nuclei-templates/cves/2022/CVE-2022-35405.yaml

id: CVE-2022-35405

info:
  name: Zoho ManageEngine Password Manager Pro and PAM 360 - Unauthenticated Remote Command Execution
  author: true13
  severity: critical
  description: |
    This is a de-serialization vulnerability that causes unauthenticated RCE in XML-RPC of Zoho Manage Engine Password Manager Pro, PAM360 and Access Manager Plus (Authenticated).
  reference:
    - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/zoho_password_manager_pro_xml_rpc_rce.rb
    - https://xz.aliyun.com/t/11578
    - https://nvd.nist.gov/vuln/detail/CVE-2022-35405
    - https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-35405.html
    - https://www.bigous.me/2022/09/06/CVE-2022-35405.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-35405
  metadata:
    shodan-query: http.title:"ManageEngine Password"
  tags: cve,cve2022,rce,zoho,passwordmanager,deserialization,unauth,msf

requests:
# Password Manager Pro
  - method: POST
    path:
      - "{{RootURL}}:7272/xmlrpc"
    body: |
        <?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value>big0us</value></param></params></methodCall>

    matchers:
      - type: word
        words:
          - "faultString"
          - "No such service [ProjectDiscovery]"
          - "methodResponse"
        condition: or
        part: body

# PAM360
  - method: POST
    path:
    - "{{RootURL}}:8282/xmlrpc"
    body: |
      <?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value>big0us</value></param></params></methodCall>
    matchers:
      - type: word
        words:
          - "faultString"
          - "No such service [ProjectDiscovery]"
          - "methodResponse"
        condition: or
        part: body

# Hosts thats uses on port 80
  - method: POST
    path:
    - "{{RootURL}}/xmlrpc"
    body: |
      <?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value>big0us</value></param></params></methodCall>

    matchers:
      - type: word
        words:
          - "faultString"
          - "No such service [ProjectDiscovery]"
          - "methodResponse"
        condition: or
        part: body

# Access Manager Plus -> https://www.manageengine.com/privileged-session-management/help/setting-up-amp-over-wan.html
  - method: POST
    path:
    - "{{RootURL}}:9292/xmlrpc"
    body: |
      <?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value>big0us</value></param></params></methodCall>

    matchers:
      - type: word
        words:
          - "faultString"
          - "No such service [ProjectDiscovery]"
          - "methodResponse"
        condition: or
        part: body
Add CVE-2022-35405 This is a de-serialization vulnerability that causes unauthenticated RCE in XML-RPC of Zoho Manage Engine Password Manager Pro. 2022-09-03 02:23:45 +00:00			`id: CVE-2022-35405`

			`info:`
update CVE-2022-35405 2022-09-06 03:26:42 +00:00			`name: Zoho ManageEngine Password Manager Pro and PAM 360 - Unauthenticated Remote Command Execution`
Add CVE-2022-35405 This is a de-serialization vulnerability that causes unauthenticated RCE in XML-RPC of Zoho Manage Engine Password Manager Pro. 2022-09-03 02:23:45 +00:00			`author: true13`
			`severity: critical`
			`description: \|`
update CVE-2022-35405 2022-09-06 03:26:42 +00:00			`This is a de-serialization vulnerability that causes unauthenticated RCE in XML-RPC of Zoho Manage Engine Password Manager Pro, PAM360 and Access Manager Plus (Authenticated).`
Add CVE-2022-35405 This is a de-serialization vulnerability that causes unauthenticated RCE in XML-RPC of Zoho Manage Engine Password Manager Pro. 2022-09-03 02:23:45 +00:00			`reference:`
			`- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/zoho_password_manager_pro_xml_rpc_rce.rb`
Update CVE-2022-35405.yaml 2022-09-04 06:59:30 +00:00			`- https://xz.aliyun.com/t/11578`
Add CVE-2022-35405 This is a de-serialization vulnerability that causes unauthenticated RCE in XML-RPC of Zoho Manage Engine Password Manager Pro. 2022-09-03 02:23:45 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2022-35405`
Auto Generated CVE annotations [Mon Sep 5 11:04:01 UTC 2022] :robot: 2022-09-05 11:04:01 +00:00			`- https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-35405.html`
Update CVE-2022-35405.yaml 2022-09-06 20:14:24 +00:00			`- https://www.bigous.me/2022/09/06/CVE-2022-35405.html`
Add CVE-2022-35405 This is a de-serialization vulnerability that causes unauthenticated RCE in XML-RPC of Zoho Manage Engine Password Manager Pro. 2022-09-03 02:23:45 +00:00			`classification:`
Auto Generated CVE annotations [Mon Sep 5 11:04:01 UTC 2022] :robot: 2022-09-05 11:04:01 +00:00			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.8`
Add CVE-2022-35405 This is a de-serialization vulnerability that causes unauthenticated RCE in XML-RPC of Zoho Manage Engine Password Manager Pro. 2022-09-03 02:23:45 +00:00			`cve-id: CVE-2022-35405`
Update CVE-2022-35405.yaml 2022-09-04 06:55:42 +00:00			`metadata:`
			`shodan-query: http.title:"ManageEngine Password"`
Auto Generated CVE annotations [Mon Sep 5 11:04:01 UTC 2022] :robot: 2022-09-05 11:04:01 +00:00			`tags: cve,cve2022,rce,zoho,passwordmanager,deserialization,unauth,msf`
Add CVE-2022-35405 This is a de-serialization vulnerability that causes unauthenticated RCE in XML-RPC of Zoho Manage Engine Password Manager Pro. 2022-09-03 02:23:45 +00:00
			`requests:`
update CVE-2022-35405 2022-09-06 03:07:42 +00:00			`# Password Manager Pro`
			`- method: POST`
			`path:`
			`- "{{RootURL}}:7272/xmlrpc"`
			`body: \|`
			`<?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value>big0us</value></param></params></methodCall>`

Add CVE-2022-35405 This is a de-serialization vulnerability that causes unauthenticated RCE in XML-RPC of Zoho Manage Engine Password Manager Pro. 2022-09-03 02:23:45 +00:00			`matchers:`
			`- type: word`
update CVE-2022-35405 2022-09-06 03:07:42 +00:00			`words:`
			`- "faultString"`
			`- "No such service [ProjectDiscovery]"`
			`- "methodResponse"`
			`condition: or`
Add CVE-2022-35405 This is a de-serialization vulnerability that causes unauthenticated RCE in XML-RPC of Zoho Manage Engine Password Manager Pro. 2022-09-03 02:23:45 +00:00			`part: body`
update CVE-2022-35405 2022-09-06 03:07:42 +00:00
			`# PAM360`
			`- method: POST`
			`path:`
			`- "{{RootURL}}:8282/xmlrpc"`
			`body: \|`
			`<?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value>big0us</value></param></params></methodCall>`
			`matchers:`
			`- type: word`
Add CVE-2022-35405 This is a de-serialization vulnerability that causes unauthenticated RCE in XML-RPC of Zoho Manage Engine Password Manager Pro. 2022-09-03 02:23:45 +00:00			`words:`
update CVE-2022-35405 2022-09-06 03:07:42 +00:00			`- "faultString"`
			`- "No such service [ProjectDiscovery]"`
			`- "methodResponse"`
			`condition: or`
			`part: body`
Update CVE-2022-35405.yaml 2022-09-04 06:55:42 +00:00
update CVE-2022-35405 2022-09-06 03:07:42 +00:00			`# Hosts thats uses on port 80`
			`- method: POST`
			`path:`
			`- "{{RootURL}}/xmlrpc"`
			`body: \|`
			`<?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value>big0us</value></param></params></methodCall>`

			`matchers:`
Update CVE-2022-35405.yaml 2022-09-04 06:55:42 +00:00			`- type: word`
			`words:`
update CVE-2022-35405 2022-09-06 03:07:42 +00:00			`- "faultString"`
			`- "No such service [ProjectDiscovery]"`
			`- "methodResponse"`
			`condition: or`
			`part: body`

			`# Access Manager Plus -> https://www.manageengine.com/privileged-session-management/help/setting-up-amp-over-wan.html`
			`- method: POST`
			`path:`
			`- "{{RootURL}}:9292/xmlrpc"`
			`body: \|`
			`<?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value>big0us</value></param></params></methodCall>`

			`matchers:`
			`- type: word`
			`words:`
			`- "faultString"`
			`- "No such service [ProjectDiscovery]"`
			`- "methodResponse"`
			`condition: or`
			`part: body`