Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

A Critical Authentication Bypass on Zoho ManageEngine Desktop Central - 777

Source Incite - Posted 4 Years Ago
  • Zoho manufactures a suite of ManageEngine Desktop Central and Desktop Central Managed Service Provider (MSP) setups. A classic Software as a Service (SaaS) company.
  • In the web.xml file there is a filter that redirects all traffic. This filter is used for checking CSRF tokens, sessions and many other things. One of the filters is stateParserGenerator.processState, which is used to process the state cookie. Within the state, there is a very dangerous field: forwardPath.
  • By setting the forwardPath field, an attacker can trick the server into forwarding the request directly to another location. This forward bypasses the other filters in the chain and goes directly to other servers, but it does not allow calls to the REST API. This is referred to as an Arbitrary Request Forward. In the article, they link to a similar bug they found in the past.
  • To exploit this, an attacker could combine it with a directory traversal vulnerability to write a file. The directory traversal check inspects the file name but not the path, so it can still be exploited. They wrote a malicious .jar (as a zip) file that would get loaded on reboot.
  • This exploit chain was found in the wild. What's odd to me is that the author had found the arbitrary request forward vulnerability, but did not report it since they did not have the RCE bug. Why not just report the bug as is? If that was the case, then this zero day would not have been as impactful. Regardless, still a great bug to look for!
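The two checks the write-up turns on, shown as an added example (mine, not code from the article or from ManageEngine): a filename-only traversal check next to one that normalises the whole path and keeps it under the upload root, plus an allowlist for a forward-style field so it cannot point outside the application. The upload root and the allowed prefix are assumed values.

```python
import posixpath
from typing import Optional

BASE_DIR = "/opt/app/uploads"  # assumed upload root, not a real product path


def weak_check(filename: str) -> bool:
    """The flawed pattern described above: only the last path component
    is inspected, so traversal in the directory part passes untouched."""
    leaf = filename.rsplit("/", 1)[-1]
    return leaf != "" and ".." not in leaf


def safe_path(user_path: str, base: str = BASE_DIR) -> Optional[str]:
    """Hardened form: normalise the full joined path and require it to
    remain inside `base`. Absolute input makes join() discard `base`,
    and '..' segments are collapsed, so both escapes are rejected."""
    joined = posixpath.normpath(posixpath.join(base, user_path))
    if joined == base or joined.startswith(base + "/"):
        return joined
    return None


def allowed_forward(path: str, allowed_prefixes=("/console/",)) -> bool:
    """Allowlist for a server-side forward target: no scheme or host,
    no backslashes, and the normalised path must stay under an
    application-local prefix (assumed prefix for illustration)."""
    if "://" in path or path.startswith("//") or "\\" in path:
        return False
    norm = posixpath.normpath(path)
    if not norm.startswith("/"):
        return False
    return any(norm == p.rstrip("/") or norm.startswith(p)
               for p in allowed_prefixes)


if __name__ == "__main__":
    sample = "../../lib/plugin.jar"  # constructed traversal input
    print("weak check passes:", weak_check(sample))
    print("hardened check result:", safe_path(sample))
    print("forward allowed:", allowed_forward("/console/../api/x"))
```

The same input passes the filename-only check and is rejected by the path-containment check, which is the difference the article's exploit chain relied on.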