Bridging the Gap between the Enterprise and You – or – Who’s the JBoss now?

The JBoss Application Server (JBoss AS) is a widely used, open source Java application server. It is part of the JBoss Enterprise Middleware Suite (JEMS) and often used in large enterprise installations. Because of the high modularity and versatility of this software solution, which leads to a high complexity, the JBoss AS is a rewarding target for attackers in enterprise networks.

Whitepaper

  • The following paper approaches the JBoss AS from an attacker’s perspective and points out its risk potential with examples showing how to achieve arbitrary code execution on the JBoss AS’s underlying host system. The examples use the JMX and Web Console, RMI, the MainDeployer and BeanShellDeployer, as well as the JMX Invokers of the Web Console and the HttpAdaptor.

    “Bridging the Gap between the Enterprise and You - or - Who’s the JBoss now?” (German version)

  • In versions 3.2 through 5.1, the JBoss Application Server contains the DeploymentFileRepository MBean. It can be used to create directories and text files below a directory under the JBoss AS’s root directory. The following whitepaper explains how this MBean can also be used to deploy a Web Archive (WAR) without the need for outbound connections to be initiated by the JBoss AS. It also describes how this can be used in conjunction with Cross-Site Request Forgery (CSRF) to attack a JBoss AS with a protected JMX Console.

    “JBoss Application Server - Deploying WARs with the DeploymentFileRepository MBean”

Scripts

The scripts used in the whitepaper “Bridging the Gap between the Enterprise and You - or - Who’s the JBoss now?” can be downloaded here. The signature was created with the release@redteam-pentesting.de GnuPG key.

redteam-jboss.tar.gz (GnuPG signature)

The archive contains the following files:

  • BeanShellDeployer/mkbeanshell.rb
  • WAR/shell.jsp
  • WAR/WEB-INF/web.xml
  • Webconsole-Invoker/webconsole_invoker.rb
  • JMXInvokerServlet/http_invoker.rb
  • JMXInvokerServlet/jmxinvokerservlet.rb
  • jboss_jars/console-mgr-classes.jar
  • jboss_jars/jbossall-client.jar
  • README
  • setpath.sh
  • Rakefile

The README gives an overview of the different files and their functionality.