Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Path: blob/master/documentation/modules/exploit/windows/local/microfocus_operations_privesc.md
Views: 11789
Vulnerable Application
This module exploits an incorrectly permissioned folder in Micro Focus Operations Bridge Manager and Operations Bridge Reporter.
An unprivileged user (such as Guest) can drop a JSP file in an exploded WAR directory and then access it without authentication by making a request to the OBM / OBR server. This will result in automatic code execution as SYSTEM. This module has been tested on OBM 2020.05 and 2019.11, but it should work out of the box on earlier versions too.
According to Micro Focus the vulnerable versions are:
Operations Bridge Manager versions: 2020.05, 2019.11, 2019.05, 2018.11, 2018.05, versions 10.6x and 10.1x and older versions
Operations Bridge (containerized) versions: 2019.11, 2019.08, 2019.05, 2018.11, 2018.08, 2018.05, 2018.02, 2017.11
Operations Bridge Reporter versions: 10.40 and possibly earlier
Installation docs are available at:
https://docs.microfocus.com/itom/Operations_Bridge_Manager:2020.05
https://docs.microfocus.com/itom/Operations_Bridge_Reporter:10.40/Home
Vulnerable versions of the software can be downloaded from Micro Focus website by requesting a demo.
Only the Windows version of the product is affected.
All details about these vulnerabilities can be obtained from the advisory:
https://github.com/pedrib/PoC/blob/master/advisories/Micro_Focus/Micro_Focus_OBM.md
https://github.com/pedrib/PoC/blob/master/advisories/Micro_Focus/Micro_Focus_OBR.md
Verification Steps
Install the application
Start msfconsole
use exploit/windows/local/microfocus_operations_privesc.rbset target TARGETset session SESSIONset lhost YOUR_IPrunYou should get a shell.