[NEWS] JBoss Remote Command Injection
From: SecuriTeam (support_at_securiteam.com)
Date: 10/08/03
To: list@securiteam.com Date: 8 Oct 2003 17:13:55 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
JBoss Remote Command Injection
------------------------------------------------------------------------
SUMMARY
<http://www.jboss.org> JBoss is a Java application server for running J2EE
enterprise applications. Multiple vulnerabilities have been found in the
JBoss server, including denial of service, log manipulation, manipulation
of Java process properties, and arbitrary command injection.
DETAILS
Vulnerable systems:
* JBoss version 3.0.8
* JBoss version 3.2.1
Illegalaccess.org has discovered a critical security vulnerability in the
latest production version of the JBoss J2EE application server. The
vulnerability affects default installations of JBoss running on JDK 1.4.x.
We were able to design proof-of-concept code for this issue, which allows a
remote attack resulting in several compromises, ranging from information
disclosure, log manipulation and manipulation of Java process properties
to execution of arbitrary commands on the (Windows) system with the
privileges of the JBoss process. Illegalaccess.org does not rule out the
possibility of remotely controlled code execution on JBoss servers running
on top of other operating systems (such as Linux, Solaris, Mac OS or OS/390).
The existence of the vulnerability has been confirmed by Marc Fleury and
Scott Stark of the JBoss Group. This report is part of the coordinated
release of information about this new threat. The appropriate security
bulletin for the JBoss system as well as a configuration fix for the
affected versions 3.X are available for download from the JBoss web site
(see URL below).
It should be stated that the reaction time of the JBoss Group was
exemplary: it immediately provided a correction of the default
configuration that was causing the problem.
Description:
This is a command injection vulnerability in an integral component of the
JBoss server, HSQLDB, the embedded SQL database that backs, among other
things, the JMS service. As a combined result of programming errors in the
sun.* classes and logic errors in the org.apache.* classes of the JDK,
together with the default JBoss configuration (an HSQLDB server listening
on TCP with its shipped default username and password), remote attackers
can obtain access to vulnerable JBoss systems. Our tests confirmed that
this vulnerability affects all default installations of JBoss 3.2.1 and
potentially every other system that reaches HSQLDB over a TCP/IP
connection.
Impact:
The impact of this vulnerability should be considered critical. Through
its exploitation, any remote user can gain complete control over a
vulnerable system. By sending a specially crafted sequence of SQL
statements to TCP port 1701 of the vulnerable JBoss system, an attacker
can exploit the vulnerabilities and, in the worst case, execute arbitrary
code with the privileges of the Java process running JBoss.
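As an added illustration of the exposure described above (example code
written for this page, not Illegalaccess.org's proof of concept and not
JBoss code), the following Java program connects to the HSQLDB listener of
a JBoss 3.x host with the shipped default account and reads one JVM system
property through HSQLDB's CALL syntax, which resolves a double-quoted,
fully qualified name to a public static Java method on the server's
classpath. It assumes hsqldb.jar (the 1.7.x driver bundled with JBoss 3.x)
is on the local classpath, that the default user "sa" with an empty
password is unchanged, and that the host and port are those given on the
command line; it deliberately stops at information disclosure and performs
none of the manipulations the advisory mentions.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Checks whether a JBoss 3.x host exposes its HSQLDB service on TCP 1701
 * with the shipped default account ("sa", empty password) and whether a
 * session on that account can reach static Java methods through CALL.
 * Only a harmless read of a system property is attempted.
 *
 * Assumptions (not taken from the advisory): hsqldb.jar 1.7.x is on the
 * classpath and the default credentials have not been changed.
 */
public class HsqldbExposureCheck {

    public static final int DEFAULT_PORT = 1701;

    /** Returns a one-line description of what the probe found. */
    public static String probe(String host, int port) {
        String url = "jdbc:hsqldb:hsql://" + host + ":" + port;
        Connection conn;
        try {
            Class.forName("org.hsqldb.jdbcDriver");
            conn = DriverManager.getConnection(url, "sa", "");
        } catch (ClassNotFoundException e) {
            return "hsqldb.jar is not on the classpath";
        } catch (SQLException e) {
            // Connection refused, or the default account was changed:
            // either way the shipped configuration is not in use.
            return "not exposed with default credentials: " + e.getMessage();
        }
        try {
            Statement st = conn.createStatement();
            // HSQLDB 1.7 resolves a double-quoted, fully qualified name in a
            // CALL to a public static Java method of any class the server can
            // load. Reading a property is the least intrusive such call.
            ResultSet rs = st.executeQuery(
                "CALL \"java.lang.System.getProperty\"('java.version')");
            String version = rs.next() ? rs.getString(1) : "(no row)";
            return "EXPOSED: default sa login accepted on " + url
                 + "; static Java calls work, server JVM " + version;
        } catch (SQLException e) {
            return "default sa login accepted on " + url
                 + " but CALL failed: " + e.getMessage();
        } finally {
            try { conn.close(); } catch (SQLException ignored) { }
        }
    }

    public static void main(String[] args) {
        String host = args.length > 0 ? args[0] : "localhost";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : DEFAULT_PORT;
        System.out.println(probe(host, port));
    }
}
```

Run it as `java -cp hsqldb.jar:. HsqldbExposureCheck target-host 1701`. A
refused connection or a login failure means the TCP listener is already off
or the default account was changed; a successful CALL confirms that the
shipped configuration hands any network client a route into the JVM, and
the configuration change described in the Solution section should be
applied.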
Solution:
It should be emphasized that this vulnerability poses a critical threat
and the configuration fix provided by JBoss (see below) should be applied
immediately. The fix is documented at:
http://sourceforge.net/docman/display_doc.php?docid=19314&group_id=22866
and consists of switching HSQLDB from its TCP server mode to in-process
mode, so that the database is no longer reachable over the network.
=======start of snippet from updated jboss documentation=========
The default configuration of the hsqldb service allows for interaction
with the database over TCP/IP and can enable arbitrary code to be executed
if the default username/password has not been changed. JBoss does not need
the socket based access mode so one can disable this through two changes
to the deploy/hsqldb-ds.xml configuration.
I) First, change:
<!-- for tcp connection, other processes may use hsqldb -->
<connection-url>
jdbc:hsqldb:hsql://localhost:1701
</connection-url>
To:
<!-- for in-process db with file store, saved when jboss stops. The
org.jboss.jdbc.HypersonicDatabase is unnecessary -->
<connection-url>
jdbc:hsqldb:localDB
</connection-url>
II) Next, comment out or remove this section:
<!-- this mbean should be used only when using tcp connections -->
<mbean code="org.jboss.jdbc.HypersonicDatabase"
name="jboss:service=Hypersonic">
<attribute name="Port">1701</attribute>
<attribute name="Silent">true</attribute>
<attribute name="Database">default</attribute>
<attribute name="Trace">false</attribute>
<attribute name="No_system_exit">true</attribute>
</mbean>
=======end of snippet from updated jboss documentation=========
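To verify that both changes were actually applied to a deployment, here is
an added example (written for this page; not part of the advisory or of
JBoss) that parses deploy/hsqldb-ds.xml and reports whether a
connection-url still points at the TCP server or an
org.jboss.jdbc.HypersonicDatabase mbean is still deployed. It assumes the
file is well-formed XML using the element and attribute names shown in the
snippet above. Because it uses an XML parser rather than a text search, an
mbean that was commented out, which is what step II produces, is correctly
treated as absent.

```java
import java.io.File;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/**
 * Audits a JBoss 3.x deploy/hsqldb-ds.xml for the two settings the
 * documentation snippet tells you to change: a network connection-url
 * (step I) and the HypersonicDatabase server mbean (step II).
 *
 * Assumption (not from the advisory): the element names connection-url,
 * mbean and attribute are as shown in the snippet.
 */
public class HsqldbDsAudit {

    public static final String NETWORK_URL_PREFIX = "jdbc:hsqldb:hsql://";
    public static final String SERVER_MBEAN = "org.jboss.jdbc.HypersonicDatabase";

    /** Returns the findings; an empty list means both changes were applied. */
    public static List<String> audit(File dsFile) throws Exception {
        List<String> findings = new ArrayList<String>();
        DocumentBuilder db = DocumentBuilderFactory.newInstance().newDocumentBuilder();
        Document doc = db.parse(dsFile);

        // Step I: every connection-url must be an in-process URL such as
        // jdbc:hsqldb:localDB, never the hsql:// form that needs the TCP server.
        NodeList urls = doc.getElementsByTagName("connection-url");
        for (int i = 0; i < urls.getLength(); i++) {
            String url = urls.item(i).getTextContent().trim();
            if (url.startsWith(NETWORK_URL_PREFIX)) {
                findings.add("step I not applied: connection-url still uses the TCP server: " + url);
            }
        }

        // Step II: the server mbean must be gone. Comments are not elements,
        // so a commented-out mbean is not reported.
        NodeList mbeans = doc.getElementsByTagName("mbean");
        for (int i = 0; i < mbeans.getLength(); i++) {
            Element mbean = (Element) mbeans.item(i);
            if (!SERVER_MBEAN.equals(mbean.getAttribute("code"))) {
                continue;
            }
            String port = "(default)";
            NodeList attrs = mbean.getElementsByTagName("attribute");
            for (int j = 0; j < attrs.getLength(); j++) {
                Element a = (Element) attrs.item(j);
                if ("Port".equals(a.getAttribute("name"))) {
                    port = a.getTextContent().trim();
                }
            }
            findings.add("step II not applied: " + SERVER_MBEAN
                       + " still deployed, listening on port " + port);
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        File f = new File(args.length > 0 ? args[0] : "deploy/hsqldb-ds.xml");
        List<String> findings = audit(f);
        if (findings.isEmpty()) {
            System.out.println(f + ": HSQLDB is in-process only, no TCP listener configured");
        } else {
            for (String s : findings) {
                System.out.println(f + ": " + s);
            }
        }
    }
}
```

Run it against each server configuration directory that carries an
hsqldb-ds.xml (for example server/default/deploy); an unchanged file
reports both findings, a file edited as in the snippet reports none. Note
that the audit only confirms the configuration on disk; the listener goes
away once JBoss is restarted with the changed file.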
ADDITIONAL INFORMATION
The information has been provided by <mailto:marc@illegalaccess.org> Marc
Schoenefeld.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.