Java RMI Registry Class Loading Vulnerability Scanner

  • Asset Type: DOMAIN, IP
  • Need Membership: Yes
  • Asset Verify: Yes
  • API Support: Yes
  • Estimate Time (Second): 15

Java RMI Registry Class Loading Vulnerability Scanner Detail

Tests whether Java rmiregistry allows class loading.

This module takes advantage of the default configuration of the RMI Registry and RMI Activation services, which allow loading classes from any remote (HTTP) URL. As it invokes a method in the RMI Distributed Garbage Collector which is available via every RMI endpoint, it can be used against both rmiregistry and rmid, and against most other (custom) RMI endpoints as well.

Some Advice for Common Problems

Change the default configuration of the RMI Registry and RMI Activation services so that they no longer load classes from arbitrary remote (HTTP) URLs.

See the following links for specific information:

  • https://github.com/rapid7/metasploit-framework/pull/4203
  • https://github.com/rapid7/metasploit-framework/issues/6445
