Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

[R1] Hewlett Packard Network Automation RMI Registry Port Java Deserialization Remote Code Execution

Critical

Synopsis

HP Network Automation (HP NA) software, available for Windows or Linux, "automates the complete operational lifecycle of network devices from provisioning to policy-based change management, compliance, and security administration." While writing a remote version check for this software, Tenable discovered an exposed RMI service on TCP port 6099. Based on recent Java deserialization vulnerabilities via RMI interfaces, a quick check was done to see if this software was vulnerable as well. Spoiler: it is.

Exposed RMI Registry

When installed, the HP NA administration server opens up a listening socket on TCP port 6099. Cygwin sorcery:


$ netstat -ab

Active Connections

  Proto  Local Address          Foreign Address        State
[..]
TCP    0.0.0.0:6099           WIN-45AKP1004KU:0      LISTENING	 [java.exe]

The listening socket is bound to 0.0.0.0, which means that it listens on all interfaces. While port 6099 is not the standard RMI registry port, looking into some of the HP NA code you can observe this snippet:


int port = Config.getConfig().get("swim/SWIMServer/port", 6099);
LocateRegistry.createRegistry(port);
registry = LocateRegistry.getRegistry(port);

The above is a clear indication that an RMI registry is listening on port 6099. To verify, you can use Tenable’s rmiregistry_detect.nasl plugin:


----------[ Executing ./rmiregistry_detect.nasl ]------

Here is a list of objects the remote RMI registry is currently
aware of :

  rmi://192.168.1.11:49216/SWIMServer

----------[ Finished ./rmiregistry_detect.nasl ]------

HTTP-based deserialization attacks are so last week.

Java Deserialization Vulnerabilities

Java deserialization vulnerabilities are not new, but have been talked about more recently thanks to FoxGlove Security’s infamous article, “What Do WebLogic, WebSphere, JBoss, Jenkins, and Your Application Have in Common? This Vulnerabilitypublished on November 6, 2015. This article discusses getting remote code execution in a variety of products using serialized Java objects. At the time of writing this, the most popular published objects used for deserialization attacks can be found in the GitHub project "yososerial". The most well-known objects leverage common libraries such as Apache Commons Collections, Groovy, and Spring.

The RMI protocol is especially vulnerable to deserialization attacks because the protocol is specifically crafted around remote Java object manipulation. All an unauthenticated attacker needs is to find a vulnerable library that can be used for exploitation. In the case of HP NA’s RMI registry a remote attacker has access to two libraries that will allow them to achieve remote code execution via serialized objects:

  1. Commons-Collections
  2. Commons-BeanUtils

In order to exploit the RMI registry you bind to it using the evil objects that ysoserial generates. These evil objects abuse serializable objects within the libraries along with Java’s proxy and reflection mechanisms in order to execute a command via Runtime.exec().

Proof of Concept

This vulnerability can be easily verified by using ysoserial’s RMIRegistryExploit.java. This is the same technique used by FoxGlove Security against OpenNMS in their article and they have a very simple write up on how to use it. However, the above requires some configuration and Java know-how so Tenable has authored two PoC scripts that were shared with the vendor

.

The first PoC, commons_collections_mkdir.py, uses ysoserial’s CommonCollections3 (org.apache.commons.collections.functors.InstantiateTransformer) to exploit the remote server and create the directory “C:\Users\Public\commons_collections_exploit”. To use the script, simply pass the server address in the command line like so:


lobster@nephropidae:~/hp_na_rmi$ python commons_collections_mkdir.py 192.168.1.11
[+] Connecting to the RMI registry at 192.168.1.11:6099
[+] Initiating JRMI handshake
[+] Sending commons collections exploit payload
[+] Success!

The second PoC, commons_beanutils_mkdir.py, uses ysoserial’s CommonBeanutils1 (org.apache.commons.beanutils.BeanComparator) to exploit the remote server and create the directory “C:\Users\Public\commons_beanutils_exploit”. To use the script, simply pass the server address in the command line like so:


lobster@decapoda:~/hp_na_rmi$ python commons_beanutils_mkdir.py 192.168.1.11
[+] Connecting to the RMI registry at 192.168.1.11:6099
[+] Initiating JRMI handshake
[+] Sending beanutils exploit payload
[+] Success!

To verify that the exploits worked, we checked the C:\Users\Public path on the HP NA server:


C:\Users\Public>dir
 Volume in drive C is Malacostraca.
 Volume Serial Number is 4199-7460

 Directory of C:\Users\Public

03/29/2016  02:10 PM    <DIR>          .
03/29/2016  02:10 PM    <DIR>          ..
03/29/2016  02:10 PM    <DIR>          commons_beanutils_exploit
03/29/2016  02:04 PM    <DIR>          commons_collections_exploit
07/14/2009  01:08 AM    <DIR>          Documents on Lobsters
07/14/2009  12:54 AM    <DIR>          Downloads
07/14/2009  03:45 AM    <DIR>          Lobster Pictures
07/14/2009  12:54 AM    <DIR>          Music Inspired by Lobsters
07/14/2009  12:54 AM    <DIR>          Videos of Lobsters
               0 File(s)              0 bytes
              10 Dir(s)  42,413,776,896 bytes free

Tenable does not have access to more recently patched versions (10.00.02, 9.22.04,), so we were unable to test those. And no, we aren't sharing our PoC toys.

Solution

HPE has made solutions available to resolve the vulnerability for the impacted versions of Network Automation. Please see the associated HP advisory for details.

Disclosure Timeline

2016-03-29 - Issue Discovered
2016-04-04 - Submitted to ZDI for consideration, case bainesjr0004
2016-04-25 - ZDI offers $1000, we humbly accept
2016-09-21 - ZDI publishes ZDI-16-523 (aka CVE-2016-4385)

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

CVE ID: CVE-2016-4385
Tenable Advisory ID: TRA-2016-27
Credit:
Jacob Baines, Tenable Network Security
CVSSv2 Base / Temporal Score:
10.0 / 8.3
CVSSv2 Vector:
(AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C)
Affected Products:
Hewlett Packard Network Automation 10.00, 10.10
Risk Factor:
Critical

Advisory Timeline

2016-09-22 - [R1] Initial Release

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training