Zohocorp ManageEngine ADManager Plus 7210 - Elevation of Privilege

ManageEngine ADManager Plus (<7210) — Elevation of Privilege (CVE-2024-24409)

This article provides a technical yet non-actionable analysis of the ManageEngine ADManager Plus elevation-of-privilege vulnerability tracked as CVE-2024-24409. It explains what the bug is, why it matters in Active Directory environments, how defenders can detect and mitigate it, and best practices to reduce risk from similar product authorization failures.

Executive summary

• Product: ManageEngine ADManager Plus (ADMP)
• Affected versions: Build < 7210 (reported against build 7203)
• Vulnerability class: Broken access control / improper authorization in the web application
• Impact: A delegated technician with the predefined "Modify Computers" role can indirectly cause AD changes (including delegation-related attributes) that lead to privilege escalation in Active Directory.
• CVE: CVE-2024-24409

Background: Kerberos delegation and AD attributes

Understanding the impact requires a quick recap of delegation types and the AD attributes involved:

• Unconstrained delegation (legacy): an account marked for delegation can impersonate users to any service on any host. This is controlled by the userAccountControl flag for the computer or user account.
• Constrained delegation: limits which services an account can present delegated tickets to. It is configured through the msDS-AllowedToDelegateTo attribute on computer or service accounts.
• Privilege to set delegation: normally only elevated principals (e.g., members of BUILTIN\Administrators or principals granted SeEnableDelegationPrivilege) can set delegation attributes via standard AD controls.

Root cause (high level)

The vulnerability stems from two interacting issues inside ADManager Plus:

• ADMP’s predefined "Modify Computers" role grants a technician UI-level permission that, due to an implementation flaw, also allows changes to additional custom attributes on computer objects that were not expected to be editable.
• ADMP performs certain attribute modifications by executing changes using an elevated service account (designed for legitimate AD management tasks). Because ADMP applies some validation inconsistently, a delegated technician can trigger changes to sensitive attributes such as userAccountControl and msDS-AllowedToDelegateTo, with those changes being committed under the elevated context.

In short: the web app exposes an unexpected modification path where a lower-privileged user causes the server (running with higher rights) to write delegation-related attributes to AD.

Why this is dangerous

• By manipulating delegation attributes, an attacker can receive service tickets or impersonate other users in ways not anticipated by ACLs in AD. For example, constrained delegation could be added to a non-sensitive computer account, allowing ticket delegation to services running on a high-value host.
• Unconstrained delegation (or enabling delegation flags) is particularly risky — it can allow full impersonation of domain accounts to services trusted for delegation.
• The root authorization issue is in the management product, not in AD itself; the result is that a product intended to simplify delegation of administration inadvertently becomes a privilege-escalation vector.

Realistic attack impact (non-actionable)

In impacted environments, a technician assigned the ADMP "Modify Computers" role (intended to manage computer object properties) could elevate from a standard domain user to a privileged position by leveraging the ADMP server’s elevated rights to configure delegation on computer accounts. This may allow access to services (CIFS/SMB, LDAP, etc.) on other hosts by impersonating domain users — a common path to domain compromise when combined with additional footholds.

Detection and hunting guidance (for defenders)

Below are defensive queries and monitoring suggestions to find signs of suspicious delegation activity or attempted abuse. These examples assume the analyst has appropriate administrative rights and are presented for detection and remediation only.

Search for computer accounts with delegation configured via PowerShell

Import-Module ActiveDirectory
Get-ADComputer -Filter * -Properties msDS-AllowedToDelegateTo,userAccountControl |
  Where-Object {
    ($_.msDS-AllowedToDelegateTo -and $_.msDS-AllowedToDelegateTo.Count -gt 0) -or
    (($_.userAccountControl -band 0x00080000) -ne 0) # TRUSTED_FOR_DELEGATION flag
  } |
  Select-Object Name, DistinguishedName, userAccountControl, msDS-AllowedToDelegateTo

Explanation: This PowerShell snippet lists computer accounts that either have constrained delegation entries in msDS-AllowedToDelegateTo or have the AD flag indicating trusted (unconstrained) delegation. Use it to baseline and review unexpected entries.

Find recent changes to delegation attributes in AD audit logs

# Example LDAP-style search using Event Logs (Windows Security auditing must be enabled)
# Search for Event ID 5136 (Directory Service Change) and filter for changed attributes
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5136; StartTime=(Get-Date).AddDays(-30)} |
  Where-Object { $_.ToXml() -match 'msDS-AllowedToDelegateTo|userAccountControl' } |
  Select-Object TimeCreated, @{n='ChangedBy';e={[regex]::Match($_.ToXml(), '(?).*?(?=</)') -replace '[]',''}}, Message

Explanation: If AD auditing of directory service changes is enabled, Event ID 5136 captures attribute changes. Filter these events for the delegation-related attributes to identify who changed them and when.

Audit ADManager Plus activity

• Enable and collect ADManager Plus application logs and correlate web-app user actions with AD changes.
• Look for ADMP account actions that change computer object attributes or call into AD with elevated service accounts.
• Alert on unexpected AD changes that are performed by the ADManager service account or by users who normally cannot perform them directly.

Mitigation and remediation

Immediate and medium-term mitigations to reduce risk until ADMP is patched:

• Patch: Apply the vendor update to ADManager Plus Build 7210 or later. This is the primary remediation for the vulnerability.
• Restrict ADMP administrative roles: Review and minimize assignments of the "Modify Computers" and other powerful predefined roles. Use least privilege — grant only what is required.
• Harden the ADMP service account: Ensure the AD account ADManager uses to perform writes is not a Domain Admin unless explicitly required. Give it the minimum rights necessary and audit its activity closely.
• Enable/Review AD auditing: Ensure directory service change auditing is enabled and that changes to msDS-AllowedToDelegateTo and userAccountControl are logged and reviewed.
• Network segmentation and access controls: Limit which hosts can reach ADManager Plus administration interfaces (management network, VPN, or jump hosts only).
• Temporary compensating control: If an immediate patch is not possible, consider disabling ADManager’s ability to perform writes (use read-only mode) or stop the ADManager service until patched — but evaluate operational impact first.

Post-incident remediation

• Inspect and revert any unintended changes to delegation attributes. Remove unexpected msDS-AllowedToDelegateTo entries and clear unconstrained delegation flags where appropriate.
• Reset credentials and secrets for service accounts that may have been abused, and rotate passwords or keys where necessary.
• Perform a full AD compromise assessment: review recent authentication patterns, tickets, and lateral movement indicators (e.g., unusual SMB access from service accounts).

Hardening recommendations to prevent similar issues

• Apply the principle of least privilege to management tools: management products should have narrowly scoped service accounts and role-based access control that aligns with AD ACLs.
• Separate duties: avoid allowing a single product admin to both delegate rights and perform sensitive AD writes without multi-person or approval workflows.
• Regularly audit delegation settings and remove unnecessary delegation entries. Treat msDS-AllowedToDelegateTo and delegation flags as sensitive configuration like ACLs.
• Adopt modern defenses: implement Conditional Access, multifactor authentication for administrative portals, and monitor for anomalous Kerberos/SPN activity.

Responsible disclosure and references

• Vulnerability and PoC were publicly described by the researcher who reported the issue. Administrators should consult the vendor advisory and apply official patches: https://www.manageengine.com/
• Technical write-up referenced by the researcher: https://docs.unsafe-inline.com/0day/admanager-plus-build-less-than-7210-elevation-of-privilege-vulnerability-cve-2024-24409 (contains demonstration materials — review only for defensive purposes).
• CVE record: CVE-2024-24409

Conclusion

CVE-2024-24409 is a high-impact example of how misapplied web-application authorization in a privileged management tool can translate into Active Directory privilege escalation. The remedy is straightforward: apply the vendor patch, reduce the blast radius of management accounts, and monitor delegation-related AD attributes closely. Combining prompt patching with auditing and least-privilege practices will mitigate both this issue and many similar risks in AD management tooling.