"exploit_multi/http/openmrs_deserialization": {

"name": "OpenMRS Java Deserialization RCE",

"fullname": "exploit/multi/http/openmrs_deserialization",

"aliases": [

],

"rank": 300,

"disclosure_date": "2019-02-04",

"type": "exploit",

"author": [

"Nicolas Serra",

"mpgn",

"Shelby Pace"

],

"description": "OpenMRS is an open-source platform that supplies\n users with a customizable medical record system.\n\n There exists an object deserialization vulnerability\n in the `webservices.rest` module used in OpenMRS Platform.\n Unauthenticated remote code execution can be achieved\n by sending a malicious XML payload to a Rest API endpoint\n such as `/ws/rest/v1/concept`.\n\n This module uses an XML payload generated with Marshalsec\n that targets the ImageIO component of the XStream library.\n\n Tested on OpenMRS Platform `v2.1.2` and `v2.21` with Java\n 8 and Java 9.",

"references": [

"CVE-2018-19276",

"URL-https://talk.openmrs.org/t/critical-security-advisory-cve-2018-19276-2019-02-04/21607",

"URL-https://know.bishopfox.com/advisories/news/2019/02/openmrs-insecure-object-deserialization",

"URL-https://github.com/mpgn/CVE-2018-19276/"

],

"platform": "Linux,Unix",

"arch": "x86, x64",

"rport": 8081,

"autofilter_ports": [

80,

8080,

443,

8000,

8888,

8880,

8008,

3000,

8443

],

"autofilter_services": [

"http",

"https"

],

"targets": [

"Linux"

],

"mod_time": "2019-12-04 12:17:35 +0000",

"path": "/modules/exploits/multi/http/openmrs_deserialization.rb",

"is_install_path": true,

"ref_name": "multi/http/openmrs_deserialization",

"check": true,

"post_auth": false,

"default_credential": false,

"notes": {

},

"needs_cleanup": null

},