CVE-2015-7611
Published 2016-06-07

CVE-2015-7611: Apache James Server 2.3.2, when configured with file-based user repositories, allows attackers to execute arbitrary system commands via unspecified vectors.
Priority: P2 (75), high
CVSS 3.0: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 68.60% (99.3th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | james_server | — | — |
Detection & IOCs (extracted from sources)
- Detect directory traversal usernames being created via the Apache James Remote Administration Tool on port 4555. Look for 'adduser' commands containing '../' sequences targeting /etc/cron.d or /etc/bash_completion.d.
- Monitor SMTP traffic (port 25) for mail addressed to recipients containing directory traversal sequences (e.g., '../../../../../../../../etc/'), which is used to drop payload files into /etc/cron.d or /etc/bash_completion.d.
- Alert on unexpected file creation events under /etc/bash_completion.d or /etc/cron.d originating from the Apache James mail server process, as these are the two exploitation paths used by this CVE.
- Check for SMTP banner string 'JAMES SMTP Server' on port 25 combined with 'JAMES Remote Administration Tool' on port 4555 to identify exposed vulnerable instances.
- Monitor POP3 (port 110) login attempts using usernames containing path traversal strings such as '../../../../../../../../etc/cron.d', which is used during the cleanup/delivery phase of exploitation.
- This vulnerability only affects Apache James Server 2.3.2 instances configured with file-based user repositories. Servers using other repository types are not affected.
- The cron exploitation method may not work on certain Linux distributions such as Ubuntu; the Bash Completion target may be more reliable in those environments.
- The Bash Completion exploitation method requires bash completion to be enabled on the target system to achieve code execution.
- The default credentials for the James Remote Administration Tool are root/root; exploitation relies on these defaults being unchanged.
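
One way to implement the port 4555, port 25 and port 110 checks above over captured protocol lines, as an added example that is not code from the page or its sources. The `(port, line)` event format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re

# "../" or "..\" anywhere in the extracted name counts as path traversal.
TRAVERSAL = re.compile(r"\.\.[/\\]")
# The two write targets named in the detection notes.
TARGET_DIRS = ("/etc/cron.d", "/etc/bash_completion.d")

# Per-port extractor for the field that becomes part of a mailbox path.
# Ports are the ones listed above; the "kind" labels are made up for this example.
FIELDS = {
    4555: ("admin-adduser", re.compile(r"^\s*adduser\s+(\S+)", re.I)),
    25: ("smtp-rcpt", re.compile(r"^\s*RCPT\s+TO:\s*<?([^>\s]+)>?", re.I)),
    110: ("pop3-user", re.compile(r"^\s*USER\s+(\S+)", re.I)),
}

def inspect(port, line):
    """Return a finding dict if the line carries a traversal name, else None."""
    entry = FIELDS.get(port)
    if entry is None:
        return None
    kind, pattern = entry
    match = pattern.match(line)
    if not match:
        return None
    name = match.group(1)
    if not TRAVERSAL.search(name):
        return None
    # Escalate when the traversal points at one of the two known target dirs.
    normalized = name.replace("\\", "/")
    target = next((d for d in TARGET_DIRS if d in normalized), None)
    return {"kind": kind, "value": name, "target": target,
            "severity": "high" if target else "medium"}

def scan(events):
    """Run inspect() over (port, line) pairs and keep only the findings."""
    return [dict(f, port=p) for p, l in events if (f := inspect(p, l))]

# Constructed sample events: benign lines mixed with the patterns described above.
SAMPLE = [
    (4555, "adduser alice s3cret"),
    (4555, "adduser ../../../../../../../../etc/bash_completion.d s3cret"),
    (25, "RCPT TO:<bob@example.org>"),
    (25, "RCPT TO: <../../../../../../../../etc/bash_completion.d>"),
    (110, "USER ../../../../../../../../etc/cron.d"),
    (110, "USER alice"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Pair network findings like these with the file creation alert on the two directories, since that alert still fires when the protocol traffic was not captured.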
CVSS provenance
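| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |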
GHSA
Apache James Server OS Command Injection
ghsa·2022-05-14
CVE-2015-7611 [HIGH] CWE-78 Apache James Server OS Command Injection
Apache James Server 2.3.2, when configured with file-based user repositories, allows attackers to execute arbitrary system commands via unspecified vectors.
OSV
Apache James Server OS Command Injection
osv·2022-05-14
CVE-2015-7611 [HIGH] Apache James Server OS Command Injection
Apache James Server 2.3.2, when configured with file-based user repositories, allows attackers to execute arbitrary system commands via unspecified vectors.
No detection rules found.
Exploit-DB
Apache James Server 2.3.2 - Insecure User Creation Arbitrary File Write (Metasploit)
exploitdb·2020-02-24
CVE-2015-7611 Apache James Server 2.3.2 - Insecure User Creation Arbitrary File Write (Metasploit)
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule "Apache James Server 2.3.2 Insecure User Creation Arbitrary File Write",
'Description' => %q{
This module exploits a vulnerability that exists due to a lack of input
validation when creating a user. Messages for a given user are stored
in a directory partially defined by the username. By creating a user
with a directory traversal payload as the username, commands can be
written to a given directory. To use this module with the cron
exploitation method, run the exploit using the given payload, host, and
port. After running the exploit, the p
Metasploit
Apache James Server 2.3.2 Insecure User Creation Arbitrary File Write
metasploit
This module exploits a vulnerability that exists due to a lack of input validation when creating a user. Messages for a given user are stored in a directory partially defined by the username. By creating a user with a directory traversal payload as the username, commands can be written to a given directory. To use this module with the cron exploitation method, run the exploit using the given payload, host, and port. After running the exploit, the payload will be executed within 60 seconds. Due to differences in how cron may run in certain Linux operating systems such as Ubuntu, it may be preferable to set the target to Bash Completion as the cron method may not work. If the target is set to Bash completion, start a list
- http://packetstormsecurity.com/files/133798/Apache-James-Server-2.3.2-Arbitrary-Command-Execution.html
- http://packetstormsecurity.com/files/156463/Apache-James-Server-2.3.2-Insecure-User-Creation-Arbitrary-File-Write.html
- http://www.openwall.com/lists/oss-security/2015/09/30/7
- http://www.openwall.com/lists/oss-security/2015/10/01/2
- http://www.securityfocus.com/archive/1/536575/100/0/threaded
- https://blogs.apache.org/james/entry/apache_james_server_2_3