ManageEngine Applications Manager Deserialization Unauthenticated RCE

This year at Black Hat USA I participated in Offensive Security’s AWAE. This training was extremely interesting and I would strongly recommend it to others interested in web application security. One of the modules in AWAE included looking at ManageEngine Applications Manager. As I have some previous experience with web applications and writing PoCs, I occasionally found myself with some spare time during the training. I spent most of this spare time looking deeper into the applications that were included in the training and I ended up finding my first deserialization vulnerability. This vulnerability happens to be an unauthenticated remote root in ManageEngine Applications Manager running on Windows machines. While I have not seen this vulnerability posted online, I know for a fact that I am not the only one who has come across it.