nuclei-templates/http/cves/2022/CVE-2022-35405.yaml

id: CVE-2022-35405

info:
  name: Zoho ManageEngine - Remote Code Execution
  author: viniciuspereiras,true13
  severity: critical
  description: |
    Zoho ManageEngine Password Manager Pro, PAM 360, and Access Manager Plus are susceptible to unauthenticated remote code execution via XML-RPC. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
  reference:
    - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/zoho_password_manager_pro_xml_rpc_rce.rb
    - https://xz.aliyun.com/t/11578
    - https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-35405.html
    - https://www.bigous.me/2022/09/06/CVE-2022-35405.html
    - https://nvd.nist.gov/vuln/detail/CVE-2022-35405
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-35405
    epss-score: 0.97399
  metadata:
    max-request: 4
    shodan-query: http.title:"ManageEngine"
  tags: cve,cve2022,rce,zoho,passwordmanager,deserialization,unauth,msf,kev

http:
  - method: POST
    path:
      - "{{RootURL}}/xmlrpc"
    body: |
        <?xml version="1.0"?><methodCall><methodName>{{randstr}}</methodName><params><param><value>big0us</value></param></params></methodCall>

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "<name>faultString</name>"

      - type: word
        part: body
        words:
          - "No such service [{{randstr}}]"
          - "No such handler: {{randstr}}"
        condition: or

      - type: word
        part: body
        words:
          - "<methodResponse>"
          - "</methodResponse>"
        condition: or

# Enhanced by mp on 2022/10/06
Add CVE-2022-35405 This is a de-serialization vulnerability that causes unauthenticated RCE in XML-RPC of Zoho Manage Engine Password Manager Pro. 2022-09-03 02:23:45 +00:00			`id: CVE-2022-35405`

			`info:`
Dashboard Content Enhancements (#5582) Dashboard Content Enhancements 2022-10-10 19:22:59 +00:00			`name: Zoho ManageEngine - Remote Code Execution`
Update CVE-2022-35405.yaml 2022-09-15 08:58:56 +00:00			`author: viniciuspereiras,true13`
Add CVE-2022-35405 This is a de-serialization vulnerability that causes unauthenticated RCE in XML-RPC of Zoho Manage Engine Password Manager Pro. 2022-09-03 02:23:45 +00:00			`severity: critical`
			`description: \|`
Dashboard Content Enhancements (#5582) Dashboard Content Enhancements 2022-10-10 19:22:59 +00:00			`Zoho ManageEngine Password Manager Pro, PAM 360, and Access Manager Plus are susceptible to unauthenticated remote code execution via XML-RPC. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.`
Add CVE-2022-35405 This is a de-serialization vulnerability that causes unauthenticated RCE in XML-RPC of Zoho Manage Engine Password Manager Pro. 2022-09-03 02:23:45 +00:00			`reference:`
			`- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/zoho_password_manager_pro_xml_rpc_rce.rb`
Update CVE-2022-35405.yaml 2022-09-04 06:59:30 +00:00			`- https://xz.aliyun.com/t/11578`
Auto Generated CVE annotations [Mon Sep 5 11:04:01 UTC 2022] :robot: 2022-09-05 11:04:01 +00:00			`- https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-35405.html`
Update CVE-2022-35405.yaml 2022-09-06 20:14:24 +00:00			`- https://www.bigous.me/2022/09/06/CVE-2022-35405.html`
Dashboard Content Enhancements (#5582) Dashboard Content Enhancements 2022-10-10 19:22:59 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2022-35405`
Add CVE-2022-35405 This is a de-serialization vulnerability that causes unauthenticated RCE in XML-RPC of Zoho Manage Engine Password Manager Pro. 2022-09-03 02:23:45 +00:00			`classification:`
Auto Generated CVE annotations [Mon Sep 5 11:04:01 UTC 2022] :robot: 2022-09-05 11:04:01 +00:00			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.8`
Add CVE-2022-35405 This is a de-serialization vulnerability that causes unauthenticated RCE in XML-RPC of Zoho Manage Engine Password Manager Pro. 2022-09-03 02:23:45 +00:00			`cve-id: CVE-2022-35405`
Added CPE and EPSS Score to CVE Templates 2023-04-12 10:55:48 +00:00			`epss-score: 0.97399`
Update CVE-2022-35405.yaml 2022-09-04 06:55:42 +00:00			`metadata:`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`max-request: 4`
CVE-2022-35405 - remove comments 2022-09-07 19:05:13 +00:00			`shodan-query: http.title:"ManageEngine"`
Auto Generated CVE annotations [Fri Sep 23 08:39:48 UTC 2022] :robot: 2022-09-23 08:39:48 +00:00			`tags: cve,cve2022,rce,zoho,passwordmanager,deserialization,unauth,msf,kev`
Add CVE-2022-35405 This is a de-serialization vulnerability that causes unauthenticated RCE in XML-RPC of Zoho Manage Engine Password Manager Pro. 2022-09-03 02:23:45 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Update CVE-2022-35405 - requests dont working #5477 (#5478) 2022-10-10 14:10:43 +00:00			`- method: POST`
			`path:`
			`- "{{RootURL}}/xmlrpc"`
			`body: \|`
Update CVE-2022-35405.yaml (#5453) * Update CVE-2022-35405.yaml * misc updates Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2022-09-25 19:48:40 +00:00			`<?xml version="1.0"?><methodCall><methodName>{{randstr}}</methodName><params><param><value>big0us</value></param></params></methodCall>`
update CVE-2022-35405 2022-09-06 03:07:42 +00:00
Update CVE-2022-35405.yaml (#5453) * Update CVE-2022-35405.yaml * misc updates Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2022-09-25 19:48:40 +00:00			`matchers-condition: and`
update CVE-2022-35405 2022-09-06 03:07:42 +00:00			`matchers:`
			`- type: word`
Update CVE-2022-35405.yaml 2022-09-15 08:58:56 +00:00			`part: body`
update CVE-2022-35405 2022-09-06 03:07:42 +00:00			`words:`
Update CVE-2022-35405.yaml Updating the matcher to reduce the False positives. 2022-09-15 11:42:32 +00:00			`- "<name>faultString</name>"`
Update CVE-2022-35405.yaml (#5453) * Update CVE-2022-35405.yaml * misc updates Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2022-09-25 19:48:40 +00:00
			`- type: word`
			`part: body`
			`words:`
			`- "No such service [{{randstr}}]"`
			`- "No such handler: {{randstr}}"`
update CVE-2022-35405 2022-09-06 03:07:42 +00:00			`condition: or`
Update CVE-2022-35405.yaml Updating the matcher to reduce the False positives. 2022-09-15 11:42:32 +00:00
			`- type: word`
			`part: body`
			`words:`
			`- "<methodResponse>"`
			`- "</methodResponse>"`
Update CVE-2022-35405.yaml 2022-09-22 09:55:23 +00:00			`condition: or`
Dashboard Content Enhancements (#5582) Dashboard Content Enhancements 2022-10-10 19:22:59 +00:00
			`# Enhanced by mp on 2022/10/06`