Welcome to the Wallarm weekly web exploits digest! Starting this week, we will publish a weekly digest of web exploits with CVSS scores higher than 5, followed by explanations, risk analysis, related stories and news. So, here we go!

The most sophisticated and interesting exploit fell outside this score threshold for some reason, but who are we to argue with a CVSS score 😉 This is the Apache OFBiz XML-RPC Java Serialization Remote Code Execution issue https://vulners.com/packetstorm/PACKETSTORM:161769 where you can find an XML-packed and Base64-encoded Java deserialization payload:

<serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">#{Rex::Text.encode_base64(data)}</serializable>  

In a nutshell, this bypasses WAFs, IPS/IDS and NGFW systems by default, since the malicious payload can be encoded twice: first in Base64, and then with XML encodings such as built-in or custom-defined entities and character references, which only the XML parser on the server reassembles.
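To make the double encoding concrete, here is an added Python example (not code from the page or from the Metasploit module) that builds an XML-RPC request carrying a constructed stand-in for a serialized Java object, hides the base64 "rO0AB" marker behind a DTD-defined entity and decimal character references, and contrasts a signature-only scan of the raw request body with a scan that first parses the XML and base64-decodes the <serializable> content. The method name, the sample bytes and both scanners are assumptions made for the example.

```python
import base64
import xml.etree.ElementTree as ET

# Java serialization stream header: STREAM_MAGIC 0xACED followed by STREAM_VERSION 0x0005.
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"
# base64 of those four bytes starts with "rO0AB", the usual marker WAF signatures key on.
JAVA_SER_B64_SIG = "rO0AB"

XMLRPC_EXT_NS = "http://ws.apache.org/xmlrpc/namespaces/extensions"

# Constructed stand-in for a serialized gadget chain: a valid stream header plus
# filler bytes, so it trips the magic check without being a real payload.
SAMPLE_PAYLOAD = JAVA_SER_MAGIC + b"\x73\x72\x00\x11java.util.HashMap" + b"\x00" * 8


def build_request(payload: bytes, hide: bool) -> str:
    """Wrap a serialized object in an XML-RPC <serializable> element.

    With hide=True the base64 text is split so that nothing pattern-matching the
    raw request body ever sees "rO0AB": the first three characters become a
    DTD-defined entity and the rest are written as decimal character references.
    The method name and call structure are generic XML-RPC (assumed for the example).
    """
    b64 = base64.b64encode(payload).decode("ascii")
    if hide:
        head, tail = b64[:3], b64[3:]
        dtd = f'<!DOCTYPE methodCall [<!ENTITY h "{head}">]>'
        text = "&h;" + "".join(f"&#{ord(c)};" for c in tail)
    else:
        dtd, text = "", b64
    return (
        '<?xml version="1.0"?>'
        + dtd
        + "<methodCall><methodName>anyMethod</methodName><params><param><value>"
        + f'<serializable xmlns="{XMLRPC_EXT_NS}">{text}</serializable>'
        + "</value></param></params></methodCall>"
    )


def naive_scan(raw_body: str) -> bool:
    """Signature-only inspection of the request body as it appears on the wire."""
    return JAVA_SER_B64_SIG in raw_body or JAVA_SER_MAGIC.decode("latin-1") in raw_body


def deep_scan(raw_body: str) -> bool:
    """Normalize in the same order the XML-RPC endpoint will: parse the XML (which
    expands entities and character references), base64-decode every <serializable>
    element, then look for the Java stream magic in the decoded bytes."""
    try:
        root = ET.fromstring(raw_body)
    except ET.ParseError:
        return False
    for el in root.iter(f"{{{XMLRPC_EXT_NS}}}serializable"):
        try:
            blob = base64.b64decode((el.text or "").strip(), validate=True)
        except ValueError:
            continue
        if blob.startswith(JAVA_SER_MAGIC):
            return True
    return False


if __name__ == "__main__":
    for hide in (False, True):
        body = build_request(SAMPLE_PAYLOAD, hide)
        print(f"hide={hide}: naive_scan={naive_scan(body)} deep_scan={deep_scan(body)}")
```

The point for defenders: an inspector that only runs regexes over the body never sees the marker, because the server-side XML parser is what puts it back together. Detection has to decode in the same order the endpoint does (entity expansion, then base64, then the stream magic), and a production version of deep_scan should parse with entity expansion bounded or the body size capped, since xml.etree expands internal entities without limits.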

The most dangerous exploit released last week was definitely a VMware vCenter RCE.

In general, last week's harvest of exploits for vulnerabilities scored CVSS 5 and above breaks down by type as follows:

File upload: 2
PHP Object Injection: 2
SQL Injection: 2
Buffer overflow: 1

Web exploit stats for the week of March 8th – 15th, CVSS >5

So, between 2021-03-08 and 2021-03-15 the hackers' arsenal has been reinforced with exploitation tools for the following software:

  • VMware vCenter Server – the winner of the week, with a CVSS score of 10
  • QCubed 3.1.1 – Three high-severity exploits arrived for this product
  • Golden FTP Server 4.70
  • HPE Systems Insight Manager
  • Joomla JCK Editor
  • SonLogger
  • Microsoft Exchange 2019
  • ForkCMS
  • Atlassian JIRA

Here is the list of the high-scoring additions, with a short brief on the headliners' mechanics:

VMware vCenter Server File Upload / Remote Code Execution
Score: CVSS 10
Type: File upload
Metasploit +

This new high-scoring Metasploit RCE module exploits an unauthenticated OVA file upload and a path traversal vulnerability in VMware vCenter Server to write a JSP payload to a web-accessible directory. Note that later vulnerable Linux versions aren't exploitable via the web shell. Writing an SSH public key to authorized_keys works against them, but because the user's password expires 90 days after install, this technique is of little use in a production environment. The web shell technique itself works well against Windows installs and older Linux versions.
Why WAFs can’t catch VMware CVE-2021-21972
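As an added illustration of the path-traversal half of this bug (example code, not the Metasploit module's or VMware's): an OVA is a tar archive, so an upload handler that joins an archive entry name straight onto its extraction directory will write a member named ../../webroot/cmd.jsp outside that directory. The entry names, the upload directory and the placeholder JSP content below are constructed for the example; the real upload endpoint and target paths are not reproduced. The hardened variant resolves the final path and rejects anything that escapes the directory, as well as non-regular members.

```python
import io
import os
import tarfile
from typing import List, Optional, Tuple

# Constructed sample values (assumptions for this example, not from the advisory).
UPLOAD_DIR = "/srv/app/uploads"
TRAVERSAL_NAME = "../../webroot/cmd.jsp"
BENIGN_NAME = "descriptor.ovf"
PLACEHOLDER_JSP = b"<%-- constructed placeholder, not a web shell --%>"


def build_ova(members: List[Tuple[str, bytes]]) -> bytes:
    """Build an in-memory tar (what an OVA is) from (entry name, content) pairs.
    tarfile writes the entry name verbatim, '../' components included."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in members:
            info = tarfile.TarInfo(name=name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def naive_target_path(upload_dir: str, entry_name: str) -> str:
    """Vulnerable pattern: trust the archive entry name when choosing where to write.
    normpath only tidies the string; it does not keep the result inside upload_dir."""
    return os.path.normpath(os.path.join(upload_dir, entry_name))


def safe_target_path(upload_dir: str, entry_name: str) -> Optional[str]:
    """Hardened: resolve the final path and refuse anything outside upload_dir."""
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(base, entry_name))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def triage_ova(ova: bytes, upload_dir: str) -> Tuple[List[str], List[str]]:
    """Classify members without writing anything: returns (accepted, rejected) names.
    Non-regular members (symlinks, devices) are rejected too, since a symlink inside
    the archive is another way to redirect a later write out of the tree."""
    accepted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(ova), mode="r") as tar:
        for member in tar:
            if member.isreg() and safe_target_path(upload_dir, member.name) is not None:
                accepted.append(member.name)
            else:
                rejected.append(member.name)
    return accepted, rejected


if __name__ == "__main__":
    ova = build_ova([(BENIGN_NAME, b"<Envelope/>"), (TRAVERSAL_NAME, PLACEHOLDER_JSP)])
    print("naive write target:", naive_target_path(UPLOAD_DIR, TRAVERSAL_NAME))
    print("safe write target: ", safe_target_path(UPLOAD_DIR, TRAVERSAL_NAME))
    print("triage:", triage_ova(ova, UPLOAD_DIR))
```

The check that matters is the commonpath comparison after realpath: it is the only step that ties the written file to the intended directory, and it has to run on the resolved path, not on the raw entry name, so that symlinked parents and mixed ../ sequences are handled the same way.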

Golden FTP Server 4.70 Buffer Overflow
Score: CVSS 7.5
Type: Buffer overflow

A buffer overflow exists in the GoldenFTP authentication procedure. Note that the source IP address of the user performing the authentication forms part of the overflowed buffer and, as such, must be accounted for when calculating the appropriate offset. It should also be noted that the exploit is somewhat unstable: if exploitation fails, GoldenFTP will be left in a state where it still accepts connections but is unable to handle or process them in any way, so be careful.

HPE Systems Insight Manager AMF Deserialization Remote Code Execution
Score: CVSS 7.5
Type: Deserialization

A remotely exploitable vulnerability exists within HPE Systems Insight Manager (SIM) version 7.6.x that can be leveraged by an unauthenticated attacker to execute code within the context of HPE SIM's hpsimsvc.exe process, which runs with administrative privileges. The vulnerability occurs due to a failure to validate data during deserialization when a user submits a POST request to the /simsearch/messagebroker/amfsecure page. The module exploits this by leveraging an outdated copy of Commons Collections, namely 3.2.2, that ships with HPE SIM to gain RCE as the administrative user running HPE SIM.

QCubed 3.1.1 PHP Object Injection
Score: CVSS 7.5
Type: PHP Object Injection

A PHP object injection bug in profile.php in QCubed (all versions up to and including 3.1.1) unserializes the untrusted data of the POST variable "strProfileData" and allows an unauthenticated attacker to execute code remotely via a crafted POST request.

QCubed 3.1.1 SQL Injection
Score: CVSS 7.5
Type: SQL Injection

An SQL injection vulnerability in profile.php in QCubed (all versions up to and including 3.1.1) via the strQuery parameter allows an unauthenticated attacker to inject SQL code via a crafted POST request and thereby access the database remotely. In worst-case scenarios, an attacker might be able to execute code on the remote machine.

Joomla JCK Editor 6.4.4 SQL Injection
Score: CVSS 7.5
Type: SQL Injection

SonLogger Shell Upload (Unauthenticated Arbitrary File Upload)
Score: CVSS 7.5
Type: File upload
Metasploit +

Microsoft Exchange 2019 – SSRF to Arbitrary File Write (ProxyLogon)
Score: CVSS 7.5
Type: SSRF

QCubed 3.1.1 Cross Site Scripting
Score: CVSS 7.5
Type: XSS

ForkCMS PHP Object Injection
Score: CVSS 6.5
Type: PHP Object Injection

Atlassian JIRA 8.11.1 User Enumeration
Score: CVSS 6.1
Type: Enumeration