Vulnerability Details

Jboss Of webUI Interface http://ip:port/jmx-console Unauthorized access ( Or default password admin/admin ), Can lead to JBoss Information disclosure of deployment management , Attackers can also upload Trojans directly to get webshell.

scope

 All lower versions 

Docker Build a shooting range environment

1. docker search testjboss
   

2. docker pull testjboss/jobss
   

3. docker run -p 8080:8080 -d testjboss/jboss
   

Loophole recurrence

1. Visit the range address . As shown in the figure, it is successfully built .
   

2. visit http://ip:8080/jmx-console/ If you can enter directly or log in through the default account password, it means that there is a vulnerability .
   

3. Remote deployment war package .
   find jboss.deployment Options flavor=URL,type=DeploymentScanner Click in .
   

4. Enter the page and find void addURL()
   

5. At this time, deploy our remote war Trojan horse .（ need jdk Environmental Science ）
   
   

6. Access the address in the browser , get war Package path .
   

7. And then click Invoke Deploy
   

8. Then came URLList View in Value Whether the value has been deployed , And for our remote war Trojan horse address .

9. find jboss.web.deployment Check whether there are any war Trojan horse .
   
10. At this point, you can see that the deployment has been successful .

11. Access address ：http://ip/cmd/shell.jsp（eg：aaa.war ;cmd=aaa）

Protection suggestions

    1、 Yes jmx-console and web-console Add strong authentication for interface access .

    2、 close jmx-console and web-console, Improve safety .