JBoss AS Administrative Console Password Disclosure

2013-06-06T00:00:00
ID PACKETSTORM:121920
Type packetstorm
Reporter amroot
Modified 2013-06-06T00:00:00

Description

                                        
                                            ` Product: Embedded Jopr - JBoss AS Administration Console  
Vendor: Red Hat Middleware, LLC  
Version: < 1.2  
Tested Version: 1.2  
Vendor Notified Date: May 29, 2013  
Release Date: June 03, 2013  
Risk: Moderate  
Authentication: Required  
Remote: Yes  
  
Description:  
Passwords submitted to the application are returned in clear form in   
later responses from the application. Although the password field is   
masked, it is visible via the page source regardless of SSL.  
This behavior increases the risk that passwords will be captured by an   
attacker.  
Specifically, this can be leveraged to pivot and gain access to   
configured databases by viewing the page source or using browser tools   
such as "inspect element" in chrome and firefox.  
Successful exploitation of this vulnerability results in taking   
complete control of database servers.  
  
Exploit steps for proof-of-concept:  
1. Navigate to: JBossAS Servers> JBoss AS> Resources> Datasources  
2. Select Datasource  
3. View page source  
4. Find input type="password"  
5. "value=" will contain the database password.  
6. Dump database.  
  
Vendor Notified: Yes  
Vendor Response: Does not consider this to be an exploitable security   
flaw due to type authenticated.  
  
Reference:  
CVE-2013-3734  
http://www.halock.com/blog/cve-2013-3734-jboss-administration-console-password-returned-response/  
amroot.com  
`