2015-06-01T20:30:19 <anthonymoralez> 'nmap -q -sV --version-all --script rmi-vuln-classloader.nse -p 1098 localhost' reports a vulnerability on port 1098. I am running 'rmid -J-Djava.security.policy=file:///path/to/my.policy' from Oracle's JVM Java 1.8.0_45. My understanding was that this script is checking for the vulnerability that is mitigated by enabling java.rmi.server.useCodebaseOnly, which is enabled by default with JVM 1.8.0_45.
2015-06-01T20:31:19 <anthonymoralez> Does anyone know if rmi-vuln-classloader is supposed to detect this issue? Or how to secure rmid against this script?
2015-06-01T20:39:44 <anthonymoralez> judging by this message: http://seclists.org/nmap-dev/2012/q2/442 it is, but I still don't see how to secure rmid against this vulnerability
The script attempts to load the "dummy" class from "file:./dummy.jar", which will not succeed in any case. The target is deemed vulnerable if the response does not contain "RMI class loader disabled". This check may not distinguish between JVMs which support or enable the java.rmi.server.useCodebaseOnly property. Todo items:

- Determine whether the useCodebaseOnly property really makes a service not vulnerable. We may want to downgrade to LIKELY_VULN to reflect this mitigation, but it doesn't feel like a complete mitigation.
- Update the script to distinguish services with this property. This may require actually loading a class from elsewhere, which would be difficult unless there is some system-available class that useCodebaseOnly is supposed to prevent loading. Perhaps something like java.lang.Runtime.exec()?
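The decision described above, modelled as an added Python example (not the NSE script's own code): the current verdict keys only on the marker string, while a refined verdict separates out the ambiguous reply and downgrades it to the LIKELY_VULN state proposed in the todo list. The sample replies are constructed; that a server with useCodebaseOnly=true answers with a plain ClassNotFoundException for the probe class is an assumption, not something the issue confirms.

```python
import re

# Marker string the rmi-vuln-classloader script keys on (from the issue text).
DISABLED_MARKER = "RMI class loader disabled"

# Verdict names modelled on the NSE vulnerability states mentioned in the issue.
VULN, LIKELY_VULN, NOT_VULN = "VULNERABLE", "LIKELY_VULN", "NOT_VULNERABLE"

# Constructed server replies (not captured traffic). Only the marker text is
# taken from the issue; the rest of the wording is assumed for illustration.
SAMPLE_DISABLED = ("java.lang.ClassNotFoundException: dummy "
                   "(no security manager: RMI class loader disabled)")
SAMPLE_AMBIGUOUS = "java.lang.ClassNotFoundException: dummy"
SAMPLE_LOADED = "dummy class resolved; remote call completed"  # placeholder


def current_verdict(response: str) -> str:
    """The check as the issue describes it: vulnerable unless the marker appears."""
    return NOT_VULN if DISABLED_MARKER in response else VULN


def refined_verdict(response: str, probe_class: str = "dummy") -> str:
    """Same check, but with the ambiguous outcome separated out.

    A plain ClassNotFoundException for the probe class is what we assume a
    server with java.rmi.server.useCodebaseOnly=true returns (the client's
    codebase annotation is ignored), and it is also what a genuinely exposed
    server returns when the jar is unreachable, as 'file:./dummy.jar' always
    is. The probe cannot tell these apart, so that case is only LIKELY_VULN.
    Any other reply without the marker keeps the VULNERABLE verdict.
    """
    if DISABLED_MARKER in response:
        return NOT_VULN
    pattern = r"ClassNotFoundException:\s*" + re.escape(probe_class) + r"\s*$"
    if re.search(pattern, response):
        return LIKELY_VULN
    return VULN


def compare(responses):
    """Return (current, refined) verdict pairs so the disagreement is visible."""
    return [(current_verdict(r), refined_verdict(r)) for r in responses]
```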