A recent security advisory has revealed multiple SQL injection vulnerabilities in Zoho ManageEngine Password Manager Pro through 12120 before 12121, PAM360 through 555 before 560, and Access Manager Plus through 4304 before 4305. In this long-read post, we will dive deep into the details of this vulnerability, known as CVE-2022-40300, and explore how it affects the aforementioned products, along with example code snippets and links to original references.

Description of the Vulnerability (CVE-2022-40300)

CVE-2022-40300 describes multiple SQL injection vulnerabilities in Zoho ManageEngine Password Manager Pro (PMP), PAM360, and Access Manager Plus (AMP). An attacker can exploit these vulnerabilities by sending a specially crafted HTTP request containing malicious SQL statements to vulnerable installations. Successful exploitation could allow an attacker to view, modify, or delete data stored in the underlying databases, potentially leading to unauthorized access, disclosure of sensitive information, or a complete compromise of the affected system.

Example Code Snippet

An attacker would typically exploit the SQL injection vulnerability by sending a specially crafted HTTP request with malicious SQL statements. Here is an example of an HTTP request that might trigger the vulnerability:

import requests

# Simple tautology payload; <TARGET_URL> is a placeholder for the host under test
payload = "1 OR 1=1"
headers = {'Content-Type': 'application/json'}
url = f"https://<TARGET_URL>/restAPIContext/ResourceController?RESOURCEID={payload}"

# verify=False disables TLS certificate validation; only acceptable against a lab host
response = requests.get(url, headers=headers, verify=False)

# A 200 status alone is a weak signal: compare against a benign request before concluding
if response.status_code == 200:
    print("Vulnerable to SQL Injection (CVE-2022-40300)")
else:
    print("Not vulnerable or not exploitable")

In this example, the payload variable contains a simple, well-known SQL injection payload (1 OR 1=1). If the target system is vulnerable, the server would execute the payload as part of an underlying SQL query, potentially returning all records from the database instead of the expected single record for the resource ID.
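To make the mechanism concrete, the following is an added example (not code from the original post and not the product's own code) that places the vulnerable query shape beside its hardened form. It uses an in-memory SQLite table with constructed rows; the table name, columns and sample data are assumptions, not the product's schema. The vulnerable lookup splices the request parameter into the SQL text, so the page's payload changes the WHERE clause and returns every row; the hardened lookup validates the type and binds the value as a parameter, so the same input is rejected before the database ever sees it.

```python
import sqlite3

# Constructed sample table standing in for a resource store; this is not the
# product's real schema, just enough to show how the query shape decides the outcome.
SAMPLE_RESOURCES = [(1, "db-prod-01"), (2, "vpn-gateway"), (3, "backup-nas")]


def make_db():
    """Create an in-memory SQLite database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE resource (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO resource VALUES (?, ?)", SAMPLE_RESOURCES)
    return conn


def lookup_unsafe(conn, resource_id):
    """Vulnerable pattern: the request parameter is spliced into the SQL text, so it is
    parsed as SQL grammar rather than treated as data."""
    sql = f"SELECT id, name FROM resource WHERE id = {resource_id}"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, resource_id):
    """Hardened pattern: reject anything that is not an integer, then pass the value as a
    bound parameter so the database never interprets it as SQL."""
    try:
        rid = int(str(resource_id).strip())
    except ValueError:
        raise ValueError(f"rejected non-integer RESOURCEID: {resource_id!r}")
    return conn.execute("SELECT id, name FROM resource WHERE id = ?", (rid,)).fetchall()


def compare(resource_id):
    """Run the same input through both lookups and report what each one returns."""
    conn = make_db()
    unsafe_rows = lookup_unsafe(conn, resource_id)
    try:
        safe_rows = lookup_safe(conn, resource_id)
        safe_result = f"{len(safe_rows)} row(s)"
    except ValueError as exc:
        safe_result = str(exc)
    return {"input": resource_id, "unsafe": len(unsafe_rows), "safe": safe_result}


if __name__ == "__main__":
    # An honest resource id returns one row either way; the tautology returns
    # every row from the unsafe query and is rejected outright by the safe one.
    for value in ("2", "1 OR 1=1"):
        print(compare(value))
```

The two defences in lookup_safe are independent and both worth having: parameter binding alone already stops the injection, and the integer check additionally keeps malformed values out of application logs and error paths.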

For more information on CVE-2022-40300, please check the following resources:

1. CVE-2022-40300 on MITRE's CVE List
2. Zoho ManageEngine Patch Details
3. National Vulnerability Database (NVD) Entry on CVE-2022-40300

Exploit Details

The exploitation of CVE-2022-40300 requires an attacker to craft a specially formulated HTTP request targeting vulnerable Zoho product installations. To mitigate this risk, Zoho has released security patches for the affected versions of Password Manager Pro (update to 12121+), PAM360 (update to 560+), and Access Manager Plus (update to 4305+). Users should apply these patches as soon as possible to ensure the security and integrity of their installations.
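Because exploitation depends on a crafted request to the endpoint named above, a defender who cannot patch immediately can at least watch for it. The following is an added example (not from the original post and not a ManageEngine tool) that scans web-server access logs for requests to that endpoint whose RESOURCEID parameter is not a plain integer. The log lines are constructed in combined log format; the client addresses, timestamps, sizes and the /index.html request are made up, and the assumption that a legitimate RESOURCEID is always a positive integer is the example's own, not a documented product guarantee.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined log format). Addresses, timestamps and
# sizes are made up; only the endpoint path comes from the advisory discussion.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Sep/2022:10:01:02 +0000] "GET /restAPIContext/ResourceController?RESOURCEID=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [16/Sep/2022:10:01:07 +0000] "GET /restAPIContext/ResourceController?RESOURCEID=1%20OR%201%3D1 HTTP/1.1" 200 98231 "-" "python-requests/2.28.1"
10.0.0.9 - - [16/Sep/2022:10:01:09 +0000] "GET /restAPIContext/ResourceController?RESOURCEID=abc HTTP/1.1" 500 310 "-" "python-requests/2.28.1"
10.0.0.7 - - [16/Sep/2022:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Endpoint named on the page; the parameter is assumed to be a plain positive integer.
WATCHED_PATH = "/restAPIContext/ResourceController"
WATCHED_PARAM = "RESOURCEID"
INTEGER_RE = re.compile(r"^\d+$")


def parse_line(line):
    """Return the fields of one combined-log-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def check_request(fields):
    """Return a reason string if the request carries a non-integer RESOURCEID, else None."""
    parts = urlsplit(fields["target"])
    if parts.path != WATCHED_PATH:
        return None
    # parse_qs percent-decodes, so "1%20OR%201%3D1" is inspected as "1 OR 1=1".
    values = parse_qs(parts.query).get(WATCHED_PARAM, [])
    for raw in values:
        if not INTEGER_RE.match(raw):
            return f"non-integer {WATCHED_PARAM}: {raw!r}"
    return None


def find_suspicious(log_text):
    """Scan a log and return one finding per request whose RESOURCEID is not an integer."""
    findings = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        reason = check_request(fields)
        if reason:
            findings.append({
                "client": fields["client"],
                "time": fields["time"],
                "status": fields["status"],
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} status={f['status']} {f['reason']}")
```

Note that the check flags on the shape of the parameter rather than on a list of attack strings, so it also catches probing the page does not describe; the flip side is that it depends on the endpoint genuinely never receiving non-integer ids in normal use, which should be confirmed against a baseline of real traffic before alerting on it.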

Conclusion

CVE-2022-40300 affects a range of ManageEngine products, including Password Manager Pro, PAM360, and Access Manager Plus. Anyone using these products should ensure they have updated to the latest patched versions to protect against unauthorized database access and manipulation. Additionally, following best practices for securing installations will help mitigate any potential risks associated with this vulnerability.

Timeline

Published on: 09/16/2022 23:15:00 UTC
Last modified on: 09/21/2022 06:17:00 UTC