10
CVSSv2

CVE-2009-4188

Published: 03/12/2009 Updated: 04/12/2009
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
VMScore: 1000
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

HP Operations Dashboard has a default password of j2deployer for the j2deployer account, which allows remote malicious users to execute arbitrary code via a session that uses the manager role to conduct unrestricted file upload attacks against the /manager servlet in the Tomcat servlet container. NOTE: this might overlap CVE-2009-3098.

Affected Products

Vendor Product Versions
HpOperations Dashboard*

Exploits

source: wwwsecurityfocuscom/bid/36258/info HP Operations Dashboard is prone to a remote security vulnerability Operations Dashboard 21 for Windows is vulnerable; other versions may also be vulnerable Attackers can exploit this issue using readily available tools The following authentication credentials are available: j2deployer:j2 ...
## # $Id: tomcat_mgr_deployrb 11330 2010-12-14 17:26:44Z egypt $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions Please see the Metasploit # Framework web site for more information on licensing and terms of use # metasploitcom/framework/ ## require 'msf/core' cla ...

Metasploit Modules

Apache Tomcat Manager Application Deployer Authenticated Code Execution

This module can be used to execute a payload on Apache Tomcat servers that have an exposed "manager" application. The payload is uploaded as a WAR archive containing a jsp application using a PUT request. The manager application can also be abused using /manager/html/upload, but that method is not implemented in this module. NOTE: The compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads.

msf > use exploit/multi/http/tomcat_mgr_deploy
      msf exploit(tomcat_mgr_deploy) > show targets
            ...targets...
      msf exploit(tomcat_mgr_deploy) > set TARGET <target-id>
      msf exploit(tomcat_mgr_deploy) > show options
            ...show and set options...
      msf exploit(tomcat_mgr_deploy) > exploit
Apache Tomcat Manager Authenticated Upload Code Execution

This module can be used to execute a payload on Apache Tomcat servers that have an exposed "manager" application. The payload is uploaded as a WAR archive containing a jsp application using a POST request against the /manager/html/upload component. NOTE: The compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads.

msf > use exploit/multi/http/tomcat_mgr_upload
      msf exploit(tomcat_mgr_upload) > show targets
            ...targets...
      msf exploit(tomcat_mgr_upload) > set TARGET <target-id>
      msf exploit(tomcat_mgr_upload) > show options
            ...show and set options...
      msf exploit(tomcat_mgr_upload) > exploit
Tomcat Application Manager Login Utility

This module simply attempts to login to a Tomcat Application Manager instance using a specific user/pass.

msf > use auxiliary/scanner/http/tomcat_mgr_login
      msf auxiliary(tomcat_mgr_login) > show actions
            ...actions...
      msf auxiliary(tomcat_mgr_login) > set ACTION <action-name>
      msf auxiliary(tomcat_mgr_login) > show options
            ...show and set options...
      msf auxiliary(tomcat_mgr_login) > run