Vulnerability Disclosure - Business logic: Unauthorized endpoint security Agent Uninstall @ Zoho R.A.P.

Kartik Lalan
Published in NestedIf
2 min read · Dec 4, 2021

Status: Fixing internally but Publish Pending (As on 04-Dec-2021)

CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:H = 5.8 (Medium Severity)

Fixed version: T.B.D. (Change Log)

Impacted Component: Remote Access Plus (RAP) Agent (Desktop App)

Vulnerability Description: It was observed that the Remote Access Plus application offers a security feature which prevents uninstallation of the agent on client machines, even by a user who has admin rights. However, there are multiple ways in which this can be bypassed. Normally, with admin rights, uninstallation is assumed to be possible; however, because this security setting is explicitly promised, the bypass becomes a vulnerability.

Promise to prevent agent uninstall

Impact rationale: Loss of availability and integrity upon agent uninstall, which would put enterprise networks/systems at risk.

Exploitability rationale: The attack can be performed by an insider user who has access to the system and wants to evade remote administration.

Steps to reproduce:

Method 1:
Simplest method: run the installer (the one the IT admin originally used to install the agent) once again. Instead of installing, this time it offers repair/uninstall by default. Proceed with the guided uninstaller and it is done.

Relaunching the installer offers uninstall (despite "restrict uninstall" being configured)

Method 2:
Modify the registry value NoRemove (toggle it between 0 and 1).

Uninstall restriction bypass via Regedit

Method 3:
From an elevated cmd.exe run:

wmic
product get name
product where name="ManageEngine Remote Access Plus — Agent" call uninstall

Uninstall restriction bypass via wmic

Recommendation:

  1. If you want to allow admins to uninstall, Windows privilege management is sufficient. Practically, treat this as an accepted open risk and do not promise such a feature.
  2. If you want to prevent uninstallation even by admins, Group Policy (GP) can be leveraged, or adopt the self-protection strategies that anti-virus/DLP software use.
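Since recommendation 1 amounts to accepting agent removal as an open risk, the compensating control is to notice when it happens. The following is an added, defender-side example (it is not part of the disclosure and not Zoho's or ManageEngine's code): it runs over exported Windows event records and flags the two traces the bypasses above leave behind, a Windows Installer removal event (MsiInstaller 1034 / 11724) naming the agent product, and a process-creation record (Security 4688, which needs command-line auditing enabled) showing wmic.exe invoked with `call uninstall` against it. The one-line-per-event export format and the sample records are constructed for the example; the agent product name is taken from the wmic listing above with a plain hyphen assumed in place of the rendered dash.

```python
"""Flag removal of the Remote Access Plus agent in exported Windows event records.

Added example, not the disclosure author's code. Assumes events were exported one
per line in the constructed form:  <timestamp> <provider> <event id> <message>
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Product name as listed by 'wmic product get name' in the disclosure (plain hyphen assumed).
AGENT_PRODUCT = "manageengine remote access plus - agent"

# MsiInstaller provider events written when a product is removed:
# 1034 "Windows Installer removed the product", 11724 "Removal completed successfully".
MSI_REMOVAL_EVENT_IDS = {1034, 11724}

# Security 4688 is process creation; its command line is only present if auditing is configured.
PROCESS_CREATION_EVENT_ID = 4688

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<provider>\S+)\s+(?P<event_id>\d+)\s+(?P<msg>.*)$")


@dataclass
class Alert:
    timestamp: str
    event_id: int
    reason: str


def parse_line(line: str) -> Optional[Tuple[str, str, int, str]]:
    """Split one exported record into (timestamp, provider, event id, message); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("provider"), int(m.group("event_id")), m.group("msg")


def inspect(line: str) -> Optional[Alert]:
    """Return an Alert if the record shows the agent being removed, else None."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    ts, provider, event_id, msg = parsed
    text = msg.lower()

    # 1. Windows Installer reported removal of the agent product itself. Both the
    #    re-run-installer and the wmic methods end up here, so this is the broadest signal.
    if provider == "MsiInstaller" and event_id in MSI_REMOVAL_EVENT_IDS and AGENT_PRODUCT in text:
        return Alert(ts, event_id, "agent product removed via Windows Installer")

    # 2. wmic.exe launched with 'call uninstall' naming the agent product: catches the
    #    attempt even if the removal later fails or the MSI log is cleared.
    if (provider == "Security" and event_id == PROCESS_CREATION_EVENT_ID
            and "wmic.exe" in text and "call uninstall" in text and AGENT_PRODUCT in text):
        return Alert(ts, event_id, "wmic uninstall invoked against agent")

    return None


def detect(lines: List[str]) -> List[Alert]:
    """Run inspect() over every record and keep the alerts, in log order."""
    return [a for a in (inspect(line) for line in lines) if a is not None]


# Constructed sample export: one unrelated install, the wmic bypass and its MSI events,
# and an unrelated product removal that must not fire.
SAMPLE_EVENTS = [
    "2021-12-04T09:58:10Z MsiInstaller 1033 Windows Installer installed the product. "
    "Product Name: Example Text Editor. Installation success or error status: 0.",
    "2021-12-04T10:14:58Z Security 4688 NewProcessName: C:\\Windows\\System32\\wbem\\WMIC.exe "
    "CommandLine: wmic product where name=\"ManageEngine Remote Access Plus - Agent\" call uninstall",
    "2021-12-04T10:15:02Z MsiInstaller 1034 Windows Installer removed the product. "
    "Product Name: ManageEngine Remote Access Plus - Agent. Removal success or error status: 0.",
    "2021-12-04T10:15:03Z MsiInstaller 11724 Product: ManageEngine Remote Access Plus - Agent "
    "-- Removal completed successfully.",
    "2021-12-04T11:00:00Z MsiInstaller 1034 Windows Installer removed the product. "
    "Product Name: Example Archiver. Removal success or error status: 0.",
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert.timestamp}  event {alert.event_id}: {alert.reason}")
```

Run as-is it prints the three alerts from the constructed sample (the 4688 wmic launch, then the 1034 and 11724 removal events) and stays silent on the unrelated install and removal. In a real deployment the same two checks would be expressed as SIEM rules over the Application and Security logs, ideally with the events forwarded off the endpoint so an insider who removes the agent cannot also remove the evidence.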
