Vulnerabilities > CVE-2013-7285 - OS Command Injection vulnerability in Xstream Project Xstream
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Command Line Execution through SQL Injection An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
- Command Delimiters An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or a blacklist input validation, as opposed to whitelist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or blacklist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
- Exploiting Multiple Input Interpretation Layers An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.
- Argument Injection An attacker changes the behavior or state of a targeted application through injecting data or command syntax through the targets use of non-validated and non-filtered arguments of exposed services or methods.
- OS Command Injection In this type of an attack, an adversary injects operating system commands into existing application functions. An application that uses untrusted input to build command strings is vulnerable. An adversary can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system.
Exploit-Db
description | OpenMRS Reporting Module 0.9.7 - Remote Code Execution. CVE-2013-7285. Webapps exploit for java platform |
id | EDB-ID:39193 |
last seen | 2016-02-04 |
modified | 2016-01-07 |
published | 2016-01-07 |
reporter | Brian D. Hysell |
source | https://www.exploit-db.com/download/39193/ |
title | OpenMRS Reporting Module 0.9.7 - Remote Code Execution |
Nessus
NASL family CGI abuses NASL id ARTIFACTORY_3_1_1_1.NASL description A version of Artifactory prior to 3.1.1.1 is hosted on the remote web server. As such, it uses a library that has a known remote code execution vulnerability. last seen 2020-06-01 modified 2020-06-02 plugin id 72966 published 2014-03-12 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/72966 title Artifactory < 3.1.1.1 XStream Remote Code Execution NASL family CGI abuses NASL id JENKINS_1_551.NASL description The remote web server hosts a version of Jenkins or Jenkins Enterprise that is affected by multiple vulnerabilities : - A flaw in the default markup formatter allows cross-site scripting via the Description field in the user configuration. (CVE-2013-5573) - A security bypass vulnerability allows remote authenticated attackers to change configurations and execute arbitrary jobs. (CVE-2013-7285, CVE-2013-7330, CVE-2014-2058) - An unspecified flaw in the Winstone servlet allows remote attackers to hijack sessions. (CVE-2014-2060) - An input control flaw in last seen 2020-06-01 modified 2020-06-02 plugin id 72685 published 2014-02-25 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/72685 title Jenkins < 1.551 / 1.532.2 and Jenkins Enterprise 1.509.x / 1.532.x < 1.509.5.1 / 1.532.2.2 Multiple Vulnerabilities NASL family Fedora Local Security Checks NASL id FEDORA_2014-2372.NASL description This update fixes remote code execution security vulnerability by applying backported upstream patch. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2014-02-23 plugin id 72630 published 2014-02-23 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/72630 title Fedora 20 : xstream-1.3.1-9.fc20 (2014-2372) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201612-35.NASL description The remote host is affected by the vulnerability described in GLSA-201612-35 (XStream: Remote execution of arbitrary code) It was found that XStream would deserialize arbitrary user-supplied XML content, thus representing objects of any type. Impact : A remote attacker could pass a specially crafted XML document to XStream, possibly resulting in the execution of arbitrary code with the privileges of the process or a Denial of Service condition. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 95738 published 2016-12-13 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95738 title GLSA-201612-35 : XStream: Remote execution of arbitrary code NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2014-0389.NASL description An updated jasperreports-server-pro package that fixes one security issue is now available. The Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Red Hat Enterprise Virtualization reports package provides a suite of pre-configured reports and dashboards that enable you to monitor the system. The reports module is based on JasperReports and JasperServer, and can also be used to create ad-hoc reports. XStream is a simple library used by the Red Hat Enterprise Virtualization reports package to serialize and de-serialize objects to and from XML. It was found that XStream could deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application. (CVE-2013-7285) All jasperreports-server-pro users are advised to upgrade to this updated package, which contains a backported patch to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 79007 published 2014-11-08 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/79007 title RHEL 6 : jasperreports-server-pro (RHSA-2014:0389) NASL family Fedora Local Security Checks NASL id FEDORA_2014-2340.NASL description This update fixes remote code execution security vulnerability by applying backported upstream patch. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2014-02-23 plugin id 72629 published 2014-02-23 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/72629 title Fedora 19 : xstream-1.3.1-5.1.fc19 (2014-2340) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_3E0507C6961411E3B3A500E0814CAB4E.NASL description Jenkins Security Advisory reports : This advisory announces multiple security vulnerabilities that were found in Jenkins core. Please reference CVE/URL list for details last seen 2020-06-01 modified 2020-06-02 plugin id 72528 published 2014-02-17 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/72528 title FreeBSD : jenkins -- multiple vulnerabilities (3e0507c6-9614-11e3-b3a5-00e0814cab4e)
Packetstorm
data source | https://packetstormsecurity.com/files/download/135150/openmrs-exec.txt |
id | PACKETSTORM:135150 |
last seen | 2016-12-05 |
published | 2016-01-06 |
reporter | Brian D. Hysell |
source | https://packetstormsecurity.com/files/135150/OpenMRS-Reporting-Module-0.9.7-Remote-Code-Execution.html |
title | OpenMRS Reporting Module 0.9.7 Remote Code Execution |
Redhat
rpms | jasperreports-server-pro-0:5.5.0-6.el6ev |
References
- http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
- http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
- http://seclists.org/oss-sec/2014/q1/69
- http://seclists.org/oss-sec/2014/q1/69
- http://web.archive.org/web/20140204133306/http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
- http://web.archive.org/web/20140204133306/http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
- https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369%40%3Cissues.activemq.apache.org%3E
- https://www.mail-archive.com/user%40xstream.codehaus.org/msg00604.html
- https://www.mail-archive.com/user%40xstream.codehaus.org/msg00604.html
- https://www.mail-archive.com/user%40xstream.codehaus.org/msg00607.html
- https://www.mail-archive.com/user%40xstream.codehaus.org/msg00607.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://x-stream.github.io/CVE-2013-7285.html
- https://x-stream.github.io/CVE-2013-7285.html