Intro:
First let me state that this is completely for educational purposes and that I do this to help you test and secure your own environment. I take no responsibility for your own actions.
Originally talked about at DefCon 18 [DefCon], I had problems getting their attacks working with the current tools available, so I decided to investigate further. For those that don’t know, JBoss Application Server (or JBoss AS) is a free software/open-source Java EE-based application server [wikipedia]. Lots of companies use JBoss and a lot of them are externally facing.
The main issue with JBoss is the fact that the JMX-Console, which is a web interface to MBeans, has a default configuration which is vulnerable. The example of config.ini is below:
<web-resource-collection>
<web-resource-name>HtmlAdaptor
</web-resource-name>
<description>An example security config that only allows users with the role JBossAdminto access the HTML JMX console web application
</description>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
The above shows that the config.ini file only matches its security authentication for GET and POST methods. This allows other methods to be used such as HEAD. If you want to read more on HTTP method attacks, review[OWASP]. So what does this all mean… This means you can force the JBoss server to make any valid request you would like and finally compromise that server.
Well if you remember in 2008 a IT Security Consultant created a white paper about Hacking jBoss using a browser[link]. He was able to define a Deployment Scanner MBean that would force a vulnerable server to request a web jsp shell wrapped around a war file. This war file would create a web shell that allowed you to make requests on the server. I didn’t include the war file in this case, but this document has all the necessary components to do so. (pretty much take your webshell.jsp and run this command: jar -cf cmd.war webshell.jsp.)
Tools:
Both metasploit and redteam-pentesting have scripts/modules that have tools to execute HEAD type exploits. I didn’t have too much luck with this, so I created my own (works with JBoss above version 2). The code is here [SecurePlanet jbossPWN.py]. The only thing I require is using Curl (so have it in your path). One of these times I’ll clean up my code using sockets, but I wanted to get this code out.
So here is the python script with curl zipped up. The only thing you need is to have the cmd.war file in the same directory.
[SecurePlanet jbossPWN.zip]
What this script does is execute a small webserver on port 8001 (so make sure if you are attacking behind a NAT to make sure you have Port Forwarding setup correctly) on your box hosting the war.cmd file you supplied. Then the script makes a HTTP HEAD method request to a JBoss Server telling it to come grab that war.cmd file. Once it grabs the file, you should have a web shell ready to use. Here is an example of the script in action[SCRIPT Execution Image]
When executing the python script, it requests input for your IP and the JBoss IP, starts a webserver, runs the attack via HEAD, and soon you’ll see the JBoss server requestion the cmd.war file from you. w00t w00t!
After this, go to http://jboss_IP:8080/cmd/cmd.jsp and you have a [webshell].
The FIX:
To fix this issue, in the JBoss config.ini file, either add all the methods to auth for or a easier way is to remove them all defined HTTP methods. This way it will force authentication on all HTTP methods.
-Cheetz
Resources:
http://www.redteam-pentesting.de/en/publications/jboss/-bridging-the-gap-between-the-enterprise-and-you-or-whos-the-jboss-now
http://www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf