Menu

Search for hundreds of thousands of exploits

"PowerFolder Server 10.4.321 - Remote Code Execution"

Author

Exploit author

"Hans-Martin Muench"

Platform

Exploit platform

java

Release date

Exploit published date

2016-05-25

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
Mogwai Security Advisory MSA-2016-01
----------------------------------------------------------------------
  Title:              PowerFolder Remote Code Execution Vulnerability
  Product:            PowerFolder Server
  Affected versions:  10.4.321 (Linux/Windows) (Other version might be also affected)
  Impact:             high
  Remote:             yes
  Product link:       https://www.powerfolder.com
  Reported:           02/03/2016
  by:                 Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench)


Vendor's Description of the Software:
----------------------------------------------------------------------
PowerFolder is the leading on-premise solution for file synchronization
and collaboration in your organization. PowerFolder Business Suite and
PowerFolder Enterprise Suite both offer a fully integrated and secure
solution for backup, synchronization and collaboration.

Support for federated RADIUS, LDAP and RESTful APIs allow PowerFolder
to blend in perfectly into your environment while all data is stored
on your own IT infrastructure, ensuring that your data remains 100%
under your control.


Business recommendation:
-----------------------------------------------------------------------
Apply patches that are provided by the vendor. Restrict access to the
PowerFolder port, as the vulnerability might be exploited with other gadgets.

CVSS2 Ratings
-----------------------------------------------------------------------
CVSS Base Score: 9.3
Impact Subscore: 10
Exploitability Subscore: 8.6
CVSS v2 Vector (AV:N/AC:M/Au:N/C:C/I:C/A:C)
-----------------------------------------------------------------------


Vulnerability description:
----------------------------------------------------------------------
The PowerFolder server and client are written in Java. Data exchange is mainly
done via serialized objects that are send over a dedicated port (TCP port 1337).
This service allows deserialization of untrusted data, which can be exploited to
execute arbitrary code.[1][2]

The tested PowerFolder version contains a modified version of the Java
library "ApacheCommons". In this version, the PowerFolder developers removed
certain dangerous classes like
org.apache.commons.collections.functors.InvokerTransformer
however, exploitation is still possible using another gadget chain [3].

Proof of concept:
----------------------------------------------------------------------
A simple PoC can be found here: 

https://github.com/h0ng10/powerfolder-exploit-poc
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39854.zip

Disclosure timeline:
----------------------------------------------------------------------
10/02/2016: Bug discovered during pentest preparation
02/03/2016: Initial contact via vendor support form
02/03/2016: Response from vendor, asking for additional details
02/03/2016: Sending description, including a very simple PoC
07/03/2016: Response from PowerFolder developers, they are unable to reproduce
the issue
07/03/2016: Response from Mogwai Security, will develop a improved PoC exploit
12/03/2016: Providing an improved exploit PoC that does not only work in LAN
networks
21/03/2016: Requesting an update from the developers
21/03/2016: Phone call with PowerFolder developers
21/03/2016: Additional response from PowerFolder, they plan to release a
security update at the end of the month
01/04/2016: Release of PowerFolder 10 SP5, including vulnerability
acknowledgement [4]

References:
----------------------------------------------------------------------
[1] https://frohoff.github.io/appseccali-marshalling-pickles/
[2] https://www.youtube.com/watch?v=VviY3O-euVQ
[3] https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/CommonsCollections3.java
[4] https://wiki.powerfolder.com/display/PFC/PowerFolder+Client+10+SP5


Advisory URL:
----------------------------------------------------------------------
https://www.mogwaisecurity.de/#lab


----------------------------------------------------------------------
Mogwai, IT-Sicherheitsberatung Muench
Gutenbergstrasse 2
89231 Neu-Ulm (Germany)

info@mogwaisecurity.de
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-11-02 "Apache Flink 1.9.x - File Upload RCE (Unauthenticated)" webapps java bigger.wing
2020-10-29 "WebLogic Server 10.3.6.0.0 / 12.1.3.0.0 / 12.2.1.3.0 / 12.2.1.4.0 / 14.1.1.0.0 - Unauthenticated RCE via GET request" webapps java "Mohammed Althibyani"
2020-10-20 "Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution" webapps java "Jonatas Fil"
2020-10-19 "Jenkins 2.63 - Sandbox bypass in pipeline: Groovy plug-in" webapps java "Daniel Morris"
2020-09-09 "Scopia XT Desktop 8.3.915.4 - Cross-Site Request Forgery (change admin password)" webapps java V1n1v131r4
2020-09-07 "ManageEngine Applications Manager 14700 - Remote Code Execution (Authenticated)" webapps java Hodorsec
2020-08-10 "ManageEngine ADSelfService Build prior to 6003 - Remote Code Execution (Unauthenticated)" webapps java "Bhadresh Patel"
2020-07-26 "ManageEngine Applications Manager 13 - 'MenuHandlerServlet' SQL Injection" webapps java aldorm
2020-07-07 "Exhibitor Web UI 1.7.1 - Remote Code Execution" webapps java "Logan Sanderson"
2020-06-04 "VMWAre vCloud Director 9.7.0.15498291 - Remote Code Execution" webapps java "Tomas Melicher"
Release Date Title Type Platform Author
2016-05-25 "PowerFolder Server 10.4.321 - Remote Code Execution" remote java "Hans-Martin Muench"
2015-02-03 "Hewlett-Packard (HP) UCMDB - JMX-Console Authentication Bypass" webapps windows "Hans-Martin Muench"
2015-01-20 "WordPress Plugin Pixarbay Images 2.3 - Multiple Vulnerabilities" webapps php "Hans-Martin Muench"
2014-09-01 "ManageEngine EventLog Analyzer - Multiple Vulnerabilities (1)" webapps jsp "Hans-Martin Muench" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected