lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CA+i6_hUrrpygONiOx_G4P9jGBMXaf4D6nOS0qK8rM72Y3-XerA@mail.gmail.com>
Date: Fri, 19 May 2017 08:30:15 +0000
From: Harrison Neal <hneal@...tdidibreak.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] HP SiteScope 11.32: Unauthenticated JMX Console RCE

----- Issue Summary -----

In default installations of HP SiteScope 11.32, access to Java Management
Extensions (JMX) is allowed to unauthenticated users over port 28006. This
configuration allows for remote code execution exploits.


----- Additional Details -----

HP SiteScope's help pages discuss enabling authentication for JMX as an
optional step during setup, but only vaguely touch on the potential
consequences of choosing not to do this step.

The product is not secure-by-default, but rather requires that
administrators be knowledgeable enough to understand the ramifications of
allowing unauthenticated access to JMX, and for administrators to take the
steps provided by HP to change that insecure configuration.

At the same time, an attacker reading SiteScope's manual will realize that
SiteScope can be a potent target, with credentials and other details on
critical hosts in the enterprise.


----- Basic Exploitation -----

The Metasploit module exploit/multi/misc/java_jmx_server can be used to
gain remote code execution.


----- Other Attacks -----

As the code execution is occuring within the SiteScope process, we can
abuse this position to query SiteScope's configuration and steal
credentials SiteScope would use to authenticate to other hosts.

An example of such an attack can be found at:
https://github.com/hantwister/SCAT


----- Mitigation Suggestions For Users -----

Follow the instructions in SiteScope help pages to configure authentication
for JMX.


----- Mitigation Suggestions For HP -----

Configure a Java security policy that disallows unexpected MBeans from
being instantiated. Require authentication for JMX by default, with a
password randomly generated during installation, or disallow any remote JMX
access until a password is configured.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ