mailing list archives
Re: SYMSA-2006-011: JBoss Java Class DeploymentFileRepository Directory Traversal
From: Jon Hart <jhart () spoofed org>
Date: Mon, 27 Nov 2006 21:21:06 -0800
On Mon, Nov 27, 2006 at 05:36:29PM -0000, research () symantec com wrote:
Red Hat has verified the flaw in the DeploymentFileRepository class
of the JBoss application server. A remote attacker who is able to
access the console manager could read or write to files with the
permissions of the JBoss user. This could potentially lead to
arbitrary code execution as the JBoss user (CVE-2006-5750).
Please note that the JBoss console manager should always be secured
prior to deployment. By default, the JBoss installer gives users the
ability to password protect the console manager, limiting an attack
using this vulnerability to authorised users. These steps can also
be performed manually.
I think this last point is the key here. I can't think of any
legitimate reason to expose jmx-console to untrusted users. Sure,
password protection helps to some extent. This topic has been talked
about repeatedly in many venues, so I won't touch on that here.
Regarding this vulnerability in particular, this is just the tip of the
iceberg, so to speak. The Beans that are exposed via the jmx-console by
default, combined with what typical installations will have installed,
leaves any site that exposes this URL in an insecure manner just asking
for trouble. I won't give the exact search string, but I'm sure google
could help tickle your imagination in this respect. Compromise of the
code served by JBoss, JBoss or the underlying OS itself is only limited
by your imagination.
When I discovered CVE-2006-3733 (http://www.osvdb.org/27419,
http://spoofed.org/files/CS-MARS_jboss-exploit), I too noticed
DeploymentFileRepository's shortcomings, but honestly assumed this was
the desired functionality. Afterall, if you read JBoss's documentation
on the jmx-console
(http://wiki.jboss.org/wiki/Wiki.jsp?page=JMXConsole), you'll notice
that it essentially like a remote debugger.
Anyway, good to see this getting fixed as it'll give admins one less way
to shoot themselves in the foot. Similar to how most *nix admins `alias