Java Remoting: Sign Me Up!
This is a pretty exciting week for advancing the state of the art of penetration testing with Metasploit, thanks in large part to Juan Vazquez's work on the new protocol-level support for Java Remote Method Invocation (RMI). If you've never heard of it before, it's probably because, like me, you haven't done much (or any) Java programming since school. Java RMI is essentially a network-exposed API, with the RMI registry usually listening on 1099/TCP, and, as it turns out, it is often exposed by accident thanks to some misconceptions about the security it offers natively. While Oracle's documentation (and other sources) recommend wrapping RMI in an SSL or SSH tunnel to secure it, it looks like there are more than a few deployments where there was some... confusion... about the difference between a merely encoded protocol and an encrypted one: out of the box, RMI's wire protocol is plain Java serialization, readable by anyone who can see the traffic.
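To make the "encoded, not encrypted" point concrete, here is an added example (not code from this post or from Metasploit's own RMI modules): a minimal Ruby client that performs the JRMI stream-protocol handshake and parses the server's reply. The byte layout is the Java RMI wire protocol as Oracle documents it; the `FakeSocket` class and the `127.0.0.1:1099` reply it feeds back are constructed test data so the code runs offline, and the `ruby jrmi_probe.rb HOST [PORT]` usage is an assumed file name for illustration.

```ruby
# Added example (not from the original post or from Metasploit): a minimal
# JRMI stream-protocol handshake client. Every byte below is defined by the
# Java RMI wire protocol; the host/port values are constructed test data.
require 'socket'
require 'stringio'

module JrmiProbe
  MAGIC         = "JRMI".b            # 0x4a 0x52 0x4d 0x49, sent in the clear
  VERSION       = 2                   # 2-byte big-endian protocol version
  PROTOCOLS     = { stream: 0x4b, single_op: 0x4c, multiplex: 0x4d }.freeze
  PROTOCOL_ACK  = 0x4e
  PROTOCOL_NACK = 0x4f

  # Bytes the client sends first: "JRMI" + version + protocol selector.
  def self.build_handshake(protocol = :stream)
    MAGIC + [VERSION, PROTOCOLS.fetch(protocol)].pack('nC')
  end

  # Java's UTF string framing: 2-byte big-endian length prefix, then bytes.
  def self.java_utf(str)
    [str.bytesize].pack('n') + str.b
  end

  # Parse the server's answer to a StreamProtocol handshake. On ProtocolAck the
  # server echoes back the client's host (UTF string) and port (4-byte int).
  def self.parse_ack(io)
    kind = io.read(1)
    raise 'connection closed before any reply' if kind.nil?
    case kind.ord
    when PROTOCOL_ACK
      len  = io.read(2).unpack1('n')
      host = io.read(len)
      port = io.read(4).unpack1('N')
      { ack: true, client_host: host, client_port: port }
    when PROTOCOL_NACK
      { ack: false }
    else
      raise format('not a JRMI endpoint (first reply byte 0x%02x)', kind.ord)
    end
  end

  # Full handshake: send the magic, read the ack, then send our own endpoint
  # identifier (host + port) as the stream protocol requires. Everything here
  # crosses the wire unencrypted unless the socket itself is wrapped in TLS/SSH.
  def self.handshake(io, client_host: '', client_port: 0)
    io.write(build_handshake(:stream))
    result = parse_ack(io)
    io.write(java_utf(client_host) + [client_port].pack('N')) if result[:ack]
    result
  end

  # Constructed in-memory stand-in for a TCPSocket so the code runs offline:
  # server_bytes is what the "server" will answer, sent records what we wrote.
  class FakeSocket
    attr_reader :sent

    def initialize(server_bytes)
      @in   = StringIO.new(server_bytes.b)
      @sent = ''.b
    end

    def read(n)
      @in.read(n)
    end

    def write(s)
      @sent << s.b
      s.bytesize
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  host = ARGV[0]                       # e.g. ruby jrmi_probe.rb 10.0.0.5 1099
  port = (ARGV[1] || 1099).to_i
  io = host ? TCPSocket.new(host, port)
            : JrmiProbe::FakeSocket.new("\x4e\x00\x09127.0.0.1\x00\x00\x04\x4b")
  puts JrmiProbe.handshake(io).inspect
  io.close if io.respond_to?(:close)
end
```

Run it with no arguments and it talks to the constructed fake server; give it a host and it performs the same exchange against a real listener. The thing to notice is that the first four bytes on the wire are literally the ASCII string `JRMI` and the server's reply carries your address back in a plain length-prefixed string, which is exactly why port scanners can fingerprint RMI and why an on-path observer can read every serialized call that follows.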
Keeping up on this kind of application protocol research is pretty crucial in exposing new (to you) sources of weakness and avenues of attack in an enterprise network. After all, there are only so many CSRFs and XSSes you can report on before the client starts getting a little glassy-eyed and wondering if there's anything else to worry about in the network under test.
You can read up on Juan's working notes on the original pull request, PR4560, but if you're really serious about learning how to use this stuff on your next engagement, you should register for InfoSec Southwest, coming up in April here in Austin -- Juan will be discussing all this at length in his talk, Reviewing and Abusing Java Remote Interfaces (Server-side Attacks). It's a gripper, and you'll be better prepared to tackle RMI when it pops up on your next port scan.
Since last week's blog post, we have 4 new exploits and 4 new auxiliary modules, including not only the Java RMI work, but also a pair of modules targeting Google's Chromecast and Amazon's Fire TV devices. That William Vu guy just seems pretty obsessed with forcing you to watch what he wants to watch if you're glued to a networked TV screen. At least he's not eavesdropping on your private conversations (yet). We also have, from the reclusive and possibly mythical Metasploit Jedi HD Moore, some brute-forcing modules for Splunk, Zabbix, and Chef, three popular operations suites for managing loads of data, servers, and configurations.
Exploit modules
- Java JMX Server Insecure Configuration Java Code Execution by juan vazquez and Braden Thomas
- Maarch LetterBox Unrestricted File Upload by Rob Carr exploits CVE-2015-1587
- WordPress Photo Gallery Unrestricted File Upload by Kacper Szurek and Rob Carr exploits CVE-2014-9312
- X360 VideoPlayer ActiveX Control Buffer Overflow by juan vazquez and Rh0
Auxiliary and post modules
- Amazon Fire TV YouTube Remote Control by wvu
- Chef Web UI Brute Force Utility by hdm
- Chromecast Web Server Scanner by wvu
- Zabbix Server Brute Force Utility by hdm