Reference: https://devco.re/blog/2020/09/12/how-I-hacked-Facebook-again-unauthenticated-RCE-on-MobileIron-MDM/
- Found that Facebook uses MobileIron as its MDM solution. Although I didn't find it on the official website, I found, through Google, the rpm package the developers used for testing.
- Analysis of the code shows the following open ports:
  - 443: user device registration interface
  - 8443: device management interface
  - 9997: MobileIron's proprietary device synchronization protocol (MI Protocol)
- Apache reverse-proxies the Tomcat web applications, which are built on Spring MVC.
- Bypass Apache's rewrite rules:
  `https://mobileiron/mifs/.;/services/someService`
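The bypass above works because Apache matches its rewrite rules against the raw path while Tomcat strips `;` path parameters and resolves `.` before dispatching. The following script, added here and not part of the original notes, reproduces that normalization and flags access-log requests whose raw path slips past a prefix rule but lands on a restricted servlet path; the log lines and the `/mifs/services/` prefix are constructed placeholders, since the product's real rule set is not on this page.

```python
import re

# Constructed sample access log lines (not taken from the original post).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Sep/2020:10:00:01 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 512
10.0.0.7 - - [12/Sep/2020:10:00:02 +0000] "POST /mifs/.;/services/someService HTTP/1.1" 200 1024
10.0.0.9 - - [12/Sep/2020:10:00:03 +0000] "POST /mifs/services/someService HTTP/1.1" 403 0
"""

# Placeholder for the path prefixes the front-end rules are meant to block;
# the real rule set lives in the product's Apache configuration.
RESTRICTED_PREFIXES = ("/mifs/services/",)

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

def tomcat_normalize(path: str) -> str:
    """Approximate Tomcat's mapping of a raw request path to a servlet path:
    path parameters (';...') are dropped from every segment, then '.' and '..'
    are resolved. Apache's rewrite rules see the raw string instead."""
    out = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]  # strip ';jsessionid=...' style parameters
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)

def is_bypass(target: str) -> bool:
    """True when the path the proxy sees is not restricted but the path Tomcat
    would dispatch to is: the front-end rule has been sidestepped."""
    raw = target.split("?", 1)[0]
    return (tomcat_normalize(raw).startswith(RESTRICTED_PREFIXES)
            and not raw.startswith(RESTRICTED_PREFIXES))

def find_bypasses(log_text: str) -> list[tuple[str, str, str]]:
    """Return (client ip, raw target, normalized path) for each flagged request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_bypass(m.group("target")):
            raw = m.group("target").split("?", 1)[0]
            hits.append((m.group("ip"), m.group("target"), tomcat_normalize(raw)))
    return hits
```

Enforcing the restriction in the application itself, rather than only in the proxy's rewrite rules, removes the blind spot that this discrepancy creates.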
- Hessian deserialization, using the Spring AOP gadget chain to reach JNDI injection.
- Bypass the JEP 290 restrictions on remote JNDI injection (this depends on the gadgets present in the classpath).
- While preparing the JNDI injection approach, I found that outbound JNDI requests were not possible.
- In the end, an old version of the Groovy dependency was used to exploit the Hessian deserialization vulnerability.