
PayPal Remote Code Execution Vulnerability

Remote Code Execution without a Privileged Application Account


Milan A Solanki is the researcher who found and reported the vulnerability.

The remote code execution web vulnerability can be exploited by remote attackers without a privileged application user account or user interaction.

A remote code execution vulnerability has been discovered in the JDWP protocol of the PayPal Inc Marketing online service web server.
The vulnerability allows remote attackers to execute system-specific code against a target system to compromise the web server.

The Java Debug Wire Protocol (JDWP) is the protocol used for communication between a debugger and the Java virtual machine (VM) which it
debugs (hereafter called the target VM). JDWP is one layer within the Java Platform Debugger Architecture (JPDA). JDWP does not use any
authentication and could be abused by an attacker to execute arbitrary code on the affected server.

The tool that I used to disclose it is jdwp-shellifier. I scanned the marketing site and it had port 8000 open (pre-auth); then, after the
connection was accepted, I just executed my commands and finally disclosed a remote code execution issue.

Vulnerable Protocol(s):
[+] JDWP

Port(s):
[+] 8000

The vulnerability was patched by the PayPal Developer Team on 2015-04-09.
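
Because JDWP has no authentication, the defensive question is whether any JVM is started with a debug listener that is reachable from the network. The following is an added example, not code from the original post or from PayPal: it classifies JVM command lines by their JDWP agent options. The function names and sample command lines are constructed for illustration, and the Java major version is assumed to be supplied by the caller.

```python
import re

# Matches the modern (-agentlib:jdwp=) and legacy (-Xrunjdwp:) agent flags.
JDWP_FLAG = re.compile(r"-(?:agentlib:jdwp=|Xrunjdwp:)(\S+)")
LOOPBACK = {"localhost", "127.0.0.1", "::1", "[::1]"}


def parse_jdwp_options(cmdline):
    """Return the JDWP agent options of a JVM command line as a dict, or None."""
    match = JDWP_FLAG.search(cmdline)
    if match is None:
        return None
    return dict(kv.split("=", 1) for kv in match.group(1).split(",") if "=" in kv)


def classify(cmdline, java_major):
    """Return 'none', 'outbound', 'local' or 'exposed' for one JVM command line."""
    opts = parse_jdwp_options(cmdline)
    if opts is None:
        return "none"
    if opts.get("server", "n") != "y":
        return "outbound"  # the JVM connects out to a debugger, it does not listen
    if opts.get("transport") == "dt_shmem":
        return "local"  # shared-memory transport, same machine only
    host, _, _port = opts.get("address", "").rpartition(":")
    if host == "":
        # Bare port: JDK 9 and later bind loopback only, older JVMs bind all interfaces.
        return "local" if java_major >= 9 else "exposed"
    return "local" if host in LOOPBACK else "exposed"


# Constructed sample input: (java major version, command line) pairs.
JDWP = "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address="
SAMPLES = [
    (8, JDWP + "8000 -jar app.jar"),
    (11, JDWP + "8000 -jar app.jar"),
    (11, JDWP + "*:8000 -jar app.jar"),
    (8, "java -Xdebug -Xrunjdwp:transport=dt_socket,server=y,address=127.0.0.1:8000 -jar app.jar"),
    (17, "java -Xmx512m -jar app.jar"),
]


def audit(samples):
    """Return the command lines whose debug port is reachable from the network."""
    return [cmd for major, cmd in samples if classify(cmd, major) == "exposed"]


if __name__ == "__main__":
    for cmd in audit(SAMPLES):
        print("EXPOSED JDWP:", cmd)
```

A `local` result still leaves an unauthenticated debug port on the host, so production JVMs are best started without the agent flag at all.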

Proof of Concept

Author: Shivniel Gounder
