In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed: - returning arbitrary files from anywhere in the web application - processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible
This module uses an unauthenticated file upload vulnerability via uploadova plugin in VMware vCenter Server to upload and extract a TAR file. This TAR file contains a path traversal that allows writing files at arbitraries locations. In the vulnerable 6.5.X and 6.7.X (build 13010631 and lower) versions of VMware vCenter Server, a JSP file is deployed to gain arbitrary code execution. In the vulnerable 6.7.X (build 13643870 and greater) and 7.X versions, a file with public keys are uploaded to the vsphere-ui user home directory and then used to deploy an agent via SSH. Notice that in 6.7.X versions SSH access is disabled by default.
This module first exploits a server side request forgery vulnerability present in Microsoft.Exchange.HttpProxy of Microsoft Exchange Server to bypass authentication. Then an arbitrary file write vulnerability present in WriteFileActivity of Microsoft.Exchange.Management.ControlPanel.DIService is used to deploy a .aspx file and execute commands. The deployed agent will run with the SYSTEM privileges.
Subscribe to Windows