What?
The most underrated, underhyped vulnerability of 2015 has recently come to my attention, and I’m about to bring it to yours. No one gave it a fancy name, there were no press releases, nobody called Mandiant to come put out the fires. In fact, even though proof of concept code was released OVER 9 MONTHS AGO, none of the products mentioned in the title of this post have been patched, nor have many others. In fact, no patch is available for the Java library containing the vulnerability. In addition to any commercial products that are vulnerable, this also affects many custom applications.
In this post I’ll be dropping pre-authentication, remote code execution exploits that leverage this vulnerability for WebLogic, WebSphere, JBoss, Jenkins, and OpenNMS. All on the newest versions. Even more interesting, I’ll detail the process we went through to discover that these products were vulnerable, and how I developed the exploits. This should empower you to go out and find this same bug in your own software or commercial products that you or your clients use. All code can be found on the FoxGlove Security Github.
I’ll also be touching on why this bug is unlikely to go away soon. You can infuriate your developers and ops people by telling them to follow the instructions in “The Fix” section to remediate this in your environment. It will fix it, but it’s an admittedly ugly solution.
This post is going to be long. Because I’m a nice person, I made you an index. Feel free to skip straight to the exploits if you’ve got better things to do than read my rambling:
- Background – Unserialize vulnerabilities and why didn’t I hear about this sooner?
- The Vulnerability – Light details on the work of @frohoff and @gebl
- How Common is Commons? – How to find software that is vulnerable
- Exploit Dev for Skiddies – The high level process to using this vulnerability
- Exploit 1 – WebSphere Application Server
- Exploit 2 – JBoss Application Server
- Exploit 3 – Jenkins
- Exploit 4 – WebLogic Application Server
- Exploit 5 – OpenNMS Through RMI
- The Fix – How to Monkey Patch Your Servers
...
The article is long, so I am not copying and pasting it here; go read the original directly.
Original: http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#background