Authentication Bypass on Zoho ManageEngine Desktop Central
We discussed this vulnerability during Episode 115 on 31 January 2022
This is almost an intended feature: if an attacker can craft their own State cookie, they can trick the StateFilter into reading the forwardPath and forwarding their request to another servlet directly. The interesting side-effect is that the forward bypasses every other filter left in the chain and goes straight to the target servlet.
This was abused in the wild via the AgentLogUploadServlet, combined with a directory traversal vulnerability, to write a file. The only interesting part of that is that the filename was checked for directory traversal, but the path, which was also influenced by user parameters, was not. It was used to upload a malicious jar (as a .zip file) that would get loaded on reboot.