Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: SYMSA-2006-011: JBoss Java Class DeploymentFileRepository Directory

from [Jon Hart] Network Security [Permanent Link]
Subject: Re: SYMSA-2006-011: JBoss Java Class DeploymentFileRepository Directory Traversal
Date: Mon, 27 Nov 2006 21:21:06 -0800 
On Mon, Nov 27, 2006 at 05:36:29PM -0000, research@symantec.com wrote:

Vendor Response:

Red Hat has verified the flaw in the DeploymentFileRepository class
of the JBoss application server.  A remote attacker who is able to
access the console manager could read or write to files with the
permissions of the JBoss user.  This could potentially lead to
arbitrary code execution as the JBoss user (CVE-2006-5750).

Please note that the JBoss console manager should always be secured
prior to deployment.  By default, the JBoss installer gives users the
ability to password protect the console manager, limiting an attack
using this vulnerability to authorised users.  These steps can also
be performed manually.
http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss


I think this last point is the key here.  I can't think of any
legitimate reason to expose jmx-console to untrusted users.  Sure,
password protection helps to some extent.  This topic has been talked
about repeatedly in many venues, so I won't touch on that here.

Regarding this vulnerability in particular, this is just the tip of the
iceberg, so to speak.  The Beans that are exposed via the jmx-console by
default, combined with what typical installations will have installed,
leaves any site that exposes this URL in an insecure manner just asking
for trouble.  I won't give the exact search string, but I'm sure google
could help tickle your imagination in this respect.   Compromise of the
code served by JBoss, JBoss or the underlying OS itself is only limited
by your imagination.

When I discovered CVE-2006-3733 (http://www.osvdb.org/27419,
http://spoofed.org/files/CS-MARS_jboss-exploit), I too noticed
DeploymentFileRepository's shortcomings, but honestly assumed this was
the desired functionality.  Afterall, if you read JBoss's documentation
on the jmx-console
(http://wiki.jboss.org/wiki/Wiki.jsp?page=JMXConsole), you'll notice
that it essentially like a remote debugger.  

Anyway, good to see this getting fixed as it'll give admins one less way
to shoot themselves in the foot.  Similar to how most *nix admins `alias
mv='mv -i'`.

-jon
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Full-disclosure] ProFTPD mod_tls pre-authentication buffer overflow, research
Next by Date:  Re: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?), Steven M. Christey
Previous by Thread:  SYMSA-2006-011: JBoss Java Class DeploymentFileRepository Directory Traversal, research
Next by Thread:  GnuPG 1.4 and 2.0 buffer overflow, Werner Koch
Indexes:  [Date] [Thread] [Top] [All Lists]