[ home ]  [ private ]  [ 0Day ]  [ discount ]  [ Get Gold ]  [ platforms ]  [ pentest ]  [ search ]  [ faq ]  [ contact ]  [ style ]  [ Prices in Gold ]   db: 39 583    
0day Today Exploit DB Official Facebook
0day Today Exploit DB Official Twitter
0day Today Exploit DB Official RSS Channel
Tor
We DO NOT use Telegram or any messengers / social networks!
We DO NOT use Telegram or any messengers / social networks!

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

 
0day.today - Biggest Exploit Database in the World.
Select your language:  
English
English
Русский
Русский
Deutsch
Deutsch
Türkçe
Türkçe
Français
Français
Italiano
Italiano
Español
Español
Romania
Romania
Polskie
Polskie
العربية
العربية
Japan
Japan
China
China
Things you should know about 0day.today:
  • We use one main domain: http://0day.today
  • Most of the materials is completely FREE
  • If you want to purchase the exploit / get V.I.P. access or pay for any other service,
    you need to buy or earn GOLD
We accept currencies: [contact admin to find more]
           
We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks! We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
I am registered user of 0day.today. I don't want to see this screen in future.
What to do first?
  1. Read the [ agreement ]
  2. Read the [ Submit ] rules
  3. Visit the [ faq ] page
  4. [ Register ] profile
  5. Get [ GOLD ]
  6. If you want to [ sell ]
  7. If you want to [ buy ]
  8. If you lost [ Account ]
  9. Any questions [ admin@0day.today ]


Main links


You can contact us by

Mail:
mr.inj3ct0r@gmail.com
Facebook:
Inj3ct0rs
Twitter:
Inj3ct0r
Telegram:
We DO NOT use Telegram or any messengers / social networks!
[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
Mail:
mr.inj3ct0r@gmail.com
Facebook:
Inj3ct0rs
Twitter:
Inj3ct0r
Telegram:
We DO NOT use Telegram or any messengers / social networks!
0day Today Exploits Market and 0day Exploits Database

Red Hat JBoss EAP - Deserialization of Untrusted Data Vulnerability

Author
Federico Dotta
Risk
[
Security Risk Medium
]
0day-ID
0day-ID-26428
Category
web applications
Date add
29-11-2016
CVE
CVE-2016-7065
Platform
java
Security Advisory           @ Mediaservice.net Srl
(#05, 23/11/2016)           Data Security Division
  
         Title: Red Hat JBoss EAP deserialization of untrusted data 
   Application: JBoss EAP 5.2.X and prior versions
   Description: The application server deserializes untrusted data via the
                JMX Invoker Servlet. This can lead to a DoS via resource
                exhaustion and potentially remote code execution.
        Author: Federico Dotta <federico.dotta@mediaservice.net>
                Maurizio Agazzini <inode@mediaservice.net>
 Vendor Status: Will not fix
 CVE Candidate: The Common Vulnerabilities and Exposures project has assigned
                the name CVE-2016-7065 to this issue.     
    References: http://lab.mediaservice.net/advisory/2016-05-jboss.txt
                http://lab.mediaservice.net/code/jboss_payload.zip
                https://bugzilla.redhat.com/show_bug.cgi?id=1382534
 
1. Abstract.
 
JBoss EAP's JMX Invoker Servlet is exposed by default on port 8080/TCP. The
communication employs serialized Java objects, encapsulated in HTTP
requests and responses.
 
The server deserializes these objects without checking the object type. This 
behavior can be exploited to cause a denial of service and potentially 
execute arbitrary code.
 
The objects that can cause the DoS are based on known disclosed payloads
taken from:
 
- https://gist.github.com/coekie/a27cc406fc9f3dc7a70d
 
Currently there is no known chain that allows code execution on JBoss EAP,
however new chains are discovered every day.
 
2. Example Attack Session.
 
Submit an authenticated POST request to the JMX Invoker Servlet URL (for 
example: http://localhost:8080/invoker/JMXInvokerServlet) with one of the 
following objects in the body of the request:
 
    * 01_BigString_limited.ser: it's a string object; the server will
      reply in a normal way (object size similar to the next one).
    * 02_SerialDOS_limited.ser: the application server will require
      about 2 minutes to execute the request with 100% CPU usage.
    * 03_BigString.ser: it's a string object; the server will
      reply in a normal way (object size similar to the next one).
    * 04_SerialDOS.ser: the application server will require an 
      unknown amount of time to execute the request with 100% CPU usage.
 
3. Affected Platforms.
 
This vulnerability affects versions 4 and 5 of JBoss EAP.
 
4. Fix.
 
Red Hat will not fix the issue because JBoss EAP 4 is out of maintenance 
support and JBoss EAP 5 is close to the end of its maintenance period. 
 
5. Proof Of Concept.
 
See jboss_payload.zip (40842.zip) and Example Attack Session above.
 
http://lab.mediaservice.net/code/jboss_payload.zip
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40842.zip
 
6. Timeline
 
06/10/2016 - First communication sent to Red Hat Security Response Team
07/10/2016 - Red Hat Security Response Team response, Bug 1382534 
23/11/2016 - Security Advisory released
 
Copyright (c) 2016 @ Mediaservice.net Srl. All rights reserved.
 
 
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40842.zip

#  0day.today [2024-11-16]  #
0day Today Exploit Database buy and sell exploits type (local, remote, DoS, PoC, etc.)
Send all submissions to mr.inj3ct0r[at]gmail.com
Copyright © 2008-2024 0day Today Team