CVE-2014-1649
published 2014-05-16CVE-2014-1649: The server in Symantec Workspace Streaming (SWS) before 7.5.0.749 allows remote attackers to access files and functionality by sending a crafted XMLRPC request…
PriorityP263high7.9CVSS 2.0
AVAACMAuNCCICAC
EXPLOIT
EPSS
42.31%
98.5th percentile
The server in Symantec Workspace Streaming (SWS) before 7.5.0.749 allows remote attackers to access files and functionality by sending a crafted XMLRPC request over HTTPS.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| symantec | workspace_streaming | <= 7.5.0 | — |
| symantec | workspace_streaming | — | — |
Detection & IOCsextracted from sources · hover to see the quote
bytes↗
\xac\xed\x00\x05
- →Detect unauthenticated HTTPS POST requests to /xmlrpc on port 9855 containing XMLRPC method calls to ManagementAgentServer.putFile or ManagementAgentServer.getFile — these indicate exploitation of CVE-2014-1649. ↗
- →Look for Java serialized object streams (magic bytes 0xACED0005) in XMLRPC POST body payloads to /xmlrpc on port 9855, indicating a serialized com.appstream.cm.general.FileInfo object being uploaded. ↗
- →Alert on the server root token '*AWESE' appearing in XMLRPC request bodies to the as_agent.exe service — this is a fixed exploit artifact used to reference the server root directory. ↗
- →Monitor for WAR file creation or HTTP requests to the JBoss auto-deploy path ../server/appstream/deploy/ on port 9832 (as_ste.exe), which indicates the second stage of the exploit achieving RCE. ↗
- →Monitor for the class name 'com.appstream.cm.general.FileInfo' in network traffic or serialized payloads, as it is the specific Java class used to wrap the malicious file upload. ↗
- ·The exploit targets port 9855 (as_agent.exe) for the initial XMLRPC file upload and port 9832 (as_ste.exe/JBoss) for WAR auto-deploy RCE. Both ports must be monitored; the attack is a two-stage chain across these two services. ↗
- ·The vulnerability is exploitable in both single-machine and multi-machine (backend role) deployments of Symantec Workspace Streaming, so detection rules should not be scoped only to standalone servers. ↗
- ·The exploit is delivered over HTTPS, so TLS inspection is required to detect the malicious XMLRPC payload in transit. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
Symantec Workspace Streaming - Arbitrary File Upload (Metasploit)
exploitdb·2014-05-26
CVE-2014-1649 Symantec Workspace Streaming - Arbitrary File Upload (Metasploit)
Symantec Workspace Streaming - Arbitrary File Upload (Metasploit)
---
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rexml/document'
class Metasploit3 'Symantec Workspace Streaming Arbitrary File Upload',
'Description' => %q{
This module exploits a code execution flaw in Symantec Workspace Streaming. The
vulnerability exists in the ManagementAgentServer.putFile XMLRPC call exposed by the
as_agent.exe service, which allows for uploading arbitrary files under the server root.
This module abuses the auto deploy feature in the JBoss as_ste.exe instance in order
to achieve remote code execution. This module has been tested successfully on Symantec
Workspace Streaming 6.1 SP8
Metasploit
Symantec Workspace Streaming ManagementAgentServer.putFile XMLRPC Request Arbitrary File Upload
metasploit
Symantec Workspace Streaming ManagementAgentServer.putFile XMLRPC Request Arbitrary File Upload
Symantec Workspace Streaming ManagementAgentServer.putFile XMLRPC Request Arbitrary File Upload
This module exploits a code execution flaw in Symantec Workspace Streaming. The vulnerability exists in the ManagementAgentServer.putFile XMLRPC call exposed by the as_agent.exe service, which allows for uploading arbitrary files under the server root. This module abuses the auto deploy feature in the JBoss as_ste.exe instance in order to achieve remote code execution. This module has been tested successfully on Symantec Workspace Streaming 6.1 SP8 and Windows 2003 SP2, and reported to affect 7.5.0.x. Abused services listen on a single-machine deployment and also in the backend role in a multiple-machine deployment.
No writeups or analysis indexed.
http://www.exploit-db.com/exploits/33521http://www.securityfocus.com/bid/67189http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140512_00http://zerodayinitiative.com/advisories/ZDI-14-127/http://www.exploit-db.com/exploits/33521http://www.securityfocus.com/bid/67189http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140512_00http://zerodayinitiative.com/advisories/ZDI-14-127/
2014-05-16
Published