
Exploitation and Remediation of JBoss Application Server Default Configuration Vulnerability
Many servers are found with their JBoss Management Console open to the world: no authentication at all, or authentication that still accepts the shipped default password.
It is a simple misconfiguration with very serious consequences.
The JBoss Management Console, or JMX console, provides a view into the microkernel of the JBoss application server and access to its MBeans; through it the MBeans of a running JBoss instance can be inspected and reconfigured. In the default configuration the JMX console at http://vulnerablehost:8080/jmx-console/ can be reached without any authentication, or, where the sample security constraint has been enabled but the shipped properties file left untouched, simply by logging in with the default credentials (admin/admin).
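As an added check that is not part of the original article, the following Python script classifies what a host's /jmx-console/ returns without invoking anything on the server: one unauthenticated request and, only if the server challenges for a login, one retry with the well-known admin/admin pair. The host name is a placeholder, and the page markers and default credential pair are assumptions about a JBoss 4.x/5.x console; the fake responses in the test are constructed.

```python
"""Non-destructive check for an exposed JBoss JMX console.

Added example, not from the original article. It requests /jmx-console/ once
without credentials and, only if the server asks for a login, retries once
with the well-known default pair admin/admin. No MBean operation is invoked.
Run it only against hosts you are authorised to test.
"""
import base64
import sys
import urllib.error
import urllib.request

JMX_PATH = "/jmx-console/"
DEFAULT_CREDENTIALS = [("admin", "admin")]  # assumption: the pair shipped in jmx-console-users.properties
# Assumed markers from the console's index page (JBoss 4.x/5.x HTML adaptor).
CONSOLE_MARKERS = ("HtmlAdaptor?action=inspectMBean", "JMX Management Console")


def classify(status, body):
    """Map one HTTP response (status code, body text) to what it says about the console."""
    if status is None:
        return "UNREACHABLE"
    if status == 200 and any(marker in body for marker in CONSOLE_MARKERS):
        return "CONSOLE"  # the console page itself was served to this request
    if status in (401, 403):
        return "AUTH_REQUIRED"
    if status == 404:
        return "NOT_DEPLOYED"
    return "UNKNOWN"


def assess(fetch):
    """Decide the exposure of one host.

    fetch(creds) -> (status, body), where creds is None or a (user, password) tuple.
    Returns (verdict, credentials_that_worked).
    """
    first = classify(*fetch(None))
    if first == "CONSOLE":
        return "OPEN_NO_AUTH", None
    if first != "AUTH_REQUIRED":
        return first, None
    for creds in DEFAULT_CREDENTIALS:
        if classify(*fetch(creds)) == "CONSOLE":
            return "OPEN_DEFAULT_CREDENTIALS", creds
    return "PROTECTED", None


def http_fetcher(base_url, timeout=5.0):
    """Build a fetch() for assess() that talks to a real host over urllib."""
    def fetch(creds):
        req = urllib.request.Request(base_url.rstrip("/") + JMX_PATH)
        if creds:
            token = base64.b64encode(f"{creds[0]}:{creds[1]}".encode()).decode()
            req.add_header("Authorization", "Basic " + token)
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:  # 401/403/404 arrive here
            return err.code, err.read().decode("utf-8", "replace")
        except (urllib.error.URLError, OSError):  # refused, DNS failure, timeout
            return None, ""
    return fetch


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://vulnerablehost:8080"  # placeholder host
    verdict, creds = assess(http_fetcher(target))
    suffix = f" ({creds[0]}/{creds[1]})" if creds else ""
    print(f"{target}{JMX_PATH}: {verdict}{suffix}")
```

A 200 without the console markers is reported as UNKNOWN rather than OPEN, because a reverse proxy or a custom error page can answer 200 for any path; confirm such hosts by hand before reporting them.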
What can an attacker do?
Any remote user can completely control the server. The console exposes a large part of the server configuration and discloses internal network and infrastructure details: an attacker can change the port the web service listens on (I tested this on one host and restored the original port afterwards), read internal IP addresses and make the server open connections to a host of their choosing, learn absolute filesystem paths on the server, and alter its security configuration. That is a great deal of power for almost no skill.
The two most common exploitation scenarios:
Shutting down JBoss with the JMX Console
Open the JMX console in your browser (for example: http://localhost:8080/jmx-console)
Navigate to the jboss.system:type=Server MBean (hint: CTRL-F and search for it on the index page)
Click the jboss.system:type=Server link to open the MBean view
Scroll down to the shutdown operation and press Invoke
JBoss is gone.
Deploying a malicious WAR from a remote URL with the DeploymentScanner:
First build a WAR file containing a JSP (and its WEB-INF/web.xml) that executes system commands, and host it on a web server the attacker controls.
Navigate the browser to the jboss.deployment:flavor=URL,type=DeploymentScanner MBean
(http://[host]:8080/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.deployment:type=DeploymentScanner,flavor=URL)
Enter the URL of the customized WAR file as the argument of the addURL() operation and invoke it; the scanner fetches and deploys the archive on its next scan
Access the deployed application and execute commands with the privileges of the account the application server itself runs as.
How to guard against it:
Secure the JMX Console using a username/password file
Locate the jmx-console.war directory, normally server/default/deploy/jmx-console.war under your JBOSS_HOME.
Edit WEB-INF/web.xml and uncomment the security-constraint block. Also remove the http-method elements inside the web-resource-collection: a constraint that lists only GET and POST leaves every other verb unprotected, and a HEAD request then reaches the console unauthenticated (this verb-tampering bypass is CVE-2010-0738).
Edit WEB-INF/jmx-console-users.properties and WEB-INF/jmx-console-roles.properties (in JBoss 4.0.2 and later they live in server/default/conf/props/ instead) and replace the shipped admin/admin entry with the users and passwords you want. Each user must hold the JBossAdmin role referenced in web.xml to use the JMX console.
Edit WEB-INF/jboss-web.xml and uncomment the security-domain block. Its value, java:/jaas/jmx-console, refers to the jmx-console application-policy declared in conf/login-config.xml, the JAAS configuration that defines how authentication and authorization are done.
Secure the JMX Console using your own JAAS domain
Edit WEB-INF/web.xml as above, uncommenting the security-constraint block, and change the role-name value to the role in your domain that may access the console.
Edit WEB-INF/jboss-web.xml as in step 1 and set the security-domain to the name of your domain. For example, if login-config.xml has an application-policy named MyDomain, the value is java:/jaas/MyDomain.
Redeploy the application.
Secure the web console
In the deploy directory, locate management/web-console.war and make the same changes to its WEB-INF/web.xml, WEB-INF/jboss-web.xml and users/roles properties files.
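The three procedures above (securing the JMX console with the properties files, securing it with your own JAAS domain, and repeating the changes for the web console) all come down to the same three files. The following Python script, an added example rather than the article's own material, parses WEB-INF/web.xml, WEB-INF/jboss-web.xml and the users properties file and reports which hardening steps are still missing. The embedded "default" and "hardened" file contents are constructed to resemble a JBoss 4.x deployment (the real files are longer), and the list of weak passwords is an assumption.

```python
"""Audit the files the JBoss JMX/web console hardening steps touch.

Added example, not code from the original article. It checks WEB-INF/web.xml,
WEB-INF/jboss-web.xml and the users properties file and lists what is still
missing. The sample file contents are constructed after a JBoss 4.x default.
"""
import xml.etree.ElementTree as ET

_WEB_XML = """<web-app>
  <servlet-mapping><servlet-name>HtmlAdaptor</servlet-name><url-pattern>/HtmlAdaptor</url-pattern></servlet-mapping>
  %s
  <login-config><auth-method>BASIC</auth-method><realm-name>JBoss JMX Console</realm-name></login-config>
  <security-role><role-name>JBossAdmin</role-name></security-role>
</web-app>
"""
_CONSTRAINT = """<security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>%s
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>"""
# Constructed stock file: constraint wrapped in an XML comment (so a parser never
# sees it and the container enforces nothing) and limited to GET/POST.
DEFAULT_WEB_XML = _WEB_XML % ("<!-- Uncomment to restrict the console to the JBossAdmin role\n  "
                              + _CONSTRAINT % "\n      <http-method>GET</http-method>\n      <http-method>POST</http-method>"
                              + "\n  -->")
# Hardened copy: constraint active and the verb list removed so HEAD and every
# other method are covered too (the omission was CVE-2010-0738).
HARDENED_WEB_XML = _WEB_XML % (_CONSTRAINT % "")
DEFAULT_JBOSS_WEB_XML = """<jboss-web>
  <!-- Uncomment the security-domain to enable security
  <security-domain>java:/jaas/jmx-console</security-domain>
  -->
</jboss-web>
"""
HARDENED_JBOSS_WEB_XML = "<jboss-web>\n  <security-domain>java:/jaas/jmx-console</security-domain>\n</jboss-web>\n"
DEFAULT_USERS = "# A sample users.properties file for use with the UsersRolesLoginModule\nadmin=admin\n"
HARDENED_USERS = "# constructed replacement: one named operator with a long random passphrase\njmxops=wQ7v!Hp3zR9k#Lm2sT\n"

WEAK_PASSWORDS = {"", "admin", "password", "jboss"}  # assumption: values worth flagging


def _local(tag):
    """Drop an XML namespace prefix so web-app 2.3 (none) and 2.4+ files parse alike."""
    return tag.rsplit("}", 1)[-1]


def _descendants(elem, name):
    return [e for e in elem.iter() if _local(e.tag) == name]


def web_xml_findings(xml_text):
    root = ET.fromstring(xml_text)
    constraints = _descendants(root, "security-constraint")  # commented-out ones are invisible here
    if not constraints:
        return ["web.xml: no active <security-constraint>; the console needs no login at all"]
    findings = []
    patterns = [p.text.strip() for c in constraints for p in _descendants(c, "url-pattern") if p.text]
    if "/*" not in patterns:
        findings.append("web.xml: no constraint covers <url-pattern>/*</url-pattern>")
    if not any(_descendants(c, "auth-constraint") for c in constraints):
        findings.append("web.xml: constraint has no <auth-constraint>, so it requires no role")
    if any(_descendants(c, "http-method") for c in constraints):
        findings.append("web.xml: <http-method> list limits the constraint to those verbs; "
                        "remove it so HEAD and others are covered (CVE-2010-0738)")
    if not _descendants(root, "login-config"):
        findings.append("web.xml: no <login-config>, so the container cannot ask for credentials")
    return findings


def jboss_web_findings(xml_text):
    domains = [d.text.strip() for d in _descendants(ET.fromstring(xml_text), "security-domain") if d.text]
    if not domains:
        return ["jboss-web.xml: <security-domain> missing or still commented out"]
    if not domains[0].startswith("java:/jaas/"):
        return [f"jboss-web.xml: security-domain {domains[0]!r} is not a java:/jaas/ name"]
    return []


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value or key:value, '#' and '!' comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        cut = min([i for i in (line.find("="), line.find(":")) if i >= 0], default=len(line))
        entries[line[:cut].strip()] = line[cut + 1:].strip()
    return entries


def users_findings(properties_text):
    return [f"users.properties: account {user!r} has a default or trivial password"
            for user, pw in parse_properties(properties_text).items()
            if pw in WEAK_PASSWORDS or pw.lower() == user.lower()]


def audit(web_xml, jboss_web_xml, users_properties):
    """Return the list of findings; an empty list means all three files pass."""
    return web_xml_findings(web_xml) + jboss_web_findings(jboss_web_xml) + users_findings(users_properties)


if __name__ == "__main__":
    for label, files in (("default", (DEFAULT_WEB_XML, DEFAULT_JBOSS_WEB_XML, DEFAULT_USERS)),
                         ("hardened", (HARDENED_WEB_XML, HARDENED_JBOSS_WEB_XML, HARDENED_USERS))):
        findings = audit(*files)
        print(f"{label}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print("  -", finding)
```

Point the three arguments of audit() at the real files under jmx-console.war and web-console.war (reading them with open().read()) to check a deployment; for the JAAS-domain variant the script only confirms that a java:/jaas/ name is set, since the matching application-policy lives in login-config.xml rather than in these files.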
About the Author
Somnath works as a Senior Security Analyst with Web Spiders India Pvt Ltd and has carried out numerous assignments in vulnerability assessment, penetration testing, web application security, threat modeling and PCI DSS compliance for banking firms, financial institutions, government organizations, defence, software development companies, leading BPOs and small, mid-sized and large businesses. He holds the OSCP and CNSM security certifications. Before joining Web Spiders he worked for iViZ Techno Solutions and STQC IT Services.

