original text by 4er
Intro:
ManageEngine offers enterprise IT management software for your service management, operations management, Active Directory and security needs.

CVE-2022-36923 ManageEngine OpManager getUserAPIKey Authentication Bypass
CVE-2022-35405 Zoho Password Manager Pro XML-RPC RCE
CVE-2022-28219 Zoho ManageEngine ADAudit Plus XXE to RCE
CVE-2021-44077 Zoho ManageEngine ServiceDesk Plus Pre-Auth RCE
CVE-2020-10189 Zoho ManageEngine Desktop Central deserialize RCE

According to ZDI's announcement, the vulnerability exists in com.adventnet.me.opmanager.server.util.RMMUtil#getUserAPIKey.

The key point is how to reach this code path.
Search the XML configuration files to find

The route is

Calling it without parameters prompts for the missing parameters; the log shows the error

Set a breakpoint on the IAMSecurityException constructor, trace back up the call stack, and finally

The final constructed request successfully returns 200

Now look back at the code:

public String getUserAPIKey(HttpServletRequest request, HttpServletResponse response) throws IOException {
    // Both values come straight from the request; nothing checks who the caller is
    String userName = request.getParameter("username");
    String domainName = request.getParameter("domainname");
    if (userName != null && domainName != null) {
        try {
            // Resolves the target user by name and domain alone
            Long userId = MickeyLiteUtil.getUserId(userName, domainName);
            // Returns the existing key or generates a new one for that user
            String apiKey = (new APIKeyGenerator()).checkAndGenerateApiKey(userId, -1L);
            response.setContentType("text/plain");
            PrintWriter out = response.getWriter();
            out.println(apiKey);   // the API key is written to the response body
            out.flush();
            return null;
        } catch (Exception var8) {
            var8.printStackTrace();
            return null;
        }
    } else {
        return null;
    }
}
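For comparison, a hardened form of the same handler, written here as an added example rather than the vendor's patch. It assumes the servlet container exposes the logged-in OpManager user through request.getUserPrincipal() and that MickeyLiteUtil and APIKeyGenerator are reachable from the same package; the route itself must still sit behind the normal authentication filter, which is what the bypass described above gets around.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: defence-in-depth version of getUserAPIKey.
// Assumption: the container-populated Principal is the authenticated
// OpManager user. MickeyLiteUtil / APIKeyGenerator are the project's
// classes as shown on the page, assumed to be in this package.
public class HardenedApiKeyHandler {

    public String getUserAPIKey(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        String userName = request.getParameter("username");
        String domainName = request.getParameter("domainname");
        if (userName == null || domainName == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return null;
        }

        // 1. The caller must already be authenticated. The original code
        //    never checks this, so anyone reaching the route can mint a key.
        Principal caller = request.getUserPrincipal();
        if (caller == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return null;
        }

        // 2. A user may only fetch their own key: compare the requested
        //    name with the authenticated identity, not with another parameter.
        if (!userName.equals(caller.getName())) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return null;
        }

        try {
            Long userId = MickeyLiteUtil.getUserId(userName, domainName);
            String apiKey = (new APIKeyGenerator()).checkAndGenerateApiKey(userId, -1L);
            response.setContentType("text/plain");
            PrintWriter out = response.getWriter();
            out.println(apiKey);
            out.flush();
        } catch (Exception e) {
            // 3. Fail closed without echoing a stack trace to the client.
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        }
        return null;
    }
}
```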

You need to supply a correct domainName; it depends on the value stored in the AaaLogin table in the database.
View the database JDBC link

The password is encrypted; in the bin directory there is a script that performs the encryption:
call .\setCommonEnv.bat
set CLASS_PATH="%SERVER_HOME%\lib\framework-tools.jar"
IF "%1"=="" GOTO SHOW_SYNTAX
"%JAVA%" -Dserver.home="%SERVER_HOME%" -cp %CLASS_PATH% com.zoho.framework.utils.crypto.CryptoUtil %*
GOTO END_ENCRYPT
:SHOW_SYNTAX
"%JAVA%" -Dserver.home="%SERVER_HOME%" -cp %CLASS_PATH% com.zoho.framework.utils.crypto.CryptoUtil "showUsage"
:END_ENCRYPT
It calls the CryptoUtil class for encryption.

Write a class directly that calls the decrypt function

cryptTag is

Parse the persistence-configurations.xml file to get the CryptTag attribute, and view the file content

Attempt to

Finally

The algorithm is AES256. After decryption, connect to the database and check the AaaLogin table.

The domainName is obtained, and the final request packet is as follows:

The REST API key is obtained from this.
For an RCE method, I looked at the REST API documentation. There is a Workflow feature that could be used for RCE, but there is a problem with accessing it through the REST API.

If your API is
The

At this point, the RCE path is broken. I traced back the

I looked at it and saw that no add, delete, modify or query operations were available. I hope someone with the right luck can dig out an RCE.
Addendum
My colleague looked at the other two OpManager command injection CVEs and found that it should be possible to chain them into RCE. See my colleague's article:
ZOHO ManageEngine OpManager Two RCEs
The writing is rough, the wording frivolous, the content simple and the operation unfamiliar; pointers and corrections on its shortcomings from the masters are welcome, and I am grateful.
CVE-2022-36923 Detail
Current Description
Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, and OpUtils before 2022-07-27 through 2022-07-28 (125657, 126002, 126104, and 126118) allow unauthenticated attackers to obtain a user’s API key, and then access external APIs.
