Script rmi-vuln-classloader

Script types: portrule
Categories: intrusive, vuln
Download: https://svn.nmap.org/nmap/scripts/rmi-vuln-classloader.nse

Script Summary

Tests whether Java rmiregistry allows class loading. The default configuration of rmiregistry allows loading classes from remote URLs, which can lead to remote code execution. The vendor (Oracle/Sun) classifies this as a design feature.

Based on original Metasploit module by mihi.

References:

• https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/java_rmi_server.rb

Script Arguments

vulns.short, vulns.showall

See the documentation for the vulns library.

Example Usage

nmap --script=rmi-vuln-classloader -p 1099 <target>

Script Output

PORT     STATE SERVICE
1099/tcp open  rmiregistry
| rmi-vuln-classloader:
|   VULNERABLE:
|   RMI registry default configuration remote code execution vulnerability
|     State: VULNERABLE
|     Description:
|               Default configuration of RMI registry allows loading classes from remote URLs which can lead to remote code executeion.
|
|     References:
|_      https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/java_rmi_server.rb

Requires

• rmi
• shortport
• string
• stdnse
• vulns

---

Author:

• Aleksandar Nikolic

License: Same as Nmap--See https://nmap.org/book/man-legal.html