CVE-2016-2510
published 2016-04-07

Priority: P268 high
CVSS 3.1: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 70.43% (99.3th percentile)
BeanShell (bsh) before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler.

Affected

8 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| beanshell | beanshell | | |
| beanshell | beanshell | | |
| canonical | ubuntu_linux | | |
| canonical | ubuntu_linux | | |
| canonical | ubuntu_linux | | |
| debian | bsh | < bsh 2.0b4-16 (bookworm) | bsh 2.0b4-16 (bookworm) |
| debian | debian_linux | | |
| debian | debian_linux | | |

Detection & IOCs (extracted from sources)

path: /monitor/messagebroker/amf
url: https://github.com/pedrib/PoC/blob/master/exploits/tdvPwn.rb
url: https://github.com/beanshell/beanshell/commit/7c68fde2d6fc65e362f20863d868c112a90a9b49
url: https://github.com/beanshell/beanshell/commit/1ccc66bb693d4e46a34a904db8eeff07808d2ced
snort
ET EXPLOIT TIBCO Data Virtualization [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT TIBCO Data Virtualization <= 8.3 RCE Attempt (CVE-2016-2510)"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/monitor/messagebroker/amf"; nocase; http.request_body; content:"|00 03 00 00 00 01 00 00 00 00 00 00 00 01 11 0A 07 47 6F 72 67 2E 61 70 61 63 68 65 2E 61 78 69 73 32 2E 75 74 69 6C 2E 4D 65 74 61 44 61 74 61 45 6E 74 72 79 7C 99 8B D2 C6 4F B4 E3 00 00 00 02 01 00 00 00|"; fast_pattern; reference:url,github.com/pedrib/PoC/blob/master/exploits/tdvPwn.rb; reference:url,twitter.com/pedrib1337/status/1415862996786548736; reference:cve,2016-2510; classtype:attempted-admin; sid:2033605; rev:1; metadata:attack_target Server, created_at 2021_07_28, cve CVE_2016_2510, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2021_07_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
bytes
00 03 00 00 00 01 00 00 00 00 00 00 00 01 11 0A 07 47 6F 72 67 2E 61 70 61 63 68 65 2E 61 78 69 73 32 2E 75 74 69 6C 2E 4D 65 74 61 44 61 74 61 45 6E 74 72 79 7C 99 8B D2 C6 4F B4 E3 00 00 00 02 01 00 00 00
  • Exploit traffic consists of HTTP POST requests to the /monitor/messagebroker/amf endpoint with a crafted AMF body containing a serialized org.apache.axis2.util.MetaDataEntry gadget chain payload.
  • The vulnerability is triggered via Java deserialization or XStream deserialization of crafted serialized data involving the XThis.Handler class in BeanShell; monitor inbound deserialization streams for BeanShell class references.
  • A vulnerable application could be exploited for remote code execution, including executing arbitrary shell commands; alert on unexpected child processes spawned from Java application servers.
  • The vulnerability only manifests if BeanShell (bsh) is present on the classpath AND the application performs Java serialization or XStream deserialization of untrusted data; BeanShell alone is not sufficient.
  • The Snort/ET rule (sid:2033605) is scoped specifically to TIBCO Data Virtualization <= 8.3 and its /monitor/messagebroker/amf endpoint; other vulnerable applications using BeanShell deserialization will not be caught by this rule alone.

CVSS provenance

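| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | | 8.1 | HIGH | |
| vendor_debian | | 8.1 | HIGH | |
| vendor_oracle | | 8.1 | HIGH | |
| vendor_redhat | | 8.1 | HIGH | |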