CVE-2021-33055

Name

Unauthenticated and authenticated RCE via PowerShell injection - system locale dependant

CVSS score

8.1 (High)

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Product name

ManageEngine ADSelfService Plus

Confirmed exploitable versions

< 6105

Researcher

Krzysztof Andrusiak and Marcin Ogorzelski

Blog posts

PowerShell script, Unicode quotes and ウィンドウズ - a story of uncommon command injection

Description

In some cases user password change is done using PowerShell script. User credentials inserted into such script are not properly sanitized, leading to PowerShell script injection and remote code execution. This vulnerability is exploitable only when ADSSP is installed on certain versions of Windows (system language/locale dependant).

Proof-of-concept

Download CVE-2021-33055.py and modify the following values in the script:
URL - ADSSP address (running on Japanese Windows)
DOMAIN - Active Directory domain configured in ADSSP
CMD - command to be executed on the ADSSP server
Execute CVE-2021-33055.py script (using Python 3 interpreter).
Command defined in CMD variable will be executed on ADSSP server.

Timeline

07-05-2021 - Vulnerability reported to vendor
07-05-2021 - First response from vendor
18-05-2021 - Patch for retest received from vendor
26-05-2021 - Fixed version release
30-08-2021 - Public disclosure

References

https://www.manageengine.com/products/self-service-password/release-notes.html
https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6104-released
https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2021-33055