Vulnerabilities > CVE-2013-7285 - OS Command Injection vulnerability in Xstream Project Xstream

CVSS 9.8 - CRITICAL

  • Attack vector: NETWORK
  • Attack complexity: LOW
  • Privileges required: NONE
  • Confidentiality impact: HIGH
  • Integrity impact: HIGH
  • Availability impact: HIGH

Tags: network, low complexity, xstream-project, CWE-78, critical, nessus, exploit available

Summary

XStream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any other supported format, e.g. JSON.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Command Line Execution through SQL Injection
    An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
  • Command Delimiters
    An attack of this type exploits a program's vulnerabilities that allow an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. A system that uses a filter or blacklist for input validation, as opposed to whitelist validation, is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or blacklist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
  • Exploiting Multiple Input Interpretation Layers
    An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiple passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.
  • Argument Injection
    An attacker changes the behavior or state of a targeted application by injecting data or command syntax through the target's use of non-validated and non-filtered arguments of exposed services or methods.
  • OS Command Injection
    In this type of attack, an adversary injects operating system commands into existing application functions. An application that uses untrusted input to build command strings is vulnerable. An adversary can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system.

Exploit-Db

description: OpenMRS Reporting Module 0.9.7 - Remote Code Execution. CVE-2013-7285. Webapps exploit for java platform
id: EDB-ID:39193
last seen: 2016-02-04
modified: 2016-01-07
published: 2016-01-07
reporter: Brian D. Hysell
source: https://www.exploit-db.com/download/39193/
title: OpenMRS Reporting Module 0.9.7 - Remote Code Execution

Nessus

  • NASL family: CGI abuses
    NASL id: ARTIFACTORY_3_1_1_1.NASL
    description: A version of Artifactory prior to 3.1.1.1 is hosted on the remote web server. As such, it uses a library that has a known remote code execution vulnerability.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 72966
    published: 2014-03-12
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/72966
    title: Artifactory < 3.1.1.1 XStream Remote Code Execution
  • NASL family: CGI abuses
    NASL id: JENKINS_1_551.NASL
    description: The remote web server hosts a version of Jenkins or Jenkins Enterprise that is affected by multiple vulnerabilities : - A flaw in the default markup formatter allows cross-site scripting via the Description field in the user configuration. (CVE-2013-5573) - A security bypass vulnerability allows remote authenticated attackers to change configurations and execute arbitrary jobs. (CVE-2013-7285, CVE-2013-7330, CVE-2014-2058) - An unspecified flaw in the Winstone servlet allows remote attackers to hijack sessions. (CVE-2014-2060) - An input control flaw in
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 72685
    published: 2014-02-25
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/72685
    title: Jenkins < 1.551 / 1.532.2 and Jenkins Enterprise 1.509.x / 1.532.x < 1.509.5.1 / 1.532.2.2 Multiple Vulnerabilities
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2014-2372.NASL
    description: This update fixes a remote code execution security vulnerability by applying a backported upstream patch. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-17
    modified: 2014-02-23
    plugin id: 72630
    published: 2014-02-23
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/72630
    title: Fedora 20 : xstream-1.3.1-9.fc20 (2014-2372)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201612-35.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201612-35 (XStream: Remote execution of arbitrary code). It was found that XStream would deserialize arbitrary user-supplied XML content, thus representing objects of any type. Impact : A remote attacker could pass a specially crafted XML document to XStream, possibly resulting in the execution of arbitrary code with the privileges of the process or a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 95738
    published: 2016-12-13
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/95738
    title: GLSA-201612-35 : XStream: Remote execution of arbitrary code
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2014-0389.NASL
    description: An updated jasperreports-server-pro package that fixes one security issue is now available. The Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Red Hat Enterprise Virtualization reports package provides a suite of pre-configured reports and dashboards that enable you to monitor the system. The reports module is based on JasperReports and JasperServer, and can also be used to create ad-hoc reports. XStream is a simple library used by the Red Hat Enterprise Virtualization reports package to serialize and de-serialize objects to and from XML. It was found that XStream could deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application. (CVE-2013-7285) All jasperreports-server-pro users are advised to upgrade to this updated package, which contains a backported patch to correct this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 79007
    published: 2014-11-08
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/79007
    title: RHEL 6 : jasperreports-server-pro (RHSA-2014:0389)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2014-2340.NASL
    description: This update fixes a remote code execution security vulnerability by applying a backported upstream patch. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-17
    modified: 2014-02-23
    plugin id: 72629
    published: 2014-02-23
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/72629
    title: Fedora 19 : xstream-1.3.1-5.1.fc19 (2014-2340)
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_3E0507C6961411E3B3A500E0814CAB4E.NASL
    description: Jenkins Security Advisory reports : This advisory announces multiple security vulnerabilities that were found in Jenkins core. Please reference the CVE/URL list for details.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 72528
    published: 2014-02-17
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/72528
    title: FreeBSD : jenkins -- multiple vulnerabilities (3e0507c6-9614-11e3-b3a5-00e0814cab4e)

Packetstorm

data source: https://packetstormsecurity.com/files/download/135150/openmrs-exec.txt
id: PACKETSTORM:135150
last seen: 2016-12-05
published: 2016-01-06
reporter: Brian D. Hysell
source: https://packetstormsecurity.com/files/135150/OpenMRS-Reporting-Module-0.9.7-Remote-Code-Execution.html
title: OpenMRS Reporting Module 0.9.7 Remote Code Execution

Redhat

rpms: jasperreports-server-pro-0:5.5.0-6.el6ev