[R1] Novell NetIQ Sentinel Commons DiskFileItem RMI Java Deserialization Remote File Creation / Manipulation

On March 4, 2016, Novell released a patch for NetIQ Sentinel 7.4 SP1 (Sentinel 7.4.1.0) Build 2512 that fixed “Java Deserialization” [1]. The “fix” however, appears to have simply upgraded Apache Commons Collections to 3.2 where dangerous objects are not deserializable by default. This means that NetIQ is still open to other deserialization attacks.

Apache Commons FileUpload contains an object called DiskFileItem, which is normally harmless. However, the object can be modified after it is serialized to behave in ways that were not intended. Specifically we can modify DiskFileItem to:

1. Create a new file anywhere the Java process has permission.
2. Write anything we would like to that new file.
3. We can also move (copy and delete) any file on the remote system that we have permission to.

There are two limitations though:

1. We don’t control the filename. This is generated by DiskFileItem class as “upload_$uuid_$counter.tmp.
2. Files are created using the File.createTempFile() interface. That means the lifetime of the file is totally dependent on the usage of deleteOnExit(), how long the JVM runs, and if it is moved after creation (If the move is done by the exploit then it will still be deleted. However, if the move is done by the InvokerTransformer exploit then it will not be deleted). It is our observation that files live for ~2 minutes when created by NetIQ Sentinel.

Proof of Concept

NetIQ Sentinel exposes RMI through TCP port 1099. Using this interface a remote unauthenticated attacker can deserialize a DiskFileItem. This allows an attacker to perform a variety of actions. The most obvious is that the attacker now has control of all files owned by novell:novell. There are a lot of files within the /var/opt/novell/sentinel directory structure that are interesting. Specifically, /var/opt/novell/sentinel/3rdparty/mongodb/ and /var/opt/novell/sentinel/3rdparty/postgresql/ contain a large amount of data important to Sentinel. An attacker even has the power to delete the table containing authentication information which then denies access to everyone. Another interesting attack is deleting the "events" (think like Snort warnings) database to hide malicious activity on the network.

Tenable has created a proof-of-concept NASL script that connects to the RMI port and sends the DiskFileItem object. We also had to create a Python version of the exploit for the haters. The result of the attack is a new file in /tmp/ with the contents “hello”. The new file has the permissions of user “novell”.