Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Blackhat Europe: Abusing JBOSS

Abusing JBOSS (Christian Papathanasiou)

Abstract (source: Blackhat.com)

JBoss Application Server is the open source implementation of the Java EE suite of services. Its easy-to-use server architecture and high flexibility makes JBoss the ideal choice for users just starting out with J2EE, as well as senior architects looking for a customizable middleware platform.

The pervasiveness of JBoss in enterprise JSP deployments is second to none, meaning there is an abundance of targets for the blackhat and the pentester alike. JBoss is usually invoked as root/SYSTEM meaning that any potential exploitation usually results in immediate super user privileges.

A tool has been developed that is able to compromise an unprotected JBoss instance. The current state of the art in published literature involves having the JBoss instance connect back to the attacker to obtain a war file that is subsequently deployed. The tool that will be presented at Black Hat does this in-situ and ultimately uploads a Metasploit payload resulting in interactive command execution on the JBoss instance. On Windows platforms, through the Metasploit framework a fully interactive reverse VNC shell can also be obtained and shall be demonstrated.

Depending on the platform that has been exploited and the level of access obtained, the tool is able to deploy the Metasploit payload as a persistent backdoor in conjunction with the Metasploit framework’s antivirus evasion techniques.

Due to the cross platform nature of the Java language, we are able to compromise JBoss instances running on Linux, MacOSX and Windows.

Talk Abstract –> Abusing JBoss

Speaker Bio –> Christian Papathanasiou

What is JBOSS ?

JBOSS Application Server is an open-source implementation of the Java EE suite of services.

JBOSS is used in enterprise JSP deployments and is insecure by default. It is also often invoked as root/SYSTEM.

Typical industries

  • Financial
  • Publishing
  • Gambling
  • Defense

Often overlooked in perimeter hardening policies

Listens on TCP port 8080

Easy to test for presence of JBOSS on this port –> GET /jmx-console

Google dork allinurl:/jmx-console
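The GET /jmx-console presence check above, turned into something you can run across your own server inventory. This is an added example, not the speaker's tool and not part of JBoss: classify() maps an HTTP answer to an exposure verdict and is exercised offline on constructed responses, while probe() (urllib, assumed) fetches the real page from a host. The "JMX Agent View" page marker and the X-Powered-By header value are assumptions about the stock console page.

```python
"""Exposure check for the JBoss jmx-console on TCP 8080.

Added example for this write-up; not the speaker's tool and not part of JBoss.
Decision logic (classify) runs offline on constructed responses; probe() is the
urllib call you would point at hosts you administer. The page markers and the
X-Powered-By value are assumptions about the stock HtmlAdaptor index page.
"""
import urllib.error
import urllib.request

EXPOSED = "exposed"              # console served without any authentication
AUTH_REQUIRED = "auth-required"  # HTTP 401: a username/password has been set
ABSENT = "absent"                # HTTP 404: nothing deployed at /jmx-console
INCONCLUSIVE = "inconclusive"    # something else answers on the port
UNREACHABLE = "unreachable"      # connection failed (firewalled or down)

CONSOLE_MARKERS = ("jmx agent view", "htmladaptor")  # assumed stock page text


def classify(status, headers, body):
    """Turn an HTTP status, header mapping and response body into a verdict."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if status == 401:
        return AUTH_REQUIRED
    if status == 404:
        return ABSENT
    if status == 200:
        text = body.lower()
        if any(marker in text for marker in CONSOLE_MARKERS):
            return EXPOSED
        if "jboss" in lowered.get("x-powered-by", "").lower():
            return EXPOSED
        # A 200 from a non-JBoss service on 8080 (Tomcat, a proxy) lands here.
        return INCONCLUSIVE
    return INCONCLUSIVE


def probe(host, port=8080, timeout=5.0):
    """Fetch /jmx-console/ from one host and classify the answer.

    urllib follows the redirect from /jmx-console to /jmx-console/ itself,
    so the final status is what reaches classify()."""
    url = "http://%s:%d/jmx-console/" % (host, port)
    req = urllib.request.Request(url, headers={"User-Agent": "jmx-console-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, dict(resp.headers),
                            resp.read(8192).decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        # 401/404 arrive as exceptions but still carry status, headers and body.
        return classify(err.code, dict(err.headers),
                        err.read(8192).decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError):
        return UNREACHABLE


def summarize(results):
    """Count verdicts across an inventory, e.g. {"app1": "exposed", ...}."""
    counts = {}
    for verdict in results.values():
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample responses standing in for three hosts.
SAMPLE_RESPONSES = {
    "app1": (200, {"X-Powered-By": "Servlet 2.4; JBoss-4.2.3.GA"},
             "<html><head><title>JBoss JMX Management Console</title></head>"
             "<body><h1>JMX Agent View</h1></body></html>"),
    "app2": (401, {"WWW-Authenticate": 'Basic realm="JBoss JMX Console"'}, ""),
    "app3": (404, {}, "<html><body>HTTP Status 404</body></html>"),
}


def check_samples():
    """Run classify() over the constructed responses; probe() would feed it live ones."""
    return {host: classify(*resp) for host, resp in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    verdicts = check_samples()
    for host, verdict in verdicts.items():
        print("%-6s %s" % (host, verdict))
    print(summarize(verdicts))
```

Replace check_samples() with a loop of probe() over your own host list to get the same verdict table for real systems; an "exposed" verdict is the state the talk describes, "auth-required" means the password recommendation has been applied.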

Remote Command Execution on JBOSS

Reference: Red-Team paper (see links)

By using a similar method outlined in this paper, it is possible to upload a Metasploit payload and gain access to the remote server.

BSH Deployment

The BSH Deployer, or BeanShell Deployer allows you to deploy one-time execution scripts or even services in JBoss. Scripts are plain text files with a .bsh extension and can even be hot-deployed. This gives you scripting access inside the JBoss server.

The BSH script is used to upload a .war file to the remote filesystem. In the case of this attack, the .war contains a JSP shell, which gives remote filesystem access. Once it is deployed on the JBOSS server, it provides access to the server command line.

JBOSS Autopwn

Designed to automate the process of exploiting JBOSS instances.

By uploading a JSP shell it is possible to then run further Metasploit payloads to connect back to an attacker's machine.

As a Metasploit payload is used, the same issues arise with AV engines detecting the payload. It is suggested to use msfencode to avoid detection.

Suggested encoding chain:

./msfencode -e x86/fnstenv_mov -c 5 -t raw | ./msfencode -e x86/countdown -c 5 -t raw | ./msfencode -e x86/shikata_ga_nai -t raw -c 5 | ./msfencode -e x86/call4_dword_xor -t exe -c 5

Demo –> jboss-autopwn (attacked Linux host – deployed reverse shell)

Apache Tomcat

Apache Tomcat is an open source software implementation of the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed under the Java Community Process.

Much like JBOSS, Tomcat also responds on TCP port 8080.

Unlike JBOSS however, Tomcat is secure in its default state.

However, a number of default username / password combinations exist.

  • tomcat:tomcat
  • both:tomcat
  • role1:tomcat

None of these accounts, however, has the manager role, which is required to log on to the console. It is commonly found that one of the default accounts is edited to be given the manager role, instead of the suggested method of creating a new account with a complex password.

Once credentials are discovered the process is a lot easier than with JBOSS.

Tomcat Autopwn

Similar in functionality to JBOSS-autopwn.

The tool attempts to check the default username / password combinations to see if they are permitted to deploy through the management console. If they are, a JSP shell is uploaded and used to invoke a Metasploit listener.

Securing the JBOSS Management Console

The easiest way to secure the console is to remove it completely. This can be achieved by removing the following directories:

  • $JBOSS_HOME/server/all/deploy
  • $JBOSS_HOME/server/default/deploy

If this is not possible, then the port should be firewalled and restricted to specific IPs. A username and password should also be set.
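One way to audit those two recommendations on disk, as an added example (not the talk's tool and not JBoss's own code): it reports the console as absent when the jmx-console.war directory is gone, and otherwise checks that web.xml carries an active security-constraint over /* plus a login-config, and that jboss-web.xml names a security-domain. It assumes the classic JBoss AS 4.x/5.x layout under $JBOSS_HOME/server/<config>/deploy/jmx-console.war/WEB-INF/ and that the stock web.xml ships its constraint inside an XML comment; the sample descriptors are constructed.

```python
"""Audit a JBoss AS 4.x/5.x jmx-console for the controls recommended above:
removed entirely, or password-protected. Added example for this write-up,
not code from the talk or from JBoss. Assumed: the classic layout
$JBOSS_HOME/server/<config>/deploy/jmx-console.war/WEB-INF/, a stock web.xml
whose security-constraint ships inside an XML comment, and a jboss-web.xml
naming a security-domain once authentication is on. Samples are constructed.
"""
import os
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip a namespace ({uri}name -> name); JBoss 4 has none, JBoss 5 uses Java EE's."""
    return tag.split("}", 1)[-1]


def _descendants(elem, name):
    """All elements at or below elem whose local tag name is `name`."""
    return [e for e in elem.iter() if _local(e.tag) == name]


def audit_web_xml(web_xml_text):
    """Findings for jmx-console's web.xml; empty means every path needs a role.

    A commented-out <security-constraint> is invisible to the parser, so an
    untouched stock file is reported as unprotected, which is the point."""
    root = ET.fromstring(web_xml_text)
    findings = []
    covers_all = False
    for sc in _descendants(root, "security-constraint"):
        patterns = {p.text.strip() for p in _descendants(sc, "url-pattern") if p.text}
        roles = {r.text.strip() for r in _descendants(sc, "role-name") if r.text}
        if "/*" in patterns and roles:
            covers_all = True
    if not covers_all:
        findings.append("no security-constraint with url-pattern /* and a role-name")
    if not _descendants(root, "login-config"):
        findings.append("no login-config: the container never asks for credentials")
    return findings


def audit_jboss_web_xml(jboss_web_text):
    """Findings for jboss-web.xml: a security-domain must back the constraint."""
    root = ET.fromstring(jboss_web_text)
    if not [d for d in _descendants(root, "security-domain") if d.text and d.text.strip()]:
        return ["no security-domain: no user store behind the security-constraint"]
    return []


def audit_deployment(jboss_home, config="default"):
    """Return (present, findings) for one server configuration on disk."""
    web_inf = os.path.join(jboss_home, "server", config, "deploy", "jmx-console.war", "WEB-INF")
    if not os.path.isdir(web_inf):
        return False, []  # console removed: the recommended state, nothing to audit
    with open(os.path.join(web_inf, "web.xml"), encoding="utf-8") as fh:
        findings = audit_web_xml(fh.read())
    jboss_web = os.path.join(web_inf, "jboss-web.xml")
    if not os.path.exists(jboss_web):
        return True, findings + ["jboss-web.xml missing"]
    with open(jboss_web, encoding="utf-8") as fh:
        return True, findings + audit_jboss_web_xml(fh.read())


# Constructed: stock-style descriptor, constraint still commented out.
STOCK_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app>
  <!--
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
  -->
</web-app>"""

# Constructed: same file with the constraint enabled, in the JBoss 5 namespace.
HARDENED_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>JBoss JMX Console</realm-name>
  </login-config>
</web-app>"""

HARDENED_JBOSS_WEB_XML = """<jboss-web>
  <security-domain>java:/jaas/jmx-console</security-domain>
</jboss-web>"""
```

Run audit_deployment() once per server configuration (all, default, and any custom ones); (False, []) is the "console removed" state, and an empty findings list with present=True means the password recommendation is wired up end to end. The firewall recommendation is outside what this file-level check can see.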

Securing the Tomcat Management Console

As Tomcat is secure out of the box, strict user management should be used to prevent weak username / password combinations from being used. I would also suggest removing / changing the default users and firewalling the management console as with the JBOSS system.
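An added example (not from the talk or the Tomcat project) that checks a conf/tomcat-users.xml for the habits described in the two Tomcat sections above: default accounts left in place, a default account handed the manager role, and manager accounts with a default or short password. The three default account names are the ones listed above; treating manager and manager-* roles as privileged and using a 12-character floor for a "complex" password are assumptions, and the sample files are constructed.

```python
"""Audit Tomcat's conf/tomcat-users.xml for default accounts, default accounts
promoted to manager, and manager accounts with default or short passwords.

Added example for this write-up, not from the talk or the Tomcat project.
Default account names are the three listed in the write-up; the manager/manager-*
privilege rule and the 12-character floor are assumptions. Samples are constructed.
"""
import xml.etree.ElementTree as ET

DEFAULT_ACCOUNTS = {"tomcat", "both", "role1"}
DEFAULT_PASSWORDS = {"tomcat"}
MIN_PRIVILEGED_PASSWORD_LEN = 12  # assumed floor for a "complex" password


def _local(tag):
    """Strip a namespace so newer files with xmlns="http://tomcat.apache.org/xml"
    parse the same as the bare older format."""
    return tag.split("}", 1)[-1]


def _is_privileged(role):
    return role == "manager" or role.startswith("manager-")


def parse_users(xml_text):
    """Yield (username, password, roles) tuples from tomcat-users.xml."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if _local(elem.tag) != "user":
            continue
        name = elem.get("username") or elem.get("name") or ""
        password = elem.get("password") or ""
        roles = {r.strip() for r in (elem.get("roles") or "").split(",") if r.strip()}
        yield name, password, roles


def audit(xml_text):
    """Return a list of (severity, message) findings; empty means clean."""
    findings = []
    for name, password, roles in parse_users(xml_text):
        privileged = sorted(r for r in roles if _is_privileged(r))
        if name in DEFAULT_ACCOUNTS and privileged:
            findings.append(("high", "default account %r was given %s" % (name, privileged)))
        elif name in DEFAULT_ACCOUNTS:
            findings.append(("medium", "default account %r still present" % name))
        if privileged and password in DEFAULT_PASSWORDS:
            findings.append(("high", "%r holds a manager role with a default password" % name))
        elif privileged and len(password) < MIN_PRIVILEGED_PASSWORD_LEN:
            findings.append(("medium", "%r holds a manager role with a short password" % name))
    return findings


def worst_severity(findings):
    """Collapse a findings list to one label for a dashboard or exit code."""
    order = {"high": 2, "medium": 1}
    return max((f[0] for f in findings), key=order.get, default="clean")


# Constructed sample: stock defaults left in, role1 promoted to manager.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <role rolename="manager"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1,manager"/>
</tomcat-users>"""

# Constructed sample: defaults removed, one dedicated operator with a long password.
CLEAN_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager"/>
  <user username="ops-console" password="Xv9#kLm2$pQr7!wZ" roles="manager"/>
</tomcat-users>"""

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_TOMCAT_USERS), ("clean", CLEAN_TOMCAT_USERS)):
        print(label, worst_severity(audit(text)))
        for severity, message in audit(text):
            print("  [%s] %s" % (severity, message))
```

Feed it the real conf/tomcat-users.xml with open(path).read(); the promoted-default finding is exactly the "one of the default accounts is edited to be a manager" pattern described above, and the clean sample shows the recommended alternative of a dedicated account.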

Additional Links

For more information please see the Blackhat Europe website


6 responses to “Blackhat Europe: Abusing JBOSS”

  1. T. Hartwig April 15, 2010 at 13:52

    Recommended resources:

    Webinar: Security features for JBoss EAP: https://inquiries.redhat.com/go/redhat/20100414JEAPSeriesWebinar
    JBoss Security Guide: http://www.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/5.0.0/html/Security_Guide/index.html
    JBoss Common Criteria Certification Guide: http://www.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/Common_Criteria_Guide/html-single/index.html
    JBoss Common Criteria Certification: http://www.commoncriteriaportal.org/files/epfiles/0531a.pdf

    And if you are concerned about Security, you should consider the JBoss Enterprise Application Platforms over jboss.org releases.

  2. jduck April 15, 2010 at 17:55

    Nice work! We have had modules to automate this stuff for a month or so now. Check out [1] and [2].

    1. http://www.metasploit.com/modules/exploit/multi/http/tomcat_mgr_deploy
    2. http://www.metasploit.com/modules/exploit/multi/http/jboss_maindeployer

    If you have any comments, fixes, suggestions, etc on those modules we are open to input and contributions. You can use our Redmine interface, visit us on Freenode IRC #metasploit, or email us. Thanks!

  3. CG April 15, 2010 at 19:21

    I glanced at the slides… but since you were there, what does this tool do that the Metasploit module doesn't?

  4. george richards April 15, 2010 at 23:24

    It uses the BSH deployment method which bypasses ingress firewall filtering that the Metasploit module doesn't.

    So you are very likely to get at the very least a JSP shell running on the server in question should the server be vulnerable.

    Cool talk, tested the tool out right after, quite solid results 🙂

  5. George April 16, 2010 at 13:11

    JBOSS Application server is another landmark in the open-source world. Recently there also have been other instances in the open source world where software has done a decent job in competing with other products. Open source search platforms like Solr too have made a mark. I even reviewed its complete reference guide (http://www.lucidimagination.com/Downloads/LucidWorks-for-Solr/Reference-Guide) and found it quite useful for concept insights.
