Entreprise d'experts en Sécurité Informatique : Audits et conseils en cybersécurité
Entreprise française de cybersécurité depuis 2004
☎ 03 60 47 09 81 - info@securiteinfo.com


CVE-2017-12149

Description

In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data.

POC

Reference

- https://github.com/gottburgm/Exploits/tree/master/CVE-2017-12149

Github

- https://github.com/0day666/Vulnerability-verification

- https://github.com/1337g/CVE-2017-10271

- https://github.com/1337g/CVE-2017-12149

- https://github.com/1337g/CVE-2017-17215

- https://github.com/20142995/nuclei-templates

- https://github.com/20142995/pocsuite

- https://github.com/20142995/sectool

- https://github.com/ARPSyndicate/cvemon

- https://github.com/ARPSyndicate/kenzer-templates

- https://github.com/AabyssZG/AWD-Guide

- https://github.com/AdeliaNitzsche/Java-Deserialization-Cheat-Sheet

- https://github.com/Awrrays/FrameVul

- https://github.com/BarrettWyman/JavaTools

- https://github.com/BrittanyKuhn/javascript-tutorial

- https://github.com/CVEDB/PoC-List

- https://github.com/CVEDB/awesome-cve-repo

- https://github.com/CVEDB/top

- https://github.com/CnHack3r/Penetration_PoC

- https://github.com/CrackerCat/myhktools

- https://github.com/DSO-Lab/pocscan

- https://github.com/EchoGin404/-

- https://github.com/EchoGin404/gongkaishouji

- https://github.com/Elsfa7-110/kenzer-templates

- https://github.com/GGyao/jbossScan

- https://github.com/GhostTroops/TOP

- https://github.com/GhostTroops/myhktools

- https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet

- https://github.com/HimmelAward/Goby_POC

- https://github.com/J1ezds/Vulnerability-Wiki-page

- https://github.com/JERRY123S/all-poc

- https://github.com/JFR-C/Windows-Penetration-Testing

- https://github.com/Jean-Francois-C/Windows-Penetration-Testing

- https://github.com/JesseClarkND/CVE-2017-12149

- https://github.com/Mr-xn/Penetration_Testing_POC

- https://github.com/MrE-Fog/jboss-_CVE-2017-12149

- https://github.com/MrE-Fog/jbossScan

- https://github.com/NCSU-DANCE-Research-Group/CDL

- https://github.com/NetW0rK1le3r/awesome-hacking-lists

- https://github.com/NyxAzrael/Goby_POC

- https://github.com/Ostorlab/KEV

- https://github.com/Ostorlab/known_exploited_vulnerbilities_detectors

- https://github.com/PalindromeLabs/Java-Deserialization-CVEs

- https://github.com/Sathyasri1/JavaDeserH2HC

- https://github.com/SexyBeast233/SecBooks

- https://github.com/TSY244/scan_node

- https://github.com/Threekiii/Awesome-POC

- https://github.com/Threekiii/Vulhub-Reproduce

- https://github.com/TrojanAZhen/Self_Back

- https://github.com/Tyro-Shan/gongkaishouji

- https://github.com/VVeakee/CVE-2017-12149

- https://github.com/Weik1/Artillery

- https://github.com/Xcatolin/jboss-deserialization

- https://github.com/XiaomingX/awesome-poc-for-red-team

- https://github.com/YIXINSHUWU/Penetration_Testing_POC

- https://github.com/Z0fhack/Goby_POC

- https://github.com/ZTK-009/Penetration_PoC

- https://github.com/ZTK-009/RedTeamer

- https://github.com/Zero094/Vulnerability-verification

- https://github.com/aymankhder/Windows-Penetration-Testing

- https://github.com/bakery312/Vulhub-Reproduce

- https://github.com/bfengj/CTF

- https://github.com/bright-angel/sec-repos

- https://github.com/cc8700619/poc

- https://github.com/chalern/Pentest-Tools

- https://github.com/cyberanand1337x/bug-bounty-2022

- https://github.com/do0dl3/myhktools

- https://github.com/dudek-marcin/Poc-Exp

- https://github.com/enomothem/PenTestNote

- https://github.com/fengjixuchui/RedTeamer

- https://github.com/fupinglee/JavaTools

- https://github.com/g1san/Agents-for-Vulnerable-Dockers-and-related-Benchmarks

- https://github.com/gallopsec/JBossScan

- https://github.com/getanehAl/Windows-Penetration-Testing

- https://github.com/hasee2018/Penetration_Testing_POC

- https://github.com/hktalent/TOP

- https://github.com/hktalent/bug-bounty

- https://github.com/hktalent/myhktools

- https://github.com/huike007/penetration_poc

- https://github.com/huike007/poc

- https://github.com/huisetiankong478/penetration_poc

- https://github.com/huisetiankong478/poc

- https://github.com/hungslab/awd-tools

- https://github.com/ianxtianxt/CVE-2015-7501

- https://github.com/ilmila/J2EEScan

- https://github.com/iqrok/myhktools

- https://github.com/jbmihoub/all-poc

- https://github.com/jiangsir404/POC-S

- https://github.com/jinhaozcp/weblogic

- https://github.com/joaomatosf/JavaDeserH2HC

- https://github.com/jreppiks/CVE-2017-12149

- https://github.com/jstang9527/gofor

- https://github.com/jweny/pocassistdb

- https://github.com/kaizer168/Security-03-04

- https://github.com/klausware/Java-Deserialization-Cheat-Sheet

- https://github.com/koutto/jok3r-pocs

- https://github.com/lions2012/Penetration_Testing_POC

- https://github.com/lnick2023/nicenice

- https://github.com/merlinepedra/JavaDeserH2HC

- https://github.com/merlinepedra25/JavaDeserH2HC

- https://github.com/mishmashclone/GrrrDog-Java-Deserialization-Cheat-Sheet

- https://github.com/nihaohello/N-MiddlewareScan

- https://github.com/onewinner/VulToolsKit

- https://github.com/ozkanbilge/Java-Reverse-Shell

- https://github.com/password520/Penetration_PoC

- https://github.com/password520/RedTeamer

- https://github.com/pen4uin/awesome-vulnerability-research

- https://github.com/pen4uin/vulnerability-research

- https://github.com/pen4uin/vulnerability-research-list

- https://github.com/pentration/gongkaishouji

- https://github.com/qazbnm456/awesome-cve-poc

- https://github.com/r0eXpeR/redteam_vul

- https://github.com/readloud/Awesome-Stars

- https://github.com/ronoski/j2ee-rscan

- https://github.com/sevck/CVE-2017-12149

- https://github.com/suizhibo/MemShellGene

- https://github.com/superfish9/pt

- https://github.com/superlink996/chunqiuyunjingbachang

- https://github.com/taielab/awesome-hacking-lists

- https://github.com/tanjiti/sec_profile

- https://github.com/tdcoming/Vulnerability-engine

- https://github.com/touchmycrazyredhat/myhktools

- https://github.com/tranphuc2005/Privilege-Escalation-Linux-with-JBoss

- https://github.com/tranphuc2005/leoquyen_linux

- https://github.com/trhacknon/myhktools

- https://github.com/veo/vscan

- https://github.com/weeka10/-hktalent-TOP

- https://github.com/winterwolf32/CVE-S---Penetration_Testing_POC-

- https://github.com/x-f1v3/Vulnerability_Environment

- https://github.com/xbl2022/awesome-hacking-lists

- https://github.com/xbl3/awesome-cve-poc_qazbnm456

- https://github.com/xuetusummer/Penetration_Testing_POC

- https://github.com/yedada-wei/-

- https://github.com/yedada-wei/gongkaishouji

- https://github.com/youtu0/yirou-doujia--M5q76SoDzCg9bNLl

- https://github.com/yunxu1/jboss-_CVE-2017-12149

- https://github.com/zesnd/cve-2017-12149

- https://github.com/znznzn-oss/Jboss