From Insecure File Share to Domain Administrator
Authored By: Joseph Choi
Introduction
In a recent internal penetration test performed for one of our clients, we were able to compromise their network by chaining vulnerabilities together that allowed us to acquire domain administrator credentials. The initial vulnerability was an insecure file share, which we find quite often on internal networks. This led to the discovery of ManageEngine application files that could be abused to compromise the ManageEngine ServiceDesk Plus application. This blog demonstrates how a security misconfiguration such as an insecure file share can result in complete network compromise.
Exploitation Path
During our internal penetration test, we initially discovered a standard user account that had an easily guessable password. With this user account, we ran a tool called Snaffler (https://github.com/SnaffCon/Snaffler), which searches for file shares that a user has access to and enumerates their contents for files with interesting keywords or file extensions, such as “password” or “*.conf.”
Going through the Snaffler results, we discovered that a server running ManageEngine’s ServiceDesk Plus application had the installation directory exposed as a file share and accessible to all domain users. ServiceDesk Plus is a help desk and asset management software, so we thought there might be interesting/sensitive information in its installation directory. After enumerating the directory, we found an interesting file called “UploadFromDB.bat.”
This batch file is used to upload data from local databases and other applications into Zoho Analytics. The batch file referenced a configuration file called database_connection_params.conf, which contained the local database connection parameters (database type, machine name, port, username, password, etc.). However, the password was encrypted.
In order for ManageEngine tools to connect to the database, they had to decrypt the password, so we started looking in the library (lib) directory within the file share for a Java Archive (JAR) file that the upload tool might use. During our search we found a JAR file called ZohoReportUploadTool.jar that seemed like a good candidate for needing the ability to connect to the SQL database. Using a Java decompiler called JD-GUI (http://java-decompiler.github.io/), we were able to find the AES secret key used to encrypt the password within the ZohoReportUploadDataFromDB.class Java class.
Using an AES encryption/decryption tool, we were able to decrypt the database password and use the SQL credentials to gain access to a database called ServiceDeskPlusEnt on a Microsoft SQL Server.
After doing more research on the ServiceDesk Plus application, we found an article on how to reset the administrator password from the SQL database (https://pitstop.manageengine.com/portal/en/kb/articles/how-to-reset-administrator-password-in-servicedesk-plus). Following the instructions and using the SQL command below, we were able to reset the administrator password to “admin” and gain access to the application. Note that the credentials are encrypted within the database using native Symmetric Key functionality.
OPEN SYMMETRIC KEY ZOHO_SYMM_KEY DECRYPTION BY CERTIFICATE ZOHO_CERT;
UPDATE AaaPassword
SET password = '$2a$12$fZUC9IK8E/AwtCxMKnCfiu830qUyYB/JRhWpi2k1vgWLC6iLFAgxa',
    SALT = EncryptByKey(Key_GUID('ZOHO_SYMM_KEY'), N'$2a$12$fZUC9IK8E/AwtCxMKnCfiu'),
    algorithm = 'bcrypt'
WHERE password_id IN (
    SELECT ap.password_id
    FROM aaaaccpassword ap
    LEFT JOIN aaaaccount ac ON ac.account_id = ap.account_id
    LEFT JOIN aaalogin al ON al.login_id = ac.login_id
    WHERE al.login_id = Login_ID
);
CLOSE SYMMETRIC KEY ZOHO_SYMM_KEY;
Once logged in, we looked around the application to find any functionality that could be used to elevate our privileges and we came across a page called Credentials Library.
According to ManageEngine, Credentials Library stores various user account credentials the application can use for monitoring or scanning assets like workstations, servers, printers, etc. Within the Credentials Library we found an entry for a domain administrator account. Since we already had access to the SQL database, we decided to extract all of the stored credentials. Using the native Symmetric Key functionality within SQL, it was possible to decrypt the domain administrator’s password from the database.
Conclusion
By chaining vulnerabilities together, we were able to obtain domain administrator access. This exploitation path could’ve been thwarted by the following:
- Enforcing a stronger password policy for end users and training the end users on password best practices for choosing strong passphrases.
- Configuring the necessary file share permissions to restrict access to sensitive information to only those that need access.
- Restricting access to the ManageEngine SQL service to localhost or to specific IP addresses that need access to query the database.
- Not utilizing Domain Administrator accounts for applications. Service accounts should have the minimum privileges necessary for their role. Carefully guard Domain Administrator accounts.
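The following PowerShell script is an added example, not part of the original post or of any ManageEngine tooling: it audits a file server's SMB shares for grants to broad principals and lists sensitive-looking files beneath them, which is the defender's counterpart to the share enumeration described above. The principal list and file-name patterns are assumptions to adjust for your environment.

```powershell
# Added example (not from the original post): audit this server's SMB shares for
# access grants to broad principals and list sensitive-looking files under them.
# Assumes Windows PowerShell 5.1+ with the built-in SmbShare module.

# Principals that effectively mean "every domain user" (constructed list; adjust for your domain).
$BroadPrincipals = @('Everyone', 'Authenticated Users', 'Domain Users', 'Users')

# Name patterns and keywords that share-crawling tools flag (constructed sample).
$SensitivePatterns = @('*.conf', '*.config', '*.bat', '*.properties', '*.xml')
$SensitiveKeywords = @('password', 'passwd', 'secret', 'connection')

function Test-BroadPrincipal {
    param([string]$AccountName)
    # Drop the 'DOMAIN\' or 'NT AUTHORITY\' prefix so 'CORP\Domain Users' matches 'Domain Users'.
    $short = ($AccountName -split '\\')[-1]
    return [bool]($BroadPrincipals -contains $short)
}

function Get-BroadShareAccess {
    # One record per Allow ACE on a non-administrative share that names a broad principal.
    foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
        foreach ($ace in (Get-SmbShareAccess -Name $share.Name)) {
            if ($ace.AccessControlType -eq 'Allow' -and (Test-BroadPrincipal $ace.AccountName)) {
                [pscustomobject]@{
                    Share       = $share.Name
                    Path        = $share.Path
                    Principal   = $ace.AccountName
                    AccessRight = $ace.AccessRight
                }
            }
        }
    }
}

function Find-SensitiveFiles {
    param([string]$Path)
    # Files whose name matches a sensitive pattern or contains a sensitive keyword.
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue | Where-Object {
        $name = $_.Name
        ($SensitivePatterns | Where-Object { $name -like $_ }) -or
        ($SensitiveKeywords  | Where-Object { $name -match $_ })
    } | Select-Object FullName, Length, LastWriteTime
}

# Report: which shares every domain user can read, and what sensitive files they expose.
$findings = @(Get-BroadShareAccess)
$findings | Format-Table -AutoSize
foreach ($f in $findings) {
    Write-Host "Sensitive files under \\$env:COMPUTERNAME\$($f.Share) ($($f.Path)):"
    Find-SensitiveFiles -Path $f.Path | Format-Table -AutoSize
}
```

Run it on the application server itself; an application installation directory appearing in the report with a broad principal is exactly the condition that started the chain above.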
Defense in depth and regularly assessing the security posture of your network by performing vulnerability assessments/penetration tests should be an integral part of your defensive strategy.