EMC Data Protection Advisor DPA Illuminator EJBInvokerServlet Remote Code Execution
tested against: Microsoft Windows Server 2008 R2 SP1
                EMC Data Protection Advisor 5.8 SP5
vulnerability:
The "DPA Illuminator" service (DPA_Illuminator.exe), listening
on public ports 8090 (tcp/http) and 8453 (tcp/https), is vulnerable.
It exposes the following servlet:
http://[host]:8090/invoker/EJBInvokerServlet
https://[host]:8453//invoker/EJBInvokerServlet
due to a bundled invoker.war.
The result is remote code execution with NT AUTHORITY\SYSTEM
privileges.
proof of concept url:
http://retrogod.altervista.org/9sg_ejb.html
~rgod~
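Added example (not part of the original advisory and not vendor code): a log check that flags any request reaching the /invoker context, normalizing the request path first so that both URL forms listed above (single and double leading slash) are caught. The Common/Combined Log Format and the sample lines are assumptions constructed for illustration.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

INVOKER_PREFIX = "/invoker"  # context path of the bundled invoker.war

# Assumption: the HTTP front end writes Common/Combined Log Format lines.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def canonical_path(target):
    """Reduce a request target to the path a servlet container would map."""
    path = re.sub(r"^[A-Za-z][A-Za-z0-9+.-]*://[^/]*", "", target)  # absolute-form target
    path = re.split(r"[?#]", path, maxsplit=1)[0]                    # drop query/fragment
    path = unquote(path)                                            # percent-decoding
    path = re.sub(r"/{2,}", "/", path)                              # "//invoker" -> "/invoker"
    return normpath(path) if path.startswith("/") else path        # resolve "." and ".."

def is_invoker_request(target):
    path = canonical_path(target)
    return path == INVOKER_PREFIX or path.startswith(INVOKER_PREFIX + "/")

def find_invoker_hits(lines):
    """Return (source, method, raw target, status) for each request under /invoker."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_invoker_request(m["target"]):
            hits.append((m["src"], m["method"], m["target"], int(m["status"])))
    return hits

# Constructed sample log lines (documentation addresses), not from a real system.
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Jan/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [08/Jan/2014:10:03:40 +0000] "POST /invoker/EJBInvokerServlet HTTP/1.1" 200 1890',
    '198.51.100.7 - - [08/Jan/2014:10:03:41 +0000] "GET //invoker/EJBInvokerServlet HTTP/1.1" 200 1890',
    '192.0.2.10 - - [08/Jan/2014:10:05:00 +0000] "GET /invokers/help HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for src, method, target, status in find_invoker_hits(SAMPLE_LOG):
        print(f"{src} {method} {target} -> {status}")
```

Any hit from an address outside the management network is worth investigating, since the advisory describes both ports as publicly reachable.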
Published 2014-01-08 by Securityvulns as SECURITYVULNS:DOC:30175 (https://vulners.com/securityvulns/SECURITYVULNS:DOC:30175); related entry: SECURITYVULNS:VULN:13495.