Twenty Year Anniversary

ArcGIS Server 10.3.1 RMIClassLoader useCodebaseOnly=false Code Execution

ArcGIS Server 10.3.1 RMIClassLoader useCodebaseOnly=false Code Execution
Posted Oct 10, 2017
Authored by Harrison Neal

ArcGIS Server version 10.3.1 suffers from an RMIClassLoader useCodebaseOnly=false remote code execution vulnerability.

tags | advisory, remote, code execution
MD5 | 09c12eb4a5e480b1ceb5f94f48af3943

ArcGIS Server 10.3.1 RMIClassLoader useCodebaseOnly=false Code Execution

Change Mirror Download
Using an Esri-provided image on Azure's Marketplace, ArcGIS Server 10.3.1
started Java's rmid on port 1098 and explicitly set the
property java.rmi.server.useCodebaseOnly equal to false.

Screenshot:
https://www.dropbox.com/s/xz9ugal3ixnfh1c/10.3.1_rmid_useCodebaseOnly%3Dfalse.png?dl=0

As discussed on Oracle's website, the default value of
java.rmi.server.useCodebaseOnly was changed to true in Java 7 Update 21,
with a remark that setting it to false could create a risk of RCE.

Link:
http://docs.oracle.com/javase/7/docs/technotes/guides/rmi/enhancements-7.html

While the version of Java included in ArcGIS Server 10.3.1 appears to be
Java 7 Update 76, which would have the more secure default setting, that is
irrelevant due to the ArcGIS solution manually changing it.

Screenshot:
https://www.dropbox.com/s/5reh81dwwp9e4dz/10.3.1_rmid_java7u76.png?dl=0

When an attacker can remotely reach rmid on the victim server, and the
victim server can reach a web server on a machine controlled by the
attacker, this is relatively easily exploited to gain RCE.

Video:
https://www.dropbox.com/s/t4fmxwzjzzo7yhe/ArcGIS_useCodebaseOnly%3Dfalse_exploitation.wmv?dl=0

Administrators are encouraged to use a tool such as Process Explorer or
wmic to ensure that the command line arguments passed to rmid have the
java.rmi.server.useCodebaseOnly property equal to true.

During testing, Esri-provided images on Azure's Marketplace for ArcGIS
Server 10.4.1 and 10.5.1 were found to set that property to true;
administrators may try updating to a newer version of ArcGIS Server, and/or
contacting Esri for assistance.

If an update is required but not immediately possible, consider firewall
rules to block access to rmid from systems that have no need to connect to
it.


-------
Supplemental informatio:

After playing with this for a few more hours, it turns out that you don't
need the victim to be able to reach an attacker-controlled web server if
you can take advantage of gadgets already present on the victim server.

For example, on the Azure Marketplace image for ArcGIS Server 10.3.1, there
are copies of several out-of-date libraries that the ysoserial project
targets.

Link: https://github.com/frohoff/ysoserial

You'll want to add lines similar to the following to the beginning of the
main method of ysoserial.exploit.RMIRegistryExploit, and then recompile:

System.setProperty("java.rmi.server.codebase",
"file:///C:/ArcGIS/Server/geronimo/repository/commons-collections/commons-collections/3.2/commons-collections-3.2.jar");
System.setProperty("java.rmi.server.useCodebaseOnly", "false");

This will have ysoserial suggest to rmid on the victim server where it can
load vulnerable copies of the Apache Commons Collections classes from.
Then, you simply exploit the remote server with something like:

java.exe -cp ysoserial-0.0.6-SNAPSHOT-all.jar
ysoserial.exploit.RMIRegistryExploit 10.x.y.z 1098 CommonsCollections1 calc

And you should notice calc running as a child process of rmid on the victim
server, without having required the victim server contact some other web
server. That said, this is based on the image in Azure Marketplace; your
mileage on other systems may vary.

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

June 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    14 Files
  • 2
    Jun 2nd
    1 Files
  • 3
    Jun 3rd
    3 Files
  • 4
    Jun 4th
    18 Files
  • 5
    Jun 5th
    21 Files
  • 6
    Jun 6th
    8 Files
  • 7
    Jun 7th
    16 Files
  • 8
    Jun 8th
    18 Files
  • 9
    Jun 9th
    5 Files
  • 10
    Jun 10th
    2 Files
  • 11
    Jun 11th
    21 Files
  • 12
    Jun 12th
    32 Files
  • 13
    Jun 13th
    15 Files
  • 14
    Jun 14th
    16 Files
  • 15
    Jun 15th
    4 Files
  • 16
    Jun 16th
    1 Files
  • 17
    Jun 17th
    2 Files
  • 18
    Jun 18th
    15 Files
  • 19
    Jun 19th
    15 Files
  • 20
    Jun 20th
    15 Files
  • 21
    Jun 21st
    15 Files
  • 22
    Jun 22nd
    7 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close