Exploiting Java RMI Server
Long time back while I was doing the pentest I came across Java RMI Server insecure default configuration Java code execution vulnerability. Still i find this vulnerability exists in many
machines while doing enumeration. The same bug is hidden inside them waiting
for someone to exploit it. Let first discuss about this vulnerability
and later we can exploit it.
RMI stands for remote method invocation. RMI allows object
stored in one system to access object running in another system.RMI helps to establish a remote connection between java program.
Java Remote invocation service allows running and execute java classes from the remote URL using RMI.
Java RMI is a remote method
invocation service allows the remote user to run arbitrary java classes through Class
loader thus giving the advantage to the attacker. Attackers can use Java classes
to write and run various commands and also can get stored passwords from memory. By default RMI services will run with high privileges under the user context.
What is the solution for it?
At least you need to be upgrade to Java 7.21 because in this version RMI property is changed to java.rmi.server.usercodebaseonly true.
By setting this property true we can prevent client VM from dynamically loading
byte code from the remote codebase.
Now i think this information is enough to go and exploit the target machine.
Let's run our all-time favorite Nmap tool
Nmap –sV 192.168.111.131
\
Yes we found Java-rmi running on port 1099
The good thing is we don’t need to write exploitation code for it
because it already exists in Metasploit. Let use it
Use exploit/multi/misc/java_rmi_server
All parameters are set.
Ammos is loaded its
time to fire up.
We are in the machine as root isn't that great. J
I have shared a good cheat sheet about Java Deserialization it will come handy to the pentester and researcher. Thank you for
reading.
Comments
Post a Comment