SAINT CorporationSAINT:420DB72DE21A605EE687D107C28BDE21RedHat JBoss Enterprise Application Platform JMX Console Authentication Bypass
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.973 High
EPSS
Percentile
99.9%
Added: 06/07/2010
CVE: CVE-2010-0738
BID: 39710
OSVDB: 64171
Background
JBoss Application Server (AS) is a full-featured open source Java application server that includes full support for J2EE-based APIs. JBoss AS runs on numerous operating systems (e.g., Linux, FreeBSD, Mac OS X, and Microsoft Windows), as long as a suitable Java Virtual Machine (JVM) is present.
Java Management Extensions (JMX) is a Java technology that provides tools for managing and monitoring applications, system objects, devices (e.g., printers) and service oriented networks. JMX Console is a JMX-based management console application for JBoss AS that comes bundled with the JBoss AS distribution.
Problem
JMX Console uses HTTP password authentication to control access to the application. However, JBoss AS allows verb-based authentication and access control (VBAAC), which allows specifying different access controls for different HTTP verbs (e.g., GET, POST, HEAD). The default JBoss AS authentication configuration restricts access to JMX Console via HTTP GET and POST verbs to users in the JBossAdmin role, but there is no restriction placed on access via other HTTP verbs. Since HEAD requests are executed by the GET verb handler, any command embedded in a HTTP HEAD request will be executed the same way as the same command using the GET request, but without requiring authentication and without sending the response body to the requester. By sending a crafted HTTP request with a verb other than GET or POST to the target server, a remote unauthenticated attacker can inject and execute arbitrary unrestricted Java code on the target server, including file access and invocation of command shell, in the context of the JBoss AS process, normally jboss on *NIX systems and SYSTEM on Windows systems.
Resolution
JBoss Enterprise Application Platform should be upgraded to 4.3 CP08, 4.2 CP09, or higher.
To secure the JMX Console, use the advanced installer options to configure JBoss to only allow authenticated administrative access.
References
<http://secunia.com/advisories/39563/>
Limitations
Exploit works on Red Hat JBoss Enterprise Application Platform 4.2.0.CP08.
The JMX Console service must be accessible remotely. By default, it is only accessible locally.
Platforms
Windows
Related
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.973 High
EPSS
Percentile
99.9%