lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201012301104.oBUB4Nhb020288@www5.securityfocus.com>
Date: Thu, 30 Dec 2010 04:04:23 -0700
From: ipsdix@...il.com
To: bugtraq@...urityfocus.com
Subject: CA ARCserve D2D r15 Web Service Apache Axis2 World Accessible
 Servlet  Code Execution Vulnerability Poc

Computer Associates ARCserve D2D r15 Web Service Apache Axis2 World Accessible Servlet 
Code Execution Vulnerability Poc

product homepage:
https://support.ca.com/phpdocs/0/8363/support/arcserved2d_support.html

vulnerability:
The Tomcat Server, which listens for incoming connections on port 8014,
carries a world accessible Apache Axis2 Web Service with default credentials.
Also, the web service port is added to firewall exceptions, allowing all 
computers, including those on the internet, to access the default Axis2 instance.

Check :
C:\Program Files\CA\ARCserve D2D\TOMCAT\webapps\WebServiceImpl\WEB-INF\conf\axis2.xml

It shows: 
<parameter name="userName">admin</parameter>
<parameter name="password">axis2</parameter>

By uploading a well-constructed .aar (axis2 service) file
by accessing the 

http://host:8014/WebServiceImpl/axis2-admin/upload

url, then interrogating it trough a SOAP request, is possible to execute arbitrary
code with NT AUTHOTITY\SYSTEM privileges.

poc:
as attachment a proof-of-concept written in php which automates the process
and an .aar file which remotely executes calc.exe

note:
this poc was sent to zdi vulnerability research program on 2010-07-03
together with pocs for the same vulnerability in:

- Hewlett Packard Universal CMDB Server 9.0 
- SAP BusinessObjects Crystal Reports Server 2008 

but refused with the motivation that they don't accept axis2 default credentials
vulnerabilities.
Note that in HP Universal CMDB this is limited by the presence of a basic auth
box on axis2 web services. However there is also a default user/password for this
which is 'admin/admin'.

I remember that this was reported in SAP by HD Moore and the Metasploit crew.

However, here we are. And two of three are unpatched.

proof of concept:

http://retrogod.altervista.org/9sg_cad2d_poc.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ