Authentication Bypass on Zoho ManageEngine Desktop Central

We discussed this vulnerability during Episode 115 on 31 January 2022

This is almost an intended feature: if an attacker can craft their own State cookie, they can trick the StateFilter into reading the forwardPath from it and forwarding their request directly to another servlet. The interesting side-effect is that the forward bypasses any other filters left in the chain and reaches the target servlet directly.
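As an added illustration of the pattern described above (this is a hypothetical sketch, not ManageEngine's StateFilter): a servlet filter that reads a forward target out of a client-supplied State cookie and calls RequestDispatcher.forward() from inside the filter hands the request straight to the target servlet, so filters registered later in the chain never run. The cookie name "State" and the key "forwardPath" come from the notes; the "key=value&key=value" encoding inside the cookie, the allowlist, and the class name are assumptions.

```java
import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical sketch of the pattern in the notes; not ManageEngine's code.
public class StateForwardFilter implements Filter {

    // The only server-side paths a state-driven forward may ever reach (assumed values).
    private static final Set<String> ALLOWED_FORWARD_TARGETS = Set.of("/home", "/dashboard");

    @Override
    public void init(FilterConfig cfg) {}

    @Override
    public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String forwardPath = stateValue(request, "forwardPath");

        if (forwardPath != null) {
            // Weak pattern: forward to whatever path the client-controlled cookie names.
            // RequestDispatcher.forward() delivers the request straight to the target
            // servlet; filters registered after this one for the REQUEST dispatch
            // (authentication, CSRF, ...) never see it.
            //     request.getRequestDispatcher(forwardPath).forward(req, res);

            // Hardened: reject anything not on a fixed allowlist, and do not forward
            // from inside the filter at all. Record the validated target as a request
            // attribute and let the rest of the chain run, so the authentication
            // filters still execute before any servlet acts on it.
            if (!ALLOWED_FORWARD_TARGETS.contains(forwardPath)) {
                response.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid forward target");
                return;
            }
            request.setAttribute("validatedForwardPath", forwardPath);
        }
        chain.doFilter(req, res);   // remaining filters still run
    }

    // Reads "key=value&key=value" pairs from the State cookie (assumed format).
    private static String stateValue(HttpServletRequest request, String key) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (!"State".equals(c.getName())) continue;
            for (String pair : c.getValue().split("&")) {
                String[] kv = pair.split("=", 2);
                if (kv.length == 2 && kv[0].trim().equals(key)) {
                    return URLDecoder.decode(kv[1].trim(), StandardCharsets.UTF_8);
                }
            }
        }
        return null;
    }
}
```

Two further defensive points follow from the same mechanism. Forward targets that the server needs to remember belong in server-side session state, not in a cookie the client can rewrite. And because the servlet container only applies a filter to forwarded requests if it is registered for the FORWARD dispatcher type, an authentication filter declared with `@WebFilter(urlPatterns = "/*", dispatcherTypes = {DispatcherType.REQUEST, DispatcherType.FORWARD})` (or the equivalent `<dispatcher>` elements in web.xml) would still have seen the forwarded request even with the weak pattern in place.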

This was abused in the wild in combination with a directory traversal vulnerability in the AgentLogUploadServlet to write a file. The only interesting part of that is that the filename was checked for directory traversal, but the path, which was also influenced by user parameters, was not. It was used to upload a malicious jar (as a .zip file) that would get loaded on reboot.
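As an added example of the check the notes say was missing (illustration only, not the servlet's actual code): a filename-only traversal check is not enough when the directory component is also user-influenced. The robust version resolves the complete destination against the upload base directory, normalises it, and rejects anything that ends up outside the base. The class name, the base directory and the sample inputs are constructed for the example.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

// Illustrative upload-path validation; not ManageEngine's code.
public final class SafeUploadPath {
    private SafeUploadPath() {}

    // Returns the absolute path to write to, or throws if any user-influenced
    // component (directory or filename) would escape baseDir.
    public static Path resolve(Path baseDir, String userDir, String userFilename) {
        // Filename-only check, the kind the notes say was present: catches "../x"
        // in the filename but says nothing about the directory part.
        if (userFilename.isEmpty() || userFilename.contains("/")
                || userFilename.contains("\\") || userFilename.contains("..")) {
            throw new IllegalArgumentException("bad filename: " + userFilename);
        }

        // The directory part needs the same scrutiny. Rather than pattern-matching
        // it, build the full target, normalise away "." and ".." segments, and
        // require the result to still be underneath the base directory. An
        // absolute userDir (e.g. "/etc") replaces the base on resolve() and is
        // therefore rejected by the same comparison.
        Path base = baseDir.toAbsolutePath().normalize();
        Path target = base.resolve(userDir).resolve(userFilename).normalize();
        if (!target.startsWith(base)) {
            throw new IllegalArgumentException("path escapes upload directory: " + target);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path base = Paths.get("/var/app/uploads");   // constructed base directory

        // Legitimate upload: stays under the base.
        System.out.println(resolve(base, "agent-42/logs", "agent.log"));

        // Clean filename, traversal in the directory part: rejected by the path check.
        try {
            resolve(base, "../../lib", "plugin.zip");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Path.startsWith(Path) compares whole name components, so a sibling directory such as /var/app/uploads2 does not pass as a prefix of /var/app/uploads. When the base directory already exists on disk, calling toRealPath() on both sides before the comparison also accounts for symbolic links, which normalize() alone does not follow.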