• Home

  • Documents

  • admin to RCE Glassfish from (In)Secure - 2018.pass … · Pass The Salt 2018: Glassfish from...
15
Glassfish from (In)Secure admin to RCE

admin to RCE Glassfish from (In)Secure - 2018.pass … · Pass The Salt 2018: Glassfish from (IN)Secure admin to RCE Lets try to access administration interfaces •BUT that means

  • Upload
    lyque

  • View
    218

  • Download
    0

Embed Size (px)

Citation preview

Page 1: admin to RCE Glassfish from (In)Secure - 2018.pass … · Pass The Salt 2018: Glassfish from (IN)Secure admin to RCE Lets try to access administration interfaces •BUT that means

Glassfish from (In)Secure admin to RCE

Page 2: admin to RCE Glassfish from (In)Secure - 2018.pass … · Pass The Salt 2018: Glassfish from (IN)Secure admin to RCE Lets try to access administration interfaces •BUT that means

Pass The Salt 2018: Glassfish from (IN)Secure admin to RCE

Who am I ?

• Jeremy Mousset

• Rum Addict

• Pentester & IT Security engineer at vente-privee

• @BlueRabbit09

Page 3: admin to RCE Glassfish from (In)Secure - 2018.pass … · Pass The Salt 2018: Glassfish from (IN)Secure admin to RCE Lets try to access administration interfaces •BUT that means

Pass The Salt 2018: Glassfish from (IN)Secure admin to RCE

What is Glassfish?

• JAVA EE Application server

• https://javaee.github.io/glassfish/download

• 2 versions:• Web Profile

• Full Platform

https://javaee.github.io/glassfish/download
Page 4: admin to RCE Glassfish from (In)Secure - 2018.pass … · Pass The Salt 2018: Glassfish from (IN)Secure admin to RCE Lets try to access administration interfaces •BUT that means

Pass The Salt 2018: Glassfish from (IN)Secure admin to RCE

Lets try to access administration interfaces

• Administration interface http://glassfish.passthesalt.net:4848/

This interface is only accessible from localhost when secure admin is disabled

http://glassfish.passthesalt.net:4848/
Page 5: admin to RCE Glassfish from (In)Secure - 2018.pass … · Pass The Salt 2018: Glassfish from (IN)Secure admin to RCE Lets try to access administration interfaces •BUT that means

Pass The Salt 2018: Glassfish from (IN)Secure admin to RCE

Lets try to access administration interfaces

• REST API http://glassfish.passthesalt.net:4848/management/domain

• Asadmin tool (sends commands to http://glassfish.passthesalt.net:4848/commands )

http://glassfish.passthesalt.net:4848/management/domain
http://glassfish.passthesalt.net:4848/commands
Page 6: admin to RCE Glassfish from (In)Secure - 2018.pass … · Pass The Salt 2018: Glassfish from (IN)Secure admin to RCE Lets try to access administration interfaces •BUT that means

Pass The Salt 2018: Glassfish from (IN)Secure admin to RCE

Lets try to access administration interfaces

• BUT that means the default administration password (blank) has probably not been changed…

Page 7: admin to RCE Glassfish from (In)Secure - 2018.pass … · Pass The Salt 2018: Glassfish from (IN)Secure admin to RCE Lets try to access administration interfaces •BUT that means

Pass The Salt 2018: Glassfish from (IN)Secure admin to RCE

Discovering service

Page 8: admin to RCE Glassfish from (In)Secure - 2018.pass … · Pass The Salt 2018: Glassfish from (IN)Secure admin to RCE Lets try to access administration interfaces •BUT that means

Pass The Salt 2018: Glassfish from (IN)Secure admin to RCE

Java Message Service ???

• From https://docs.oracle.com/cd/E19226-01/821-0027/aeodm/index.html

• Trying to communicate with it :

https://docs.oracle.com/cd/E19226-01/821-0027/aeodm/index.html
Page 9: admin to RCE Glassfish from (In)Secure - 2018.pass … · Pass The Salt 2018: Glassfish from (IN)Secure admin to RCE Lets try to access administration interfaces •BUT that means

Discovering service

Pass The Salt 2018: Glassfish from (IN)Secure admin to RCE

Page 10: admin to RCE Glassfish from (In)Secure - 2018.pass … · Pass The Salt 2018: Glassfish from (IN)Secure admin to RCE Lets try to access administration interfaces •BUT that means

Pass The Salt 2018: Glassfish from (IN)Secure admin to RCE

JAVA Remote Methode Invocation !!!

One TOOL

2 Accessservice:jmx:rmi://glassfish.passthesalt.net:8686/jndi/rmi://glassfish.passthesalt.net:8686/jmxrmi

Login : emptyPassword: empty

service:jmx:rmi://glassfish.passthesalt.net/jndi/rmi://glassfish.passthesalt.net:8686/glassfish.passthesalt.net/7676/jmxrmi

Login : adminPassword: admin

Page 11: admin to RCE Glassfish from (In)Secure - 2018.pass … · Pass The Salt 2018: Glassfish from (IN)Secure admin to RCE Lets try to access administration interfaces •BUT that means

Pass The Salt 2018: Glassfish from (IN)Secure admin to RCE

Then…

You just have to change the « enabled » attribute…

Page 12: admin to RCE Glassfish from (In)Secure - 2018.pass … · Pass The Salt 2018: Glassfish from (IN)Secure admin to RCE Lets try to access administration interfaces •BUT that means

Pass The Salt 2018: Glassfish from (IN)Secure admin to RCE

AND…

Page 13: admin to RCE Glassfish from (In)Secure - 2018.pass … · Pass The Salt 2018: Glassfish from (IN)Secure admin to RCE Lets try to access administration interfaces •BUT that means

Pass The Salt 2018: Glassfish from (IN)Secure admin to RCE

BUT…

Page 14: admin to RCE Glassfish from (In)Secure - 2018.pass … · Pass The Salt 2018: Glassfish from (IN)Secure admin to RCE Lets try to access administration interfaces •BUT that means

Pass The Salt 2018: Glassfish from (IN)Secure admin to RCE

What else ?

• If the defaults credentials were changed => create new admin

• Activate JDWP => Code execution

• Need lot of debug….

Page 15: admin to RCE Glassfish from (In)Secure - 2018.pass … · Pass The Salt 2018: Glassfish from (IN)Secure admin to RCE Lets try to access administration interfaces •BUT that means

Questions ?

Pass The Salt 2018: Glassfish from (IN)Secure admin to RCE

POC: https://github.com/Jm0uss3t/gl4ssFish


Glassfish Security Guide

Glassfish Security Guide

Documents
Administration Guide GlassFish

Administration Guide GlassFish

Documents
Oracle GlassFish Server

Oracle GlassFish Server

Documents
Javaee glassfish jcertif2010

Javaee glassfish jcertif2010

Documents
Supervision Glassfish OpenESB

Supervision Glassfish OpenESB

Documents
Glassfish HA

Glassfish HA

Documents
GlassFish internals #1

GlassFish internals #1

Technology
JavaFX and GlassFish

JavaFX and GlassFish

Technology
Glassfish Deployment

Glassfish Deployment

Documents
The Glassfish Experience

The Glassfish Experience

Technology
Eclipse GlassFish Server Administration Guide, …...GlassFish Server Open Source Edition 5.0 Administration Guide provides instructions for configuring and administering GlassFish

Eclipse GlassFish Server Administration Guide, …...GlassFish Server Open Source Edition 5.0 Administration Guide provides instructions for configuring and administering GlassFish

Documents
Nuxeo 5.2 Glassfish

Nuxeo 5.2 Glassfish

Technology
Enterprise GlassFish

Enterprise GlassFish

Technology
Manual Para Migração de Domínios Do Glassfish 2 Para o Glassfish 3

Manual Para Migração de Domínios Do Glassfish 2 Para o Glassfish 3

Documents
Glassfish document

Glassfish document

Software
Gameduell Glassfish Migration

Gameduell Glassfish Migration

Technology
WebSocket on Glassfish

WebSocket on Glassfish

Technology
Administration glassfish 3

Administration glassfish 3

Documents
Glassfish 4 reference.pdf

Glassfish 4 reference.pdf

Documents
Client Glassfish

Client Glassfish

Documents
Tutorial Glassfish v2.1

Tutorial Glassfish v2.1

Documents
Glassfish Admin

Glassfish Admin

Documents
GlassFish Roadmap

GlassFish Roadmap

Technology
Glassfish Adminstration

Glassfish Adminstration

Documents
Glassfish Importer for Eclipse · Glassfish Importer for Eclipse Michael Tidd . Problem Import a Glassfish project created in Netbeans into Eclipse . Background . Background • Glassfish

Glassfish Importer for Eclipse · Glassfish Importer for Eclipse Michael Tidd . Problem Import a Glassfish project created in Netbeans into Eclipse . Background . Background • Glassfish

Documents
Practical GlassFish - download.java.net

Practical GlassFish - download.java.net

Documents
GlassFish 4.docx

GlassFish 4.docx

Documents
Calling All GlassFish Users and User Groups: Please Contribute to GlassFish!

Calling All GlassFish Users and User Groups: Please Contribute to GlassFish!

Documents
GlassFish RESTful management

GlassFish RESTful management

Technology
JasperSoft and GlassFish

JasperSoft and GlassFish

Technology