Abusing JBoss, presented at Black Hat Europe 2010

by Christian Papathanasiou

Tags: Security Access Exploitation

Summary: JBoss Application Server is the open source implementation of the Java EE suite of services. Its easy-to-use server architecture and high flexibility make JBoss the ideal choice both for users just starting out with J2EE and for senior architects looking for a customizable middleware platform.
The pervasiveness of JBoss in enterprise JSP deployments is second to none, meaning there is an abundance of targets for blackhat and pentester alike. JBoss is usually invoked as root/SYSTEM, meaning that any successful exploitation usually results in immediate superuser privileges.
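The root/SYSTEM point above is worth verifying on any host you administer or assess, since it decides whether a deployment bug becomes a full host compromise. The shell snippet below is an added example and is not part of the original talk or its tool: it lists processes whose command line mentions JBoss and which run as root, reading either live `ps -eo user,pid,args` output or a saved copy of it. The sample `ps` output embedded here is constructed for demonstration.

```shell
#!/bin/sh
# Added example (not from the original abstract): flag JBoss-looking processes
# that run as root. Works on live `ps` output or on a saved copy of it.

# jboss_as_root [FILE]
#   FILE (optional): saved `ps -eo user,pid,args` output; default is live ps.
#   Prints "PID USER" for each root-owned process whose command line mentions
#   jboss. Exit status 0 = none found, 1 = at least one found.
jboss_as_root() {
    if [ -n "$1" ]; then cat "$1"; else ps -eo user,pid,args; fi |
    awk '$1 == "root" && tolower($0) ~ /jboss/ { print $2, $1; found = 1 }
         END { exit found ? 1 : 0 }'
}

# Constructed sample ps output: one JBoss instance under a service account,
# one started as root, plus unrelated processes.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
USER       PID COMMAND
root         1 /sbin/init
jboss     1234 /usr/bin/java -Dprogram.name=run.sh -Djboss.server.home.dir=/opt/jboss/server/default org.jboss.Main
root      2345 /usr/bin/java -Dprogram.name=run.sh org.jboss.Main -b 0.0.0.0
postgres  3456 /usr/lib/postgresql/bin/postgres
EOF

if jboss_as_root "$SAMPLE"; then
    echo "OK: no JBoss process running as root"
else
    echo "WARNING: JBoss process(es) running as root are listed above"
fi
rm -f "$SAMPLE"
```

Run it without the sample file (`jboss_as_root`) to check a live host; a non-zero exit status is the finding. The match is deliberately loose (any command line containing "jboss"), so review the printed lines rather than trusting the count blindly.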
A tool has been developed that is able to compromise an unprotected JBoss instance. The current state of the art in published literature involves having the JBoss instance connect back to the attacker to obtain a WAR file that is subsequently deployed. The tool that will be presented at Black Hat does this in situ and ultimately uploads a Metasploit payload, resulting in interactive command execution on the JBoss instance. On Windows platforms, a fully interactive reverse VNC shell can also be obtained through the Metasploit framework, and this will be demonstrated.
Depending on the platform that has been exploited and the level of access obtained, the tool is able to deploy the Metasploit payload as a persistent backdoor, in conjunction with the Metasploit framework's antivirus evasion techniques.
Due to the cross-platform nature of the Java language, we are able to compromise JBoss instances running on Linux, Mac OS X and Windows.