lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 09 Oct 2017 02:16:43 +0000
From: Harrison Neal <hneal@...tdidibreak.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] ArcGIS Server 10.3.1: RMIClassLoader useCodebaseOnly=false RCE

Using an Esri-provided image on Azure's Marketplace, ArcGIS Server 10.3.1
started Java's rmid on port 1098 and explicitly set the
property java.rmi.server.useCodebaseOnly equal to false.

Screenshot:
https://www.dropbox.com/s/xz9ugal3ixnfh1c/10.3.1_rmid_useCodebaseOnly%3Dfalse.png?dl=0

As discussed on Oracle's website, the default value of
java.rmi.server.useCodebaseOnly was changed to true in Java 7 Update 21,
with a remark that setting it to false could create a risk of RCE.

Link:
http://docs.oracle.com/javase/7/docs/technotes/guides/rmi/enhancements-7.html

While the version of Java included in ArcGIS Server 10.3.1 appears to be
Java 7 Update 76, which would have the more secure default setting, that is
irrelevant due to the ArcGIS solution manually changing it.

Screenshot:
https://www.dropbox.com/s/5reh81dwwp9e4dz/10.3.1_rmid_java7u76.png?dl=0

When an attacker can remotely reach rmid on the victim server, and the
victim server can reach a web server on a machine controlled by the
attacker, this is relatively easily exploited to gain RCE.

Video:
https://www.dropbox.com/s/t4fmxwzjzzo7yhe/ArcGIS_useCodebaseOnly%3Dfalse_exploitation.wmv?dl=0

Administrators are encouraged to use a tool such as Process Explorer or
wmic to ensure that the command line arguments passed to rmid have the
java.rmi.server.useCodebaseOnly property equal to true.

During testing, Esri-provided images on Azure's Marketplace for ArcGIS
Server 10.4.1 and 10.5.1 were found to set that property to true;
administrators may try updating to a newer version of ArcGIS Server, and/or
contacting Esri for assistance.

If an update is required but not immediately possible, consider firewall
rules to block access to rmid from systems that have no need to connect to
it.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ