
IBM Websphere Application Server Network Deployment RCE (CVE-2019-4279) #11841

Merged
merged 3 commits into from Jun 4, 2019

9 participants
@securifera

commented May 16, 2019

This module exploits the lack of proper authentication checks in IBM Websphere Application Server ND that allows for the execution of an arbitrary command and upload of an arbitrary file as SYSTEM. The module serializes the required Java objects expected by the IBM Websphere server.

Verification

List the steps needed to make sure this thing works

  1. Install the IBM Websphere Application Server Network Deployment on a host.
  2. Ensure that the service is running and listening on TCP port 11002, 11004, or 11006.
  3. Launch msfconsole.
  4. Load the module: `use exploit/windows/ibm/ibm_was_dmgr_java_deserialization_rce`
  5. Set the remote host ip to execute: `set RHOSTS 192.168.162.133`
  6. Set the command to execute: `set CMD "calc.exe"`
  7. Run the exploit: `exploit`

rwincey added some commits May 16, 2019

@securifera securifera changed the title IBM Websphere Application Server Network Deployment RCE IBM Websphere Application Server Network Deployment RCE (CVE-2019-4279) May 16, 2019

@wchen-r7

Contributor

commented May 20, 2019

@securifera, I might be wrong but it looks like you have to be a customer (for IBM) to obtain the software? If that's the case, could you please email us a pcap of the exploit working? Thank you.

The email address: msfdev[at]metasploit.com

@rwincey

Contributor

commented May 20, 2019

Trial versions are available.

Download IBM Installation Manager (https://www-01.ibm.com/support/docview.wss?uid=swg27025142)
Add repository for http://www.ibm.com/software/repositorymanager/V9WASND
Add repository for http://www.ibm.com/software/repositorymanager/V9WASBase
Install version 9.0.0.10 of IBM WAS Network Deployment
Execute "Profile Management Tool" from IBM Websphere Application Server V9.0 in "Start Menu"
Click Create
Select "Cell"
Select "Typical profile creation" radio button
Click Next -> Finish


```ruby
def construct_bcast_task_msg(node_port, filename, byte_str, cmd)
  # Add upload file argument
  byte_arr = byte_str.unpack("C*")
```

@Chiggins

Chiggins May 20, 2019

Contributor

If you have a payload set such as windows/meterpreter/reverse_https, and if CMD is empty, then byte_str isn't a string and is instead an array (based off of line 110). With it being an array, it'll throw a NoMethodError for the unpack.

@securifera

securifera May 21, 2019

Author

Nice catch, the call to ".bytes.to_a" snuck in there during testing.
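
The failure described in the review exchange above (an Array reaching `unpack("C*")` when a payload is set and CMD is empty) reproduced and handled in an added Ruby example. This is not code from the Metasploit module or from this PR; the helper names `normalize_payload_bytes` and `unpack_failure_class` and the sample inputs are constructed for illustration.

```ruby
# Added example, not part of the module under review.
# Hypothetical helper: accept a String, an Array of byte values, or nil,
# and always return an Array of integers 0..255. This is the check that
# would have prevented the NoMethodError noted in the review: String has
# #unpack, Array does not.
def normalize_payload_bytes(data)
  case data
  when nil
    []                      # empty CMD and no payload: nothing to send
  when String
    data.unpack("C*")       # the original code path
  when Array
    unless data.all? { |b| b.is_a?(Integer) && b.between?(0, 255) }
      raise ArgumentError, "array must contain only byte values 0..255"
    end
    data                    # already a byte array (e.g. from .bytes.to_a)
  else
    raise TypeError, "expected String or Array of bytes, got #{data.class}"
  end
end

# Reproduce the reported defect: calling #unpack on an Array raises
# NoMethodError. Returns the exception class name, or nil when the call
# succeeded (i.e. the input was a String).
def unpack_failure_class(data)
  data.unpack("C*")
  nil
rescue NoMethodError => e
  e.class.name
end

# Constructed sample inputs (not a real payload): a command string, and a
# byte Array of the kind `.bytes.to_a` produced during the author's testing.
SAMPLE_CMD = "calc.exe"
SAMPLE_PAYLOAD_ARRAY = "\x4d\x5a\x90\x00".b.bytes.to_a

if __FILE__ == $0
  puts normalize_payload_bytes(SAMPLE_CMD).inspect
  puts normalize_payload_bytes(SAMPLE_PAYLOAD_ARRAY).inspect
  puts unpack_failure_class(SAMPLE_PAYLOAD_ARRAY)   # NoMethodError
end
```

The point of the `case` is that the conversion happens at one boundary: whatever the option parsing hands over, the serializer only ever sees a byte Array, and anything unexpected fails with a clear TypeError instead of a NoMethodError deep inside message construction.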

@Chiggins

Contributor

commented May 20, 2019

Following the instruction of @rwincey, I've got the vulnerable version of the software up and running. Going based on the verification steps provided, I didn't end up getting calc.exe to run. I haven't spent enough time to validate why it's not running, but I figured I'd throw up a comment with my testing results thus far.

I did try getting Meterpreter running, but as I mentioned in my review comment, specifying a payload and not a CMD will cause an exception to fire.

@rwincey

Contributor

commented May 21, 2019

> @securifera, I might be wrong but it looks like you have to be a customer (for IBM) to obtain the software? If that's the case, could you please email us a pcap of the exploit working? Thank you.
>
> The email address: msfdev[at]metasploit.com

The comms are encrypted. Would a video suffice?

@jrobles-r7 jrobles-r7 self-assigned this May 29, 2019

@jrobles-r7

Contributor

commented May 30, 2019

I opened PR rwincey#2, which updates the command target and how the checks are implemented. By requiring the use of the generic command module the payload handling can be removed since the generic command payload disables the handler automatically.

@rwincey

Contributor

commented May 30, 2019

> I opened PR rwincey#2, which updates the command target and how the checks are implemented. By requiring the use of the generic command module the payload handling can be removed since the generic command payload disables the handler automatically.

Tested and works as intended. I wish we could have figured this out on this one. I was having issues getting handler types and commands working together without spawning unused handlers. Nice work.

@jrobles-r7 jrobles-r7 merged commit 99f3f6c into rapid7:master Jun 4, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
continuous-integration/travis-ci/pr: The Travis CI build passed

jrobles-r7 added a commit that referenced this pull request Jun 4, 2019

msjenkins-r7 added a commit that referenced this pull request Jun 4, 2019

@jrobles-r7

Contributor

commented Jun 4, 2019

Release Notes

A module that targets CVE-2019-4279 is now available. It exploits the lack of proper authentication checks in IBM Websphere Application Server ND that allows for the execution of an arbitrary command and upload of an arbitrary file as SYSTEM.

@tdoan-r7 tdoan-r7 added the rn-modules label Jun 11, 2019

@Teokid


commented Jun 19, 2019

Hello,
We already have the IBM Websphere Application Server and Metasploit installed. But I cannot find it on my Metasploit. How can I download this exploit? Thanks

@timwr

Contributor

commented Jun 19, 2019

Which version of metasploit do you have? You may need to update it as this was added recently.

@Teokid


commented Jun 19, 2019

@Teokid


commented Jun 19, 2019

@rwincey

Contributor

commented Jun 21, 2019

Hello, Would it be possible to download the exploit: exploit/windows/ibm/ibm_was_dmgr_java_deserialization_rce Thanks. Regards

On Tue., Jun. 18, 2019, 10:42 p.m., Luis Campos Mercado <camposmercadoluis@gmail.com> wrote:

Thanks for your response. I have Metasploit v5.0.26-dev. I updated but no changes at all. Regards

On Tue., Jun. 18, 2019, 10:04 p.m., Tim @.***> wrote:
> Which version of metasploit do you have? You may need to update it as this was added recently

The module should be located at /usr/share/metasploit-framework/modules/exploits/windows/ibm/ibm_was_dmgr_java_deserialization_rce.rb on a default Kali build. If not, I would update or pull the branch specifically.

@Teokid


commented Jun 21, 2019
