sinn3r atxsinn3r

CVE-2017-10271 - Oracle WebLogic Server AsyncResponseService Deserialization Vulnerability

Background

Oracle WebLogic Server (WLS) is a Java EE application server currently developed by Oracle, and it was acquired from BEA Systems in 2008. It is also bundled in other Oracle products such as Oracle Application Testing Suite, which is what the analysis is based on. By default, OATS ships with WebLogic 12.1.3.

The AsyncResponseService component in WebLogic allows a remote user to send a SOAP request containing a malicious XML payload, which is parsed and deserialized into Java objects, resulting in remote code execution.

Our analysis is also based on Metasploit Framework's pull request #11780.

Apache Spark CreateSubmissionRequest Vulnerability

Originally created by UC Berkeley's AMPLab, Apache Spark is an open-source cluster-computing framework that is now maintained by the Apache Software Foundation. Mostly written in Scala, it is designed to be a fast, unified analytics engine for large data sets, and it is used and invested in by many high-profile and large-scale companies.

Discovered by Chinese researcher Fengwei Zhang (of Alibaba Cloud Security Team), the REST API CreateSubmissionRequest can be abused while in standalone mode to let users submit malicious code, resulting in remote code execution. A Metasploit module was submitted on November 12, 2018, and this is how our analysis began.

According to Apache Spark's security issue list, this vulnerability is referred to as CVE-2018-11770.

Vulnerable Application

CVE-2018-20323: MailCleaner SOAP API Logs_StartTrace Command Injection Vulnerability

MailCleaner is an anti-spam and anti-virus software that functions as a filtering SMTP gateway. It comes in two editions: Enterprise and Community. The Community edition is open source, and the codebase can be found on GitHub.

The vulnerability was found by Mehmet Ince, a Turkish researcher, who also submitted the exploit to Metasploit as a module, and this is how the analysis started. The vulnerability is a remote command execution in the Logs_StartTrace SOAP web request, which can be triggered after authentication.

We will review it starting from the attack surface, go through every major component on the code path, and eventually reach the actual vulnerable code.

Publicly, the vulnerability is referred to as CVE-2018-20323.

CVE-2019-0232: Apache Tomcat CGIServlet enableCmdLineArguments Vulnerability

Background

Apache Tomcat is an open source implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies. It powers numerous large-scale, mission-critical web applications across a diverse range of industries and organizations.

The Common Gateway Interface (CGI) defines a way for a web server to interact with external content-generating programs, which are often referred to as CGI programs. Within Tomcat, CGI support is disabled by default, but can be manually added in the configuration file.

One of the configuration options for the CGI servlet is enableCmdLineArguments, which allows command-line arguments to be supplied from the query string; this can be abused to inject system commands and gain remote code execution.

CVE-2019-1821: Cisco Prime Infrastructure HA HealthMonitor TarArchive Directory Traversal Remote Code Execution

Description

Cisco Prime Infrastructure (CPI) is a wired and wireless network management software suite that consists of different networking applications from Cisco Systems. The system is used across various industries, including healthcare, manufacturing, government, and IT.

A vulnerability was found in the HealthMonitor component, specifically the TarArchive class that is used to extract a Tar file. An unauthenticated user can upload a Tar file that embeds a malicious JSP payload, with a path that traverses back to the web directory. After extraction, the user can send a GET request to trigger the JSP payload, and gain arbitrary remote code execution.

It was originally discovered by Steven Seeley (mr_me) of Source Incite. A detailed write-up is also available here.

CVE-2019-5420: Ruby on Rails DoubleTap Development Mode secret_key_base Vulnerability

Description

Ruby on Rails is a server-side web application framework written in Ruby. It follows a model-view-controller (MVC) architecture, providing default structures for a database, a web service, and web pages. It is also a popular choice of framework among well-known services and products such as GitHub, Bloomberg, SoundCloud, Groupon, Twitch.tv, and of course, Rapid7's Metasploit.

Ruby on Rails versions 5.2.2.1 and prior are vulnerable to a deserialization attack, because in development mode a Rails application by default uses its own name as the secret_key_base. This value can be easily extracted by visiting an invalid resource for a route, which in turn allows a remote user to create and deliver a signed serialized payload, have the application load it, and gain remote code execution.

Please note that this is not the same as the "DoubleTap" vulnerability. The other one is a directory traversal attack that

CVE-2019-5418: Ruby on Rails 5.2 "DoubleTap" Directory Traversal

Description

Ruby on Rails is a server-side web application framework written in Ruby. It follows a model-view-controller (MVC) architecture, providing default structures for a database, a web service, and web pages. It is also a popular choice of framework among well-known services and products such as GitHub, Bloomberg, SoundCloud, Groupon, Twitch.tv, and of course, Rapid7's Metasploit.

Ruby on Rails versions 5.2.2.1 and prior are vulnerable to directory traversal in Action View. More specifically, a specially crafted Accept header in combination with calls to render file: can cause arbitrary files on the target server to be rendered, disclosing their contents.

In this documentation, I'll go over:

CVE-2019-8903: Total.js requestcontinue Directory Traversal Vulnerability

Background

Total.js is a free web application framework for building websites and web applications using JavaScript, HTML, and CSS. It is based on the Node.js platform.

A directory traversal vulnerability was found by Riccardo Krauter and reported to Total.js in February 2019. A Metasploit module was submitted by Fabio Cogno in March. The vulnerability is in the framework's F.$requestcontinue function in index.js, which can be exploited to download files from the server without authentication.

Vulnerability Analysis

CVE-2019-9692: CMS Made Simple (CMSMS) Showtime2 Post Auth Arbitrary File Upload Vulnerability

Background

CMS Made Simple (CMSMS) is an open source content management system. It can be used for various purposes such as galleries, company and user directories, guestbooks, e-commerce, blogs, etc., depending on the modules the user installs. It is written in PHP and runs on MySQL.

One of the commonly downloaded modules for CMSMS is called Showtime2, a slideshow feature. In it, the watermark support allows an authenticated user (likely an administrator) to upload a watermark image, which can be abused to upload a malicious payload.

A Metasploit module was submitted on March 19th 2019, which allowed me to investigate the vulnerability.

Jira Universal Plugin Manager PluginCollectionResource Class Upload Vulnerability

Jira is a Java application for bug tracking and agile project management developed by Atlassian. According to Atlassian, Jira is used by over 75,000 customers in 122 countries. Some high-profile organizations include Fedora Commons, NASA, Skype Technologies, Twitter, the United States Department of Defense, etc.

The upload feature in the Universal Plugin Manager (UPM) allows a Jira user to upload a malicious plugin (add-on) and achieve remote code execution. This also implies that authentication is required to achieve this.

Originally, an exploit module was submitted to Metasploit by Alex Gonzalez, and this is how our analysis started.

Vulnerable Application