Exploit-DB entry EDB-ID: 40384, by Gregory Draperi, published Sep 15, 2016 - 12:00 a.m.

Apache Mina 2.0.13 - Remote Command Execution

2016-09-15 00:00:00
Gregory Draperi
www.exploit-db.com

Apache Mina 2.0.13 - Remote Command Execution. Webapps exploit for Java platform


Abstract

Apache Mina 2.0.13 uses the OGNL library in the “IoSessionFinder” class. Its constructor takes one OGNL expression as a parameter, and this expression is evaluated when the “find” method is called. This class appears to be used only by the JMX MINA component “IoServiceMBean”. When the IoServiceMBean is exposed through JMX, this function can be abused to execute an arbitrary command on the server.

Description

The “find” method in the “IoSessionFinder” class executes an arbitrary OGNL expression (via Ognl.getValue(...)) that was supplied to its constructor.
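As an added illustration of how such an evaluator can be constrained (example code, not MINA's class and not the project's actual fix), the filter below evaluates a session expression under an OGNL context whose ClassResolver refuses every class reference and whose MemberAccess permits only public, non-static members. SampleSession and RestrictedSessionFinder are hypothetical names; the OgnlContext(ClassResolver, TypeConverter, MemberAccess) constructor and the MemberAccess/ClassResolver interfaces are assumed to be those of the OGNL 3.0/3.1 API.

```java
import java.lang.reflect.Member;
import java.lang.reflect.Modifier;
import java.util.Map;
import ognl.ClassResolver;
import ognl.MemberAccess;
import ognl.Ognl;
import ognl.OgnlContext;
import ognl.OgnlException;
// Constructed stand-in for an IoSession exposing one bean property (not MINA's class).
class SampleSession {
    private final long readBytes;
    SampleSession(long readBytes) { this.readBytes = readBytes; }
    public long getReadBytes() { return readBytes; }
}

public class RestrictedSessionFinder {
    // Only public, non-static members may be reached from an expression.
    private static final MemberAccess PUBLIC_INSTANCE_ONLY = new MemberAccess() {
        public Object setup(Map context, Object target, Member member, String propertyName) { return null; }
        public void restore(Map context, Object target, Member member, String propertyName, Object state) { }
        public boolean isAccessible(Map context, Object target, Member member, String propertyName) {
            int mods = member.getModifiers();
            return Modifier.isPublic(mods) && !Modifier.isStatic(mods);
        }
    };
    // Refuse every class reference, so @fqcn@method static calls cannot resolve a class.
    private static final ClassResolver DENY_ALL_CLASSES = new ClassResolver() {
        public Class classForName(String className, Map context) throws ClassNotFoundException {
            throw new ClassNotFoundException("class references are not permitted: " + className);
        }
    };

    // Evaluates a session filter under the restricted context; non-boolean results are rejected.
    public static boolean matches(String expression, Object session) throws OgnlException {
        Object tree = Ognl.parseExpression(expression);
        OgnlContext ctx = new OgnlContext(DENY_ALL_CLASSES, null, PUBLIC_INSTANCE_ONLY);
        Object result = Ognl.getValue(tree, ctx, session);
        if (!(result instanceof Boolean)) throw new OgnlException("filter must evaluate to a boolean");
        return (Boolean) result;
    }
    public static void main(String[] args) throws OgnlException {
        SampleSession s = new SampleSession(4096);
        System.out.println(matches("readBytes > 1024", s));   // plain property access: true
        try {
            matches("@java.lang.Math@abs(-1) == 1", s);       // static call: blocked by the resolver
        } catch (OgnlException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

This only narrows what an expression can reach; the remediation the advisory points to is upgrading to the fixed release, and an MBean that evaluates caller-supplied expressions should never be reachable by untrusted JMX clients.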



Conclusion

This vulnerability shows that expression language vulnerabilities are still present in Java libraries and can have a big impact, even though in this case the vulnerability can only be exploited under specific conditions.

Regarding the fix, the Apache Mina team neither requested a CVE nor acknowledged the vulnerability, but I confirm that the vulnerability is fixed in the latest version.

Timelines

30/03/2016: First email disclosing the vulnerability to the Apache Security Team
31/03/2016: Acknowledgement from the Apache Mina team that the email was received and that the vulnerability is under investigation
21/05/2016: Email from the Apache Mina team saying that they are looking for possible remediations
12/08/2016: Email from the Apache Mina team suggesting a solution
29/08/2016: Email from my side saying that the remediation looks good
30/08/2016: Apache Mina team published the new version fixing the issue.


PS: I have included two archives containing the two proofs of concept.

Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40384.zip