The following advisory describes a remote code execution vulnerability found in ScrumWorks Pro version 6.7.0.
“CollabNet ScrumWorks Pro is an Agile Project Management for Developers, Scrum Masters, and Business”.
A trial version can be downloaded from the vendor site.
CollabNet was informed of the vulnerability and responded: “We had a check with our Scrumworks Engineering team and after initial analysis, they’ve concluded that the vulnerability which was reported will be considered of least priority from our end and it might be fixed in the future, however, we can’t assure you on the timeline as our team is working with more priority issues at the moment.”
ScrumWorks Pro provides a web interface and a Java client that can be started via Java Web Start (JNLP).
The Java client sends serialized Java objects to the /UFC endpoint of the application server.
These requests are handled by the class com.danube.scrumworks.controller.FrontController, method “doPost”:
Before the first try block, the HTTP POST body is ZIP decompressed and the result is handed straight to readObject, so any class on the server's classpath can be instantiated by the sender. This makes the application vulnerable to Java deserialization attacks whenever a suitable gadget chain is available. Like many other applications, ScrumWorks Pro ships with a vulnerable version of Apache Commons Collections (3.2.1), whose gadget chains can be used to execute arbitrary code with the permissions of the ScrumWorks application server.
Proof of Concept
The following Python script requires Jython (at least version 2.5.3) and a local copy of the ysoserial library.