This module exploits a remote code execution vulnerability in the XWork component of Atlassian FishEye, by sending specially crafted HTTP requests to the port 8060/TCP. The ParametersInterceptor class of the XWork framework, part of the Struts 2 web framework, as shipped with Atlassian FishEye, does not properly restrict access to server-side objects. This can be exploited by remote unauthenticated attackers to modify server-side objects and finally execute arbitrary commands via specially crafted OGNL (Object-Graph Navigation Language) expressions.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of software utilizing ASUS Remote Console. The vulnerability is caused due to a boundary error within ASUS Remote Console. A buffer-overflow vulnerability is located in the function which gets the data received from the client, store it in a stack buffer of about 1024 bytes and checks the presence of an end of line delimiter (carriage return).
This exploit takes advantage of various vulnerabilities and default permissions in the affected versions of the Arkeia Network Backup Software. In the target setup the exploit attempts to gather specific information about the target: the remote operating system, the Arkeia Network Backup version, the target system's name; and attempts to download and analyze a loaded PE file by the Arkeia Network Backup Client to find certain patterns of reusable code loaded in memory. In the attack setup the exploit decides how the target will be exploited in the most successful way using the information gathered in the attack setup.
The best practice for web applications built on top of the Apache Struts 2 framework is to switch off Developer Mode (struts.devMode parameter in the struts.xml configuration file) before going into production. When devMode is left enabled, attackers can gain remote code execution by setting the 'debug=command' URL parameter and sending OGNL expressions through the 'expression' URL parameter. This module takes advantage of this misconfiguration scenario in order to deploy an agent in the target system.
The DefaultActionMapper class in Apache Struts 2 supports a method for short-circuit navigation state changes by prefixing parameters like "redirect:" or "redirect-action:". The information contained in these prefixes is not properly sanitized before being evaluated as OGNL expressions on the server side, which allows remote attackers to execute arbitrary Java code on the server. This module exploits the vulnerability in any web application built on top of vulnerable versions of the Apache Struts 2 framework.
After successful exploitation an agent will be installed. Usually Apache is ran as the user nobody, or some other low privileged user. After exploitation, the agent will be running as this user. Apache 1.3 through 1.3.24, and Apache 2.0 through 2.0.36, allow remote attackers to cause a denial of service and possibly execute arbitrary code via a chunk-encoded HTTP request that causes Apache to use an incorrect size.
Subscribe to Windows