
New Whitepaper: JBoss AS – Deploying WARs with the DeploymentFileRepository MBean

We released a new JBoss security whitepaper today, titled “JBoss Application Server – Deploying WARs with the DeploymentFileRepository MBean”. It explains how to deploy WAR files with the DeploymentFileRepository MBean and how this is possible even through Cross-Site Request Forgery (CSRF). The paper is available at

http://www.redteam-pentesting.de/publications/jboss

This new informational page also contains the now publicly released scripts used in the older paper “Bridging the Gap between the Enterprise and You – or – Who’s the JBoss now?”, which is also available there.

Abstract

The JBoss Application Server (JBoss AS) is a widely used, open source Java application server. It is part of the JBoss Enterprise Middleware Suite (JEMS) and is often used in large enterprise installations. The high modularity and versatility of this software, and the resulting complexity, make the JBoss AS a rewarding target for attackers in enterprise networks. This paper adds to the whitepaper “Bridging the Gap between the Enterprise and You – or – Who’s the JBoss now?” released by RedTeam Pentesting. It shows how to use the DeploymentFileRepository MBean to deploy a Web ARchive (WAR) without requiring outbound connections to be allowed for the JBoss AS. It also describes how this can be used in conjunction with CSRF to attack a JBoss AS with a protected JMX Console.

To make the JBoss research complete, I sent one new and two updated Metasploit modules to their mailing list. The updated modules improve on the already existing jboss_deploymentfilerepository.rb and jboss_maindeployer exploits. The new module jboss_bshdeployer.rb adds an exploit to install a WAR file via the BeanShellDeployer MBean's createScriptDeployment() method. If they do not make it to the main repository, you can always download them from the list post.
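The abstract and the module list above both come down to one observable: an invocation of a deployment MBean (DeploymentFileRepository, BSHDeployer, MainDeployer) through the JMX Console, which in the CSRF case arrives as a plain GET with a foreign Referer and no outbound traffic from JBoss. The following added example (not from the paper or from RedTeam Pentesting) scans constructed access-log lines for exactly that; the JMX object names in the comment are assumed from JBoss AS 4.x, and `jboss.internal` is an assumed trusted host.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined access-log format; not taken from the page.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2010:10:01:12 +0100] "GET /jmx-console/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2010:10:01:40 +0100] "GET /jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.admin%3Aservice%3DDeploymentFileRepository HTTP/1.1" 200 1422 "http://attacker.example/page.html" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2010:10:02:03 +0100] "POST /jmx-console/HtmlAdaptor HTTP/1.1" 200 1422 "http://jboss.internal:8080/jmx-console/" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2010:10:03:11 +0100] "GET /jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.deployer%3Aservice%3DBSHDeployer HTTP/1.1" 200 900 "-" "curl/7.19"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# MBeans whose invocation deploys code. Assumed object names (JBoss AS 4.x):
# jboss.admin:service=DeploymentFileRepository, jboss.deployer:service=BSHDeployer,
# jboss.system:service=MainDeployer. Matching on the short name is enough here.
WATCHED_MBEANS = ("DeploymentFileRepository", "BSHDeployer", "MainDeployer")

def analyse_line(line, trusted_hosts):
    """Return {'ip', 'mbean', 'findings'} for a JMX Console request, else None."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    url = urlsplit(m["url"])
    if not url.path.startswith("/jmx-console/"):
        return None
    params = parse_qs(url.query)          # also decodes %3A / %3D in the object name
    action = params.get("action", [""])[0]
    mbean = params.get("name", [""])[0]
    findings = []
    if action == "invokeOp" and any(w in mbean for w in WATCHED_MBEANS):
        findings.append("deployment-mbean-invocation")
        if m["method"] == "GET":
            # The whole invocation is a URL, i.e. something a CSRF page can make an
            # admin's browser fetch; JBoss itself needs no outbound connection.
            findings.append("invocation-via-GET")
    if m["referer"] != "-" and urlsplit(m["referer"]).hostname not in trusted_hosts:
        findings.append("foreign-referer")
    return {"ip": m["ip"], "mbean": mbean, "findings": findings}

def scan_log(text, trusted_hosts=("jboss.internal",)):
    """Return only the entries that produced at least one finding."""
    hits = []
    for line in text.splitlines():
        entry = analyse_line(line, trusted_hosts)
        if entry and entry["findings"]:
            hits.append(entry)
    return hits
```

Parameters of a POST-submitted invocation (third sample line) are in the request body and never reach the access log, so this check covers only the URL-encoded form; for the POST path, correlate with JBoss server logs or add a Referer/token check in front of the JMX Console.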
