Apache Axis2 Default Credentials - Nessus

High   Plugin ID: 46740

This page contains detailed information about the Apache Axis2 Default Credentials Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.

Table Of Contents
hide

Plugin Overview

ID: 46740
Name: Apache Axis2 Default Credentials
Filename: apache_axis2_default_creds.nasl
Vulnerability Published: N/A
This Plugin Published: 2010-05-27
Last Modification Time: 2022-04-11
Plugin Version: 1.29
Plugin Type: remote
Plugin Family: CGI abuses
Dependencies: apache_axis2_detect.nasl
Required KB Items [?]: installed_sw/Axis2
Excluded KB Items: global_settings/supplied_logins_only

Vulnerability Information

Severity: High
Vulnerability Published: N/A
Patch Published: N/A
CVE [?]: CVE-2010-0219
CPE [?]: cpe:/a:apache:axis2
Default Account Vulnerability: True

Synopsis

The remote web server hosts a web application that uses default credentials.

Description

The installation of Apache Axis2 hosted on the remote web server uses a default set of credentials to control access to its administrative console. A remote attacker can exploit this to gain administrative control.

Solution

Login via the administrative interface and change the password for the 'admin' account.

Public Exploits

Target Network Port(s): 8080
Target Asset(s): Services/www
Exploit Available: True (Metasploit Framework, Exploit-DB, GitHub, Core Impact)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the Apache Axis2 Default Credentials vulnerability:

  1. Metasploit: exploit/multi/http/axis2_deployer
    [Axis2 / SAP BusinessObjects Authenticated Code Execution (via SOAP)]
  2. Metasploit: auxiliary/scanner/http/axis_login
    [Apache Axis2 Brute Force Utility]
  3. Exploit-DB: exploits/multiple/remote/16312.rb
    [EDB-16312: Axis2 - (Authenticated) Code Execution (via REST) (Metasploit)]
  4. Exploit-DB: exploits/multiple/remote/16315.rb
    [EDB-16315: Axis2 / SAP BusinessObjects - (Authenticated) Code Execution (via SOAP) (Metasploit)]
  5. GitHub: https://github.com/ACIC-Africa/metasploitable3
    [CVE-2010-0219]
  6. GitHub: https://github.com/adamziaja/vulnerability-check
    [CVE-2010-0219]

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information

CVSS V2 Vector [?]: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:U/RC:C
CVSS Base Score:7.5 (High)
Impact Subscore:6.4
Exploitability Subscore:10.0
CVSS Temporal Score:7.1 (High)
CVSS Environmental Score:NA (None)
Modified Impact Subscore:NA
Overall CVSS Score:7.1 (High)

Go back to menu.

Plugin Source

This is the apache_axis2_default_creds.nasl nessus plugin source code. This script is Copyright (C) 2010-2022 Tenable Network Security, Inc. 

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(46740);
  script_version("1.29");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2010-0219");
  script_bugtraq_id(44055, 45625);
  script_xref(name:"CERT", value:"989719");

  script_name(english:"Apache Axis2 Default Credentials");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server hosts a web application that uses default
credentials.");
  script_set_attribute(attribute:"description", value:
"The installation of Apache Axis2 hosted on the remote web server uses
a default set of credentials to control access to its administrative
console. A remote attacker can exploit this to gain administrative
control.");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/514284/30/0/threaded");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2010/Oct/100");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/516029");
  script_set_attribute(attribute:"solution", value:
"Login via the administrative interface and change the password for
the 'admin' account.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:U/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Axis2 / SAP BusinessObjects Authenticated Code Execution (via SOAP)');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"plugin_publication_date", value:"2010/05/27");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:axis2");
  script_set_attribute(attribute:"default_account", value:"true");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2010-2022 Tenable Network Security, Inc.");

  script_dependencies("apache_axis2_detect.nasl");
  script_require_keys("installed_sw/Axis2");
  script_exclude_keys("global_settings/supplied_logins_only");
  script_require_ports("Services/www", 8080);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");

app = "Axis2";
get_install_count(app_name:app, exit_if_zero:TRUE);

port = get_http_port(default:8080);

install = get_single_install(
  app_name : app,
  port     : port
);

dir = install['path'];
install_url = build_url(port:port, qs:dir);

if (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);

user = 'admin';
pass = 'axis2';

login = FALSE;
test_login = FALSE;

# In CA ArcServe D2D, The root dir is /WebServiceImpl
if (dir == '/WebServiceImpl/axis2-web') dir = '/WebServiceImpl';
url = '/axis2-admin/';

# Check if the axis2-admin interface is installed
res = http_send_recv3(method:"GET", item:dir+url, port:port, exit_on_fail:TRUE);

if ('<title>Login to Axis2 :: Administration page</title>' >< res[2])
{
  test_login = TRUE;
}
else
{
  url = "/Login.jsp";
  res = http_send_recv3(method:"GET", item:dir+url, port:port, exit_on_fail:TRUE);

  if (res[2] =~ '<title>Login to Axis2:: (Administration|Administartion) page</title>')
  {
    test_login = TRUE;
  }
}
if (test_login)
{
  # Try GET request first
  res = http_send_recv3(
    method : "GET",
    port   : port,
    item   : dir + '/adminlogin?userName='+user+'&password='+pass+'&submit=+Login++',
    exit_on_fail : TRUE,
    follow_redirect : 1
  );
  if (
    '<title>Axis2 :: Administrations Page</title>' >< res[2] &&
    '<a href="logout">Log out<' >< res[2]
  )
  {
    login = TRUE;
    rep_url = install_url + url;
  }
  if (!login)
  {
    postdata = 'userName='+user+'&password='+pass+'&submit=+Login+';
    req = http_mk_post_req(
      port:port,
      item:dir + url + 'login',
      add_headers:make_array("Content-Type", "application/x-www-form-urlencoded"),
      data:postdata
    );
    res = http_send_recv_req(port:port, req:req, exit_on_fail:TRUE);

    if (
      '<title>Axis2 :: Administration Page</title>' >< res[2] &&
      '<p>You are now logged into the Axis2 administration console' >< res[2]
    )
    {
      login = TRUE;
      rep_url = install_url + url + 'login';
    }
  }
  if (login)
  {
    if (report_verbosity > 0)
    {
      report =
        '\nNessus was able to gain access to the administrative interface using' +
        '\nthe following information :' +
        '\n' +
        '\n  URL      : ' + rep_url +
        '\n  User     : ' + user +
        '\n  Password : ' + pass + '\n';
      security_hole(port:port, extra:report);
    }
    else security_hole(port);
    exit(0);
  }
  else audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url);
}
else exit(0, 'The '+app+' install at  ' + install_url+' does not have an administrative interface.');

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/apache_axis2_default_creds.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\apache_axis2_default_creds.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/apache_axis2_default_creds.nasl

Go back to menu.

How to Run

Here is how to run the Apache Axis2 Default Credentials as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. On the top right corner click to Disable All plugins.
  5. On the left side table select CGI abuses plugin family.
  6. On the right side table select Apache Axis2 Default Credentials plugin ID 46740.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl apache_axis2_default_creds.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a apache_axis2_default_creds.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - apache_axis2_default_creds.nasl -t <IP/HOST>

Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state apache_axis2_default_creds.nasl -t <IP/HOST>

Go back to menu.

References

BID | SecurityFocus Bugtraq ID: CERT | Computer Emergency Response Team: See also: Similar and related Nessus plugins:
  • 153885 - Apache HTTP Server 2.4.49 Path Traversal (CVE-2021-41773)
  • 155600 - Apache HTTP Server 2.4.49 & 2.4.50 Path Traversal (CVE-2021-42013)
  • 160297 - Apache APISIX Dashboard < 2.10.1 Authentication Bypass (Direct Check)
  • 46741 - Apache Axis2 'xsd' Parameter Directory Traversal
  • 156753 - Apache Druid Log4Shell Direct Check (CVE-2021-44228)
  • 90248 - Apache Jetspeed User Manager Service SQLi
  • 156558 - Apache JSPWiki Log4Shell Direct Check (CVE-2021-44228)
  • 156473 - Apache OFBiz Log4Shell Direct Check (CVE-2021-44228)
  • 159323 - Apache Shiro Default Cipher Key (CVE-2016-4437)
  • 131734 - Apache Solr Config API Velocity Template RCE (Direct Check)
  • 126447 - Apache Solr 5.x <= 5.5.5 or 6.x <= 6.6.5 Deserialization Vulnerability (CVE-2019-0192)
  • 132315 - Apache Solr 8.1.1, 8.2.0 Remote JMX RMI Deserialization Vulnerability
  • 156471 - Apache Solr Log4Shell Direct Check (CVE-2021-44228)

Version

This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file apache_axis2_default_creds.nasl version 1.29. For more plugins, visit the Nessus Plugin Library.

Go back to menu.