Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Blackhat Europe: Abusing JBOSS

Abusing JBOSS (Christian Papathanasiou)

Abstract (source: Blackhat.com)

JBoss Application Server is the open source implementation of the Java EE suite of services. It’s easy-to-use server architecture and high flexibility makes JBoss the ideal choice for users just starting out with J2EE, as well as senior architects looking for a customizable middleware platform.

The pervasiveness of JBoss in enterprise JSP deployments is second to none meaning there is an abundance of targets both for the blackhat or the pentester alike. JBoss is usually invoked as root/SYSTEM meaning that any potential exploitation usually results in immediate super user privileges.

A tool has been developed that is able to compromise an unprotected JBoss instance. The current state of the art in published literature involves having the JBoss instance connect back to the attacker to obtain a war file that is subsequently deployed. The tool that will be presented at Black Hat does this in-situ and ultimately uploads a Metasploit payload resulting in interactive command execution on the JBoss instance. On Windows platforms, through the Metasploit framework a fully interactive reverse VNC shell can also be obtained and shall be demonstrated.

Depending on the platform that has been exploited and the level of access obtained, the tool is able to deploy the Metasploit payload as a persistent backdoor in conjunction with the Metasploit framework’s antivirus evasion techniques.

Due to the cross platform nature of the Java language, we are able to compromise JBoss instances running on Linux, MacOSX and Windows.

Talk Abstract –> Abusing JBoss

Speaker Bio –> Christian Papathanasiou

What is JBOSS ?

JBOSS Application server is an open-source implementation of JAVA EE Suite of services

JBOSS is used in enterprise JSP deployments and is insecure by default. It is also often invoked as root/SYSTEM

Typical industries

  • Financial
  • Publishing
  • Gambling
  • Defense

Often overlooked in perimeter hardening policies

Listens on TCP port 8080

Easy to test for presence of JBOSS on this port –> GET /jmx-console

Google dork allinurl:/jmx-console

Remote Command Execution on JBOSS

Reference: Red-Team paper (see links)

By using a similar method outlined in this paper, it is possible to upload a Metasploit payload and gain access to the remote server.

BSH Deployment

The BSH Deployer, or BeanShell Deployer allows you to deploy one-time execution scripts or even services in JBoss. Scripts are plain text files with a .bsh extension and can even be hot-deployed. This gives you scripting access inside the JBoss server.

The BSH script is used to upload a .war file on the remote filesystem. In the case of this attack a JSP shell is uploaded to give remote file-system. Once it’s deployed to the JBOSS server, it provides access to the server command-line.

JBOSS Autopwn

Designed to automate the process of exploiting JBOSS instances.

By uploading a JSP shell it is possible to then run further Metasploit payloads to connect back to an attackers machine.

As a Metasploit payload is used, the same issues found with AV engines discovering the payload. It is suggested to use msfencode to avoid detection.

Suggested encryption:

./msfencode -e x86/fnstenv_mov -c 5 -t raw | ./msfencode -e x86/countdown -c 5 -t raw | ./msfencode -e x86/shikata_ga_nai -t raw -c 5 | ./msfencode -e x86/cal l4_dword_xor -t exe -c 5

Demo –> jboss-autopwn (attacked Linux host – deployed reverse shell)

Apache Tomcat

Apache Tomcat is an open source software implementation of the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed under the Java Community Process.

Much like JBOSS, Tomcat also responds on TCP port 8080

Unlike JBOSS however, Tomcat is secure in it’s default state.

However a number of default username / password combinations exist.

  • tomcat:tomcat
  • both:tomcat
  • role1:tomcat

None of these roles however have the manager role, which is required to logon to the console. It’s commonly found that one of the default accounts is edited to be a manager, instead of the suggested method of creating a new account with complex password.

Once credentials are discovered the process is a lot easier than with JBOSS.

Tomcat Autopwn

Similar in functionality to JBOSS-autopwn.

The tool attempts to check the default username / password combinations to see if they are permitted to deploy through the management console. If they are, a JSP shell is uploaded and used to invoke a Metasploit listener.

Securing the JBOSS Management Console

The easiest way to secure the console, is to remove it completely. This can be achieved by removing the following directories

  • $JBOSS_HOME/server/all/deploy
  • $JBOSS_HOME/server/default/deploy

If this is not possible, then the port should be firewalled and restricted to specific IP’s. A username and password should also be set.

Securing the Tomcat Management Console

As Tomcat is secure out of the box, strict user management should be used to prevent weak username password combinations from being used. I would also suggest removing / changing the default users and firewalling the management console as with the JBOSS system.

Additional Links

For more information please see the Blackhat Europe website

%d bloggers like this: