E-mail MIME injection in /RestAPI/PasswordSelfServiceAPI endpoint
ManageEngine ADSelfService Plus
Krzysztof Andrusiak and Marcin Ogorzelski
An unauthenticated attacker can deliver e-mail with arbitrary content to domain users by sending specially crafted requests to the /RestAPI/PasswordSelfServiceAPI endpoint. The message is composed and sent by ADSelfService Plus itself through its configured mail server, so it reaches recipients from a sender they are used to trusting, which makes the issue well suited to phishing.
1. Configure a mail server in ADSSP.
2. Make sure the "victim" user has an e-mail address set in Active Directory.
3. Set the following parameters in the CVE-2021-37420.py script:
   URL - ADSSP server URL
   DOMAIN - domain name (FQDN)
   USERNAME - the user from step 2 (AD username, not e-mail address)
   HTML_CONTENT - phishing e-mail content
4. Execute the CVE-2021-37420.py script; the user should receive the e-mail with the injected content.
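To make concrete what "MIME injection" means in an e-mail context, the following added example (not ADSelfService Plus code and not the CVE-2021-37420.py script) shows a hand-built notification template that splices a user-controlled value straight into the MIME body, beside the same notification built with Python's email package. The template, the fixed boundary, the addresses and the attacker payload are all constructed for the demo; how ADSSP actually composes its messages is not described on this page.

```python
"""E-mail MIME injection, illustrated: a naive notification template beside a
hardened one.  Added example; the template, boundary, addresses and payload
are constructed for this demo and are not ADSelfService Plus code."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed: a naive template reuses one fixed boundary in every mail, so an
# attacker who has received a single legitimate notification knows it.
BOUNDARY = "----=_NotificationBoundary_0001"
SENDER = "ADSSP <noreply@example.com>"


def build_vulnerable(to_addr: str, username: str) -> bytes:
    """Hand-built MIME: `username` lands verbatim inside the text/plain part,
    so CR/LF plus a boundary line in it becomes message *structure*."""
    return (
        f"From: {SENDER}\r\n"
        f"To: {to_addr}\r\n"
        "Subject: Password self-service request\r\n"
        "MIME-Version: 1.0\r\n"
        f'Content-Type: multipart/alternative; boundary="{BOUNDARY}"\r\n'
        "\r\n"
        f"--{BOUNDARY}\r\n"
        "Content-Type: text/plain; charset=utf-8\r\n"
        "\r\n"
        f"A password self-service request was submitted for {username}.\r\n"
        f"--{BOUNDARY}--\r\n"
    ).encode("utf-8")


def build_hardened(to_addr: str, username: str) -> bytes:
    """Same notification via EmailMessage: the input is body *data* only, and
    the default policy raises ValueError on CR/LF in header values, so the
    recipient field cannot smuggle extra headers either."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = to_addr
    msg["Subject"] = "Password self-service request"
    msg.set_content(f"A password self-service request was submitted for {username}.")
    return msg.as_bytes()


def parts(raw: bytes) -> list:
    """Parse a message as a mail client would and return (content_type, body)
    for each leaf part."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    leaves = msg.iter_parts() if msg.is_multipart() else [msg]
    return [(p.get_content_type(), p.get_content()) for p in leaves]


# Constructed attacker value: terminates the legitimate text part and opens an
# attacker-controlled text/html alternative, which clients prefer to render.
INJECTED_USERNAME = (
    "jdoe\r\n"
    f"--{BOUNDARY}\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    '<p>Your password expires today: <a href="http://phish.example/">renew</a></p>\r\n'
)


def demo_vulnerable() -> list:
    """Two parts come back: the attacker-supplied HTML part is now real."""
    return parts(build_vulnerable("jdoe@example.com", INJECTED_USERNAME))


def demo_hardened() -> list:
    """One text/plain part; the would-be boundary is just text in the body."""
    return parts(build_hardened("jdoe@example.com", INJECTED_USERNAME))


def header_injection_rejected() -> bool:
    """EmailMessage refuses a recipient containing CR/LF with ValueError."""
    try:
        build_hardened("jdoe@example.com\r\nBcc: everyone@example.com", "jdoe")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for label, result in (("vulnerable", demo_vulnerable()), ("hardened", demo_hardened())):
        print(label, [content_type for content_type, _ in result])
    print("header injection rejected:", header_injection_rejected())
```

The hardened builder has no boundary for the attacker to hit because a single-part message has none; when the email package does emit multipart, it generates a fresh boundary per message and checks it against the body, so a value copied from an earlier mail does not line up. The same defensive rule applies to any templating of outbound mail: user-controlled strings go in through an API that encodes body and header values, never through string concatenation of raw MIME.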
- 07-05-2021 - Vulnerability reported to vendor
- 07-05-2021 - First response from vendor
- 24-06-2021 - Update from vendor
- 26-08-2021 - Fixed version release
- 21-02-2022 - Public disclosure
- 21-02-2022 - PoC release