
Update JBoss 308 & 321: Remote Command Injection




Hi Adam,

 Thanks for the question; here is the answer:

 I just downloaded 3.0.8 from jboss.org and
 changed the port of the exploit code from
 1701 to 1476, which is the HSQL port in
 version 3.0.8 of JBoss.
 I can confirm that

  JBoss 3.0.8 is also vulnerable

Marc





On Mon, 6 Oct 2003, Adam Shostack wrote:

> Date: Mon, 6 Oct 2003 14:15:36 -0400
> From: Adam Shostack <adam@xxxxxxxxxxxx>
> To: Marc Schoenefeld <schonef@xxxxxxxxxxxxxxx>
> Subject: Re: JBoss 3.2.1: Remote Command Injection
>
> Hi Marc,
>
>    What about earlier versions of Jboss, like the 3.0 series, which a
> lot of folks still run?
>
> Adam
>
>
> On Sun, Oct 05, 2003 at 11:41:28PM +0200, Marc Schoenefeld wrote:
> |
> | ================================
> | Illegalaccess.org Security Alert
> | ================================
> |
> | Date        : 10/04/2003
> | Application : JBoss, java server for running J2EE enterprise
> |               applications
> | Version     : 3.2.1
> | Website     : http://www.jboss.org
> | Problems    : Denial-Of-Service,
> |               Log Manipulation,
> |               Manipulation of Process variables,
> |               Arbitrary Command Injection
> |
> |
> | Illegalaccess.org has discovered a critical security
> | vulnerability in the latest production version of JBoss J2EE
> | application server. The vulnerability affects default
> | installations of JBoss 3.2.1 running on JDK 1.4.x. We were able
> | to design proof of concept code for this issue, which allows
> | remote attack resulting in several compromises, ranging from
> | information disclosure over log manipulation and manipulating
> | java process properties to execution of any commands on the
> | (Windows) system with the privileges of the JBoss process. We do
> | not rule out the possibility of remotely controlled code
> | execution on JBoss servers running on top of other operating
> | systems (such as Linux, Solaris, Mac, OS/390).
> |
> | The existence of the vulnerability has been confirmed by Marc
> | Fleury and Scott Stark of the JBoss Group. This report is part of
> | the coordinated release of information about this new threat. The
> | appropriate security bulletin for the JBoss system as well as a
> | configuration fix for the affected version 3.2.1 are available
> | for download from the JBoss web site  (see URL below).
> |
> | It should be stated that the reaction time of the JBoss group
> | was exemplary in providing an immediate correction of the default
> | configuration which was causing the problem.
> |
> | Description
> | This is a command injection vulnerability that exists in an
> | integral component of the JBoss server, HSQLDB, an SQL database
> | managing JMS connections. In a combined result of programming
> | errors in the sun.* classes and logic errors in the org.apache.*
> | classes of the JDK and settings in the default configuration of
> | JBoss, remote attackers can obtain remote access to vulnerable
> | JBoss systems. Our tests confirmed that this vulnerability
> | affects all default installations of JBoss 3.2.1 and potentially
> | every other system using TCP/IP based connections to HSQLDB.
> |
> | Risk Analysis
> | The impact of this vulnerability should be considered as
> | critical. Throughout its exploitation, any user can gain complete
> | control over a vulnerable system by the means of a remote attack.
> | By sending a specially crafted sequence of SQL statements to the
> | TCP port 1701 of the vulnerable JBoss system, an attacker can
> | exploit the vulnerabilities and in worst case execute any code
> | with the privileges of the java process executing JBoss.
> |
> | Scope
> | This vulnerability affects every installation of JBoss 3.2.1
> | application server not protected by additional hardening
> | mechanisms for network access protection and boundary control
> | such as firewall systems.
> |
> | Code Availability
> | We were able to develop a fully functional 100%-java proof of
> | concept code for JBoss 3.2.1 running on any Java 1.4.x-enabled
> | platform. The base functionality for every operating system
> | includes Denial-Of-Service, Information Disclosure, Log Message
> | Injection and Resource Consumption. It makes use of some unique
> | exploitation techniques and is based on a detailed analysis of
> | the JDK 1.4.x class structure (available for download mid
> | November 2003) by Illegalaccess.org. In the case of the host
> | operating system being Windows 2000/XP, an additional
> | exploitation is possible executing arbitrary executables and even
> | registered file types. The attack may be performed unnoticed,
> | without any abuse to the operation of the target system.
> |
> | Due to the unique nature and in-depth-impact of this
> | vulnerability, illegalaccess.org has decided not to publish
> | exploit code or any technical details helpful for replay with
> | regard to this vulnerability at the moment. In parallel, we are
> | preparing a more detailed technical description of the
> | vulnerability which is due to be released to the public when its
> | impact will be reduced through propagation of appropriate fixes
> | by the JBoss Group.
> |
> | Solution
> | It should be emphasized that this vulnerability poses a critical
> | threat and appropriate patches provided by JBoss (see below)
> | should be immediately applied. The patch available at present
> | is available at
> |
> | http://sourceforge.net/docman/display_doc.php?docid=19314&group_id=22866
> |
> | and describes the fix which is to limit the HSQLDB to in-memory
> | mode.
> |
> | =======start of snippet from updated jboss documentation=========
> | The default configuration of the hsqldb service allows for
> | interaction with the database over TCP/IP and can enable arbitrary
> | code to be executed if the default username/password has not been
> | changed. JBoss does not need the socket based access mode so one
> | can disable this through two changes to the deploy/hsqldb-ds.xml
> | configuration.
> |
> |
> | I) First, change:
> | <!-- for tcp connection, other processes may use hsqldb -->
> |   <connection-url>
> |     jdbc:hsqldb:hsql://localhost:1701
> |   </connection-url>
> |
> | to:
> |
> | <!-- for in-process db with file store, saved when jboss
> | stops. The org.jboss.jdbc.HypersonicDatabase is unnecessary -->
> |
> | <connection-url>
> |    jdbc:hsqldb:localDB
> | </connection-url>
> |
> | II) Next, comment out or remove this section:
> |
> |   <!-- this mbean should be used only when using tcp connections -->
> |   <mbean code="org.jboss.jdbc.HypersonicDatabase"
> |     name="jboss:service=Hypersonic">
> |     <attribute name="Port">1701</attribute>
> |     <attribute name="Silent">true</attribute>
> |     <attribute name="Database">default</attribute>
> |     <attribute name="Trace">false</attribute>
> |     <attribute name="No_system_exit">true</attribute>
> |   </mbean>
> |
> | =======end of snippet from updated jboss documentation=========
> |
> | Marc Schoenefeld, www.illegalaccess.org  (marc@xxxxxxxxxxxxxxxxx)
> |
> | - --
> |
> | Never be afraid to try something new. Remember, amateurs built the
> | ark; professionals built the Titanic. -- Anonymous
> |
> | Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer
> |
>
> --
> "It is seldom that liberty of any kind is lost all at once."
>                                                      -Hume
>
>
>

- --

Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. -- Anonymous

Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer
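
An added example, not part of the original messages or the JBoss documentation: a small Python check for the two hsqldb-ds.xml settings the quoted fix changes. It reads the listener port from the file because it differs by version (1701 in 3.2.1, 1476 in 3.0.8); the <datasources>/<local-tx-datasource> wrapper and both sample documents are constructed for illustration, and audit_hsqldb_ds is a hypothetical name.

```python
import xml.etree.ElementTree as ET

TCP_PREFIX = "jdbc:hsqldb:hsql://"              # socket mode, per the advisory
LISTENER_MBEAN = "org.jboss.jdbc.HypersonicDatabase"

# Constructed sample: the two default fragments quoted in the advisory,
# wrapped in an assumed <datasources> root so the document parses.
DEFAULT_CONFIG = """<datasources>
  <local-tx-datasource>
    <connection-url>
      jdbc:hsqldb:hsql://localhost:1701
    </connection-url>
  </local-tx-datasource>
  <mbean code="org.jboss.jdbc.HypersonicDatabase"
    name="jboss:service=Hypersonic">
    <attribute name="Port">1701</attribute>
    <attribute name="Silent">true</attribute>
  </mbean>
</datasources>"""

# Constructed sample: the same file after both changes from the advisory.
FIXED_CONFIG = """<datasources>
  <local-tx-datasource>
    <connection-url>jdbc:hsqldb:localDB</connection-url>
  </local-tx-datasource>
  <!-- <mbean code="org.jboss.jdbc.HypersonicDatabase"
    name="jboss:service=Hypersonic">
    <attribute name="Port">1701</attribute>
  </mbean> -->
</datasources>"""


def audit_hsqldb_ds(xml_text):
    """Return findings for settings the advisory says to change."""
    findings = []
    root = ET.fromstring(xml_text)  # commented-out elements are not parsed
    for elem in root.iter("connection-url"):
        url = (elem.text or "").strip()
        if url.startswith(TCP_PREFIX):
            findings.append("connection-url uses TCP mode: " + url)
    for mbean in root.iter("mbean"):
        if mbean.get("code") != LISTENER_MBEAN:
            continue
        ports = [(a.text or "").strip() for a in mbean.iter("attribute")
                 if a.get("name") == "Port"]
        findings.append("HypersonicDatabase listener mbean enabled on port "
                        + (ports[0] if ports else "unknown"))
    return findings
```

An empty list means neither setting is present; a commented-out mbean counts as removed because the XML parser discards comments.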