Lucene search

K

CA ARCserve D2D r15 - Web Service Servlet Code Execution

🗓️ 30 Dec 2010 00:00:00Reported by rgodType 
exploitdb
 exploitdb
🔗 www.exploit-db.com👁 40 Views

CA ARCserve D2D r15 Web Service Servlet Code Execution Vulnerability Poc. World accessible Apache Axis2 Web Service with default credentials allows remote code execution

Show more
Related
Code
ReporterTitlePublishedViews
Family
Veracode
Arbitrary Code Execution
25 Mar 201908:40
veracode
CVE
CVE-2010-0219
18 Oct 201017:00
cve
Packet Storm
Axis2 / SAP BusinessObjects dswsbobje Upload Exec
16 Nov 201000:00
packetstorm
Packet Storm
Rapid7 Security Advisory 37
15 Oct 201000:00
packetstorm
Packet Storm
Apache Axis2 Brute Force Utility
1 Sep 202400:00
packetstorm
Packet Storm
Axis2 Upload Exec (via REST)
1 Dec 201000:00
packetstorm
Nuclei
Apache Axis2 Default Login
26 Feb 202120:03
nuclei
NVD
CVE-2010-0219
18 Oct 201017:00
nvd
Cvelist
CVE-2010-0219
18 Oct 201016:00
cvelist
securityvulns
R7-0037: SAP BusinessObjects Axis2 Default Admin Password
24 Oct 201000:00
securityvulns
Rows per page
Computer Associates ARCserve D2D r15 Web Service Apache Axis2 World Accessible Servlet 
Code Execution Vulnerability Poc

product homepage:
https://support.ca.com/phpdocs/0/8363/support/arcserved2d_support.html

vulnerability:
The Tomcat Server, which listens for incoming connections on port 8014,
carries a world accessible Apache Axis2 Web Service with default credentials.
Also, the web service port is added to firewall exceptions, allowing all 
computers, including those on the internet, to access the default Axis2 instance.

Check :
C:\Program Files\CA\ARCserve D2D\TOMCAT\webapps\WebServiceImpl\WEB-INF\conf\axis2.xml

It shows: 
<parameter name="userName">admin</parameter>
<parameter name="password">axis2</parameter>

By uploading a well-constructed .aar (axis2 service) file
by accessing the 

http://host:8014/WebServiceImpl/axis2-admin/upload

url, then interrogating it trough a SOAP request, is possible to execute arbitrary
code with NT AUTHOTITY\SYSTEM privileges.

poc:
as attachment a proof-of-concept written in php which automates the process
and an .aar file which remotely executes calc.exe

note:
this poc was sent to zdi vulnerability research program on 2010-07-03
together with pocs for the same vulnerability in:

- Hewlett Packard Universal CMDB Server 9.0 
- SAP BusinessObjects Crystal Reports Server 2008 

but refused with the motivation that they don't accept axis2 default credentials
vulnerabilities.
Note that in HP Universal CMDB this is limited by the presence of a basic auth
box on axis2 web services. However there is also a default user/password for this
which is 'admin/admin'.

I remember that this was reported in SAP by HD Moore and the Metasploit crew.

However, here we are. And two of three are unpatched.

proof of concept:

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/15869.zip (9sg_ca_d2d.zip)

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
30 Dec 2010 00:00Current
7.4High risk
Vulners AI Score7.4
EPSS0.975
40
.json
Report