What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability.

By breenmachine

What

The most underrated, underhyped vulnerability of 2. I'm about to bring it to yours. No one gave it a fancy name, there were no press releases, nobody called Mandiant to come put out the fires. In fact, even though proof of concept code was released OVER 9 MONTHS AGO, none of the products mentioned in the title of this post have been patched, along with many more. In fact, no patch is available for the Java library containing the vulnerability. In addition to any commercial products that are vulnerable, this also affects many custom applications.

In this post I'll be dropping pre-authentication, remote code execution exploits that leverage this vulnerability for WebLogic, WebSphere, JBoss, Jenkins, and OpenNMS. All on the newest versions.

Even more interesting, I'll detail the process we went through to discover that these products were vulnerable, and how I developed the exploits. This should empower you to go out and find this same bug in your own software or commercial products that you or your clients use. All code can be found on the FoxGlove Security Github.

I'll also be touching on why this bug is unlikely to go away soon. You can infuriate your developers and ops people by telling them to follow the instructions in The Fix section to remediate this in your environment. It will fix it, but it's an admittedly ugly solution.

This post is going to be long.
Because I'm a nice person, I made you an index. Feel free to skip straight to the exploits if you've got better things to do than read my rambling:

- Background: Unserialize vulnerabilities and why didn't I hear about this sooner?
- The Vulnerability: Light details on the work of frohoff and gebl
- How Common is Commons: How to find software that is vulnerable
- Exploit Dev for Skiddies: The high level process to using this vulnerability
- Exploit 1: WebSphere Application Server
- Exploit 2: JBoss Application Server
- Exploit 3: Jenkins
- Exploit 4: WebLogic Application Server
- Exploit 5: OpenNMS Through RMI
- The Fix: How to Monkey Patch Your Servers

Background

Unserialize Vulnerabilities for Dummies

Unserialize vulnerabilities are a vulnerability class. Most programming languages provide built-in ways for users to output application data to disk or stream it over the network. The process of converting application data to another format (usually binary) suitable for transportation is called serialization. The process of reading data back in after it has been serialized is called unserialization.

Vulnerabilities arise when developers write code that accepts serialized data from users and attempts to unserialize it for use in the program. Depending on the language, this can lead to all sorts of consequences, but the most interesting one, and the one we will talk about here, is remote code execution.

Previous Work

There have been a few Java unserialize vulnerabilities published in the past few years. One was discovered in the Spring framework, another in Groovy, and yet another in one of the other Commons libraries, commons-fileupload. All of these vulnerabilities were eventually fixed.

Unfortunately I can't take credit for finding the vulnerability in the commons-collections library. Myself and a fellow researcher, dronesec, really dropped the ball on this one. Nearly two years ago, we decided we wanted 0-day in WebSphere Application Server.
The project started off promising: with such a large code base and so much exposed, there had to be something vulnerable. After some time searching, we eventually got it into our heads that it would be amazing if we could find an unserialize vulnerability in Java or a common library. Why? Because EVERYTHING in the Java world uses object serialization, and almost everything can be coerced into accepting unsafe, user provided serialized data (see the exploits section of this post for proof). We started down this path and found some cool leads in the world of Java unserialize vulnerabilities, some of which we'll probably continue to look into. Unfortunately, we didn't find anything leading to remote code execution.

Java Serialization: How a Library Screwed You Over

Serialization Basics

Unserialize vulnerabilities are totally language dependent. Here I'll describe the basics of how it works in Java, and why an unserialize vulnerability in any of the hundreds of libraries your application loads, even libraries you don't use, can ruin your day.

As described earlier, serialization is the process by which your programming language lets you convert data to a static, binary format, suitable for saving to disk or sending over the network. Unserialization, or deserialization, is exactly the opposite. It takes binary data and converts it back to something that you can use. Since this is all a bit hand-wavy and high level, let's take a look at some basic Java code that shows how someone might use serialization.

```java
import java.io.ObjectInputStream;
import java.io.FileInputStream;
import java.io.ObjectOutputStream;
import java.io.FileOutputStream;

public class SerializeTest {
    public static void main(String[] args) throws Exception {
        // This is the object we're going to serialize.
        String name = "bob";

        // We'll write the serialized data to a file "name.ser".
        FileOutputStream fos = new FileOutputStream("name.ser");
        ObjectOutputStream os = new ObjectOutputStream(fos);
        os.writeObject(name);
        os.close();

        // Read the serialized data back in from the file "name.ser".
        FileInputStream fis = new FileInputStream("name.ser");
        ObjectInputStream ois = new ObjectInputStream(fis);

        // Read the object from the data stream, and convert it back to a String.
        String nameFromDisk = (String) ois.readObject();
        ois.close();

        // Print the result.
        System.out.println(nameFromDisk);
    }
}
```

The above code simply writes the String "bob" to disk using Java's Serializable interface, then reads it back in and prints the result. The following shows the output from running this code.

```
breens@us-l-breens:~/Desktop/SerialTest$ java SerializeTest
bob
breens@us-l-breens:~/Desktop/SerialTest$ xxd name.ser
```

Notice the file on disk, name.ser. In particular, its leading bytes aced 0005 are the header that marks a Java serialized object. Not particularly exciting, but a good demonstration of the basics of Java object serialization.

Java Objects and More Complex Serialization

As an object oriented language, Java has a concept of Objects. Those unfamiliar with the concept can think of these like user defined data types. For example, in Java, a String is a type, and you can do things like this:

```java
String name = "bob";
System.out.println(name.length());        // This prints out 3
System.out.println(name.substring(0, 2)); // This prints out "bo"
```

The methods length() and substring() aren't magic. They're part of the definition of the String object. As a programmer, you can define your own objects and methods. Now that we've skipped about 6 months of Intro to Java, let's skip a few more and go straight to custom object serialization. Consider the following code:

```java
import java.io.ObjectInputStream;
import java.io.FileInputStream;
import java.io.ObjectOutputStream;
import java.io.FileOutputStream;
import java.io.Serializable;
import java.io.IOException;

public class SerializeTest {
    public static void main(String[] args) throws Exception {
        // This is the object we're going to serialize.
        MyObject myObj = new MyObject();
        myObj.name = "bob";

        // We'll write the serialized data to a file "object.ser".
        FileOutputStream fos = new FileOutputStream("object.ser");
        ObjectOutputStream os = new ObjectOutputStream(fos);
        os.writeObject(myObj);
        os.close();

        // Read the serialized data back in from the file "object.ser".
        FileInputStream fis = new FileInputStream("object.ser");
        ObjectInputStream ois = new ObjectInputStream(fis);

        // Read the object from the data stream, and convert it back to a MyObject.
        MyObject objFromDisk = (MyObject) ois.readObject();
        ois.close();

        // Print the result.
        System.out.println(objFromDisk.name);
    }
}

// The listing on this page is cut off before the MyObject class; a minimal Serializable
// MyObject with a single name field is supplied here so the example compiles and runs.
class MyObject implements Serializable {
    public String name;
}
```
Building a JMS Web service using SOAP over JMS and WebSphere Studio

Helen Du and Jeffrey Liu. Published on February 0.

Web services provide a powerful architecture for integrating applications. Open standards make Web services interoperable across these environments. For example, the Simple Object Access Protocol (SOAP) and HTTP transport standards allow. Although standards compliance. Web services, they are not the only ones. Consider a mission critical. Using SOAP over HTTP messaging is not sufficient because HTTP does not guarantee. In the Java world, Java Message Service (JMS) can be. This article will discuss the. JMS Web services, present a use case scenario to. SOAP over JMS, and then show you in detail how to. JMS Web service using IBM WebSphere Studio V5.

Understanding JMS Web services

In a distributed computing environment, data exchange between applications. To satisfy Java applications that require enterprise messaging support, Sun Microsystems. JMS, which is a common set of APIs and frameworks that support. J2EE applications. As JAX-RPC and JSR 1. J2EE 1.4 specification in order to form the basis of enterprise Web services. JMS based Web services is expected. IBM has recognized this. Web service implementation in WebSphere Application Server V5 that supports JMS messaging.

JMS supports two basic styles of message based communications. Point to point lets. JMS queue, and the. Once the message is. JMS queue and is no longer available to. Pub sub communication lets multiple subscribers listen. JMS topic. Unlike point to point. JMS topic does not get deleted. It stays on the topic and is made available for all.

Building on top of JMS, JMS Web services support two messaging styles. One way request messaging lets a Web service client unblock when the. JMS queue or topic. Two way request and response. Web service client until the response message is.

SOAP over JMS workflow diagrams for WebSphere Application Server V5

This section will show you how JMS Web services work in WebSphere Application Server V5. Figure 1 below shows a workflow diagram for one way. Both JMS queue or JMS topic can be used for one way request. JMS queue is the recommended approach because it results in. For two way request and response messaging, a JMS. JMS topic does not support point to point.

Figure 1. One way request.

Figure 2 shows a workflow diagram for one way request messaging to multiple. This messaging style resembles the JMS pub sub structure, so a JMS topic must be used in this case.

Figure 2. One way request.

JMS sender is an internal handler that is a part of the SOAP engines. It is responsible for delivering the SOAP. SOAP response message, if applicable. JMS listener is basically a. SOAP engine for processing. It is also responsible for sending the response message to. WebSphere Studio supports both of the above messaging. The following section presents a use case scenario on the use of JMS Web services.

Use case scenario

Since SOAP is transport independent and can be bound to any protocol, SOAP over JMS is an alternative messaging mechanism to the standard SOAP over HTTP messaging. Although both of them serve as a communication channel. Web service provider and a Web service client, they are very. When interoperability is the driving factor, use SOAP over HTTP. Web Service Interoperability (WS-I). When reliability, scalability, and asynchronous messaging. SOAP over JMS.

SOAP over JMS ensures reliability because message delivery is guaranteed. Messages sent by a Web services provider or Web services client are placed. In case of a communication failure, the failing message is retrieved from the. Businesses that use Enterprise Application Integration (EAI) should find SOAP over JMS appealing because it boosts confidence when exchanging critical data. Scalability is another advantage with SOAP over JMS. Unlike HTTP, JMS can.
Asynchronous messaging lets a client invoke a service without waiting for. Asynchronous invocation can be implemented by both. JMS as an asynchronous transport. It also lets a client query the status of its requests. These features, which HTTP. The following scenario illustrates a possible configuration that lets. SOAP over HTTP messaging, as well as the reliability aspect of SOAP over JMS messaging.

Figure 3 shows the configuration of a Web services gateway that uses SOAP over HTTP as the communication channel between external businesses, and SOAP over JMS within the company's intranet. The use of SOAP over HTTP is for the sake of interoperability, since external businesses may be. Conversely, since a company controls. The use of SOAP over JMS can compensate for the possible.

Figure 3. Configuration of a Web services gateway.

Building a JMS Web service

Begin by creating a WebSphere V5.0 test environment server and. JMS provider.

1. Bring up the wizard selection dialog. Select File > New > Other.
2. Launch the Server Creation wizard. Select Server from the menu. Server and Server Configuration from the list. Click Next.
3. Enter WebSphere5.0TestEnvironment as the. Test Environment from the WebSphere V5.0 folder. Click Finish (Figure 4).

Figure 4. Server creation wizard.

4. Switch to the Server perspective. Select Window > Open Perspective > Other. In the Perspective selection dialog, select Server and click OK.

Figure 5. Perspective.

5. Use the Server Configuration Editor to configure the JMS provider. To open the Server Configuration Editor, double click on the server WebSphere5.0TestEnvironment in the. Click on the JMS tab of the editor. By default, the JMS provider is disabled. To enable it, click on the MQ Simulator for Java Developers radio button.
6. We need to create a queue in the JMS server to maintain the incoming. Web service. Under the JMS Server Properties section, click the Add button beside the Queue Names table. In the Add Queue Name dialog, enter HelloWorld and click OK. The WebSphere JMS Provider Options page should look like Figure 6.

Figure 6. WebSphere JMS Provider Options page.

7. The next step is to create and associate a JMS destination with the HelloWorld queue we created earlier. A JMS destination lets you. JNDI name. In this. JMS Web service will use two way request and response. Under the JMS Destinations section, click on the Add button beside the WASQueue entries table. In the Add WASQueue dialog (Figure 7), enter HelloWorld as the name (this name must match the queue name you added to the JMS server) and HelloWorld as the JNDI name. Click OK.

Figure 7. Add WASQueue dialog.

8. Now that you have a JMS destination for the Web service, you need to. JMS connection factory to control how connections are made to. JMS destination, for example, the connection timeout period. Under the JMS Connection Factories section, click on the Add button beside the WASQueueConnectionFactory entries table. In the Add WASQueueConnectionFactory dialog shown in Figure 8, enter HelloWorldQCF as the name and HelloWorldQCF as the JNDI name. Click OK.

Figure 8. Add WASQueueConnectionFactory dialog.

9. Since our JMS Web service uses two way request and response messaging. Create another WASQueueConnectionFactory entry. Use WebServicesReplyQCF as the name and WebServicesReplyQCF as the JNDI name. You cannot modify these names because they are fixed by the WebSphere Web service implementation. The WebSphere JMS Provider Options page. Figure 9.

Figure 9.