
{ Tag Archives } jboss

Scanning JBoss AS for open Invokers

Apparently, the guys at Acunetix were tired of examining their JBoss Application Servers manually for vulnerabilities. In their Web Vulnerability Scanner from Version 6.5 build 20091215 on, they integrated various checks for the stuff from our JBoss paper.
To give you a little reminder: Always check for

http://www.example.com/jmx-console
http://www.example.com/web-console
http://www.example.com/web-console/Invoker
http://www.example.com/invoker/JMXInvokerServlet

and any open JBoss Remoting / RMI ports. See the [...]


JBoss Paper: English version released

We finally got around to translating and releasing the 27+ pages of our JBoss paper (see also this post). That was quite some work; the first versions of my translations always read like a one-to-one translation from German. Then I read it again and correct those horrible-sounding sentences to what I hope is [...]


FrOSCon 2009

First of all, please excuse the lack of blog posts in the last few weeks. We are currently on a very busy schedule, which is good for business but bad for blog posts and related stuff :). I hope I’ll be able to post more regularly in the coming weeks.
On August 22nd, we will present our [...]


“Who’s the JBoss now?” Whitepaper released

We finally released the Whitepaper for our JBoss Application Server talk (the one we held e.g. at the hack.lu 2008 and the 16th DFN-CERT).
The paper gives you a more detailed overview of the JBoss AS internals we used in the attacks, as well as a complete description of the individual exploitation techniques.
The only catch [...]


JBoss Talk at the RWTH Aachen University

On May 19th 2009, we will give our JBoss talk (in German) at the Center for Computing and Communication of RWTH Aachen University (see their announcement). As we have more time than at the DFN-CERT, we will be able to demonstrate all attacks live and generally go into a little bit more detail. You [...]
