RedHat JBoss Enterprise Application Platform JMX Console Authentication Bypass

2010-06-0700:00:00

SAINT Corporation

www.saintcorporation.com

0.974 High

EPSS

Percentile

99.9%

JSON

Added: 06/07/2010
CVE: CVE-2010-0738
BID: 39710
OSVDB: 64171

Background

JBoss Application Server (AS) is a full-featured open source Java application server that includes full support for J2EE-based APIs. JBoss AS runs on numerous operating systems (e.g., Linux, FreeBSD, Mac OS X, and Microsoft Windows), as long as a suitable Java Virtual Machine (JVM) is present.

Java Management Extensions (JMX) is a Java technology that provides tools for managing and monitoring applications, system objects, devices (e.g., printers) and service oriented networks. JMX Console is a JMX-based management console application for JBoss AS that comes bundled with the JBoss AS distribution.

Problem

JMX Console uses HTTP password authentication to control access to the application. However, JBoss AS allows verb-based authentication and access control (VBAAC), which allows specifying different access controls for different HTTP verbs (e.g., GET, POST, HEAD). The default JBoss AS authentication configuration restricts access to JMX Console via HTTP GET and POST verbs to users in the JBossAdmin role, but there is no restriction placed on access via other HTTP verbs. Since HEAD requests are executed by the GET verb handler, any command embedded in a HTTP HEAD request will be executed the same way as the same command using the GET request, but without requiring authentication and without sending the response body to the requester. By sending a crafted HTTP request with a verb other than GET or POST to the target server, a remote unauthenticated attacker can inject and execute arbitrary unrestricted Java code on the target server, including file access and invocation of command shell, in the context of the JBoss AS process, normally jboss on *NIX systems and SYSTEM on Windows systems.