
[R1] Hewlett Packard Network Automation RMI Registry Port Java Deserialization Remote Code Execution

Critical

Synopsis

HP Network Automation (HP NA) software, available for Windows or Linux, "automates the complete operational lifecycle of network devices from provisioning to policy-based change management, compliance, and security administration." While writing a remote version check for this software, Tenable discovered an exposed RMI service on TCP port 6099. Based on recent Java deserialization vulnerabilities via RMI interfaces, a quick check was done to see if this software was vulnerable as well. Spoiler: it is.

Exposed RMI Registry

When installed, the HP NA administration server opens up a listening socket on TCP port 6099. Cygwin sorcery:


$ netstat -ab

Active Connections

  Proto  Local Address          Foreign Address        State
[..]
TCP    0.0.0.0:6099           WIN-45AKP1004KU:0      LISTENING	 [java.exe]

The listening socket is bound to 0.0.0.0, which means that it listens on all interfaces. While port 6099 is not the standard RMI registry port, looking into some of the HP NA code you can observe this snippet:


// The listening port comes from the config key swim/SWIMServer/port, defaulting to 6099
int port = Config.getConfig().get("swim/SWIMServer/port", 6099);
// createRegistry() starts a registry that, without an explicit socket factory, binds on all interfaces
LocateRegistry.createRegistry(port);
registry = LocateRegistry.getRegistry(port);

The above is a clear indication that an RMI registry is listening on port 6099. To verify, you can use Tenable’s rmiregistry_detect.nasl plugin:


----------[ Executing ./rmiregistry_detect.nasl ]------

Here is a list of objects the remote RMI registry is currently
aware of :

  rmi://192.168.1.11:49216/SWIMServer

----------[ Finished ./rmiregistry_detect.nasl ]------

HTTP-based deserialization attacks are so last week.
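As an added illustration (not code from this advisory, from Tenable's plugin, or from HP), the following Python client performs the same inventory check the plugin output above shows: it completes the JRMI handshake, asks the registry for its bound names with a plain list() call and parses the reply, transmitting no serialized object at all. The port 6099 and the SWIMServer binding come from the advisory; the sample reply bytes are constructed, not captured.

```python
import socket
import struct

# JRMI Call for RegistryImpl.list(): registry ObjID (22 zero bytes), op 1, interface hash 0x44154dc9d4e63bdf
REGISTRY_LIST_CALL = b"\x50\xac\xed\x00\x05\x77\x22" + b"\x00" * 22 + b"\x00\x00\x00\x01\x44\x15\x4d\xc9\xd4\xe6\x3b\xdf"
# What Java writes for String[] up to the field count: TC_ARRAY, TC_CLASSDESC, name, SVUID, flags, 0 fields
STRING_ARRAY_DESC = b"\x75\x72\x00\x13[Ljava.lang.String;\xad\xd2\x56\xe7\xe9\x1d\x7b\x47\x02\x00\x00"
# Constructed sample, not a capture: the ReturnData for list() when only "SWIMServer" is bound.
SAMPLE_REPLY = (b"\x51\xac\xed\x00\x05\x77\x0f\x01" + b"\x00" * 14 + STRING_ARRAY_DESC  # normal return, UID
                + b"\x70\x78\x70" + b"\x00\x00\x00\x01\x74\x00\x0aSWIMServer")  # null codebase, 1 element

def parse_list_reply(data):
    """Bound names from a list() reply; handles only the shapes that call produces."""
    pos = 0
    def take(n):
        nonlocal pos
        pos += n
        if pos > len(data):
            raise ValueError("truncated reply")
        return data[pos - n:pos]
    def expect(want, what):
        if take(len(want)) != want:
            raise ValueError("expected " + what)
    def utf():  # Java writeUTF: 2-byte length, then the bytes
        return take(struct.unpack(">H", take(2))[0]).decode()
    expect(b"\x51\xac\xed\x00\x05\x77", "JRMI ReturnData + TC_BLOCKDATA")
    if take(take(1)[0])[:1] != b"\x01":  # block = return type + 14-byte UID; 0x02 = exception
        raise ValueError("registry returned an exception instead of the name list")
    expect(STRING_ARRAY_DESC, "String[] class descriptor")
    if take(1) == b"\x74":  # class annotation: RMI codebase URL as TC_STRING, else TC_NULL
        utf()
    expect(b"\x78\x70", "TC_ENDBLOCKDATA + null superclass")
    names = []
    for _ in range(struct.unpack(">i", take(4))[0]):
        expect(b"\x74", "TC_STRING")
        names.append(utf())
    return names

def list_registry(host, port=6099, timeout=5.0):
    """Handshake as an RMI client, call list() and return the names bound at host:port."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"JRMI\x00\x02\x4b")                       # magic, version 2, StreamProtocol
        if s.recv(1) != b"\x4e":                              # ProtocolAck
            raise ValueError("no JRMI ProtocolAck; not an RMI endpoint?")
        s.recv(struct.unpack(">H", s.recv(2))[0] + 4)         # server's view of our host:port
        s.sendall(struct.pack(">H", 9) + b"127.0.0.1" + struct.pack(">i", 0))  # our endpoint
        s.sendall(REGISTRY_LIST_CALL)
        reply = s.recv(65536)  # list() replies are small; read again here if a long binding list is cut
        return parse_list_reply(reply)
```

Against a host like the one in the advisory, `list_registry("192.168.1.11")` returns `['SWIMServer']`; any service answering the handshake with the ProtocolAck byte is an RMI endpoint worth putting behind a firewall rule even before its libraries are examined.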

Java Deserialization Vulnerabilities

Java deserialization vulnerabilities are not new, but they have been talked about more recently thanks to FoxGlove Security’s infamous article, “What Do WebLogic, WebSphere, JBoss, Jenkins, and Your Application Have in Common? This Vulnerability”, published on November 6, 2015. That article discusses getting remote code execution in a variety of products using serialized Java objects. At the time of writing, the most widely used published payloads for deserialization attacks can be found in the GitHub project "ysoserial". The best-known payloads leverage common libraries such as Apache Commons Collections, Groovy, and Spring.

The RMI protocol is especially exposed to deserialization attacks because the protocol is built around exchanging serialized Java objects. All an unauthenticated attacker needs is a library on the server's classpath that can be abused during deserialization. In the case of HP NA’s RMI registry, a remote attacker has access to two libraries that allow remote code execution via serialized objects:

  1. Commons-Collections
  2. Commons-BeanUtils

In order to exploit the RMI registry you bind to it using the evil objects that ysoserial generates. These evil objects abuse serializable objects within the libraries along with Java’s proxy and reflection mechanisms in order to execute a command via Runtime.exec().

Proof of Concept

This vulnerability can be easily verified by using ysoserial’s RMIRegistryExploit.java. This is the same technique FoxGlove Security used against OpenNMS in their article, and they have a very simple write-up on how to use it. However, the above requires some configuration and Java know-how, so Tenable authored two PoC scripts that were shared with the vendor.

The first PoC, commons_collections_mkdir.py, uses ysoserial’s CommonCollections3 (org.apache.commons.collections.functors.InstantiateTransformer) to exploit the remote server and create the directory “C:\Users\Public\commons_collections_exploit”. To use the script, simply pass the server address in the command line like so:


~/hp_na_rmi$ python commons_collections_mkdir.py 192.168.1.11
[+] Connecting to the RMI registry at 192.168.1.11:6099
[+] Initiating JRMI handshake
[+] Sending commons collections exploit payload
[+] Success!

The second PoC, commons_beanutils_mkdir.py, uses ysoserial’s CommonBeanutils1 (org.apache.commons.beanutils.BeanComparator) to exploit the remote server and create the directory “C:\Users\Public\commons_beanutils_exploit”. To use the script, simply pass the server address in the command line like so:


~/hp_na_rmi$ python commons_beanutils_mkdir.py 192.168.1.11
[+] Connecting to the RMI registry at 192.168.1.11:6099
[+] Initiating JRMI handshake
[+] Sending beanutils exploit payload
[+] Success!

To verify that the exploits worked, we checked the C:\Users\Public path on the HP NA server:


C:\Users\Public>dir
 Volume in drive C is Malacostraca.
 Volume Serial Number is 4199-7460

 Directory of C:\Users\Public

03/29/2016  02:10 PM    <DIR>          .
03/29/2016  02:10 PM    <DIR>          ..
03/29/2016  02:10 PM    <DIR>          commons_beanutils_exploit
03/29/2016  02:04 PM    <DIR>          commons_collections_exploit
07/14/2009  01:08 AM    <DIR>          Documents on Lobsters
07/14/2009  12:54 AM    <DIR>          Downloads
07/14/2009  03:45 AM    <DIR>          Lobster Pictures
07/14/2009  12:54 AM    <DIR>          Music Inspired by Lobsters
07/14/2009  12:54 AM    <DIR>          Videos of Lobsters
               0 File(s)              0 bytes
              10 Dir(s)  42,413,776,896 bytes free

Tenable does not have access to the more recently patched versions (10.00.02, 9.22.04), so we were unable to test those. And no, we aren't sharing our PoC toys.

Solution

HPE has made solutions available to resolve the vulnerability for the impacted versions of Network Automation. Please see the associated HP advisory for details.

Disclosure Timeline

2016-03-29 - Issue Discovered
2016-04-04 - Submitted to ZDI for consideration, case bainesjr0004
2016-04-25 - ZDI offers $1000, we humbly accept
2016-09-21 - ZDI publishes ZDI-16-523 (aka CVE-2016-4385)

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]
