0 Replies Latest reply on Oct 10, 2003 5:41 PM by marc_schoenefeld

    JBoss remote code execution vulnerability

    marc_schoenefeld Newbie

      ================================
      Illegalaccess.org Security Alert
      ================================
      Date : 2003/10/05
      Application : JBoss, open-source java server for running J2EE enterprise applications
      Version : 3.0.8/3.2.1
      Website : http://www.jboss.org
      Problems : Denial-Of-Service,
      Log Manipulation,
      Manipulation of Process variables,
      Arbitrary Command Injection


      Illegalaccess.org has discovered a critical security vulnerability in the latest production version of JBoss J2EE application server. The vulnerability affects default installations of JBoss 3.0.8/3.2.1 running on JDK 1.4.x. We were able to design proof of concept code for this issue, which allows remote attack resulting in several compromises, ranging from information disclosure over log manipulation and manipulating java process properties to execution of any commands on the (windows) system with the privileges of the JBoss process. We do not rule out the possibility of remotely controlled code execution on JBoss servers running on top of other operating systems (such as Linux, Solaris, Mac, OS/390).
      The existence of the vulnerability has been confirmed by Marc Fleury and Scott Stark of the JBoss Group. This report is part of the coordinated release of information about this new threat. The appropriate security bulletin for the jboss system as well as a configuration fix for the affected version 3.0.8/3.2.1 are available for download from the JBoss web site (see URL below).
      It should be stated, that the reaction time of the JBoss group was exemplary in providing an immediate correction of the default configuration which was causing the problem.
      Description
      This is a command injection vulnerability that exists in an integral component of the JBoss server, HSQLDB, an SQL database managing JMS connections. In a combined result of programming errors in the sun.* classes and logic errors in the org.apache.* classes of the JDK and settings in the default configuration of JBoss, remote attackers can obtain remote access to vulnerable JBoss systems. Our tests confirmed that this vulnerability affects all default installations of JBoss 3.0.8/3.2.1 and potentially every other system using TCP/IP based connections to HSQLDB.
      Risk Analysis
      The impact of this vulnerability should be considered as critical. Throughout its exploitation, any user can gain complete control over a vulnerable system by the means of a remote attack. By sending specially crafted sequence of SQL statements to the TCP port 1701 of the vulnerable JBoss system, an attacker can exploit the vulnerabilities and in worst case execute any code with the privileges of the java process executing JBoss.
      Scope
      This vulnerability affects every installation of JBoss 3.0.8/3.2.1 application server not protected by additional hardening mechanisms for network access protection and boundary control such as firewall systems.
      Code Availability
      We were able to develop a fully functional 100%-java proof of concept code for JBoss 3.0.8/3.2.1 running on any Java 1.4.x-enabled platform. The base functionality for every operating system includes Denial-Of-Service, Information Disclosure, Log Message Injection and Resource Consumption. It makes use of some unique exploitation techniques and are based on a detailed analysis of
      the JDK 1.4.x class structure (available for download mid November 2003) by Illegalaccess.org. In the case of the host operating system being Windows 2000/XP, an additional exploitation is possible executing arbitrary executables and even registered file types. The attack may be performed unnoticed, without any abuse to the operation of the target system.
      Due to the unique nature and in-depth-impact of this vulnerability, illegalaccess.org has decided not to publish exploit code or any technical details helpful for replay with regard to this vulnerability at the moment. Parallel we are preparing a more detailed technical description of the vulnerability which is due to be released to the public when its impact will be reduced through propagation of appropriate fixes by the JBoss Group.
      Solution
      It should be emphasized that this vulnerability poses a critical threat and appropriate patches provided by JBoss (see below) should be immediately applied. The patch is available at
      http://sourceforge.net/docman/display_doc.php?docid=19314&group_id=22866
      and describes the fix which is to limit the HSQLDB to in-memory
      mode.
      =======start of snippet from updated jboss documentation=========
      The default configuration of the hsqldb service allows for
      interaction with the database over TCP/IP and can enable arbitary
      code to be executed if the default username/password has not be
      changed. JBoss does not need the socket based access mode so one
      can disable this through two changes to the deploy/hsqldb-ds.xml
      configuration.

      I) First, change:
      <!-- for tcp connection, other processes may use hsqldb -->
      <connection-url>
      jdbc:hsqldb:hsql://localhost:1701
      </connection-url>
      to:
      <!-- for in-process db with file store, saved when jboss
      stops. The org.jboss.jdbc.HypersonicDatabase is unnecessary -->

      <connection-url>
      jdbc:hsqldb:localDB
      </connection-url>
      II) Next, comment out or remove this section:
      <!-- this mbean should be used only when using tcp connections -->

      1701
      true
      default
      false
      true


      =======end of snippet from updated jboss documentation=========
      Marc Schoenefeld, www.illegalaccess.org (marc@org.illegalaccess)