Monday, November 30, 2009

Hacking Unprotected JBOSS JMX Console Installations

Nothing new, notes for later, actually got most of the info from:

http://www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/

http://goohackle.com/jboss-security-vulnerability-jmx-management-console/
http://www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf

The pdf (last link) actually details all the steps to get it done.

Google Dorks

intitle:”jboss management console” “application server” version inurl:”web-console”

intitle:”JBoss Management Console – Server Information” “application server” inurl:”web-console” OR inurl:”jmx-console”

Those searches will lead you to

http://somecrappysite.com/web-console/ServerInfo.jsp

will all kinds of fun information like below:


switch the URL to

http://somecrappysite.com/jmx-console/

and you'll either be greeted with a password prompt box (good) or the JMX Console page (not good--least for them)

Good

Bad

Very Bad

From there, just add the link to your cmd shell wrapped up in a war file. (check pdf for screenshot)

need to turn your .jsp into a .war?

jar -cf meh.war meh.jsp

From there enjoy access to your jsp shell.

Todo: Kick the shell to an msf instance via the msf jsp reverse shell

7 comments:

  1. I tried this couple of weeks ago using the original PDF during a Penetration Test. Everything seemed to work fine but the last step, opening the .jsp on browser, I could not find the full path to the jsp shell.

    ReplyDelete
  2. Idd, JBOSS doesn't have password on default installation.

    ReplyDelete
  3. Hi,

    This paper is more complete, describes other attack vectors such as RMI:

    http://www.redteam-pentesting.de/publications/2009-11-30-Whitepaper_Whos-the-JBoss-now_RedTeam-Pentesting_EN.pdf

    ReplyDelete
  4. RedTeam's info is very good (albeit spotty to those not fluent in German). The /{web|jmx}-console vector can be very potent indeed, but is often quickly discovered by the admin. Also, as for dumping a .jsp up there, keep in mind that JSPs in most cases have to be run-time compiled (ala JIT) into servlets (this is true if you have any inline/nested classes in your JSP), and if the install is an older JBoss install using a JRE (vs JDK) then there is a very strong chance that you'll get exceptions thrown by the presence of your JSP since the server isn't set up for run-time JSP compilation. I would, instead, pre-compile your JSP into a servlet...much cleaner. It also allows you to mask the footprint of your war a bit more as you can name the servlet whatever you want vs. having the server create servlet .class files that are named using names from your code.

    PS, Try a google query sometime for "MBean Inspector inurl:HtmlAdapter"...very enlightening :>

    ReplyDelete
  5. Even if Protected ;D

    Have a look here:

    http://blog.mindedsecurity.com/2010/04/good-bye-critical-jboss-0day.html

    ReplyDelete
  6. "I tried this couple of weeks ago using the original PDF during a Penetration Test. Everything seemed to work fine but the last step, opening the .jsp on browser, I could not find the full path to the jsp shell."

    -I encountered the same problem. :/

    ReplyDelete
  7. You people need to do ten years in prison.

    ReplyDelete