supermanhamuerto.com

User Tools

Site Tools

Trace: hamburguesas modem3g
java:jboss

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
java:jboss [2010/10/18 16:10] rlunarojava:jboss [2024/10/05 17:00] (current) rlunaro
Line 4: Line 4:
  
   * [[LdapExtLoginModule]]   * [[LdapExtLoginModule]]
 +  * [[LDAPConfigFromTheGround|Configuring LDAP for an application from the ground]]
 +  * [[http://community.jboss.org/wiki/SecureJBoss|Secure Jboss]]
 +  * [[StaticMiniSiteInJBoss|How to create a mini web site to serve static content]]
 +
 +
  
 ===== Version JBoss [The Oracle] 5.1.0.GA ===== ===== Version JBoss [The Oracle] 5.1.0.GA =====
Line 51: Line 56:
 En ''run.bat'' añadiremos ''--host=%BIND_ADDRESS%'' justo donde puede verse aquí:  En ''run.bat'' añadiremos ''--host=%BIND_ADDRESS%'' justo donde puede verse aquí: 
  
-</code>+<code> 
 :RESTART :RESTART
 "%JAVA%" %JAVA_OPTS% ^ "%JAVA%" %JAVA_OPTS% ^
Line 62: Line 68:
 </code> </code>
  
 +==== Securing JMX Console ====
 +
 +I am copying this webpage:
 +
 +[[http://www.articlesbase.com/security-articles/exploitation-and-remediation-of-jboss-application-server-default-configuration-vulnerability-1889469.html]]
 +
 +because I found very interesting: it covers a topic in securization important. 
 +
 +Exploitation and Remediation of JBoss Application Server default configuration vulnerability
 +
 +A lot of servers these days are found to have their JBoss Management Console open to the world, without any authentication, no password or default password!
 +
 +A huge and silly vulnerability!
 +
 +JBoss Management Console or JMX-Console provides a view into the microkernel of the Jboss application server, as well as access to the MBeans of the application server. This console can be used to configure the MBeans of the JBoss server.  With default configuration the JMX console on url http://vulnerablehost:8080/jmx-console/ can be accessed without authentication or sometime bypassing authentication using default credentials (admin/admin).
 +
 +What an attacker can do?
 +
 +Any remote user can completely control the server, having full control to a lot of server configurations and internal network and infrastructure information disclosure, you can change the web service listening port (I test this with one of them, then I put back the original port), view internal IPs and start connections to a client, a lot of server absolute paths, you can change security configurations… too much power with almost no knowledge needed.
 +
 +Two most common exploitation scenarios:
 +Shutting down JBoss with the JMX Console
 +Open the JMXConsole in your browser (for example: http://localhost:8080/jmx-console)
 +
 +Navigate to the jboss.system:type=Server mbean (hint
 +: you can probably just CTRL-F and enter in the dialog box)
 +
 +Click on the jboss.system:
 +
 +Scroll down to "Shutdown" and press invoke
 +
 +Say bye bye to JBoss.
 +
 +Inclusion of malicious URLs using the DeploymentScanner:
 +
 +It is necessary to create a WAR file with WEB-INF a JSP to execute system commands.
 +
 +Navigate the browser to the
 +
 +jboss.deployment:flavor=URL,
 +
 +type=DeploymentScanner mbean
 +
 +(http://[host]:8080/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.deployment:type=DeploymentScanner,flavor=URL)
 +
 +Add the URL of the customized WAR file with the addURL() command
 +
 +Access the deployed application and start executing commands with the same privilege assigned to the Application server itself.
 +
 +How to guard against:
 +
 +Secure the JMX Console using a username/password file
 +
 +Locate the jmx-console.war directory. Normally found in server/default/deploy in your JBOSS_HOME directory.
 +
 +Edit the WEB-INF/web.xml; uncomment the security-constraint block.
 +
 +Edit the WEB-INF/jmx-console-users.properties or server/default/conf/props/jmx-console-users.properties (version>=4.0.2) and WEB-INF/jmx-console- roles.properties or server/default/conf/props/jmx-console-roles.properties (version>=4.0.2) and change the users and passwords to what you desire.  Please note: They will need the JBossAdmin role specified in the web.xml file to run the JMX Console.
 +
 +Edit the WEB-INF/jboss-web.xml, uncomment the security-domain block. The security-domain value of jmx-console maps is declared in the login-config.xml JAAS configuration file which defines how authentication and authorization is done.
 +
 +Secure the JMX Console using your own JAAS domain
 +
 +Edit the WEB-INF/web.xml as above, uncommenting the security-constraint block. Change the role-name value to be the role in your domain that can access the console
 +
 +Edit the WEB-INF/jboss-web.xml as in step1, set the security domain to be the name of your security domain. For example, if your login-config.xml has an application-policy whose name is MyDomain then your JAAS domain java:/jaas/MyDomain
 +
 +Redeploy the application
 +
 +Secure the web console
 +
 +In the deploy directory, locate management/web-console.war and make the same changes as above to the WEB-INF/web.xml, WEB-INF/jboss-web.xml and the users/groups properties file.
 +
 +
 +Read more: http://www.articlesbase.com/security-articles/exploitation-and-remediation-of-jboss-application-server-default-configuration-vulnerability-1889469.html#ixzz12uem4hCj
 +Under Creative Commons License: Attribution
  
  
java/jboss.1287418244.txt.gz · Last modified: 2022/12/02 21:02 (external edit)