One Article Review

Source Code White
Identifier 8319906
Publication date 2023-03-20 12:30:04 (seen: 2023-03-20 12:05:30)
Title JMX Exploitation Revisited
Text The Java Management Extensions (JMX) are used by many, if not all, enterprise-level Java applications for managing and monitoring application settings and metrics. While exploiting an accessible JMX endpoint is well known and there are several free tools available, this blog post will present new insights and a novel exploitation technique that allows for instant Remote Code Execution with no further requirements, such as outgoing connections or the existence of application specific MBeans.

Introduction

How to exploit remote JMX services is well known. For instance, Attacking RMI based JMX services by Hans-Martin Münch gives a pretty good introduction to JMX as well as a historical overview of attacks against exposed JMX services. You may want to read it before proceeding so that we're on the same page.

And then there are also JMX exploitation tools such as mjet (formerly also known as sjet, also by Hans-Martin Münch) and beanshooter by my colleague Tobias Neitzel, which both can be used to exploit known vulnerabilities and JMX services and MBeans.

However, some aspects are either no longer possible in current Java versions (e.g., pre-authenticated arbitrary Java deserialization via RMIServer.newClient(Object)) or they require certain MBeans being present or conditions such as the server being able to connect back to the attacker (e.g., MLet with HTTP URL).

In this blog post we will look into two other default MBean classes that can be leveraged for pretty unexpected behavior:

- remote invocation of arbitrary instance methods on arbitrary serializable objects
- remote invocation of arbitrary static methods on arbitrary classes

Tobias has implemented some of the gained insights into his tool beanshooter. Thanks!

Read The Fine Manual

By default, MBean classes are required to fulfill one of the following:

- follow certain design patterns
- implement certain interfaces

For example, the javax.management.loading.MLet class implements the javax.management.loading.MLetMBean interface, which fulfills the first requirement: it implements an interface that has the same name as the class but ends with MBean.

The two specific MBean classes we will be looking at fulfill the second requirement:

- javax.management.StandardMBean
- javax.management.modelmbean.RequiredModelMBean

Both classes provide features that don't seem to have gotten much attention yet, but are pretty powerful and allow interaction with the MBean server and MBeans that may even violate the JMX specification.

The Standard MBean Class StandardMBean

The StandardMBean was added to JMX 1.2 with the following description:

[…] the javax.management.StandardMBean class can be used to define standard MBeans with an interface whose name is not necessarily related to the class name of the MBean. – Java™ Management Extensions (JMX™) (Maintenance Release 2)

Also:

An MBean whose management interface is determined by reflection on a Java interface. –
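
The two quoted descriptions of StandardMBean can be observed locally with the added example below, which is not code from the original article: the interface passed to the wrapper, not the class name, decides which attributes and operations are manageable. The names StandardMBeanDemo, QueueStats, WorkQueue and the example: object names are constructed for this illustration.

```java
import java.lang.management.ManagementFactory;
import javax.management.AttributeNotFoundException;
import javax.management.MBeanServer;
import javax.management.NotCompliantMBeanException;
import javax.management.ObjectName;
import javax.management.StandardMBean;

public class StandardMBeanDemo {
    // Management interface; its name does not follow the <ClassName>MBean pattern.
    public interface QueueStats {
        int getDepth();
        void reset();
    }

    public static class WorkQueue implements QueueStats {
        private int depth = 3;
        public int getDepth() { return depth; }
        public void reset() { depth = 0; }
        // Public getter that is NOT declared in QueueStats.
        public String getOwner() { return "ops"; }
    }

    public static void main(String[] args) throws Exception {
        MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
        WorkQueue queue = new WorkQueue();

        // Direct registration is rejected: there is no WorkQueueMBean interface.
        try {
            mbs.registerMBean(queue, new ObjectName("example:type=WorkQueue,mode=direct"));
        } catch (NotCompliantMBeanException e) {
            System.out.println("direct registration rejected: " + e.getMessage());
        }

        // Wrapped in StandardMBean, the explicitly passed interface defines the surface.
        ObjectName name = new ObjectName("example:type=WorkQueue,mode=wrapped");
        mbs.registerMBean(new StandardMBean(queue, QueueStats.class), name);
        System.out.println("Depth before reset: " + mbs.getAttribute(name, "Depth"));
        mbs.invoke(name, "reset", new Object[0], new String[0]);
        System.out.println("Depth after reset: " + mbs.getAttribute(name, "Depth"));

        // Members outside the interface are not part of the management surface.
        try {
            mbs.getAttribute(name, "Owner");
        } catch (AttributeNotFoundException e) {
            System.out.println("Owner is not exposed: " + e.getMessage());
        }
    }
}
```

When reviewing an application's JMX surface, the interface handed to each StandardMBean is therefore the thing to audit, since it alone determines what a JMX client can read or invoke on the wrapped object.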
Sent Yes
Tags Tool
Stories
Notes ★★


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.