Java RMI Services Default Configuration Remote Loading

Added: 07/29/2011

Background

The Java Remote Method Invocation (RMI) system allows an object running in one Java virtual machine to invoke methods on an object running in another Java virtual machine. RMI provides for remote communication between programs written in the Java programming language.

Problem

The default configuration of the Java RMI Registry and Activation services shipped with the Oracle Java Development Kit (JDK) 6.0 Update 26 and prior allows attackers to load classes from remote URLs. A JRMP call carries a "codebase" annotation naming where the receiving JVM may fetch classes it does not already have; with the default setting of java.rmi.server.useCodebaseOnly=false the registry honours a codebase supplied by the caller, downloads the class from that URL and instantiates it during deserialization, so any unauthenticated client that can reach the service port can execute code of its choosing in the service's JVM.

Resolution

Disable the Java RMI services if they are not required. Otherwise, start the RMI applications with java.rmi.server.useCodebaseOnly=true so that classes are loaded only from the codebase configured on the server side rather than from URLs supplied by callers (later JDK releases, from 7u21, make this the default), and restrict network access to the registry and activation ports so that only trusted hosts can reach them.
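A practitioner checking whether an RMI registry is reachable from untrusted networks needs a way to tell a real JRMP endpoint from any other open port. The following is an added example, not code from the original page or from any exploit module: it builds the client's JRMP stream header (magic "JRMI", 2-byte version, 1-byte protocol) and parses the server's reply, which on success is a ProtocolAck byte followed by the endpoint the server observed for the connecting client (a 2-byte-length UTF host string and a 4-byte port). The sample reply bytes in the test are constructed, and the host 192.0.2.10 and port numbers are assumptions for illustration only.

```python
import socket
import struct

JRMI_MAGIC = b"JRMI"
JRMI_VERSION = 2            # TransportConstants.Version in the JDK
STREAM_PROTOCOL = 0x4B      # StreamProtocol; 0x4c = SingleOp, 0x4d = Multiplex
PROTOCOL_ACK = 0x4E
PROTOCOL_NOT_SUPPORTED = 0x4F


def build_jrmi_header(protocol=STREAM_PROTOCOL):
    """Client-side JRMP stream header: 'JRMI' + big-endian version + protocol byte."""
    return JRMI_MAGIC + struct.pack(">HB", JRMI_VERSION, protocol)


def parse_protocol_ack(data):
    """Parse the server's answer to the header.

    A JRMP server replies with ProtocolAck (0x4e) and then writes the endpoint
    it sees for *our* side of the connection: a UTF string (2-byte length
    prefix) with the client host and a 4-byte client port. Returns
    (host, port); raises ValueError for anything that is not a valid ack.
    """
    if not data:
        raise ValueError("empty reply: not an RMI endpoint or connection closed")
    if data[0] == PROTOCOL_NOT_SUPPORTED:
        raise ValueError("server answered ProtocolNotSupported")
    if data[0] != PROTOCOL_ACK:
        raise ValueError("unexpected first byte 0x%02x" % data[0])
    if len(data) < 3:
        raise ValueError("truncated endpoint identifier")
    (host_len,) = struct.unpack(">H", data[1:3])
    end = 3 + host_len
    if len(data) < end + 4:
        raise ValueError("truncated endpoint identifier")
    host = data[3:end].decode("utf-8")
    (port,) = struct.unpack(">i", data[end:end + 4])
    return host, port


def looks_like_rmi(data):
    """True if the bytes are a well-formed JRMP ProtocolAck, False otherwise."""
    try:
        parse_protocol_ack(data)
        return True
    except ValueError:
        return False


def probe_rmi(host, port=1099, timeout=5.0):
    """Live check: connect, send the header and return the parsed ack.

    Network call; not exercised by the offline test. Port 1099 is the
    conventional rmiregistry port (an assumption for the default argument).
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_jrmi_header())
        reply = sock.recv(1024)
    return parse_protocol_ack(reply)


if __name__ == "__main__":
    # Constructed reply: ack, host "192.0.2.10" (10 bytes), port 52341.
    sample = b"\x4e\x00\x0a192.0.2.10" + struct.pack(">i", 52341)
    print(parse_protocol_ack(sample))   # ('192.0.2.10', 52341)
```

The host and port in the acknowledgement are what the registry believes the client's address to be, which is also a cheap way to learn whether a NAT or proxy sits between the scanning host and the service. A positive probe only establishes that a JRMP endpoint is exposed; whether it will fetch classes from a caller-supplied codebase depends on the java.rmi.server.useCodebaseOnly setting of the process behind it.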

References

http://www.oracle.com/technetwork/java/javase/tech/index-jsp-136424.html

Limitations

This exploit has been tested against Oracle JRE 6.0 Update 26 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). The exploit must bind a web server to TCP port 80 on the scanning host so that the target JVM can download the attacker-supplied class from it; ensure no other service is listening on port 80 before running it.

Platforms

Windows
