lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Mon, 27 Nov 2006 21:21:06 -0800
From: Jon Hart <jhart@...ofed.org>
To: research@...antec.com
Cc: bugtraq@...urityfocus.com
Subject: Re: SYMSA-2006-011: JBoss Java Class DeploymentFileRepository Directory Traversal

On Mon, Nov 27, 2006 at 05:36:29PM -0000, research@...antec.com wrote:
> Vendor Response:
> 
> Red Hat has verified the flaw in the DeploymentFileRepository class
> of the JBoss application server.  A remote attacker who is able to
> access the console manager could read or write to files with the
> permissions of the JBoss user.  This could potentially lead to
> arbitrary code execution as the JBoss user (CVE-2006-5750).
> 
> Please note that the JBoss console manager should always be secured
> prior to deployment.  By default, the JBoss installer gives users the
> ability to password protect the console manager, limiting an attack
> using this vulnerability to authorised users.  These steps can also
> be performed manually.
> http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss

I think this last point is the key here.  I can't think of any
legitimate reason to expose jmx-console to untrusted users.  Sure,
password protection helps to some extent.  This topic has been talked
about repeatedly in many venues, so I won't touch on that here.

Regarding this vulnerability in particular, this is just the tip of the
iceberg, so to speak.  The Beans that are exposed via the jmx-console by
default, combined with what typical installations will have installed,
leaves any site that exposes this URL in an insecure manner just asking
for trouble.  I won't give the exact search string, but I'm sure google
could help tickle your imagination in this respect.   Compromise of the
code served by JBoss, JBoss or the underlying OS itself is only limited
by your imagination.

When I discovered CVE-2006-3733 (http://www.osvdb.org/27419,
http://spoofed.org/files/CS-MARS_jboss-exploit), I too noticed
DeploymentFileRepository's shortcomings, but honestly assumed this was
the desired functionality.  Afterall, if you read JBoss's documentation
on the jmx-console
(http://wiki.jboss.org/wiki/Wiki.jsp?page=JMXConsole), you'll notice
that it essentially like a remote debugger.  

Anyway, good to see this getting fixed as it'll give admins one less way
to shoot themselves in the foot.  Similar to how most *nix admins `alias
mv='mv -i'`.

-jon

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ