Bugtraq mailing list archives

Update JBoss 308 & 321: Remote Command Injection


From: Marc Schoenefeld <schonef () uni-muenster de>
Date: Mon, 6 Oct 2003 22:39:15 +0200 (MES)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Adam,

 thanks for the question, here is the answer:

 just downloaded the 3.0.8 from Jboss.org and
 changed the port of the exploit code from
 1701 to 1476, which is the HSQL port in
 Version 3.0.8 of JBoss.
 I can confirm that

  JBOSS 3.0.8 is also vulnerable

Marc





On Mon, 6 Oct 2003, Adam Shostack wrote:

Date: Mon, 6 Oct 2003 14:15:36 -0400
From: Adam Shostack <adam () homeport org>
To: Marc Schoenefeld <schonef () uni-muenster de>
Subject: Re: JBoss 3.2.1: Remote Command Injection

Hi Marc,

   What about earlier versions of Jboss, like the 3.0 series, which a
lot of folks still run?

Adam


On Sun, Oct 05, 2003 at 11:41:28PM +0200, Marc Schoenefeld wrote:
| -----BEGIN PGP SIGNED MESSAGE-----
| Hash: SHA1
|
| ================================
| Illegalaccess.org Security Alert
| ================================
|
| Date        : 10/04/2003
| Application : JBoss, java server for running J2EE enterprise
|               applications
| Version     : 3.2.1
| Website     : http://www.jboss.org
| Problems    : Denial-Of-Service,
|               Log Manipulation,
|               Manipulation of Process variables,
|               Arbitrary Command Injection
|
|
| Illegalaccess.org has discovered a critical security
| vulnerability in the latest production version of JBoss J2EE
| application server. The vulnerability affects default
| installations of JBoss 3.2.1 running on JDK 1.4.x. We were able
| to design proof of concept code for this issue, which allows
| remote attack resulting in several compromises, ranging from
| information disclosure over log manipulation and manipulating
| java process properties to execution of any commands on the
| (windows) system with the privileges of the JBoss process. We do
| not rule out the possibility of remotely controlled code
| execution on JBoss servers running on top of other operating
| systems (such as Linux, Solaris, Mac, OS/390).
|
| The existence of the vulnerability has been confirmed by Marc
| Fleury and Scott Stark of the JBoss Group. This report is part of
| the coordinated release of information about this new threat. The
| appropriate security bulletin for the jboss system as well as a
| configuration fix for the affected version 3.2.1 are available
| for download from the JBoss web site  (see URL below).
|
| It should be stated, that the reaction time of the JBoss group
| was exemplary in providing an immediate correction of the default
| configuration which was causing the problem.
|
| Description
| This is a command injection vulnerability that exists in an
| integral component of the JBoss server, HSQLDB, an SQL database
| managing JMS connections. In a combined result of programming
| errors in the sun.* classes and logic errors in the org.apache.*
| classes of the JDK and settings in the default configuration of
| JBoss, remote attackers can obtain remote access to vulnerable
| JBoss systems. Our tests confirmed that this vulnerability
| affects all default installations of JBoss 3.2.1 and potentially
| every other system using TCP/IP based connections to HSQLDB.
|
| Risk Analysis
| The impact of this vulnerability should be considered as
| critical. Throughout its exploitation, any user can gain complete
| control over a vulnerable system by the means of a remote attack.
| By sending a specially crafted sequence of SQL statements to
| TCP port 1701 of the vulnerable JBoss system, an attacker can
| exploit the vulnerabilities and in the worst case execute any code
| with the privileges of the java process executing JBoss.
|
| Scope
| This vulnerability affects every installation of JBoss 3.2.1
| application server not protected by additional hardening
| mechanisms for network access protection and boundary control
| such as firewall systems.
|
| Code Availability
| We were able to develop a fully functional 100%-java proof of
| concept code for JBoss 3.2.1 running on any Java 1.4.x-enabled
| platform. The base functionality for every operating system
| includes Denial-Of-Service, Information Disclosure, Log Message
| Injection and Resource Consumption. It makes use of some unique
| exploitation techniques and is based on a detailed analysis of
| the JDK 1.4.x class structure (available for download mid
| November 2003) by Illegalaccess.org. In the case of the host
| operating system being Windows 2000/XP, an additional
| exploitation is possible executing arbitrary executables and even
| registered file types. The attack may be performed unnoticed,
| without any abuse to the operation of the
| target system.
|
| Due to the unique nature and in-depth-impact of this
| vulnerability, illegalaccess.org has decided not to publish
| exploit code or any technical details helpful for replay with
| regard to this vulnerability at the moment. In parallel we are
| preparing a more detailed technical description of the
| vulnerability, which is due to be released to the public once its
| impact has been reduced through propagation of appropriate fixes
| by the JBoss Group.
|
| Solution
| It should be emphasized that this vulnerability poses a critical
| threat and appropriate patches provided by JBoss (see below)
| should be immediately applied. The patch available at present
| can be found at
|
| http://sourceforge.net/docman/display_doc.php?docid=19314&group_id=22866
|
| and describes the fix which is to limit the HSQLDB to in-memory
| mode.
|
| =======start of snippet from updated jboss documentation=========
| The default configuration of the hsqldb service allows for
| interaction with the database over TCP/IP and can enable arbitrary
| code to be executed if the default username/password has not been
| changed. JBoss does not need the socket based access mode so one
| can disable this through two changes to the deploy/hsqldb-ds.xml
| configuration.
|
|
| I) First, change:
| <!-- for tcp connection, other processes may use hsqldb -->
|   <connection-url>
|     jdbc:hsqldb:hsql://localhost:1701
|   </connection-url>
|
| to:
|
| <!-- for in-process db with file store, saved when jboss
| stops. The org.jboss.jdbc.HypersonicDatabase is unnecessary -->
|
| <connection-url>
|    jdbc:hsqldb:localDB
| </connection-url>
|
| II) Next, comment out or remove this section:
|
|   <!-- this mbean should be used only when using tcp connections -->
|   <mbean code="org.jboss.jdbc.HypersonicDatabase"
|     name="jboss:service=Hypersonic">
|     <attribute name="Port">1701</attribute>
|     <attribute name="Silent">true</attribute>
|     <attribute name="Database">default</attribute>
|     <attribute name="Trace">false</attribute>
|     <attribute name="No_system_exit">true</attribute>
|   </mbean>
|
| =======end of snippet from updated jboss documentation=========
|
| Marc Schoenefeld, www.illegalaccess.org  (marc () illegalaccess org)
|
| - --
|
| Never be afraid to try something new. Remember, amateurs built the
| ark; professionals built the Titanic. -- Anonymous
|
| Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer
| -----BEGIN PGP SIGNATURE-----
| Version: GnuPG v1.0.6 (AIX)
| Comment: For info see http://www.gnupg.org
|
| iD8DBQE/gJALqCaQvrKNUNQRAiFqAJ9GYSd38BKgL2tYWp/U0r/KtdbO0ACdFz6V
| 39E+YTxnfgaf0NDpjXSfnLY=
| =Eb08
| -----END PGP SIGNATURE-----
|

--
"It is seldom that liberty of any kind is lost all at once."
                                                     -Hume




- --

Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. -- Anonymous

Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (AIX)
Comment: For info see http://www.gnupg.org

iD8DBQE/gdL3qCaQvrKNUNQRAqc6AJ9nRxhXZjL94aSbQNpAJ0PQY/A8dQCfWn6G
Hcich424OGWfBcJWJBaY60c=
=J/sq
-----END PGP SIGNATURE-----


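The advisory's fix is two edits to deploy/hsqldb-ds.xml: switch the connection-url from the TCP `hsql://` form to the in-process `jdbc:hsqldb:localDB` form, and remove the `org.jboss.jdbc.HypersonicDatabase` MBean that opens the listener (port 1701 in 3.2.1, 1476 in 3.0.8 per the reply above). The script below is an added example, not code from the advisory or from the JBoss project: it parses an hsqldb-ds.xml and reports whether either half of that fix is still missing. The two sample files are constructed from the snippet quoted in the advisory, and the check for the shipped default credentials assumes user `sa` with an empty password, which the advisory does not state.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Markers of the socket-based mode the advisory tells you to turn off.
HSQL_TCP_PREFIX = "jdbc:hsqldb:hsql://"
HSQL_SERVER_MBEAN = "org.jboss.jdbc.HypersonicDatabase"
# Assumed shipped defaults for DefaultDS (not stated in the advisory).
DEFAULT_USER, DEFAULT_PASSWORD = "sa", ""


@dataclass
class HsqldbReport:
    tcp_url: Optional[str]       # connection-url if it still uses hsql:// over TCP
    server_mbean: bool           # HypersonicDatabase MBean still deployed
    server_port: Optional[int]   # its Port attribute, when present
    default_credentials: bool    # user-name/password still at the assumed defaults

    def is_remotely_exposed(self) -> bool:
        """True if either of the two changes from the advisory is still missing."""
        return self.tcp_url is not None or self.server_mbean

    def findings(self) -> list[str]:
        out = []
        if self.tcp_url is not None:
            out.append(f"connection-url {self.tcp_url} uses the TCP (hsql://) mode")
        if self.server_mbean:
            out.append(f"{HSQL_SERVER_MBEAN} MBean is deployed (Port={self.server_port})")
        if self.default_credentials:
            out.append("DefaultDS still uses the assumed default user/password")
        return out


def _text(el: ET.Element) -> str:
    # The quoted snippet puts the URL on its own line, so whitespace must be stripped.
    return (el.text or "").strip()


def audit_hsqldb_ds(xml_text: str) -> HsqldbReport:
    """Parse deploy/hsqldb-ds.xml and report whether HSQLDB is network-reachable."""
    root = ET.fromstring(xml_text)

    tcp_url = None
    for el in root.iter("connection-url"):
        if _text(el).startswith(HSQL_TCP_PREFIX):
            tcp_url = _text(el)

    server_mbean, server_port = False, None
    for mbean in root.iter("mbean"):
        if mbean.get("code") != HSQL_SERVER_MBEAN:
            continue
        server_mbean = True
        for attr in mbean.findall("attribute"):
            if attr.get("name") == "Port" and _text(attr).isdigit():
                server_port = int(_text(attr))

    user = next((_text(e) for e in root.iter("user-name")), None)
    password = next((_text(e) for e in root.iter("password")), None)
    default_credentials = user == DEFAULT_USER and password == DEFAULT_PASSWORD
    return HsqldbReport(tcp_url, server_mbean, server_port, default_credentials)


# Constructed samples, cut down from the snippet quoted in the advisory.
VULNERABLE_DS = """<datasources>
  <local-tx-datasource>
    <jndi-name>DefaultDS</jndi-name>
    <connection-url>
      jdbc:hsqldb:hsql://localhost:1701
    </connection-url>
    <driver-class>org.hsqldb.jdbcDriver</driver-class>
    <user-name>sa</user-name>
    <password></password>
  </local-tx-datasource>
  <mbean code="org.jboss.jdbc.HypersonicDatabase" name="jboss:service=Hypersonic">
    <attribute name="Port">1701</attribute>
    <attribute name="Database">default</attribute>
  </mbean>
</datasources>"""

HARDENED_DS = """<datasources>
  <local-tx-datasource>
    <jndi-name>DefaultDS</jndi-name>
    <connection-url>jdbc:hsqldb:localDB</connection-url>
    <driver-class>org.hsqldb.jdbcDriver</driver-class>
    <user-name>sa</user-name>
    <password></password>
  </local-tx-datasource>
</datasources>"""

if __name__ == "__main__":
    for label, text in (("default 3.2.1", VULNERABLE_DS), ("hardened", HARDENED_DS)):
        report = audit_hsqldb_ds(text)
        print(f"{label}: exposed={report.is_remotely_exposed()}")
        for f in report.findings():
            print("  -", f)
```

Run it against your own deploy/hsqldb-ds.xml by reading the file into `audit_hsqldb_ds`. Note that the hardened sample still trips the credential check: the advisory's fix removes the network path, and changing the default credentials is a separate step the quoted JBoss note also points at.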