Bridging the Gap between the Enterprise and You – or – Who’s the JBoss now?
The JBoss Application Server (JBoss AS) is a widely used, open source Java application server. It is part of the JBoss Enterprise Middleware Suite (JEMS) and is often used in large enterprise installations. Because its high modularity and versatility also make it highly complex, the JBoss AS is a rewarding target for attackers in enterprise networks.
Whitepaper
The following paper approaches the JBoss AS from an attacker’s perspective and points out its risk potential with examples showing how to achieve arbitrary code execution on the JBoss AS’s underlying host system. The examples use the JMX and Web Console, RMI, the Main- and BeanShellDeployer as well as JMX Invokers of the Web Console and HttpAdaptor.
“Bridging the Gap between the Enterprise and You - or - Who’s the JBoss now?” (German version)
In versions 3.2 through 5.1, the JBoss Application Server contains the DeploymentFileRepository MBean. It can be used to create directories and text files below a directory under the JBoss AS’s root directory. The following whitepaper explains how this MBean can also be used to deploy a Web Archive (WAR) without the need for outbound connections to be initiated by the JBoss AS. It also describes how this can be used in conjunction with Cross Site Request Forgery (CSRF) to attack a JBoss AS with a protected JMX Console.
“JBoss Application Server - Deploying WARs with the DeploymentFileRepository MBean”
Scripts
The scripts used in the whitepaper “Bridging the Gap between the Enterprise and You - or - Who’s the JBoss now?” can be downloaded here. The signature was created with the release@redteam-pentesting.de GnuPG key.
redteam-jboss.tar.gz (GnuPG signature)
The archive contains the following files:
- BeanShellDeployer/mkbeanshell.rb
- WAR/shell.jsp
- WAR/WEB-INF/web.xml
- Webconsole-Invoker/webconsole_invoker.rb
- JMXInvokerServlet/http_invoker.rb
- JMXInvokerServlet/jmxinvokerservlet.rb
- jboss_jars/console-mgr-classes.jar
- jboss_jars/jbossall-client.jar
- README
- setpath.sh
- Rakefile
The README gives an overview of the different files and their functionality.
Related Material
- 09/24/2010 - “Forgotten JBoss AS Exploitation Techniques”, BruCON 2010 Lightning Talk, Slides (English)
- 04/30/2010 - “Bridging the Gap between the Enterprise and You - or - Who’s the JBoss now”, Ruhr-Universität Bochum, Video (German)
- 04/21/2010 - “Bridging the Gap between the Enterprise and You - or - Who’s the JBoss now”, Ruhr-Universität Bochum, Slides (German)
- 05/19/2009 - “Bridging the Gap between the Enterprise and You - or - Who’s the JBoss now?”, Rechen- und Kommunikationszentrum der RWTH Aachen, Slides (German)
- 03/17/2009 - “Bridging the Gap between the Enterprise and You - or - Who’s the JBoss now?”, DFN-CERT, Slides (German)
- 10/23/2008 - “Bridging the Gap between the Enterprise and You - or - Who’s the JBoss now?”, hack.lu 2008, Slides (English)