Unauthenticated and authenticated RCE via PowerShell injection - system locale dependent
ManageEngine ADSelfService Plus
Krzysztof Andrusiak and Marcin Ogorzelski
In some configurations the user password change is performed by a PowerShell script. User-supplied credentials inserted into that script are not properly sanitized, leading to PowerShell script injection and remote code execution on the ADSSP server. This vulnerability is exploitable only when ADSSP is installed on certain versions of Windows (system language/locale dependent).
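The injection pattern described above, as an added Python example that is not part of this advisory or of ADSSP's code: a hypothetical credential-reset command built by string interpolation, the quote-doubling fix for single-quoted PowerShell literals, the preferred fix of passing the values through the process environment instead of script text, and a small literal parser a unit test can use to confirm that a user value never leaves its literal. The cmdlet line and the environment variable names are assumptions.

```python
from typing import Dict, List, Tuple

# Hypothetical shape of the vulnerable pattern (not ADSSP's real code): the
# user-supplied account name and password are spliced into PowerShell script
# text, so a single quote in either value ends the literal early.
def build_script_unsafe(user: str, password: str) -> str:
    return (f"Set-ADAccountPassword -Identity '{user}' -Reset "
            f"-NewPassword (ConvertTo-SecureString '{password}' -AsPlainText -Force)")

def escape_ps_single_quoted(value: str) -> str:
    """Double each quote: single-quoted PowerShell strings expand no variables
    or subexpressions, so the closing quote is the only way out of the literal."""
    return value.replace("'", "''")

def build_script_escaped(user: str, password: str) -> str:
    return build_script_unsafe(escape_ps_single_quoted(user),
                               escape_ps_single_quoted(password))

def build_invocation_safe(user: str, password: str) -> Tuple[List[str], Dict[str, str]]:
    """Preferred fix: keep credentials out of the script text. The script reads
    them from environment variables (names assumed here) passed to the child
    process, so PowerShell never parses user input as code."""
    script = ("Set-ADAccountPassword -Identity $env:ADSSP_USER -Reset "
              "-NewPassword (ConvertTo-SecureString $env:ADSSP_NEW_PW "
              "-AsPlainText -Force)")
    argv = ["powershell.exe", "-NoProfile", "-NonInteractive", "-Command", script]
    return argv, {"ADSSP_USER": user, "ADSSP_NEW_PW": password}

def ps_single_quoted_literals(script: str) -> List[str]:
    """Recover the single-quoted literals PowerShell would see (handling the ''
    escape), so a test can assert each user value comes back as one literal."""
    out, i, n = [], 0, len(script)
    while i < n:
        if script[i] != "'":
            i += 1
            continue
        i, buf = i + 1, []
        while i < n:
            if script[i] == "'":
                if i + 1 < n and script[i + 1] == "'":
                    buf.append("'")
                    i += 2
                    continue
                break
            buf.append(script[i])
            i += 1
        out.append("".join(buf))
        i += 1  # step over the closing quote
    return out
```

A legitimate password containing an apostrophe is enough to show the difference: the unsafe builder splits it into several literals, the escaped builder keeps it whole, and the environment-based invocation never places it in the script at all.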
- Download CVE-2021-33055.py and modify the following values in the script:
  - URL - ADSSP address (running on Japanese Windows)
  - DOMAIN - Active Directory domain configured in ADSSP
  - CMD - command to be executed on the ADSSP server
- Execute the CVE-2021-33055.py script (using a Python 3 interpreter).
- The command defined in the CMD variable will be executed on the ADSSP server.
- 07-05-2021 - Vulnerability reported to vendor
- 07-05-2021 - First response from vendor
- 18-05-2021 - Patch for retest received from vendor
- 26-05-2021 - Fixed version release
- 30-08-2021 - Public disclosure