id: CVE-2022-35405

info:
  name: Zoho ManageEngine - Remote Code Execution
  author: viniciuspereiras,true13
  severity: critical
  description: |
    Zoho ManageEngine Password Manager Pro, PAM 360, and Access Manager Plus are susceptible to unauthenticated remote code execution via XML-RPC. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
  reference:
    - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/zoho_password_manager_pro_xml_rpc_rce.rb
    - https://xz.aliyun.com/t/11578
    - https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-35405.html
    - https://www.bigous.me/2022/09/06/CVE-2022-35405.html
    - https://nvd.nist.gov/vuln/detail/CVE-2022-35405
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-35405
    epss-score: 0.97529
    cpe: cpe:2.3:a:zohocorp:manageengine_access_manager_plus:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    shodan-query: http.title:"ManageEngine"
    vendor: zohocorp
    product: manageengine_access_manager_plus
  tags: cve,cve2022,rce,zoho,passwordmanager,deserialization,unauth,msf,kev

http:
  - method: POST
    path:
      - "{{RootURL}}/xmlrpc"

    body: |
      <?xml version="1.0"?><methodCall><methodName>{{randstr}}</methodName><params><param><value>big0us</value></param></params></methodCall>

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "<name>faultString</name>"

      - type: word
        part: body
        words:
          - "No such service [{{randstr}}]"
          - "No such handler: {{randstr}}"
        condition: or

      - type: word
        part: body
        words:
          - "<methodResponse>"
          - "</methodResponse>"
        condition: or