lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060719161709.GF25856@spoofed.org>
Date: Wed, 19 Jul 2006 09:17:09 -0700
From: Jon Hart <jhart@...ofed.org>
To: full-disclosure@...ts.grok.org.uk
Subject: Cisco MARS < 4.2.1 remote compromise

Cisco MARS (Monitoring, Analysis and Response System, sometimes referred
to as CS-MARS) prior to version 4.2.1 ships with an unprotected JBoss
installation which ultimately leads to a complete compromise of the
device.

The caveat here is that, despite much work on Cisco's part, they were
not able to determine why some CS-MARS boxes were vulnerable and others
were not.  In versions 4.2.1 and newer, the discovered vulnerabilities
have been fixed.

Vulnerability #1
----------------

CS-MARS shipped with JBoss 3.2.7, which suffered a number of flaws
originally disclosed by Marc Schoenefeld in June of 2005.  See
http://www.securityfocus.com/archive/1/402653 for the original posting.

Vulnerability #2
----------------

CS-MARS' JBoss installation is basically stock, so few if any of the
recommended procedures were taken to secure it prior to shipment.
A common document used in securing JBoss can be found at
http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss

Perhaps the most glaring vulnerability that results is the exposure of
the jmx-console, and in turn full access to all of the MBeans.  Per
JBoss.org's description of the jmx-console:

   "The JMX console provides a raw view into the microkernel of the
   JBoss application server. It lists all registered services (MBeans)
   that are active in the application server and that can be accessed
   either through the JMX console itself or programmatically from Java
   code."

As you can imagine, once an attacker has access to the jmx-console, the
thoroughness with which the box can be compromised is only limited by
their imagination.  The jmx console is reachable on CS-MARS devices
versions < 4.2.1 -- no authentication is necessary, and is available on
port 80 and 443.

I've put together some functional POC exploit code that leverages many
of the MBeans to compromise the system in various ways.  Please see the
attached code.


Vendor status
-------------

Cisco's PSIRT was extremely responsive throughout this entire process.
The JBoss issues I mentioned above are addressed by Cisco DDTS
CSCse47646, and fixed in version 4.2.1 and newer.


Enjoy,

-jon


View attachment "CS-MARS_jboss-exploit" of type "text/plain" (6464 bytes)

Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ