Java JMX Server Insecure Endpoint Code Execution Scanner - Metasploit


This page contains detailed information about how to use the auxiliary/scanner/misc/java_jmx_server Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.

Module Overview


Name: Java JMX Server Insecure Endpoint Code Execution Scanner
Module: auxiliary/scanner/misc/java_jmx_server
Source code: modules/auxiliary/scanner/misc/java_jmx_server.rb
Disclosure date: 2013-05-22
Last modification time: 2018-12-19 12:56:53 +0000
Supported architecture(s): -
Supported platform(s): Java
Target service / protocol: -
Target network port(s): 1099
List of CVEs: CVE-2015-2342

Detect Java JMX endpoints

Module Ranking and Traits


Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage


This module is a scanner module, and is capable of testing against multiple hosts.

msf > use auxiliary/scanner/misc/java_jmx_server
msf auxiliary(java_jmx_server) > show options
    ... show and set options ...
msf auxiliary(java_jmx_server) > set RHOSTS ip-range
msf auxiliary(java_jmx_server) > exploit

Other examples of setting the RHOSTS option:

Example 1:

msf auxiliary(java_jmx_server) > set RHOSTS 192.168.1.3-192.168.1.200 

Example 2:

msf auxiliary(java_jmx_server) > set RHOSTS 192.168.1.1/24

Example 3:

msf auxiliary(java_jmx_server) > set RHOSTS file:/tmp/ip_list.txt

Required Options


  • RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'

Knowledge Base


The java_jmx_scanner module uses the Msf::Exploit::Remote::Java::Rmi::Client library to perform a handshake with a Java JMX MBean server. A JMX MBean server listens on TCP port 1099 by default and is used to manage and monitor Java applications.

The module returns whether the target is a Java JMX MBeans server and also outputs if the server requires authentication.
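To show the first step of that handshake (what the module does when it prints "Sending RMI header..."), here is an added Python example that is not part of the module or the Metasploit project: it builds the RMI stream-protocol header, parses the server's ProtocolAck reply, and checks the parser against a constructed sample reply. The probe_rmi() helper and its default port 1099 are assumptions; a ProtocolAck only proves an RMI listener, while the jmxrmi lookup and the authentication check are the module's later steps.

```python
import socket
import struct

# Java RMI wire-protocol constants (header magic, version, protocol and
# ack bytes from the RMI Wire Protocol spec). is_rmi? does this exchange.
RMI_MAGIC = b"JRMI"
RMI_VERSION = 2
STREAM_PROTOCOL = 0x4B   # client asks for StreamProtocol
PROTOCOL_ACK = 0x4E      # server accepts; 0x4F would be ProtocolNotSupported

def rmi_header() -> bytes:
    """Client greeting: 'JRMI', 2-byte version, 1-byte protocol choice."""
    return RMI_MAGIC + struct.pack(">HB", RMI_VERSION, STREAM_PROTOCOL)

def parse_protocol_ack(data: bytes):
    """Parse the server reply. A StreamProtocol ack is 0x4E followed by an
    EndpointIdentifier: writeUTF(host) (2-byte length + bytes) and a 4-byte
    port. Returns (host, port) for a complete ack, None for anything else
    (ProtocolNotSupported, a non-RMI banner, or a truncated reply)."""
    if len(data) < 3 or data[0] != PROTOCOL_ACK:
        return None
    (hlen,) = struct.unpack(">H", data[1:3])
    end = 3 + hlen
    if len(data) < end + 4:
        return None
    host = data[3:end].decode("utf-8", errors="replace")
    (port,) = struct.unpack(">i", data[end:end + 4])
    return host, port

def probe_rmi(host: str, port: int = 1099, timeout: float = 5.0):
    """Assumed helper for a live check of one endpoint: send the header and
    return the parsed EndpointIdentifier, or None if it is not RMI."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(rmi_header())
        buf = b""
        while len(buf) < 4096:
            chunk = s.recv(1024)
            if not chunk:
                break
            buf += chunk
            if buf[0] != PROTOCOL_ACK:   # refused, or not RMI at all
                return None
            ack = parse_protocol_ack(buf)
            if ack is not None:          # complete ack; stop reading
                return ack
        return None

# Constructed sample reply (not captured from a real server): an ack naming
# the client endpoint the server saw as 127.0.0.1:1099.
SAMPLE_ACK = (bytes([PROTOCOL_ACK]) + struct.pack(">H", 9) + b"127.0.0.1"
              + struct.pack(">i", 1099))
```

In an inventory of hosts answering on 1099, a parsed ack marks the host as an RMI listener that should then be checked for jmxremote.authenticate=true, which is exactly the distinction the module's "authentication required" output makes.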

Vulnerable Application


While many implementations of JMX are available, the module was successfully tested against an Apache ActiveMQ 5.13.3 server with JMX enabled. For convenience, a docker container (antonw/activemq-jmx) supports JMX and can be tweaked to require authentication.

Verification Steps


See PR#10401 for general information, and this specific comment for steps to require JMX authentication in the container. In summary:

docker run -p 1099:1099 antonw/activemq-jmx 
docker exec -u=root -it `docker ps -q` /bin/bash

# echo -e "monitorRole QED\ncontrolRole R&D" > /etc/java-7-openjdk/management/jmxremote.password
# chown activemq /etc/java-7-openjdk/management/jmxremote.password
# chmod 400 /etc/java-7-openjdk/management/jmxremote.password
# sed -i 's/-Dcom.sun.management.jmxremote.authenticate=false/-Dcom.sun.management.jmxremote.authenticate=true/' /opt/apache-activemq-5.13.3/bin/env

docker restart `docker ps -q`


Scenarios


ActiveMQ 5.13.3

Against the above-described Docker container, the workflow looks like:

msf5 auxiliary(scanner/misc/java_jmx_server) > set RHOST 127.0.0.1
msf5 auxiliary(scanner/misc/java_jmx_server) > set RPORT 1099
msf5 auxiliary(scanner/misc/java_jmx_server) > run
[*] Reloading module...

[*] 127.0.0.1:1099        - Sending RMI header...
[*] 127.0.0.1:1099        - localhost:1099 Java JMX MBean authentication required
[*] 127.0.0.1:1099        - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

In addition, note that the services table in the data model has been updated:

msf5 auxiliary(scanner/misc/java_jmx_server) > services 
Services
========

host             port  proto  name      state  info
----             ----  -----  ----      -----  ----
127.0.0.1        1099  tcp    java-rmi  open   JMX MBean server accessible


Msfconsole Usage


Here is how the scanner/misc/java_jmx_server auxiliary module looks in the msfconsole:

msf6 > use auxiliary/scanner/misc/java_jmx_server

msf6 auxiliary(scanner/misc/java_jmx_server) > show info

       Name: Java JMX Server Insecure Endpoint Code Execution Scanner
     Module: auxiliary/scanner/misc/java_jmx_server
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2013-05-22

Provided by:
  rocktheboat

Check supported:
  No

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT    1099             yes       The target port (TCP)
  THREADS  1                yes       The number of concurrent threads (max one per host)

Description:
  Detect Java JMX endpoints

References:
  https://docs.oracle.com/javase/8/docs/technotes/guides/jmx/JMX_1_4_specification.pdf
  https://www.optiv.com/blog/exploiting-jmx-rmi
  https://nvd.nist.gov/vuln/detail/CVE-2015-2342

Module Options


This is a complete list of options available in the scanner/misc/java_jmx_server auxiliary module:

msf6 auxiliary(scanner/misc/java_jmx_server) > show options

Module options (auxiliary/scanner/misc/java_jmx_server):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    1099             yes       The target port (TCP)
   THREADS  1                yes       The number of concurrent threads (max one per host)

Advanced Options


Here is a complete list of advanced options supported by the scanner/misc/java_jmx_server auxiliary module:

msf6 auxiliary(scanner/misc/java_jmx_server) > show advanced

Module advanced options (auxiliary/scanner/misc/java_jmx_server):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   CHOST                                 no        The local client address
   CPORT                                 no        The local client port
   ConnectTimeout       10               yes       Maximum number of seconds to establish a TCP connection
   Proxies                               no        A proxy chain of format type:host:port[,type:host:port][...]
   RmiReadLoopTimeout   1                yes       Maximum number of seconds to wait for data between read iterations
   SSL                  false            no        Negotiate SSL/TLS for outgoing connections
   SSLCipher                             no        String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"
   SSLVerifyMode        PEER             no        SSL verification method (Accepted: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER)
   SSLVersion           Auto             yes       Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
   ShowProgress         true             yes       Display progress messages during a scan
   ShowProgressPercent  10               yes       The interval in percent that progress should be shown
   VERBOSE              false            no        Enable detailed status messages
   WORKSPACE                             no        Specify the workspace for this module

Auxiliary Actions


This is a list of all auxiliary actions that the scanner/misc/java_jmx_server module can do:

msf6 auxiliary(scanner/misc/java_jmx_server) > show actions

Auxiliary actions:

   Name  Description
   ----  -----------

Evasion Options


Here is the full list of possible evasion options supported by the scanner/misc/java_jmx_server auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 auxiliary(scanner/misc/java_jmx_server) > show evasion

Module evasion options:

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   TCP::max_send_size  0                no        Maxiumum tcp segment size.  (0 = disable)
   TCP::send_delay     0                no        Delays inserted before every send.  (0 = disable)


Error Messages


This module may fail with the following error messages:

Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.

<RHOST>:<RPORT> Java JMX RMI not detected


Here is a relevant code snippet related to the "<RHOST>:<RPORT> Java JMX RMI not detected" error message:

36:	    mbean_server = { "address" => rhost, "port" => rport }
37:	
38:	    connect
39:	    print_status("Sending RMI header...")
40:	    unless is_rmi?
41:	      print_status("#{rhost}:#{rport} Java JMX RMI not detected")
42:	      disconnect
43:	      return
44:	    end
45:	
46:	    mbean_server = discover_endpoint

<RHOST>:<RPORT> Java JMX MBean not detected


Here is a relevant code snippet related to the "<RHOST>:<RPORT> Java JMX MBean not detected" error message:

45:	
46:	    mbean_server = discover_endpoint
47:	    disconnect
48:	
49:	    if mbean_server.nil?
50:	      print_status("#{rhost}:#{rport} Java JMX MBean not detected")
51:	      return
52:	    end
53:	
54:	    connect(true, { 'RHOST' => mbean_server[:address], 'RPORT' => mbean_server[:port] })
55:	

<RHOST>:<RPORT> Java JMX RMI not detected


Here is a relevant code snippet related to the "<RHOST>:<RPORT> Java JMX RMI not detected" error message:

52:	    end
53:	
54:	    connect(true, { 'RHOST' => mbean_server[:address], 'RPORT' => mbean_server[:port] })
55:	
56:	    unless is_rmi?
57:	      print_status("#{rhost}:#{rport} Java JMX RMI not detected")
58:	      disconnect
59:	      return
60:	    end
61:	
62:	    jmx_endpoint = handshake(mbean_server)

JMXRMI discovery returned unexpected object <REF:OBJECT>


Here is a relevant code snippet related to the "JMXRMI discovery returned unexpected object <REF:OBJECT>" error message:

107:	
108:	    ref = send_registry_lookup(name: "jmxrmi")
109:	    return nil if ref.nil?
110:	
111:	    unless rmi_classes_and_interfaces.include? ref[:object]
112:	      vprint_error("JMXRMI discovery returned unexpected object #{ref[:object]}")
113:	      return nil
114:	    end
115:	
116:	    ref
117:	  end

JMXRMI discovery raised an exception of type <E.MESSAGE>


Here is a relevant code snippet related to the "JMXRMI discovery raised an exception of type <E.MESSAGE>" error message:

123:	      uid_time: mbean[:uid].time,
124:	      uid_count: mbean[:uid].count
125:	    }
126:	    send_new_client(opts)
127:	  rescue ::Rex::Proto::Rmi::Exception => e
128:	    vprint_error("JMXRMI discovery raised an exception of type #{e.message}")
129:	    if e.message == 'java.lang.SecurityException'
130:	      return false
131:	    end
132:	    return nil
133:	  end



Authors


  • rocktheboat

Version


This page has been produced using Metasploit Framework version 6.2.7-dev. For more modules, visit the Metasploit Module Library.
