v-p-b (9)
Last Login: February 25, 2024
v-p-b's Latest (5) Contributions
Technical Analysis
Based on vendor assessment the vulnerability (deserialization of untrusted data) is present in Active MQ Artemis too, but the Spring class used in the public exploit is not available in this flavor of the software (only works against ActiveMQ Classic). Exploitability of Artemis needs further research.
Based on the proposed workaround (require authentication on /setup/ paths) and IOC’s provided in the link above:
- “requests to /setup/*.action in network access logs”
- “presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory”
… it seems that setup pages remain accessible after installation, allowing the creation of new users.
Technical Analysis
Based on the published details the vulnerable program object executes with *OWNER privileges (similarly to how SUID executables work), but use the Library List (similar to the PATH environment variable) of the executing user, who can thus replace program dependencies to make their code execute in the context of a different user profile. This other user profile (QAUTPROF) has authority to impersonate QFAXMSF (also installed as part of the vulnerable software package), that has *ALLOBJ (“All Object” – similar to uid=0) special authority on the system. This is a local privilege escalation from any user profile (with command line access) to complete control over the system.
Technical Analysis
Based on the published vulnerability details authentication bypass is possible likely because the DDM service fails to terminate the session as an authentication error is detected, but proceeds to parse subsequent commands incoming from the connection. The commands sent by the attacking client can include instructions for command execution, making this an unauthenticated RCE.
The
allow_url_include
trick highlighted here works for EX series devices too, with the addition that you have to POST to an existing .php script path, such as/about.php?PHPRC=...