CVE-2013-3520
Published 2013-06-17
Priority P2 · 70 · high · 7.5 CVSS 2.0
AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS 55.64% (98.9th percentile)
VMware vCenter Chargeback Manager (aka CBM) before 2.5.1 does not properly handle uploads, which allows remote attackers to execute arbitrary code via unspecified vectors.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vmware | vcenter_chargeback_manager | <= 2.5.0 | — |
| vmware | vcenter_chargeback_manager | — | — |
| vmware | vcenter_chargeback_manager | — | — |
| vmware | vcenter_chargeback_manager | — | — |
| vmware | vcenter_chargeback_manager | — | — |
| vmware | vcenter_chargeback_manager | — | — |
| vmware | vcenter_chargeback_manager | — | — |
Detection & IOCs (extracted from sources)
- Detect unauthenticated multipart POST requests to /cbmui/ImageUploadServlet; no prior authentication is required, making any POST to this endpoint suspicious.
- Alert on multipart/form-data POST to /cbmui/ImageUploadServlet where the uploaded filename ends in .jsp, indicating attempted JSP webshell placement.
- Alert on subsequent GET requests to /cbmui/images/*.jsp, which indicates execution of an uploaded JSP payload.
- Check response body of the vCenter Chargeback Manager login/index page for the string 'vCenter Chargeback Manager' to confirm a vulnerable instance is exposed.
- The exploit requires SSL (HTTPS on port 443); monitor HTTPS traffic to /cbmui/ImageUploadServlet for multipart uploads not associated with authenticated sessions.
- The Metasploit module targets specifically VMware vCenter Chargeback Manager 2.0.1 on Windows 2003 SP2; exploitation on other versions or OS platforms is not confirmed by the module.
- The module's target filter restricts to Apache on Win32 servers; non-Windows deployments are excluded from this exploit path.
- The vulnerability affects VMware vCenter Chargeback Manager versions before 2.5.1; versions 2.5.1 and later are patched.
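The upload and follow-up request checks above can be run over web server logs as in the following added example, which is not taken from this page or its sources. The combined log format, the sample lines, the sample multipart body, and the rule names are assumptions; the filename check needs request bodies captured by a proxy or WAF, since access logs do not record them.

```python
import re

# Constructed Apache combined-format lines (documentation IPs, not real traffic).
SAMPLE_LOG = '''\
198.51.100.7 - - [17/Jun/2013:10:01:05 +0000] "POST /cbmui/ImageUploadServlet HTTP/1.1" 200 0
198.51.100.7 - - [17/Jun/2013:10:01:06 +0000] "GET /cbmui/images/sample.jsp HTTP/1.1" 200 12
203.0.113.20 - - [17/Jun/2013:10:02:00 +0000] "GET /cbmui/images/logo.png HTTP/1.1" 200 2048
203.0.113.21 - - [17/Jun/2013:10:03:00 +0000] "GET /cbmui/images/X.JSP;a?b=1 HTTP/1.1" 404 0
'''
# Constructed multipart body as a proxy or WAF with body capture might record it.
SAMPLE_BODY = (b'--b1\r\nContent-Disposition: form-data; name="file"; '
               b'filename="sample.jsp"\r\nContent-Type: image/png\r\n\r\n...\r\n--b1--\r\n')

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')
JSP_RE = re.compile(r'^/cbmui/images/.*\.jsp$', re.IGNORECASE)
FILENAME_RE = re.compile(rb'Content-Disposition:[^\r\n]*filename="([^"]*)"', re.IGNORECASE)

def analyze(log_text):
    """Return (rule, client_ip, path) findings in log order."""
    findings, uploaders = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, uri, status = m.groups()
        path = re.split(r'[?;]', uri, maxsplit=1)[0]  # drop query and path parameters
        if method == 'POST' and path == '/cbmui/ImageUploadServlet':
            uploaders.add(ip)
            findings.append(('upload-post', ip, path))
        elif JSP_RE.match(path):
            if not status.startswith('2'):
                rule = 'jsp-probe'                # requested but not served
            elif ip in uploaders:
                rule = 'jsp-served-after-upload'  # same client POSTed to the servlet earlier
            else:
                rule = 'jsp-served'               # image directory served a JSP
            findings.append((rule, ip, path))
    return findings

def jsp_upload_filenames(body):
    """Return uploaded filenames ending in .jsp from a captured multipart body."""
    names = [n.decode('latin-1') for n in FILENAME_RE.findall(body)]
    # Windows ignores trailing dots and spaces in file names, so strip them first.
    return [n for n in names if n.rstrip(' .').lower().endswith('.jsp')]

if __name__ == '__main__':
    for finding in analyze(SAMPLE_LOG):
        print(finding)
    print(jsp_upload_filenames(SAMPLE_BODY))
```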
CVSS provenance
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_redhat · 6.5 MEDIUM
GHSA
GHSA-g5m4-7cmw-qxm9: VMware vCenter Chargeback Manager (aka CBM) before 2
ghsa_unreviewed·2022-05-17
CVE-2013-3520 [HIGH] CWE-94 GHSA-g5m4-7cmw-qxm9: VMware vCenter Chargeback Manager (aka CBM) before 2
VMware vCenter Chargeback Manager (aka CBM) before 2.5.1 does not properly handle uploads, which allows remote attackers to execute arbitrary code via unspecified vectors.
Red Hat
openstack-keystone: Keystone V2 trusts privilege escalation through user supplied project id
vendor_redhat·2014-07-02·CVSS 6.5
CVE-2014-3520 [MEDIUM] CWE-863 openstack-keystone: Keystone V2 trusts privilege escalation through user supplied project id
OpenStack Identity (Keystone) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated trustees to gain access to an unauthorized project for which the trustor has certain roles via the project ID in a V2 API trust token request.
A flaw was found in the way keystone handled trusts. A trustee could use an out-of-scope project ID to gain unauthorized access to a project if the trustor had the required roles for that requested project.
Package: openstack-keystone (Red Hat Enterprise Linux OpenStack Platform 5 (Icehouse)) - Affected
VMware
VMware vCenter Chargeback Manager Remote Code Execution
vendor_vmware·2013-06-11·CVSS 5.0
CVE-2013-0166 [MEDIUM] VMware vCenter Chargeback Manager Remote Code Execution
VMSA-2013-0008: VMware vCenter Chargeback Manager Remote Code Execution
a. vCenter Chargeback Manager Remote Code Execution
The vCenter Chargeback Manager (CBM) contains a flaw in its handling of file uploads. Exploitation of this issue may allow an unauthenticated attacker to execute code remotely.
VMware would like to thank Andrea Micalizzi, aka rgod, for reporting this issue to us through HP's Zero Day Initiative (ZDI).
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-3520 to this issue.
Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
VMware Product Product Version Running on Replace with / Apply Patch VMware Product CBM Product Version 2.01 Running on an
No detection rules found.
Exploit-DB
VMware vCenter - Chargeback Manager ImageUploadServlet Arbitrary File Upload (Metasploit)
exploitdb·2013-07-23
CVE-2013-3520 VMware vCenter - Chargeback Manager ImageUploadServlet Arbitrary File Upload (Metasploit)
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  HttpFingerprint = { :pattern => [ /Apache.*Win32/ ] }

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'VMware vCenter Chargeback Manager ImageUploadServlet Arbitrary File Upload',
      'Description' => %q{
        This module exploits a code execution flaw in VMware vCenter Chargeback Manager,
        where the ImageUploadServlet servlet allows unauthenticated file
```
Metasploit
VMware vCenter Chargeback Manager ImageUploadServlet Arbitrary File Upload
metasploit
This module exploits a code execution flaw in VMware vCenter Chargeback Manager, where the ImageUploadServlet servlet allows unauthenticated file upload. The files are uploaded to the /cbmui/images/ web path, where JSP code execution is allowed. The module has been tested successfully on VMware vCenter Chargeback Manager 2.0.1 on Windows 2003 SP2.
Published: 2013-06-17