CVE-2010-4417
published 2011-01-19CVE-2010-4417: Unspecified vulnerability in the Services for Beehive component in Oracle Fusion Middleware 2.0.1.0, 2.0.1.1, 2.0.1.2, 2.0.1.2.1, and 2.0.1.3 allows remote…
PriorityP274high7.5CVSS 2.0
AVNACLAuNCPIPAP
EXPLOIT
EPSS
78.66%
99.5th percentile
Unspecified vulnerability in the Services for Beehive component in Oracle Fusion Middleware 2.0.1.0, 2.0.1.1, 2.0.1.2, 2.0.1.2.1, and 2.0.1.3 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the January 2011 CPU. Oracle has not commented on claims from a reliable third party coordinator that voice-servlet/prompt-qa/Index.jspf does not properly handle null (%00) bytes in the evaluation parameter that is used in a filename, which allows attackers to create a file with an executable extension and execute arbitrary JSP code.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oracle | beehive | — | — |
| oracle | beehive | — | — |
| oracle | beehive | — | — |
| oracle | beehive | — | — |
| oracle | beehive | — | — |
Detection & IOCsextracted from sources · hover to see the quote
pathC:\oracle\product\2.0.1.0.0\beehive_2\j2ee\BEEAPP\applications\voice-servlet\voice-servlet\prompt-qa↗
commandGET /voice-servlet/prompt-qa/showRecxml.jsp?evaluation=<JSP_STAGER>&recxml=..\<stager_name>%00↗
- →Detect HTTP GET requests to /voice-servlet/prompt-qa/showRecxml.jsp containing a null byte (%00) in the 'recxml' parameter, which is the exploitation trigger for the path traversal/null byte injection. ↗
- →Alert on HTTP responses from /voice-servlet/prompt-qa/showRecxml.jsp containing the string 'RECXML Prompt Tester', which the exploit uses to fingerprint a vulnerable Oracle BeeHive instance. ↗
- →Monitor for new .jsp files written to the Oracle BeeHive prompt-qa web directory (C:\oracle\product\2.0.1.0.0\beehive_2\j2ee\BEEAPP\applications\voice-servlet\voice-servlet\prompt-qa\), which indicates successful stager upload. ↗
- →Detect HTTP POST requests to dynamically named .jsp files under /voice-servlet/prompt-qa/ immediately after a GET to showRecxml.jsp — this is the two-stage payload delivery pattern (stager upload then executable upload). ↗
- →Flag directory traversal sequences (e.g., '..\ ') in the 'recxml' GET parameter of requests to Oracle BeeHive voice-servlet endpoints, as the exploit uses path traversal combined with null byte truncation to place files outside the intended directory. ↗
- ·The exploit targets Oracle BeeHive running on Windows and achieves SYSTEM-level code execution; the default port is 7777 but may vary in non-default deployments. ↗
- ·The vulnerability is in the 'evaluation' parameter of voice-servlet/prompt-qa/Index.jspf; null byte (%00) handling allows attackers to bypass extension checks and write files with executable extensions (e.g., .jsp, .exe). ↗
- ·Affected Oracle Fusion Middleware versions are 2.0.1.0, 2.0.1.1, 2.0.1.2, 2.0.1.2.1, and 2.0.1.3 (Services for Beehive component). ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
Oracle BeeHive 2 - 'voice-servlet processEvaluation()' Write File (Metasploit)
exploitdb·2015-12-03
CVE-2010-4417 Oracle BeeHive 2 - 'voice-servlet processEvaluation()' Write File (Metasploit)
Oracle BeeHive 2 - 'voice-servlet processEvaluation()' Write File (Metasploit)
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 "Oracle BeeHive 2 voice-servlet processEvaluation() Vulnerability",
'Description' => %q{
This module exploits a vulnerability found in Oracle BeeHive. The processEvaluation method
found in voice-servlet can be abused to write a malicious file onto the target machine, and
gain remote arbitrary code execution under the context of SYSTEM.
},
'License' => MSF_LICENSE,
'Author' =>
[
'1c239c43f521145fa8385d64a9c32243', # Found the vuln first
'mr_me ', # https://twitter.com/ae0n_ (overlapped finding & PoC)
'sinn3r' # Metasploit
],
'Referenc
Metasploit
Oracle BeeHive 2 voice-servlet processEvaluation() Vulnerability
metasploit
Oracle BeeHive 2 voice-servlet processEvaluation() Vulnerability
Oracle BeeHive 2 voice-servlet processEvaluation() Vulnerability
This module exploits a vulnerability found in Oracle BeeHive. The processEvaluation method found in voice-servlet can be abused to write a malicious file onto the target machine, and gain remote arbitrary code execution under the context of SYSTEM.
No writeups or analysis indexed.
http://secunia.com/advisories/42978http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.htmlhttp://www.securityfocus.com/bid/45854http://www.securitytracker.com/id?1024981http://www.vupen.com/english/advisories/2011/0143http://www.zerodayinitiative.com/advisories/ZDI-11-020/https://exchange.xforce.ibmcloud.com/vulnerabilities/64772https://www.exploit-db.com/exploits/38859/http://secunia.com/advisories/42978http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.htmlhttp://www.securityfocus.com/bid/45854http://www.securitytracker.com/id?1024981http://www.vupen.com/english/advisories/2011/0143http://www.zerodayinitiative.com/advisories/ZDI-11-020/https://exchange.xforce.ibmcloud.com/vulnerabilities/64772https://www.exploit-db.com/exploits/38859/
2011-01-19
Published