Friday, April 27, 2012

From LOW to PWNED [3] JBoss/Tomcat server-status



Several (tm) months back I did my talk on "From LOW to PWNED" at hashdays and BSides Atlanta.

The slides were published here and the video from hashdays is here, no video for BSides ATL.

I consistently violate presentation zen and I try to make my slides usable after the talk but I decided to do a few blog posts covering the topics I put in the talk anyway.

Post [3] JBoss/Tomcat server-status

There have been some posts/exploits/modules on hitting up unprotected jboss and tomcat servers.

http://www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf
http://carnal0wnage.attackresearch.com/2009/11/hacking-unprotected-jboss-jmx-console.html
http://www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/
http://goohackle.com/jboss-security-vulnerability-jmx-management-console/

http://www.metasploit.com/modules/exploit/multi/http/jboss_maindeployer
http://www.metasploit.com/modules/exploit/multi/http/tomcat_mgr_deploy

Sometimes even though the deployer functionality is password protected the sever-status may not be.

/web-console/status?full=true



/manager/status/all



LOW?

This can be useful to find:


  • Lists of applications
  • Recent URL's accessed
    • sometimes with sessionids 
  • Find hidden services/apps
  • Enabled servlets
  • owned stuff :-)
Finding 0wned stuff is always fun let's see

Looking at the list of applications list one that doesnt look normal (zecmd)

Following that down leads us to zecmd.jsp that is a jsp shell


If you are interested in zecmd.jsp and jboss worm it comes from -->  this is a good write up as well as this OWASP preso https://www.owasp.org/images/a/a9/OWASP3011_Luca.pdf

thoughts?

-CG


CG

6 comments:

guerilla7 said...

zecmd.jsp is the bomb! LOL. Awesome posts/blog as always man!

Anonymous said...

This is like saying "if the crips have already kneecapped a punk ass blood, and his wallet isn't chained to his belt, you can steal it while he's writhing in agony!".

David Jorm said...

This post demonstrates exploiting the CVE-2008-3273 or CVE-2010-1429 information disclosure flaws to read a list of deployed software on a JBoss server. This information can be used to determine whether a machine is infected by the JBoss worm based on CVE-2010-0738. All of the security issues mentioned in this post are historical. Patches have been available for JBoss enterprise products since April 2010. Users running fully patched JBoss enterprise products are protected from these attacks, as are users running the latest community releases.

Anonymous said...

Heh, yeah and looks like someone beat you to the pwning OLOL!

Anonymous said...

There are a lot of applications which are built on top of JBoss/Tomcat and aren't secured at all. Best of all, they're often running as LocalSystem on Windows boxes.

s yogeesh said...

Hey is it possible to deface that site using zecmd ?

and in zecmd i found that it has root access..