Bridging the Gap between the Enterprise and You - or - Who's the JBoss now? presented at HackLu 2008

by Patrick Hof, Jens Liebchen

Summary: The JBoss Application Server (JBoss AS) is a widely used open source Java application server. It is one part of the JBoss Enterprise Middleware Suite (JEMS), often used in rich enterprise solutions.
The security of a JBoss AS installation is directly related to its configuration before deploying it in production. Because of the size and complexity of JBoss and its components, securing it against all possible attack vectors is a hard job. If you look at JBoss installations on the internet, you will find a lot of insecurely configured deployments. Did you ever want to have a remote code execution on a .gov enterprise site? This is because, first, earlier JBoss default installations did not provide any kind of secure configuration (which is even stated in the manuals), and secondly, many of the installation instructions found on the internet only deal with getting JBoss to run, not with securing it properly.
Besides JBoss having a large attack surface, one does not find a lot of information on how to exploit these installations. The talk will fill this gap and demonstrate typical examples of insecure configurations, which lead to remote code execution on the involved hosts and which can easily be found in the real world.
First, we will cover the basics. What is this jmx-console, which you can easily find with a Google search on so many sites? Why is an open jmx-console often like a "Please execute your code here" sign for an attacker? Secondly, we go a bit deeper. What can we do if the jmx-console is password protected, or only reachable from internal hosts, which oftentimes means localhost? What are those ominous ports JBoss AS opens, and what can you use them for? Can we persuade the Application Server to deploy an application coming from some host on the internet? And finally, what can we do if the JBoss AS is placed in a DMZ behind a firewall that does not allow any outbound connections besides established ones? Can we still have remote code execution?
Although the talk is about an enterprise solution full of features, we will not go too deeply into the realm of JBoss (and therefore Java) enterprise development. No previous knowledge about JBoss is needed to follow the talk. There will be a lot of live demos, showing the real-world implications of the vulnerabilities we present.