CVE-2018-7248 — Enumerating Active Directory users via unauthenticated ManageEngine ServiceDesk Plus API

Ethan
2 min read · May 8, 2018


By default, ManageEngine ServiceDesk Plus enables an “auto-complete” feature on the login page that automatically selects the correct login domain in a drop-down box. This feature uses an API endpoint exposed at /domainServlet/AJaxDomainServlet that can be accessed without authentication.

By sending a request such as http://server.name/domainServlet/AJaxDomainServlet?action=searchDomain&search=USERNAME, the API returns either the user’s logon domain or “null” if the user does not exist. This only affects users who have been imported into ManageEngine from the LDAP server.

[Embedded script] A (very) short Python script using names (https://github.com/treyhunner/names) to brute-force Active Directory (or locally configured) accounts using ManageEngine’s auto-completing login page

As a proof of concept I wrote a quick Python script using the names library to generate a series of random firstName.lastName combinations and try to brute-force a few valid usernames through the API. With a delay of two seconds between attempts, it took only an hour to return a valid username and domain combination from my environment.

The script above was able to identify a user account within around an hour, with a two-second delay between attempts and no seeding from word lists or similar.

To take advantage of this, I’ve written a more involved Python script that can ingest a list of usernames, alongside the ability to generate them (as above), so you can load in a list of possible usernames and confirm whether they exist.

This script will run through each supplied username in turn (or will generate up to the defined number of random usernames), and perform the same test as the original PoC, returning the username and their domain name if they exist, and “Not found” if they don’t.

If you’re using the brute-force approach, the default method of generating usernames (FirstName.LastName) may not be appropriate for the target environment. If this is the case, simply edit the genUserName function to output the expected format.
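From the defensive side, the enumeration described above leaves a distinctive trace in the web server’s access log: many searchDomain lookups for distinct usernames from a single source within a short window, most of them answered with the short “null” body. The following Python script is an added example, not code from this post or from the linked GitLab repository; it scans Common Log Format lines for that pattern using a sliding time window. The sample log lines, IP addresses, timestamps, threshold and window size are all constructed for illustration.

```python
"""Detect username enumeration against the ServiceDesk Plus
/domainServlet/AJaxDomainServlet endpoint from web-server access logs.
Added example: the log lines, IPs, threshold and window are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

ENDPOINT = "/domainServlet/AJaxDomainServlet"

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log: 10.0.0.5 tries six different names in ten seconds,
# 10.0.0.9 looks up its own name twice and then loads the login page.
SAMPLE_LOG = """\
10.0.0.5 - - [08/May/2018:10:00:01 +0000] "GET /domainServlet/AJaxDomainServlet?action=searchDomain&search=alice.smith HTTP/1.1" 200 4
10.0.0.5 - - [08/May/2018:10:00:03 +0000] "GET /domainServlet/AJaxDomainServlet?action=searchDomain&search=bob.jones HTTP/1.1" 200 4
10.0.0.5 - - [08/May/2018:10:00:05 +0000] "GET /domainServlet/AJaxDomainServlet?action=searchDomain&search=carol.white HTTP/1.1" 200 4
10.0.0.5 - - [08/May/2018:10:00:07 +0000] "GET /domainServlet/AJaxDomainServlet?action=searchDomain&search=dave.brown HTTP/1.1" 200 4
10.0.0.5 - - [08/May/2018:10:00:09 +0000] "GET /domainServlet/AJaxDomainServlet?action=searchDomain&search=erin.green HTTP/1.1" 200 4
10.0.0.5 - - [08/May/2018:10:00:11 +0000] "GET /domainServlet/AJaxDomainServlet?action=searchDomain&search=frank.black HTTP/1.1" 200 12
10.0.0.9 - - [08/May/2018:10:00:02 +0000] "GET /domainServlet/AJaxDomainServlet?action=searchDomain&search=jane.doe HTTP/1.1" 200 12
10.0.0.9 - - [08/May/2018:10:00:04 +0000] "GET /domainServlet/AJaxDomainServlet?action=searchDomain&search=jane.doe HTTP/1.1" 200 12
10.0.0.9 - - [08/May/2018:10:00:06 +0000] "GET /index.html HTTP/1.1" 200 1532
this line is not in common log format
"""


def parse_line(line):
    """Return (ip, timestamp, username) for a searchDomain lookup, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("target"))
    if url.path != ENDPOINT:
        return None
    qs = parse_qs(url.query)
    if qs.get("action", [None])[0] != "searchDomain" or "search" not in qs:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, qs["search"][0]


def find_enumeration(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag source IPs that look up at least `threshold` distinct usernames
    inside any `window`.  Returns {ip: sorted list of every name that IP tried}.
    Repeated lookups of the same name (a user retrying) do not count twice."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ip, ts, user = rec
            by_ip[ip].append((ts, user))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()  # order by timestamp so the window can slide forward
        start = 0
        for end in range(len(events)):
            # advance the window start until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {user for _, user in events[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[ip] = sorted({user for _, user in events})
                break
    return flagged


if __name__ == "__main__":
    for ip, names in find_enumeration(SAMPLE_LOG).items():
        print(f"possible enumeration from {ip}: {len(names)} names tried: {', '.join(names)}")
```

Because the vendor marked the issue wontfix, the same signature is a reasonable basis for a rate limit or block rule on a reverse proxy in front of ServiceDesk Plus, and restricting the endpoint to the internal network removes the unauthenticated exposure entirely where the domain drop-down is not needed.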

You can find the script in the GitLab repository here: https://gitlab.com/e-sterling/cve-2018-7248

Disclosure Timeline

19/02/2018 — Initial report to vendor
19/02/2018 — CVE assigned
27/02/2018 — Vendor acknowledged report
10/03/2018 — Request for update from vendor
05/04/2018 — Vendor confirms wontfix
08/05/2018 — Public disclosure

Ethan

IT man, Infrastructure Engineer, with a big interest in InfoSec and all the related good stuff