CVE-2013-4810 - Code Injection vulnerability in HP products

CVSS 9.8 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH

Tags: network, low complexity, hp, CWE-94, critical, nessus, exploit available

Summary

HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, Identity Driven Manager (IDM) 4.0, and Application Lifecycle Management allow remote attackers to execute arbitrary code via a marshalled object to (1) EJBInvokerServlet or (2) JMXInvokerServlet, aka ZDI-CAN-1760. NOTE: this is probably a duplicate of CVE-2007-1036, CVE-2010-0738, and/or CVE-2012-0874.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files: when the executable loads a resource (such as an image file or configuration file), the attacker has modified that file to either execute malicious code directly or manipulate the target process (e.g. an application server) into acting on the malicious configuration parameters. Since systems are increasingly interrelated, mashing up resources from local and remote sources, the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing a buffer overrun by loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028, where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading PDF files. In this case the attacker simply appends JavaScript to the end of a legitimate URL for a PDF (http://www.gnucitizen.org/blog/danger-danger-danger/): http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes it is reading a PDF, but the attacker has modified the resource and loaded executable JavaScript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server; adding the role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when it is manipulated, the attacker gains full control.
  • Manipulating User-Controlled Variables
    This attack targets user-controlled variables (DEBUG=1, PHP globals, and so forth). An attacker can override environment variables by leveraging user-supplied, untrusted query variables that are used directly on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.

Exploit-Db

description: Apache Tomcat/JBoss EJBInvokerServlet / JMXInvokerServlet (RMI over HTTP) Marshalled Object RCE. CVE-2013-4810. Remote exploit for php platform
file: exploits/php/remote/28713.php
id: EDB-ID:28713
last seen: 2016-02-03
modified: 2013-10-04
platform: php
port:
published: 2013-10-04
reporter: rgod
source: https://www.exploit-db.com/download/28713/
title: Apache Tomcat/JBoss EJBInvokerServlet / JMXInvokerServlet RMI over HTTP Marshalled Object RCE
type: remote

Nessus

NASL family: CGI abuses
NASL id: JMXINVOKERSERVLET_EJBINVOKERSERVLET_RCE.NASL
description: The
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 70414
published: 2013-10-14
reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/70414
title: Apache Tomcat / JBoss EJBInvokerServlet / JMXInvokerServlet Multiple Vulnerabilities
code:
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(70414);
  script_version("1.22");
  script_cvs_date("Date: 2019/11/27");

  script_cve_id("CVE-2007-1036", "CVE-2012-0874", "CVE-2013-4810");
  script_bugtraq_id(57552, 62854, 77037);
  script_xref(name:"CERT", value:"632656");
  script_xref(name:"EDB-ID", value:"16318");
  script_xref(name:"EDB-ID", value:"21080");
  script_xref(name:"EDB-ID", value:"28713");
  script_xref(name:"EDB-ID", value:"30211");
  script_xref(name:"ZDI", value:"ZDI-13-229");
  script_xref(name:"HP", value:"HPSBGN02952");
  script_xref(name:"HP", value:"SSRT101127");
  script_xref(name:"HP", value:"emr_na-c04041110");

  script_name(english:"Apache Tomcat / JBoss EJBInvokerServlet / JMXInvokerServlet Multiple Vulnerabilities");
  script_summary(english:"Attempts to access the servlets without credentials.");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The 'EJBInvokerServlet' and 'JMXInvokerServlet' servlets hosted on
the web server on the remote host are accessible to unauthenticated
users. The remote host is, therefore, affected by the following
vulnerabilities :

  - A security bypass vulnerability exists due to improper
    restriction of access to the console and web management
    interfaces. An unauthenticated, remote attacker can
    exploit this, via direct requests, to bypass
    authentication and gain administrative access.
    (CVE-2007-1036)

  - A remote code execution vulnerability exists due to the
    JMXInvokerHAServlet and EJBInvokerHAServlet invoker
    servlets not properly restricting access to profiles. An
    unauthenticated, remote attacker can exploit this to
    bypass authentication and invoke MBean methods,
    resulting in the execution of arbitrary code.
    (CVE-2012-0874)

  - A remote code execution vulnerability exists in the
    EJBInvokerServlet and JMXInvokerServlet servlets due to
    the ability to post a marshalled object. An
    unauthenticated, remote attacker can exploit this, via a
    specially crafted request, to install arbitrary
    applications. Note that this issue is known to affect
    McAfee Web Reporter versions prior to or equal to
    version 5.2.1 as well as Symantec Workspace Streaming
    version 7.5.0.493 and possibly earlier.
    (CVE-2013-4810)");
  # https://www.redteam-pentesting.de/publications/2009-11-30-Whitepaper_Whos-the-JBoss-now_RedTeam-Pentesting_EN.pdf
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?74979c27");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-229/");
  # https://web.archive.org/web/20131031213751/http://retrogod.altervista.org/9sg_ejb.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?52567bc1");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2013/Oct/126");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/530241/30/0/threaded");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2013/Dec/att-133/ESA-2013-094.txt");
  script_set_attribute(attribute:"solution", value:
"If using EMC Data Protection Advisor, either upgrade to version 6.x or
apply the workaround for 5.x. 

Otherwise, contact the vendor or remove any affected JBoss servlets.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:U/RC:ND");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'JBoss JMX Console Deployer Upload and Execute');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_exploithub", value:"true");
  script_set_attribute(attribute:"exploithub_sku", value:"EH-13-606");
  script_cwe_id(264);

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/09/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/10/14");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:procurve_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:application_lifecycle_management");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:identity_driven_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:jboss_enterprise_web_platform");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:jboss_enterprise_application_platform");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:jboss_enterprise_brms_platform");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:jboss_enterprise_application_platform");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:jboss:jboss_application_server");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:symantec:workspace_streaming");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("http_version.nasl");
  script_require_ports("Services/www", 9111, 8080, 9832);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

# Identify possible ports.
#
# - web servers.
ports = get_kb_list("Services/www");
if (isnull(ports)) ports = make_list();

# - ports for McAfee Web Reporter and Symantec Workspace Streaming.
foreach p (make_list(8080, 9111, 9832))
{
  if (service_is_unknown(port:p))  ports = add_port_in_list(list:ports, port:p);
}

# Check each port.
non_vuln = make_list();

foreach port (ports)
{
  vuln_urls = make_list();

  foreach page (make_list("/EJBInvokerServlet", "/JMXInvokerServlet"))
  {
    url = "/invoker" + page;
    res = http_send_recv3(
      method : "GET",
      item   : url,
      port   : port,
      fetch404     : TRUE
    );

    if (
      !isnull(res) &&
      "org.jboss.invocation.MarshalledValue" >< res[2] &&
      (
        'WWW-Authenticate: Basic realm="JBoss HTTP Invoker"' >!< res[1] ||
        "404 Not Found" >!< res[1]
      )
    ) vuln_urls = make_list(vuln_urls, build_url(qs:url, port:port));
  }

  if (max_index(vuln_urls) > 0)
  {
    if (max_index(vuln_urls) > 1) request = "URLs";
    else request = "URL";

    if (report_verbosity > 0)
    {
      report =
        '\n' +'Nessus was able to verify the issue exists using the following '+
        '\n' + request + ' :' +
        '\n' +
        '\n' + join(vuln_urls, sep:'\n') + '\n';

      security_hole(port:port, extra:report);
    }
    else security_hole(port);
  }
  else non_vuln = make_list(non_vuln, port);
}

if (max_index(non_vuln) == 1) exit(0, "The web server tested on port " + port + " is not affected.");
else if (max_index(non_vuln) > 1)  exit(0, "None of the ports tested (" +join(non_vuln, sep:", ")+ ") contain web servers that are affected.");
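As an added illustration (not part of the page or of Tenable's plugin), the following Python applies the same decision rule the plugin uses to raw HTTP responses for the two invoker URLs: an invoker counts as exposed only when the response body carries the MarshalledValue marker and the server did not answer with a 404 or a Basic-auth challenge for the "JBoss HTTP Invoker" realm. The sample responses, the Finding type and the helper names are constructed for this example.

```python
from dataclasses import dataclass

# Marker the JBoss invoker servlets return when a marshalled object is
# handed back to the client (same string the Nessus plugin looks for).
MARSHALLED_MARKER = b"org.jboss.invocation.MarshalledValue"
# Realm of the Basic-auth challenge a protected invoker sends instead.
INVOKER_REALM = 'Basic realm="JBoss HTTP Invoker"'
INVOKER_PATHS = ("/invoker/EJBInvokerServlet", "/invoker/JMXInvokerServlet")

@dataclass
class Finding:            # constructed result type, not from the plugin
    path: str
    status: int
    exposed: bool
    reason: str

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def classify(path: str, raw: bytes) -> Finding:
    """Decide whether one invoker URL is reachable without credentials."""
    status, headers, body = parse_response(raw)
    if status == 404:
        return Finding(path, status, False, "servlet not deployed")
    if status == 401 and INVOKER_REALM in headers.get("www-authenticate", ""):
        return Finding(path, status, False, "invoker requires authentication")
    if MARSHALLED_MARKER in body:
        return Finding(path, status, True, "marshalled object returned unauthenticated")
    return Finding(path, status, False, "no invoker marker in body")

def audit(responses: dict) -> list:
    """responses maps invoker path -> raw response; returns only exposed findings."""
    return [f for f in (classify(p, r) for p, r in responses.items()) if f.exposed]

# Constructed sample responses (not captured from a real host).
EXPOSED = (b"HTTP/1.1 200 OK\r\nContent-Type: application/x-java-serialized-object\r\n\r\n"
           b"\xac\xed\x00\x05sr\x00$org.jboss.invocation.MarshalledValue")
PROTECTED = b'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="JBoss HTTP Invoker"\r\n\r\n'
ABSENT = b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n<html>404 Not Found</html>"
```

Running `audit(dict(zip(INVOKER_PATHS, (EXPOSED, PROTECTED))))` reports only the EJBInvokerServlet entry, since the JMXInvokerServlet sample answers with the authentication challenge.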

Saint

bid: 62854
description: McAfee Web Reporter JBoss EJBInvokerServlet Marshalled Object Code Execution
osvdb: 97153
title: mcafee_web_reporter_jboss_ejbinvokerservlet
type: remote

The Hacker News

id: THN:8573602ED2B18F90AC04D8BA8D25E682
last seen: 2017-01-08
modified: 2013-11-21
published: 2013-11-21
reporter: Pierluigi Paganini
source: http://thehackernews.com/2013/11/Vulnerability-JBoss-Application-Servers-exploit-code.html
title: Two-year-old vulnerability in JBoss Application Servers enables Remote Shell for Hackers