McAfee Web Reporter JBoss EJBInvokerServlet Marshalled Object Code Execution

2013-10-23T00:00:00
ID SAINT:F331FA17751309C5BD461AF4E8A90312
Type saint
Reporter SAINT Corporation
Modified 2013-10-23T00:00:00

Description

Added: 10/23/2013
CVE: CVE-2013-4810
BID: 62854
OSVDB: 97153

Background

McAfee Web Reporter analyzes logs from a variety of proxy sources to provide real-time views into web traffic, including extensive drill-down capabilities and powerful off-line processing.

Problem

McAfee Web Reporter is vulnerable to remote code execution due to embedding a vulnerable version of JBoss. The vulnerability is due to the application not properly restricting access to the invoker/EJBInvokerServlet which can be exploited to deploy and execute arbitray Java code by sending a specially crafted marshalled object to TCP port 9111.

Resolution

Contact the vendor for a solution.

References

<http://secunia.com/advisories/55112/>
<http://retrogod.altervista.org/9sg_ejb.html>

Limitations

This exploit was tested against McAfee Web Reporter 5.2.1 on Windows Server 2008 R2 SP1 (DEP OptOut).

Platforms

Windows