Monday, February 22, 2010

JBoss Attacks

Read this first:
Hacking Unprotected JBOSS JMX Console Installations

An unprotected JMX console is a serious problem that doesn't get much attention. There are about a million Google dorks you can use to find one (or several). In addition to the ones in the linked post, I like:
inurl:"HtmlAdaptor" inurl:"maindeployer"
and
intitle:"tomcat status" inurl:8080

And of course you can find unprotected JMX consoles in any number of other ways. Access to the console lets you do things like shut down the server or deploy your own J2EE apps.
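The fix is on the server side: the security constraint that JBoss ships commented out in jmx-console.war/WEB-INF/web.xml has to be enabled (together with the security-domain in jboss-web.xml, and with the default admin credentials changed). Below is an added Python check, my code rather than the post's or JBoss's, that parses a copy of that descriptor and reports whether HtmlAdaptor is actually behind an auth-constraint. The sample descriptor inside it is constructed, modelled on the shipped one; the CONSOLE_PATTERNS set and the wording of the findings are my own.

```python
"""Check whether a JBoss jmx-console web.xml really protects HtmlAdaptor.

Added example; not code from the post or from JBoss. Uses only the
standard library, so it can run on a copy of the descriptor offline.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the descriptor JBoss AS 4/5 ships in
# server/<config>/deploy/jmx-console.war/WEB-INF/web.xml. Here the
# constraint is enabled but limited to GET and POST.
SAMPLE_WEB_XML = """\
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>HtmlAdaptor</servlet-name>
    <servlet-class>org.jboss.jmx.adaptor.html.HtmlAdaptorServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>HtmlAdaptor</servlet-name>
    <url-pattern>/HtmlAdaptor</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>JBoss JMX Console</realm-name>
  </login-config>
</web-app>
"""

# The as-shipped state: the whole constraint sits inside an XML comment.
COMMENTED_OUT_WEB_XML = SAMPLE_WEB_XML.replace(
    '<security-constraint>', '<!-- <security-constraint>').replace(
    '</security-constraint>', '</security-constraint> -->')

# Hardened: no <http-method> list, so the constraint covers every method.
HARDENED_WEB_XML = re.sub(r'\n\s*<http-method>\w+</http-method>', '', SAMPLE_WEB_XML)

# url-patterns that put the console servlet behind the constraint (assumed set).
CONSOLE_PATTERNS = {'/*', '/HtmlAdaptor', '/HtmlAdaptor/*'}


def _local(tag):
    """Drop the namespace prefix ElementTree puts on tag names."""
    return tag.rsplit('}', 1)[-1]


def _texts(elem, name):
    """Stripped text of every descendant of elem with the given local name."""
    return [c.text.strip() for c in elem.iter() if _local(c.tag) == name and c.text]


def audit_web_xml(xml_text):
    """Return a list of findings; an empty list means HtmlAdaptor is protected."""
    root = ET.fromstring(xml_text)  # XML comments are dropped, as the container does
    findings = []
    constraints = [c for c in root.iter() if _local(c.tag) == 'security-constraint']
    if not constraints:
        return ['no <security-constraint>: the JMX console is reachable without authentication']
    covered = False
    for sc in constraints:
        if not CONSOLE_PATTERNS & set(_texts(sc, 'url-pattern')):
            continue  # this constraint is about some other path
        covered = True
        if not any(_local(c.tag) == 'auth-constraint' for c in sc.iter()):
            findings.append('constraint covers HtmlAdaptor but has no <auth-constraint>, so no login is required')
        methods = _texts(sc, 'http-method')
        if methods:
            findings.append('constraint lists <http-method> %s; remove the list so every method requires authentication'
                            % ', '.join(methods))
    if not covered:
        findings.append('no security-constraint url-pattern covers /HtmlAdaptor')
    elif not any(_local(c.tag) == 'login-config' for c in root.iter()):
        findings.append('no <login-config>: the container has no way to challenge for credentials')
    return findings


if __name__ == '__main__':
    for label, doc in (('as shipped', COMMENTED_OUT_WEB_XML),
                       ('GET/POST only', SAMPLE_WEB_XML),
                       ('hardened', HARDENED_WEB_XML)):
        print(label, '->', audit_web_xml(doc) or 'OK')
```

Run it against the real file with `audit_web_xml(open(path).read())`; the three constructed variants show the progression from the shipped descriptor (constraint commented out, console open) to one that requires a JBossAdmin login for every HTTP method.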

What I also found interesting is that this functionality is completely CSRF-able. So even if YOU can't get to a particular site's JMX console, you may be able to CSRF someone else who can. Unfortunately there's no persistent authentication, so it might not be completely reliable; but it's a nice trick if you can make it work.

<img src="http://jbosshost:8080/jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system%3Atype%3DServer&methodIndex=0" />
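Whether the console is hit directly or through a victim's browser as in the img tag above, the request lands in the web container's access log. The following is an added detection example (my code, not the post's) run over constructed Tomcat/JBoss combined-format log lines: it parses each line, picks out HtmlAdaptor requests, decodes the MBean name from the query string, and flags operation invocations made without an authenticated user, cross-site GET invocations whose Referer is another origin (the CSRF pattern above), and operations against the Server and MainDeployer MBeans. The log format, the server_host value and the sample lines are assumptions.

```python
"""Flag suspicious JMX console (HtmlAdaptor) requests in an access log.

Added example; not code from the post. Assumes the container writes the
"combined" access-log format (Referer and User-Agent appended).
"""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines: a normal admin browse, a normal admin read,
# a cross-site unauthenticated GET invocation, and an unauthenticated POST.
SAMPLE_LOG = """\
10.0.0.5 - admin [22/Feb/2010:10:01:12 +0000] "GET /jmx-console/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - admin [22/Feb/2010:10:01:40 +0000] "GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system%3Atype%3DServer HTTP/1.1" 200 3300 "http://jbosshost:8080/jmx-console/" "Mozilla/5.0"
10.0.0.5 - - [22/Feb/2010:10:02:30 +0000] "GET /jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system%3Atype%3DServer&methodIndex=0 HTTP/1.1" 200 1200 "http://evil.example/page.html" "Mozilla/5.0"
203.0.113.7 - - [22/Feb/2010:10:05:01 +0000] "POST /jmx-console/HtmlAdaptor HTTP/1.1" 200 800 "-" "curl/7.19.7"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# MBeans whose operations change server state, with a label for the alert.
SENSITIVE_MBEANS = {
    'jboss.system:type=Server': 'server control (shutdown/halt)',
    'jboss.system:service=MainDeployer': 'application deployment',
}


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(log_text, server_host):
    """Return one alert dict per suspicious HtmlAdaptor request.

    server_host is the host:port the console is served from (assumed); a
    Referer from any other host on a GET invocation is treated as cross-site.
    """
    alerts = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec['target'])
        if not url.path.startswith('/jmx-console/HtmlAdaptor'):
            continue
        q = parse_qs(url.query)               # also decodes %3A / %3D in the MBean name
        action = q.get('action', [''])[0]
        mbean = q.get('name', [''])[0]
        reasons = []
        # Operation invocation: via the query string on GET, or a form POST
        # (whose parameters are in the body and therefore not logged).
        if action.startswith('invokeOp') or rec['method'] == 'POST':
            if rec['user'] == '-':
                reasons.append('operation invoked without an authenticated user')
            ref_host = urlsplit(rec['referer']).netloc
            if rec['method'] == 'GET' and ref_host and ref_host != server_host:
                reasons.append('cross-site GET invocation (Referer %s): CSRF pattern' % ref_host)
            if mbean in SENSITIVE_MBEANS:
                reasons.append('targets %s: %s' % (mbean, SENSITIVE_MBEANS[mbean]))
        elif rec['user'] == '-' and rec['status'] == '200':
            reasons.append('console page served without authentication')
        if reasons:
            alerts.append({'line': n, 'ip': rec['ip'], 'action': action or rec['method'],
                           'mbean': mbean, 'reasons': reasons})
    return alerts


if __name__ == '__main__':
    for a in analyze(SAMPLE_LOG, 'jbosshost:8080'):
        print('line %d from %s: %s' % (a['line'], a['ip'], '; '.join(a['reasons'])))
```

A missing Referer is not treated as evidence either way, since browsers and proxies strip it inconsistently; the strong signals are an operation invoked with no authenticated user and a GET invocation referred from a foreign origin, which is exactly what the img-tag trick produces.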

2 comments:

Zafar Khatri said...

An unprotected JMX console is a serious problem that doesn't get much attention. Awards Store

Susanne Green said...

I just came across your blog and wanted to drop you a note telling you how impressed I was with the information you have posted here.
Thanks
Susanne Green
medical assistant