<<< Date Index >>>     <<< Thread Index >>>

JBoss 3.2.1: Remote Command Injection



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

================================
Illegalaccess.org Security Alert
================================

Date        : 10/04/2003
Application : JBoss, java server for running J2EE enterprise
              applications
Version     : 3.2.1
Website     : http://www.jboss.org
Problems    : Denial-Of-Service,
              Log Manipulation,
              Manipulation of Process variables,
              Arbitrary Command Injection


Illegalaccess.org has discovered a critical security
vulnerability in the latest production version of JBoss J2EE
application server. The vulnerability affects default
installations of JBoss 3.2.1 running on JDK 1.4.x. We were able
to design proof of concept code for this issue, which allows
remote attack resulting in several compromises, ranging from
information disclosure over log manipulation and manipulating
java process properties to execution of any commands on the
(windows) system with the privileges of the JBoss process. We do
not rule out the possibility of remotely controlled code
execution on JBoss servers running on top of other operating
systems (such as Linux, Solaris, Mac, OS/390).

The existence of the vulnerability has been confirmed by Marc
Fleury and Scott Stark of the JBoss Group. This report is part of
the coordinated release of information about this new threat. The
appropriate security bulletin for the jboss system as well as a
configuration fix for the affected version 3.2.1 are available
for download from the JBoss web site  (see URL below).

It should be stated, that the reaction time of the JBoss group
was exemplary in providing an immediate correction of the default
configuration which was causing the problem.

Description
This is a command injection vulnerability that exists in an
integral component of the JBoss server, HSQLDB, an SQL database
managing JMS connections. In a combined result of programming
errors in the sun.* classes and logic errors in the org.apache.*
classes of the JDK and settings in the default configuration of
JBoss, remote attackers can obtain remote access to vulnerable
JBoss systems. Our tests confirmed that this vulnerability
affects all default installations of JBoss 3.2.1 and potentially
every other system using TCP/IP based connections to HSQLDB.

Risk Analysis
The impact of this vulnerability should be considered as
critical. Throughout its exploitation, any user can gain complete
control over a vulnerable system by the means of a remote attack.
By sending specially crafted sequence of SQL statements to the
TCP port 1701 of the vulnerable JBoss system, an attacker can
exploit the vulnerabilities and in worst case execute any code
with the privileges of the java process executing JBoss.

Scope
This vulnerability affects every installation of JBoss 3.2.1
application server not protected by additional hardening
mechanisms for network access protection and boundary control
such as firewall systems.

Code Availability
We were able to develop a fully functional 100%-java proof of
concept code for JBoss 3.2.1 running on any Java 1.4.x-enabled
platform. The base functionality for every operating system
includes Denial-Of-Service, Information Disclosure, Log Message
Injection and Resource Consumption. It makes use of some unique
exploitation techniques and are based on a detailed analysis of
the JDK 1.4.x class structure (available for download mid
November 2003) by Illegalaccess.org. In the case of the host
operating system being Windows 2000/XP, an additional
exploitation is possible executing arbitrary executables and even
registered file types. The attack may be performed unnoticed,
without any abuse to the operation of the
target system.

Due to the unique nature and in-depth-impact of this
vulnerability, illegalaccess.org has decided not to publish
exploit code or any technical details helpful for replay with
regard to this vulnerability at the moment. Parallel we are
preparing a more detailed technical description of the
vulnerability which is due to be released to the public when its
impact will be reduced through propagation of appropriate fixes
by the JBoss Group.

Solution
It should be emphasized that this vulnerability poses a critical
threat and appropriate patches provided by JBoss (see below)
should be immediately applied. The patch available at present
is available at

http://
sourceforge.net/docman/display_doc.php?docid=19314&group_id=22866

and describes the fix which is to limit the HSQLDB to in-memory
mode.

=======start of snippet from updated jboss documentation=========
The default configuration of the hsqldb service allows for
interaction with the database over TCP/IP and can enable arbitary
code to be executed if the default username/password has not be
changed. JBoss does not need the socket based access mode so one
can disable this through two changes to the deploy/hsqldb-ds.xml
configuration.


I) First, change:
<!-- for tcp connection, other processes may use hsqldb -->
  <connection-url>
    jdbc:hsqldb:hsql://localhost:1701
  </connection-url>

to:

<!-- for in-process db with file store, saved when jboss
stops. The org.jboss.jdbc.HypersonicDatabase is unnecessary -->

<connection-url>
   jdbc:hsqldb:localDB
</connection-url>

II) Next, comment out or remove this section:

  <!-- this mbean should be used only when using tcp connections -->
  <mbean code="org.jboss.jdbc.HypersonicDatabase"
    name="jboss:service=Hypersonic">
    <attribute name="Port">1701</attribute>
    <attribute name="Silent">true</attribute>
    <attribute name="Database">default</attribute>
    <attribute name="Trace">false</attribute>
    <attribute name="No_system_exit">true</attribute>
  </mbean>

=======end of snippet from updated jboss documentation=========

Marc Schoenefeld, www.illegalaccess.org  (marc@xxxxxxxxxxxxxxxxx)

- --

Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. -- Anonymous

Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (AIX)
Comment: For info see http://www.gnupg.org

iD8DBQE/gJALqCaQvrKNUNQRAiFqAJ9GYSd38BKgL2tYWp/U0r/KtdbO0ACdFz6V
39E+YTxnfgaf0NDpjXSfnLY=
=Eb08
-----END PGP SIGNATURE-----