Fix java_jmx_server exploit #9413

Merged
merged 3 commits into from
Jan 22, 2018

@tranca tranca commented Jan 15, 2018

Add test case when discovering RMI endpoint as the previous one was not complete

During a security assessment I encountered a problem with the "java_jmx_server" exploit. After looking at the code I found that the property "javax.management.remote.rmi.RMIServerImpl_Stub" was different than the object that I had: "javax.management.remote.rmi.RMIServer". After adding this test case, the exploit worked.

Here is some additional information about the environment:

  • Virtual Machine: IBM J9 VM version 2.6
  • Operating System: AIX 7.1
  • Java: Version 7 - 64bits

Add test case when discovering RMI endpoint as the previous one was not complete
@jmartin-tech
Contributor

@tranca, can you provide any more details about the stack you used this against? I don't see much harm in expanding the check, but it would be valuable to have an example environment we can target to test against.

Something like OS version, JVM version, and maybe the web server framework used would be enough for us to generate our own vulnerable server.

@jmartin-tech jmartin-tech self-assigned this Jan 16, 2018
@busterb
Member

busterb commented Jan 17, 2018

It looks like we could just add all of the classes in javax.management.remote.rmi that implement RMIServer.

@tranca
Author

tranca commented Jan 17, 2018

@jmartin-r7 I updated my PR with the additional information you requested!
@busterb Great idea, I added all the classes I found on "https://docs.oracle.com/javase/7/docs/api/javax/management/remote/rmi/package-summary.html", but I also added the RMI interfaces since this was the problem I encountered.

@busterb
Member

busterb commented Jan 17, 2018

Right on @tranca that looks a lot nicer.

@busterb busterb self-assigned this Jan 22, 2018
@busterb busterb merged commit 35bec8d into rapid7:master Jan 22, 2018
busterb added a commit that referenced this pull request Jan 22, 2018
@busterb
Member

busterb commented Jan 22, 2018

Release Notes

The exploits/multi/misc/java_jmx_server module now works in more environments.

jmartin-tech pushed a commit to jmartin-tech/metasploit-framework that referenced this pull request Jan 24, 2018
@allrosenthal-r7 allrosenthal-r7 added the rn-enhancement release notes enhancement label Feb 6, 2018