Full Disclosure mailing list archives
ArcGIS Server 10.3.1: RMIClassLoader useCodebaseOnly=false RCE
From: Harrison Neal <hneal () whatdidibreak com>
Date: Mon, 09 Oct 2017 02:16:43 +0000
Using an Esri-provided image on Azure's Marketplace, ArcGIS Server 10.3.1 started Java's rmid on port 1098 and explicitly set the property java.rmi.server.useCodebaseOnly equal to false. Screenshot: https://www.dropbox.com/s/xz9ugal3ixnfh1c/10.3.1_rmid_useCodebaseOnly%3Dfalse.png?dl=0 As discussed on Oracle's website, the default value of java.rmi.server.useCodebaseOnly was changed to true in Java 7 Update 21, with a remark that setting it to false could create a risk of RCE. Link: http://docs.oracle.com/javase/7/docs/technotes/guides/rmi/enhancements-7.html While the version of Java included in ArcGIS Server 10.3.1 appears to be Java 7 Update 76, which would have the more secure default setting, that is irrelevant due to the ArcGIS solution manually changing it. Screenshot: https://www.dropbox.com/s/5reh81dwwp9e4dz/10.3.1_rmid_java7u76.png?dl=0 When an attacker can remotely reach rmid on the victim server, and the victim server can reach a web server on a machine controlled by the attacker, this is relatively easily exploited to gain RCE. Video: https://www.dropbox.com/s/t4fmxwzjzzo7yhe/ArcGIS_useCodebaseOnly%3Dfalse_exploitation.wmv?dl=0 Administrators are encouraged to use a tool such as Process Explorer or wmic to ensure that the command line arguments passed to rmid have the java.rmi.server.useCodebaseOnly property equal to true. During testing, Esri-provided images on Azure's Marketplace for ArcGIS Server 10.4.1 and 10.5.1 were found to set that property to true; administrators may try updating to a newer version of ArcGIS Server, and/or contacting Esri for assistance. If an update is required but not immediately possible, consider firewall rules to block access to rmid from systems that have no need to connect to it. _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- ArcGIS Server 10.3.1: RMIClassLoader useCodebaseOnly=false RCE Harrison Neal (Oct 10)
- Re: ArcGIS Server 10.3.1: RMIClassLoader useCodebaseOnly=false RCE Harrison Neal (Oct 10)