Jboss has some good management tools that are used to deploy new applications and to perform privileged actions like executing scripts on the remote host. One of these is Jboss JMX-Console.
For more information on what an attacker may accomplish through the JMX-Console I suggest to read the following presentation:
Abusing Jboss by Christian Papathanasiou (Trustwave Spiderlabs)
Here at Minded Security we discovered something more. Jboss JMX console may be protected using a common password authentication, but the standard password configuration protection is vulnerable.
How many time someone suggested to you to secure the JMX console using the standard Jboss security configurations?
JMX Console standard security configuration is available in:
This is the suggested security configuration also available in Jboss official security guidelines (“White Paper on JMX Security”):
The suggested configuration for protecting the JMX Console was the following one:
<description>An example security config that only allows users with the
role JBossAdmin to access the HTML JMX console web application
From the configuration above, security restrictions are enabled only for “GET” and “POST” methods. Any other HTTP method supported by the server will be not restricted.
By issuing a request with the “HEAD” method is possible to invoke directly, with “JBossAdmin” privilege, any functionality implemented by the jmx-console without valid credentials. Note: If JMX console replies with a HTTP 500 error the request has been correctly processed.
This kind of attack is referred in Appsec literature as Verb Tampering. The following one is a very good paper on this topic.
Bypassing with HTTP Verb Tampering by Arshan Dabirsiaghi - Aspect Security
The most interesting part is the exploitation. If we have access to any JMX console which is password protected or not, we can issue a HEAD HTTP request that will work ;D
Standard Deployment (will ask for password):
POST /jmx-console/HtmlAdaptor;index.jsp HTTP/1.1
Exploitation with Authentication Bypass:
HEAD /jmx-console/HtmlAdaptor;index.jsp?action=invokeOp&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodIndex=6&arg0=..%2Fjmx-console.war%2F&arg1=argval&arg2=.jsp&arg3=%3C%25%40+page+import%3D%22java.io.*….... HTTP/1.1
Now pick the request you prefer and build your custom exploit!
http://www.mindedsecurity.com/MSA030409.html (Official Advisory)
A solution to this issue is already available. See the following RedHat advisories:
We would like to thank the RedHat response team in particular Marc Schoenefeld for his support, technical knowledge and fast response.