apply the patch:
1. Stop ADManager Plus (Start -> Programs -> ADManager Plus -> Stop ADManager Plus).
If you are running the product as a service, go to “services.msc” -> stop the ManageEngine ADManager Plus service.
 
2. Take a backup of the following files:
  • “Security.xml” by renaming it as “security.xml_bak”, which is located in “<Installation directory>\ManageEngine\ADManager Plus\webapps\adsm\WEB-INF\security”.
  • “Web.xml” by renaming it as “Web.xml_bak”, which is located in “<Installation directory>\ManageEngine\ADManager Plus\webapps\adsm\WEB-INF\”.
  • “AdventNetADSMJspClient.jar” by renaming it as “AdventNetADSMJspClient.jar_bak”, which is located in “<Installation directory>\ManageEngine\ADManager Plus\webapps\adsm\WEB-INF\lib”.
3. Extract and save the following files from the downloaded patch:
  • “Security.xml” to “<Installation directory>\ManageEngine\ADManager Plus\webapps\adsm\WEB-INF\security”.
  • “Web.xml” to “<Installation directory>\ManageEngine\ADManager Plus\webapps\adsm\WEB-INF\”.
  • “AdventNetADSMJspClient.jar” to “<Installation directory>\ManageEngine\ADManager Plus\webapps\adsm\WEB-INF\lib”.
4. Start the product and check whether the issue has been resolved.

The effectiveness of this patch has not been tested.

At the time of writing, the current version of AD Manager Plus is build 6613. No patch is available for this version or for any other version, apart from the build 6610 patch described above.

[Update 2018/02/14] Zoho Corp has announced that a permanent fix for this vulnerability has been included in ADManager Plus build 6620.

https://www.manageengine.com/products/ad-manager/release-notes.html

Disclosure Timeline

  • 2017/11/01 – Vulnerability discovered.
  • 2017/11/01 – Contacted the vendor regarding this vulnerability.
  • 2017/11/01 – Vendor contacted me to acknowledge notification.
  • 2017/11/15 – Vendor provided me with some investigation feedback.
  • 2017/11/21 – Vendor provided me with some investigation feedback.
  • 2017/11/28 – Vendor provided me with some investigation feedback.
  • 2017/12/11 – Vendor provided a patch for build 6610.
  • 2017/12/11 – Contacted the vendor with follow-up questions.
  • 2017/12/11 – Vendor provided specific details on the timeline for a permanent fix.
  • 2017/12/13 – Contacted the vendor and provided them with reserved CVE ID.
  • 2017/12/18 – The vendor withdrew the timeline for a permanent fix.
  • 2018/02/06 – Published vulnerability in this post.
  • 2018/02/14 – Vendor provided information that this vulnerability is fixed in build 6620 (https://www.manageengine.com/products/ad-manager/release-notes.html).
