关联漏洞
标题:
多款ZOHO ManageEngine产品安全漏洞
(CVE-2022-47966)
描述:ZOHO ManageEngine ADAudit Plus和ZOHO ManageEngine Access Manager Plus都是美国卓豪(ZOHO)公司的产品。ZOHO ManageEngine ADAudit Plus是用于简化审计、证明合规性和检测威胁。ZOHO ManageEngine Access Manager Plus是一种特权会话管理解决方案,用于企业集中、保护和管理特权会话的远程访问。 多款ZOHO ManageEngine产品存在安全漏洞,该漏洞源于产品中使用了 Apache
描述
POC for CVE-2022-47966 affecting multiple ManageEngine products
介绍
# CVE-2022-47966
POC for CVE-2022-47966 affecting the following ManageEngine products:
* Access Manager Plus
* Active Directory 360
* ADAudit Plus
* ADManager Plus
* ADSelfService Plus
* Analytics Plus
* Application Control Plus
* Asset Explorer
* Browser Security Plus
* Device Control Plus
* Endpoint Central
* Endpoint Central MSP
* Endpoint DLP
* Key Manager Plus
* OS Deployer
* PAM 360
* Password Manager Pro
* Patch Manager Plus
* Remote Access Plus
* Remote Monitoring and Management (RMM)
* ServiceDesk Plus
* ServiceDesk Plus MSP
* SupportCenter Plus
* Vulnerability Manager Plus
This specific POC only works on products utilizing Apache Santuario (xmlsec) <= 1.4.1 such as:
* ServiceDesk Plus
* Endpoint Central
* ADManager Plus
* ADSelfService Plus
Other products may perform additional checks on the SAML response. Modifying this POC to work on products that perform additional checks involves:
* Scanning the logs of the vulnerable product for stack traces or additional logs message indicating an invalid SAML response.
* Reverse engineering the vulnerable product and searching for the code that implements the checks.
## Technical Analysis
A technical root cause analysis of the vulnerability can be found on our blog:
https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive
## Original Researcher's Writeup
[Khoadha of Viettel Security](https://twitter.com/_l0gg) documents his original research of this vulnerability and how it can be exploited across many versions of xmlsec:
https://blog.viettelcybersecurity.com/saml-show-stopper/
## Indicators of Compromise
For analyzing ManageEngine logs for indicators of compromise check out our IOC blog:
https://www.horizon3.ai/manageengine-cve-2022-47966-iocs/
## Summary
This POC abuses the pre-authentication remote code execution vulnerability to run a command with Java's Runtime.exec method.
## Usage
For Active Directory related products, such as ADManager, an issuer argument is required:
```plaintext
root@kali:~# python3 ./CVE-2022-47966.py --url https://10.0.40.90:8443/samlLogin/<guid> --issuer https://sts.windows.net/<guid>/ --command notepad.exe
```
For other products, a URL is all that is required:
```plaintext
root@kali:~# python3 ./CVE-2022-47966.py --url https://10.0.40.64:8080/SamlResponseServlet --command notepad.exe
```
## Mitigations
Update to the latest version of the affected product.
## Follow the Horizon3.ai Attack Team on Twitter for the latest security research:
* [Horizon3 Attack Team](https://twitter.com/Horizon3Attack)
* [James Horseman](https://twitter.com/JamesHorseman2)
* [Zach Hanley](https://twitter.com/hacks_zach)
## Disclaimer
This software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. Use responsibly.
文件快照
[4.0K] /data/pocs/647465be811e5c3b9bd1296bfdb32bd32ac5dfe0
├── [3.1K] CVE-2022-47966.py
└── [2.9K] README.md
0 directories, 2 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。