Tenable discovered multiple vulnerabilities in ADMP build 7111.
1) PasswordExpiryNotification Post-Authentication File Upload RCE (CVE-2021-20130)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
An authenticated remote attacker can send a POST message to /RestAPI/WC/PasswordExpiryNotification to upload a JSP file to <ADMP_DIR>\webapps\adsm\ompemberapp\PasswordExpiryNotification\ on the remote ADMP host. The file created has the form <unixtime_milliseconds>_<filename>, where <unixtime_milliseconds> is the file creation time in milliseconds since the Unix Epoch, and <filename> is the file name specified in the HTTP upload message.
The attacker can then execute the JSP code by fetching the JSP file at the URL /ompemberapp/PasswordExpiryNotification/<unixtime_milliseconds>_<filename> (e.g., 1630429499081_webshell.jsp).
The JSP code can create an administrative Windows user on the ADMP host. Once the attacker has admin access on the ADMP host, they can obtain the domain credentials used to add a Windows domain in the ADMP web UI. This domain account tends to have high privileges (e.g., a domain administrator) because it is used to perform Active Directory operations such as creating user accounts and resetting user passwords.
One way the attacker can obtain the domain credentials is to attach a debugger to the ADMP Java process and break into the ADsOpenObject function in ACTIVEDS.dll:
2) Personalize Post-Authentication File Upload RCE (CVE-2021-20131)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
An authenticated remote attacker can send a POST message to /RestAPI/WC/Personalize to upload a malicious executable to <ADMP_DIR>\bin\ on the remote ADMP host and replace the existing admanager.exe file with attacker-controlled data. When ADMP restarts, <ADMP_DIR>\bin\admanager.exe executes with attacker-controlled code.
As with the previous vulnerability, the attacker-controlled code can create an administrative Windows user on the ADMP host, and the attacker can then obtain the credentials of high-privileged domain accounts (e.g., a domain administrator).
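For defenders, the two issues above leave concrete traces: a POST to one of the two upload endpoints, a GET for a JSP file under /ompemberapp/PasswordExpiryNotification/ whose name matches the <unixtime_milliseconds>_<filename> pattern, a JSP file sitting in that upload directory, or a changed admanager.exe under <ADMP_DIR>\bin\. The following Python script is an added example written for this page, not code from Tenable or from ManageEngine: it runs the corresponding checks over constructed sample data. The Common Log Format layout of the access log, the sample log lines, the temporary directory layout and the baseline hash used for admanager.exe are all assumptions; on a real host the log path, the upload directory and a known-good hash taken from a trusted installation of the same build must be supplied by the operator.

```python
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# Endpoints and served path as named in the advisory text.
UPLOAD_ENDPOINTS = {
    "/RestAPI/WC/PasswordExpiryNotification": "CVE-2021-20130",
    "/RestAPI/WC/Personalize": "CVE-2021-20131",
}
SERVED_PREFIX = "/ompemberapp/PasswordExpiryNotification/"

# Assumption: the access log is in Common Log Format. The real ADMP log
# layout may differ; adjust LOG_RE to match it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Uploaded files are named <unixtime_milliseconds>_<filename>; a 13-digit
# millisecond timestamp covers 2001 through 2286. Only JSP names are flagged
# because the directory legitimately holds non-executable uploads.
UPLOADED_JSP_RE = re.compile(r"^\d{13}_[^/\\]+\.jspx?$", re.IGNORECASE)


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_access_log(lines):
    """Return (client_ip, cve, detail) tuples for suspicious requests."""
    findings = []
    posted = defaultdict(int)  # upload POSTs seen so far, per client
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; skip rather than crash the scan
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path in UPLOAD_ENDPOINTS:
            posted[rec["ip"]] += 1
            findings.append((rec["ip"], UPLOAD_ENDPOINTS[path], "upload POST to " + path))
        elif rec["method"] == "GET" and path.startswith(SERVED_PREFIX):
            name = path[len(SERVED_PREFIX):]
            if UPLOADED_JSP_RE.match(name):
                detail = "JSP fetched from upload directory: " + name
                if posted[rec["ip"]]:
                    detail += " (same client POSTed to an upload endpoint earlier)"
                findings.append((rec["ip"], "CVE-2021-20130", detail))
    return findings


def audit_upload_dir(directory):
    """Return JSP files found in the PasswordExpiryNotification upload directory."""
    return sorted(n for n in os.listdir(directory) if UPLOADED_JSP_RE.match(n))


def file_sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def admanager_is_intact(path, known_good_sha256):
    """CVE-2021-20131 check: compare <ADMP_DIR>\\bin\\admanager.exe with a baseline hash."""
    return os.path.isfile(path) and file_sha256(path) == known_good_sha256.lower()


# Constructed sample log lines (not real ADMP output).
SAMPLE_LOG = [
    '10.0.0.5 - - [31/Aug/2021:17:04:58 +0000] "POST /RestAPI/WC/PasswordExpiryNotification HTTP/1.1" 200 142',
    '10.0.0.5 - - [31/Aug/2021:17:04:59 +0000] "GET /ompemberapp/PasswordExpiryNotification/1630429499081_webshell.jsp HTTP/1.1" 200 3021',
    '10.0.0.9 - - [31/Aug/2021:17:05:10 +0000] "GET /ompemberapp/PasswordExpiryNotification/1630429510000_logo.png HTTP/1.1" 200 512',
    '10.0.0.7 - - [31/Aug/2021:17:06:00 +0000] "POST /RestAPI/WC/Personalize HTTP/1.1" 200 88',
    "garbage line that does not parse",
]


def demo_filesystem_checks():
    """Run the directory audit and the hash check against a constructed temp layout."""
    with tempfile.TemporaryDirectory() as root:
        updir = os.path.join(root, "PasswordExpiryNotification")
        os.mkdir(updir)
        for name in ("1630429499081_webshell.jsp", "1630429510000_logo.png", "readme.txt"):
            open(os.path.join(updir, name), "w").close()
        exe = os.path.join(root, "admanager.exe")  # stand-in for the vendor binary
        with open(exe, "wb") as f:
            f.write(b"original binary bytes")
        baseline = file_sha256(exe)  # on a real host: hash from a trusted install
        intact_before = admanager_is_intact(exe, baseline)
        with open(exe, "wb") as f:
            f.write(b"replaced")  # simulates the overwrite described above
        intact_after = admanager_is_intact(exe, baseline)
        return audit_upload_dir(updir), intact_before, intact_after


if __name__ == "__main__":
    for ip, cve, detail in scan_access_log(SAMPLE_LOG):
        print(ip, cve, detail)
    print(demo_filesystem_checks())
```

The log scan correlates by client address only; a JSP fetch from the upload directory is reported even without a preceding POST from the same client, since the upload and the fetch may come from different addresses or the upload may predate the retained log window. The hash check is only as good as the baseline: take it from a clean installation of the same build, not from the host under investigation.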