Jboss Application Server - Remote Code Execution
ID: CVE-2017-12149
Severity: critical
Author: fopina,s0obi
Tags: cve2017,cve,java,rce,deserialization,kev,vulhub,jboss,intrusive,redhat
Description

JBoss Application Server as shipped with Red Hat Enterprise Application Platform 5.2 is susceptible to a remote code execution vulnerability because the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict the classes for which it performs deserialization, thus allowing an attacker to execute arbitrary code via crafted serialized data.
YAML Source

id: CVE-2017-12149

info:
  name: Jboss Application Server - Remote Code Execution
  author: fopina,s0obi
  severity: critical
  description: Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2 is susceptible to a remote code execution vulnerability because the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization, thus allowing an attacker to execute arbitrary code via crafted serialized data.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized remote code execution on the affected server.
  remediation: |
    Apply the latest security patches and updates provided by Jboss to fix this vulnerability.
  reference:
    - https://chowdera.com/2020/12/20201229190934023w.html
    - https://github.com/vulhub/vulhub/tree/master/jboss/CVE-2017-12149
    - https://nvd.nist.gov/vuln/detail/CVE-2017-12149
    - https://bugzilla.redhat.com/show_bug.cgi?id=1486220
    - https://access.redhat.com/errata/RHSA-2018:1607
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2017-12149
    cwe-id: CWE-502
    epss-score: 0.9719
    epss-percentile: 0.9982
    cpe: cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.0.0:*:*:*:*:*:*:*
  metadata:
    max-request: 3
    vendor: redhat
    product: jboss_enterprise_application_platform
    shodan-query:
      - http.title:"jboss"
      - cpe:"cpe:2.3:a:redhat:jboss_enterprise_application_platform"
    fofa-query: title="jboss"
    google-query: intitle:"jboss"
  tags: cve2017,cve,java,rce,deserialization,kev,vulhub,jboss,intrusive,redhat

http:
  - raw:
      - |
        POST /invoker/JMXInvokerServlet/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/octet-stream

        {{ base64_decode("rO0ABXNyABNqYXZhLnV0aWwuQXJyYXlMaXN0eIHSHZnHYZ0DAAFJAARzaXpleHAAAAACdwQAAAACdAAJZWxlbWVudCAxdAAJZWxlbWVudCAyeA==") }}
      - |
        POST /invoker/EJBInvokerServlet/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/octet-stream

        {{ base64_decode("rO0ABXNyABNqYXZhLnV0aWwuQXJyYXlMaXN0eIHSHZnHYZ0DAAFJAARzaXpleHAAAAACdwQAAAACdAAJZWxlbWVudCAxdAAJZWxlbWVudCAyeA==") }}
      - |
        POST /invoker/readonly HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/octet-stream

        {{ base64_decode("rO0ABXNyABNqYXZhLnV0aWwuQXJyYXlMaXN0eIHSHZnHYZ0DAAFJAARzaXpleHAAAAACdwQAAAACdAAJZWxlbWVudCAxdAAJZWxlbWVudCAyeA==") }}

    matchers-condition: and
    matchers:
      - type: word
        part: response
        words:
          - JBoss
          - ClassCastException
        condition: and
        case-insensitive: true

      - type: status
        status:
          - 200
          - 500
# digest: 4a0a00473045022014ff392b0d0e4b404d8d51763fc318917c2de71cb9aed60ddf37ae9a237f5f1a0221009ddadf005ca6beee4aee1ab40750c9abe299b8004b620e9f49c1cdf96c10d78a:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template detects CVE-2017-12149 with the Nuclei scanner. Point it at a target URL and Nuclei reports a match only when a response satisfies the matchers above (both words present, case-insensitively, and an HTTP 200 or 500 status).

$ nuclei -u "URL" -t "http/cves/2017/CVE-2017-12149.yaml"
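As an added example (not part of the Nuclei template or the vulhub material), the Python below decodes the base64 body the template POSTs, parses the Java serialization stream just far enough to show that it is a plain java.util.ArrayList holding two strings (a type-confusion probe, not a gadget chain), and then applies the template's matcher logic to a constructed sample response. The sample response text and the function names are assumptions.

```python
import base64
import struct

# The exact body the template POSTs to the three invoker endpoints (copied from the template).
PROBE_B64 = ("rO0ABXNyABNqYXZhLnV0aWwuQXJyYXlMaXN0eIHSHZnHYZ0DAAFJAARzaXpleHAAAAACdwQAAAACdAAJ"
             "ZWxlbWVudCAxdAAJZWxlbWVudCAyeA==")

PRIM_SIZE = {"I": 4, "J": 8, "Z": 1, "B": 1, "S": 2, "C": 2, "F": 4, "D": 8}

def describe_probe(b64: str) -> dict:
    """Parse the stream far enough to name the root class and list its string elements.
    Handles the shape this probe uses: one class descriptor with primitive fields only."""
    data = base64.b64decode(b64)
    pos = 0
    def read(n):
        nonlocal pos
        pos += n
        return data[pos - n:pos]
    def utf():                                    # 2-byte big-endian length + modified UTF-8
        return read(struct.unpack(">H", read(2))[0]).decode("utf-8")
    magic, version = struct.unpack(">HH", read(4))
    assert (magic, version) == (0xACED, 5), "not a Java serialization stream"
    assert read(2) == b"\x73\x72", "expected TC_OBJECT, TC_CLASSDESC"
    class_name = utf()
    read(9)                                       # serialVersionUID (8) + classDescFlags (1)
    fields = [(read(1).decode(), utf()) for _ in range(struct.unpack(">H", read(2))[0])]
    assert all(c in PRIM_SIZE for c, _ in fields), "only primitive fields handled here"
    assert read(2) == b"\x78\x70", "expected TC_ENDBLOCKDATA, TC_NULL (no superclass)"
    for code, _ in fields:
        read(PRIM_SIZE[code])                     # field values, e.g. size = 2
    strings = []
    while (tag := read(1)) != b"\x78":            # writeObject annotation until TC_ENDBLOCKDATA
        if tag == b"\x77":                        # TC_BLOCKDATA: capacity written by ArrayList
            read(read(1)[0])
        elif tag == b"\x74":                      # TC_STRING: one list element
            strings.append(utf())
        else:
            raise ValueError(f"unexpected tag {tag!r}")
    return {"class": class_name, "fields": fields, "elements": strings}

def template_matches(status: int, body: str) -> bool:
    """matchers-condition: and -> both words present (case-insensitive) AND status 200 or 500."""
    words_ok = all(w in body.lower() for w in ("jboss", "classcastexception"))
    return words_ok and status in (200, 500)

# Constructed sample of a vulnerable invoker's reply: the filter deserialized the ArrayList
# and then failed to cast it to the invocation type it expected, so an error page came back.
SAMPLE_RESPONSE = (500, "java.lang.ClassCastException: java.util.ArrayList cannot be cast to "
                        "org.jboss.invocation.MarshalledInvocation (JBoss Web/2.1.3.GA)")
```

A server that rejects the stream before deserializing (for example with a class allowlist in front of readObject) produces no ClassCastException, so the word matcher fails and the template reports nothing.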