Re: SYMSA-2006-011: JBoss Java Class DeploymentFileRepository Directory Traversal
On Mon, Nov 27, 2006 at 05:36:29PM -0000, research@xxxxxxxxxxxx wrote:
> Vendor Response:
>
> Red Hat has verified the flaw in the DeploymentFileRepository class
> of the JBoss application server. A remote attacker who is able to
> access the console manager could read or write to files with the
> permissions of the JBoss user. This could potentially lead to
> arbitrary code execution as the JBoss user (CVE-2006-5750).
>
> Please note that the JBoss console manager should always be secured
> prior to deployment. By default, the JBoss installer gives users the
> ability to password protect the console manager, limiting an attack
> using this vulnerability to authorised users. These steps can also
> be performed manually.
> http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss
I think this last point is the key here. I can't think of any
legitimate reason to expose jmx-console to untrusted users. Sure,
password protection helps to some extent. This topic has been talked
about repeatedly in many venues, so I won't touch on that here.
Regarding this vulnerability in particular, this is just the tip of the
iceberg, so to speak. The Beans that are exposed via the jmx-console by
default, combined with what typical installations will have installed,
leaves any site that exposes this URL in an insecure manner just asking
for trouble. I won't give the exact search string, but I'm sure google
could help tickle your imagination in this respect. Compromise of the
code served by JBoss, JBoss or the underlying OS itself is only limited
by your imagination.
When I discovered CVE-2006-3733 (http://www.osvdb.org/27419,
http://spoofed.org/files/CS-MARS_jboss-exploit), I too noticed
DeploymentFileRepository's shortcomings, but honestly assumed this was
the desired functionality. Afterall, if you read JBoss's documentation
on the jmx-console
(http://wiki.jboss.org/wiki/Wiki.jsp?page=JMXConsole), you'll notice
that it essentially like a remote debugger.
Anyway, good to see this getting fixed as it'll give admins one less way
to shoot themselves in the foot. Similar to how most *nix admins `alias
mv='mv -i'`.
-jon