Closed ret2src closed 1 year ago
We were able to find out how to establish a connection. You might want to automate and add this technique to beanshooter:

Use nmap to check which ports might give you the required SSL certificate:

$ sudo nmap -Pn -n -p- -sVC 13.33.33.37
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-12 02:41 EST
Nmap scan report for 13.33.33.37
Host is up (0.0016s latency).
PORT STATE SERVICE VERSION
[...]
9091/tcp open java-rmi Java RMI
| rmi-dumpregistry:
| jmxrmi
| javax.management.remote.rmi.RMIServerImpl_Stub
| @13.33.33.37:49735
| extends
| java.rmi.server.RemoteStub
| extends
|_ java.rmi.server.RemoteObject
18888/tcp open java-rmi Java RMI
|_rmi-dumpregistry: ERROR: Script execution failed (use -d to debug)
[...]
21190/tcp open java-rmi Java RMI
| rmi-dumpregistry:
| DMSFileService
| implements org.springframework.remoting.rmi.RmiInvocationHandler,
| extends
| java.lang.reflect.Proxy
| fields
| Ljava/lang/reflect/InvocationHandler; h
| java.rmi.server.RemoteObjectInvocationHandler
| @13.33.33.37:49739
| extends
| java.rmi.server.RemoteObject
| DMSProcessService
| implements org.springframework.remoting.rmi.RmiInvocationHandler,
| extends
| java.lang.reflect.Proxy
| fields
| Ljava/lang/reflect/InvocationHandler; h
| java.rmi.server.RemoteObjectInvocationHandler
| @13.33.33.37:49739
| extends
| java.rmi.server.RemoteObject
| DMSLogCollectionService
| implements org.springframework.remoting.rmi.RmiInvocationHandler,
| extends
| java.lang.reflect.Proxy
| fields
| Ljava/lang/reflect/InvocationHandler; h
| java.rmi.server.RemoteObjectInvocationHandler
| @13.33.33.37:49739
| extends
|_ java.rmi.server.RemoteObject
21191/tcp open java-rmi Java RMI
|_rmi-dumpregistry: ERROR: Script execution failed (use -d to debug)
[...]
49735/tcp open ssl/unknown
| ssl-cert: Subject: commonName=iMC Development Team/organizationName=Hangzhou H3C Technologies Co,. Ltd./stateOrProvinceName=Beijing/countryName=CN
| Not valid before: 2007-03-28T03:53:34
|_Not valid after: 2022-03-28T03:53:34
|_ssl-date: 2023-01-12T07:43:14+00:00; -1s from scanner time.
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 102.22 seconds
49735/tcp has something to do with the JMX service on port 9091/tcp. Let's download its certificate to a file:

$ openssl s_client -connect 13.33.33.37:49735 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert
Can't use SSL_get_servername
depth=0 C = CN, ST = Beijing, L = Shang-Di Information Industry Base, O = "Hangzhou H3C Technologies Co,. Ltd.", OU = R&D Beijing, CN = iMC Development Team
verify error:num=18:self-signed certificate
verify return:1
depth=0 C = CN, ST = Beijing, L = Shang-Di Information Industry Base, O = "Hangzhou H3C Technologies Co,. Ltd.", OU = R&D Beijing, CN = iMC Development Team
verify error:num=10:certificate has expired
notAfter=Mar 28 03:53:34 2022 GMT
verify return:1
depth=0 C = CN, ST = Beijing, L = Shang-Di Information Industry Base, O = "Hangzhou H3C Technologies Co,. Ltd.", OU = R&D Beijing, CN = iMC Development Team
notAfter=Mar 28 03:53:34 2022 GMT
verify return:1
DONE
Import it into a truststore file:

$ keytool -import -noprompt -alias CN -file cert -keystore truststore -storepass 123456
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Certificate was added to keystore
Warning:
The input uses the MD5withRSA signature algorithm which is considered a security risk and is disabled.
The input uses a 1024-bit RSA key which is considered a security risk. This key size will be disabled in a future update.
Connect using the truststore file:

$ jconsole -J-Djavax.net.ssl.trustStore=truststore -J-Djavax.net.ssl.trustStorePassword=123456
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Hi @ret2src :wave:
thanks for reporting and the detailed information :+1: The exception is now caught and a corresponding error message is displayed.
Fully solving this exception is really a challenge. The underlying issue is not that the certificate is missing (beanshooter does not care about certificates at all), but that the server certificate uses disabled cryptographic algorithms. These are configured within the java.security policy and the current default settings look like this:
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, \
SHA1 usage SignedJAR & denyAfter 2019-01-01, \
include jdk.disabled.namedCurves
Adjusting these settings at runtime is rather difficult. The correct way to work around them would probably be to create a custom CertPathValidator that actually does nothing, and register it as security provider. However, this would be quite some implementation effort for an edge case that should not appear too often.
I'm actually surprised that adding the server certificate to the truststore worked. This may be the case because the signature algorithm was the problem in your situation and Java does not need to validate the signature if the certificate was explicitly set trusted. However, I do not expect it to work when e.g. the RSA key size is too small.
I will evaluate how much effort a custom CertPathValidator would be and whether it actually works. If it does, I may add it in future. For now, only the exception handling was improved. Again, thanks for reporting :)
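The following script is an added example that accompanies both the certificate-extraction procedure from ret2src's comment (openssl s_client, keytool, jconsole) and the jdk.certpath.disabledAlgorithms explanation above; it is not part of beanshooter and not code from either participant. It fetches the server certificate without validation (Python's ssl.get_server_certificate, the equivalent of the openssl pipeline), evaluates a certificate's signature algorithm and key size against the default policy string quoted in the thread, and writes the relaxed policy line for a java.security override file. The DEFAULT_POLICY text is the one quoted above; the test values (MD5withRSA, 1024-bit RSA) are the ones keytool reported for the iMC certificate; the -Djava.security.properties override mechanism, the alias name and the file paths are my own assumptions, not anything the thread shows:

```python
"""Check a server certificate against the JDK's jdk.certpath.disabledAlgorithms
policy and emit the override needed for a throw-away client JVM.
Added example; not beanshooter's code."""
import datetime
import re
import ssl

# Default policy as quoted in the maintainer's comment in this thread.
DEFAULT_POLICY = (
    "MD2, MD5, SHA1 jdkCA & usage TLSServer, "
    "RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, "
    "SHA1 usage SignedJAR & denyAfter 2019-01-01, "
    "include jdk.disabled.namedCurves"
)


def parse_policy(policy):
    """Split the comma-separated list into (raw_entry, ALGORITHM, [conditions]).
    Conditions are the clauses after the algorithm name, joined by '&'.
    Backslash line continuations from a real java.security file are tolerated."""
    entries = []
    for raw in policy.replace("\\", " ").split(","):
        raw = " ".join(raw.split())
        if not raw or raw.startswith("include "):
            continue  # the named-curve include list is irrelevant for these checks
        clauses = [c.strip() for c in raw.split("&")]
        head = clauses[0].split(" ", 1)
        conds = ([head[1]] if len(head) > 1 else []) + clauses[1:]
        entries.append((raw, head[0].upper(), conds))
    return entries


def split_sigalg(sigalg):
    """'MD5withRSA' -> ('MD5', 'RSA'); 'SHA256withECDSA' -> ('SHA256', 'EC')."""
    m = re.fullmatch(r"([A-Za-z0-9\-]+?)with([A-Za-z0-9]+)", sigalg, re.IGNORECASE)
    if not m:
        raise ValueError("unrecognised signature algorithm: " + sigalg)
    hash_name = m.group(1).upper().replace("-", "")
    key_name = m.group(2).upper()
    for prefix in ("RSA", "DSA", "EC"):
        if key_name.startswith(prefix):
            key_name = prefix
            break
    return hash_name, key_name


def _condition_holds(cond, name, key_name, key_bits, jdk_ca, usage, today):
    m = re.fullmatch(r"keySize\s*<\s*(\d+)", cond)
    if m:  # key-size limits only apply to the key algorithm they are attached to
        return key_name == name and key_bits < int(m.group(1))
    if cond == "jdkCA":  # only certs chaining to a JDK-shipped trust anchor
        return jdk_ca
    m = re.fullmatch(r"usage\s+(.+)", cond)
    if m:
        return usage in m.group(1).split()
    m = re.fullmatch(r"denyAfter\s+(\d{4}-\d{2}-\d{2})", cond)
    if m:
        return today > datetime.date.fromisoformat(m.group(1))
    raise ValueError("unsupported constraint: " + cond)


def violations(sigalg, key_name, key_bits, policy=DEFAULT_POLICY,
               jdk_ca=False, usage="TLSServer", today=None):
    """Return the policy entries a certificate with this signature algorithm and
    subject key (algorithm name and size as keytool reports them) would trip.
    A self-signed cert imported by hand is not jdkCA, so SHA1 passes for it."""
    today = today or datetime.date.today()
    hash_name, _ = split_sigalg(sigalg)
    key_name = key_name.upper()
    hits = []
    for raw, name, conds in parse_policy(policy):
        if name not in (hash_name, key_name):
            continue
        if all(_condition_holds(c, name, key_name, key_bits, jdk_ca, usage, today)
               for c in conds):
            hits.append(raw)
    return hits


def relaxed_policy(policy, drop):
    """Policy line with the listed entries removed, for an override file passed
    via -Djava.security.properties=<file> (assumed workflow, see lead-in)."""
    keep = [" ".join(e.split()) for e in policy.replace("\\", " ").split(",")]
    keep = [e for e in keep if e and e not in drop]
    return "jdk.certpath.disabledAlgorithms=" + ", ".join(keep)


def fetch_server_cert(host, port):
    """PEM of the leaf certificate, fetched without validation (like openssl s_client)."""
    return ssl.get_server_certificate((host, port))


def keytool_import_cmd(pem_path, truststore, password, alias="jmx-target"):
    return ["keytool", "-import", "-noprompt", "-alias", alias, "-file", pem_path,
            "-keystore", truststore, "-storepass", password]


if __name__ == "__main__":
    import sys
    # Values keytool reported for the certificate in this thread.
    print("violations for MD5withRSA / 1024-bit RSA:", violations("MD5withRSA", "RSA", 1024))
    print(relaxed_policy(DEFAULT_POLICY, ["MD5"]))
    if len(sys.argv) == 3:  # python check_cert.py <host> <port>  (hypothetical file name)
        with open("cert", "w") as fh:
            fh.write(fetch_server_cert(sys.argv[1], int(sys.argv[2])))
        print(" ".join(keytool_import_cmd("cert", "truststore", "123456")))
```

For the certificate in this thread the only hit is the bare MD5 entry; the 1024-bit key is not below the 1024 threshold, which matches keytool's "will be disabled in a future update" wording and the observation above that the signature algorithm was the blocker. The relaxed line would go into a small properties file handed to the client JVM (for jconsole: -J-Djava.security.properties=override.properties); note that TLS handshake constraints live in the separate jdk.tls.disabledAlgorithms property and are not touched by this script.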
During a recent penetration test we have discovered a JMX service that allows connections using a custom keystore file. Apparently, Nessus was able to successfully connect to the service and extract information such as the correct VM arguments of the JVM process. In their research blog, Tenable write:

While we were able to establish a connection after extracting the keystore and truststore files from the server (we already compromised a Domain Admin) and using the keystore password reported by Nessus, we did not find a way to retrieve the required JMX certificate remotely without authentication. Since beanshooter apparently also misses this functionality, we receive the following stack trace upon establishing a connection:

As indicated in the output of beanshooter, you might want to improve the exception handling accordingly. Furthermore, if you're up for the challenge, you might want to help us look into where to get the required certificate and make beanshooter even more awesome... ;-)