JBoss - Sensitive Information Disclosure | PoC | Lucideus Research

                                                                                                                          [Difficulty Level: Easy]
JBoss Web Server is an enterprise ready web server designed for medium and large applications, based on Tomcat. JBoss Web Server provides organisations with a single deployment platform for Java Server Pages (JSP) and Java Servlet technologies, PHP, and CGI. It uses a genuine high performance hybrid technology that incorporates the best of the most recent OS technologies for processing high volume data, while keeping all the reference Java specifications. It supports both in and out of the process execution of CGI and PHP scripts. The hybrid technology model offers the best from threading and event processing models, and that makes the JBoss Web Server one of the fastest and most scalable web servers in the market.

JBoss Web Server is based on Apache Tomcat that is used in the official Reference Implementation or the Java Servlet and JavaServer Pages technologies. So we need to setting up java in our machine (Ubuntu), We download jdk file from http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html

After downloading the file we will extract the content
$ tar -zxvf jdk-8u161-linux-x64.tar.gz

Here is our extracted content

Move the extracted folder to /usr/lib/java/ with below command
$ sudo mv jdk1.8.0_161/ /usr/lib/java/

Now go to usr/lib/java directory and open jdk1.8.0_161 and check the all directories in it
$ cd jdk.1.8.0_161/
$ ls
$ cd bin/
$ ls

$ cd ..

Next run these below listed commands in terminal one by one
$ sudo update-alternatives --install "/usr/bin/java" "java" "/usr/lib/java/jdk1.7.0_65/bin/java" 1
$ sudo update-alternatives --install "/usr/bin/javac" "javac" "/usr/lib/java/jdk1.7.0_65/bin/javac" 1

$ sudo update-alternatives --install "/usr/bin/javaws" "javaws"    "/usr/lib/java/jdk1.7.0_65/bin/javaws" 1

Now update the JAVA_HOME in your ~/.bashrc
export JAVA_HOME=/usr/lib/java/jdk1.7.0_65

export PATH

After setting up Java. We have to check the java version with below command
$ java -version

Installation and Setup of JBoss
After setting up the java we move to JBoss web server. 

First we download the JBoss-4.2.2.GA from its offical site https://sourceforge.net/projects/jboss/files/JBoss/JBoss-4.2.2.GA/

Move it to /usr/local/share/

$ sudo mv jboss-4.2.2.GA /usr/local/share/

Now open the moved jboss folder

$ cd /usr/local/share

$ ls
$ cd jboss-4.2.2.GA/

Set JBOSS_HOME environmental variable $ sudo gedit ~/.bashrc

Now move back to jboss-4.2.2.GA

On a server machine create a jboss user and apply that user's privileges.  

$ sudo chown -R 775 /usr/local/share/jboss-4.2.2.GA/ 

After that go to /bin/

Now run the jboss web server $ sudo ./run.sh

After running it go to browser and type localhost on port 8080 - > http://localhost:8080/

and our JBoss web server is working.

Exploit JBoss 4.2.x/4.3.x versions are vulnerable by the the vulnerability in which By requesting the Status param and sitting its value to true, Jboss will print a sensitive information such as Memory used/Total Memory / Client IP address.

And when we type status?full=true it will show the all sensitive information

And we can get this information with our .c program , We just compile the jboss.c program 
$ gcc jboss.c -o jboss

Now we just run this file on our jboss server 

$ ./jboss localhost 8080

It will make a connection with our jboss server and and give us a .xml code. We just copied that xml code and make a file name as jboss.xml and when we open that file in browser it shows us its sensitive information or information inside the /status?full=true

Precaution: Update JBoss to version 4.2.3 or later

References: https://www.exploit-db.com/exploits/44009/ http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html https://sourceforge.net/projects/jboss/files/JBoss/JBoss-4.2.2.GA/

Post a Comment