CVE-2010-0219
Published 2010-10-18
Priority P1 (84) · critical · CVSS 2.0 score 10.0 · vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploited in the wild (VulnCheck KEV)
EPSS 89.87% (99.8th percentile)
Apache Axis2, as used in dswsbobje.war in SAP BusinessObjects Enterprise XI 3.2, CA ARCserve D2D r15, and other products, has a default password of axis2 for the admin account, which makes it easier for remote attackers to execute arbitrary code by uploading a crafted web service.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | axis2 | — | — |
| apache | axis2 | — | — |
| apache | axis2 | — | — |
| apache | axis2 | — | — |
| apache | axis2 | — | — |
| apache | axis2 | — | — |
| apache | axis2 | — | — |
| sap | businessobjects | — | — |
Detection & IOCs (extracted from sources)
- Detect a successful Axis2 admin login by matching the response body for the string 'Welcome to Axis2 Web Admin Module !!'.
- Monitor for POST requests to /axis2-admin/login or /axis2/axis2-admin/login carrying the credentials admin:axis2 (default credential abuse).
- Monitor for multipart/form-data POST uploads to /axis2-admin/upload paths; this is the mechanism used to deploy malicious .aar web service files.
- Alert on HTTP GET requests to /axis2/services/<random_name>/run following an upload, which indicates payload execution polling.
- Use Shodan/FOFA queries to identify exposed Axis2 instances: http.html:"Apache Axis" or body="apache axis".
- On CA ARCserve D2D hosts, check for a world-accessible Axis2 instance on port 8014; the installer adds the port to the firewall exceptions, so it is reachable from the internet.
- Inspect axis2.xml for default credentials: admin/axis2 entries indicate an unpatched default configuration.
- Detect SOAP-based payload execution: monitor POST requests to /axis2/services/<name> whose SOAPAction header contains 'http://session.dsws.businessobjects.com/2007/06/01/run'.
- The SAP BusinessObjects deployment uses /dswsbobje instead of /axis2 as the Axis2 application root; detection rules must account for both paths.
- HP Universal CMDB places an additional HTTP Basic Auth layer (default credentials admin/admin) in front of Axis2, so a two-stage authentication check is required.
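Detection logic for the IOCs listed above, added here as an example (it is not code from any of the page's sources): it classifies HTTP transactions against both the /axis2 and /dswsbobje application roots and escalates per source IP when a successful admin login is followed by a service upload or a run request. The transaction record layout, the sample traffic and the login form field names (userName/password) are assumptions.

```python
import re

# Axis2 application roots named in the IOC list: /axis2 (default) and /dswsbobje (SAP BOE).
ROOT = r"(?:/axis2|/dswsbobje)"
LOGIN_RE = re.compile(rf"^{ROOT}?/axis2-admin/login$")      # root is optional here
UPLOAD_RE = re.compile(rf"^{ROOT}?/axis2-admin/upload$")
RUN_RE = re.compile(rf"^{ROOT}/services/[^/]+/run$")
SERVICE_RE = re.compile(rf"^{ROOT}/services/[^/]+$")
WELCOME = "Welcome to Axis2 Web Admin Module !!"
SOAP_RUN = "http://session.dsws.businessobjects.com/2007/06/01/run"

def classify(tx):
    """Map one HTTP transaction (a dict) to the IOC stage it matches, or None."""
    path, method = tx["path"].split("?", 1)[0], tx["method"].upper()
    hdr = {k.lower(): v for k, v in tx.get("headers", {}).items()}
    body = tx.get("body", "")
    if method == "POST" and LOGIN_RE.match(path):
        if WELCOME in tx.get("response", ""):
            return "admin_login_success"
        # Form field names are an assumption; the page only gives the pair admin:axis2.
        if "userName=admin" in body and "password=axis2" in body:
            return "default_cred_attempt"
        return "admin_login_attempt"
    if method == "POST" and UPLOAD_RE.match(path) \
            and hdr.get("content-type", "").startswith("multipart/form-data"):
        return "service_upload"
    if method == "GET" and RUN_RE.match(path):
        return "run_poll"
    if method == "POST" and SERVICE_RE.match(path) and SOAP_RUN in hdr.get("soapaction", ""):
        return "soap_run"
    return None

def analyze(transactions):
    """Group matched stages per source IP and escalate when login is followed by deploy/run."""
    stages = {}
    for tx in transactions:
        stage = classify(tx)
        if stage:
            stages.setdefault(tx["src"], set()).add(stage)
    report = {}
    for src, seen in stages.items():
        deployed = seen & {"service_upload", "run_poll", "soap_run"}
        if "admin_login_success" in seen and deployed:
            verdict = "likely_compromise"
        elif deployed or "default_cred_attempt" in seen:
            verdict = "suspicious"
        else:
            verdict = "info"
        report[src] = {"stages": sorted(seen), "verdict": verdict}
    return report

# Constructed sample transactions (not real traffic).
SAMPLE = [
    {"src": "203.0.113.7", "method": "POST", "path": "/axis2/axis2-admin/login",
     "body": "userName=admin&password=axis2", "response": "<h1>" + WELCOME + "</h1>"},
    {"src": "203.0.113.7", "method": "POST", "path": "/axis2/axis2-admin/upload",
     "headers": {"Content-Type": "multipart/form-data; boundary=xyz"}},
    {"src": "203.0.113.7", "method": "GET", "path": "/axis2/services/Svc1/run"},
    {"src": "198.51.100.9", "method": "POST", "path": "/dswsbobje/services/Session",
     "headers": {"SOAPAction": SOAP_RUN}},
    {"src": "192.0.2.44", "method": "GET", "path": "/axis2/services/listServices"},
]
```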
CVSS provenance
- NVD (v2.0): 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
- VulnCheck: 10.0 CRITICAL
GHSA
GHSA-9x38-862g-jg8w: Apache Axis2, as used in dswsbobje [HIGH]
ghsa_unreviewed · 2022-05-02
VulnCheck
Apache Axis2 dswsbobje.war Remote Code Execution [CRITICAL]
vulncheck · 2010 · CVSS 10.0
Affected: Apache axis2
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-15&host_type=src&vulnerability=cve-2010-0219; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-16&host_type=src&vulnerability=cve-2010-021
Suricata
GPL FTP CWD overflow attempt (the rule references CVE-1999-0219)
suricata · 2010-09-23
Rule:
alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP CWD overflow attempt"; flow:established,to_server; content:"CWD"; nocase; isdataat:100,relative; pcre:"/^CWD\s[^\n]{100}/smi"; reference:bugtraq,11069; reference:bugtraq,1227; reference:bugtraq,1690; reference:bugtraq,6869; reference:bugtraq,7251; reference:bugtraq,7950; reference:cve,1999-0219; reference:cve,1999-1058; reference:cve,1999-1510; reference:cve,2000-1035; reference:cve,2000-1194; reference:cve,2001-0781; reference:cve,2002-0126; reference:cve,2002-0405; classtype:attempted-admin; sid:2101919; rev:25; metadata:created_at 2010_09_23, cve CVE_1999_0219, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08;)
Exploit-DB
CA ARCserve D2D r15 - Web Service Servlet Code Execution
exploitdb · 2010-12-30
---
Computer Associates ARCserve D2D r15 Web Service Apache Axis2 World Accessible Servlet Code Execution Vulnerability PoC
product homepage:
https://support.ca.com/phpdocs/0/8363/support/arcserved2d_support.html
vulnerability:
The Tomcat Server, which listens for incoming connections on port 8014,
carries a world accessible Apache Axis2 Web Service with default credentials.
Also, the web service port is added to firewall exceptions, allowing all
computers, including those on the internet, to access the default Axis2 instance.
Check:
C:\Program Files\CA\ARCserve D2D\TOMCAT\webapps\WebServiceImpl\WEB-INF\conf\axis2.xml
It shows:
admin
axis2
By uploading a well-constructed .aar (axis2 service) file
by accessing the
http://host
Exploit-DB
Axis2 - (Authenticated) Code Execution (via REST) (Metasploit)
exploitdb · 2010-12-14
---
##
# $Id: axis2_deployer_rest.rb 11330 2010-12-14 17:26:44Z egypt $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
HttpFingerprint = { :pattern => [ /Apache.*(Coyote|Tomcat)/ ] }
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Axis2 Authenticated Code Execution (via REST)',
'Version' => '$Revision: 11330 $',
'Description' => %q{
This module logs in to an Axis2 Web Admin Module instance using a specific user/pass
and uploads and executes commands via
Exploit-DB
Axis2 / SAP BusinessObjects - (Authenticated) Code Execution (via SOAP) (Metasploit)
exploitdb · 2010-12-14
---
##
# $Id: axis2_deployer.rb 11330 2010-12-14 17:26:44Z egypt $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
HttpFingerprint = { :pattern => [ /Apache.*(Coyote|Tomcat)/ ] }
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Axis2 / SAP BusinessObjects Authenticated Code Execution (via SOAP)',
'Version' => '$Revision: 11330 $',
'Description' => %q{
This module logs in to an Axis2 Web Admin Module instance using a specific user/pas
Metasploit
Axis2 / SAP BusinessObjects Authenticated Code Execution (via SOAP)
metasploit
This module logs in to an Axis2 Web Admin Module instance using a specific user/pass and uploads and executes commands via deploying a malicious web service by using SOAP.
Nuclei
Apache Axis2 Default Login [CRITICAL]
nuclei · CVSS 10.0
Template:

```yaml
id: CVE-2010-0219
info:
  name: Apache Axis2 Default Login
  author: pikpikcu
  severity: critical
  description: Apache Axis2, as used in dswsbobje.war in SAP BusinessObjects Enterprise XI 3.2, CA ARCserve D2D r15, and other products, has a default password of axis2 for the admin account, which makes it easier for remote attackers to execute arbitrary code by uploading a crafted web service.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access t
```
Metasploit
Apache Axis2 Brute Force Utility
metasploit
This module attempts to login to an Apache Axis2 instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options. It has been verified to work on at least versions 1.4.1 and 1.6.2.
No writeups or analysis indexed.
References
- http://retrogod.altervista.org/9sg_ca_d2d.html
- http://secunia.com/advisories/41799
- http://secunia.com/advisories/42763
- http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf
- http://www.exploit-db.com/exploits/15869
- http://www.kb.cert.org/vuls/id/989719
- http://www.osvdb.org/70233
- http://www.rapid7.com/security-center/advisories/R7-0037.jsp
- http://www.securityfocus.com/archive/1/514284/100/0/threaded
- http://www.securitytracker.com/id?1024929
- http://www.vupen.com/english/advisories/2010/2673
- https://exchange.xforce.ibmcloud.com/vulnerabilities/62523
- https://kb.juniper.net/KB27373
- https://service.sap.com/sap/support/notes/1432881