SAP BusinessObjects Axis2 Default Admin Password

2010.10.18
Risk: High
Local: No
Remote: Yes
CWE: CWE-255


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

R7-0037: SAP BusinessObjects Axis2 Default Admin Password October 13th, 2010 Description: The SAP BusinessObjects product contains a module (dswsbobje.war) which deploys Axis2 with an administrator account which is configured with a static password. As a result, anyone with access to the Axis2 port can gain full access to the machine via arbitrary remote code execution. This requires the attacker to upload a malicious web service and to restart the instance of Tomcat. This issue may apply to other products and vendors that embed the Axis2 component. The username is "admin" and the password is "axis2", this is also the default for standalone Axis2 installations. Impact: An attacker can execute arbitrary code by creating a malicious web service (jar). The attacker can log in to the Axis2 component with the default admin account, upload the malicious web service, and upon restart the malicious code will be executed. Proof of Concept Code: Create a webservice (jar) which contains malicious code. Login to Axis2 and upload the web service. Restart Tomcat and the malicious code will execute once Axis2 is loaded. package org.apache.axis2.axis2userguide; import java.io.IOException; public class AddUser { public AddUser() { Process process; try { process = Runtime.getRuntime().exec("net user foo bar /add"); } catch(IOException ioexception) { ioexception.printStackTrace(); } } public void main() { return; } } CVE: CVE-2010-0219 Vendor Response: A fix has been provided on the SAP customer support site: SAP Security Note 1432881. Please note that this site requires authentication. References: http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20Busines sObjects.pdf http://www.kb.cert.org/vuls/id/989719 Disclosure Timeline: 2010-08-12 - Vulnerability reported to the vendor via email 2010-08-12 - Vendor confirmed the vulnerability 2010-09-02 - Vulnerability reported to CERT 2010-10-13 - Coordinated public release of advisory Credit: This vulnerability was reported by Joshua Abraham and Will Vandevanter. About Rapid7 Security: Rapid7 provides vulnerability management, compliance and penetration testing solutions for Web application, network and database security. In addition to developing the NeXpose Vulnerability Management system, Rapid7 manages the Metasploit Project and is the primary sponsor of the W3AF web assessment tool. Our vulnerability disclosure policy is available online at: http://www.rapid7.com/disclosure.jsp

References:

http://www.kb.cert.org/vuls/id/989719
https://service.sap.com/sap/support/notes/1432881
http://xforce.iss.net/xforce/xfdb/62523
http://www.vupen.com/english/advisories/2010/2673
http://www.securityfocus.com/archive/1/archive/1/514284/100/0/threaded
http://www.rapid7.com/security-center/advisories/R7-0037.jsp
http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf
http://secunia.com/advisories/41799


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top