| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 19 Jul 2006 18:21:03 -0700 From: Jon Hart <jhart@...ofed.org> To: bugtraq@...urityfocus.com Subject: Cisco MARS < 4.2.1 remote compromise Cisco MARS (Monitoring, Analysis and Response System, sometimes referred to as CS-MARS) prior to version 4.2.1 ships with an unprotected JBoss installation which ultimately leads to a complete compromise of the device. The caveat here is that, despite much work on Cisco's part, they were not able to determine why some CS-MARS boxes were vulnerable and others were not. In versions 4.2.1 and newer, the discovered vulnerabilities have been fixed. Vulnerability #1 ---------------- CS-MARS shipped with JBoss 3.2.7, which suffered a number of flaws originally disclosed by Marc Schoenefeld in June of 2005. See http://www.securityfocus.com/archive/1/402653 for the original posting. Vulnerability #2 ---------------- CS-MARS' JBoss installation is basically stock, so few if any of the recommended procedures were taken to secure it prior to shipment. A common document used in securing JBoss can be found at http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss Perhaps the most glaring vulnerability that results is the exposure of the jmx-console, and in turn full access to all of the MBeans. Per JBoss.org's description of the jmx-console: "The JMX console provides a raw view into the microkernel of the JBoss application server. It lists all registered services (MBeans) that are active in the application server and that can be accessed either through the JMX console itself or programmatically from Java code." As you can imagine, once an attacker has access to the jmx-console, the thoroughness with which the box can be compromised is only limited by their imagination. The jmx console is reachable on CS-MARS devices versions < 4.2.1 -- no authentication is necessary, and is available on port 80 and 443. I've put together some functional POC exploit code that leverages many of the MBeans to compromise the system in various ways. Please see the attached code. Vendor status ------------- Cisco's PSIRT was extremely responsive throughout this entire process. The JBoss issues I mentioned above are addressed by Cisco DDTS CSCse47646, and fixed in version 4.2.1 and newer. Enjoy, -jon View attachment "CS-MARS_jboss-exploit" of type "text/plain" (6464 bytes) Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)
Powered by blists - more mailing lists