F*cking JBoss Pwned
Talk given on 4 December 2011 at the Conferência O Outro Lado (CoOL)

Published in: Technology
Transcript

  • 1. 4 December 2011, São Paulo/SP
  • 2. F*ck1ng Pwn3d
  • 3. ● Information Security Analyst;
    ● Independent consultant;
    ● Lecturer;
    ● DCLabs Security Team
  • 4. Java application server based on the J2EE standard, responsible for hosting, publishing and managing corporate portals.
    ● Pros: easy to deploy and maintain, scales and clusters well;
    ● Cons: heavy resource consumption, complicated tuning.
  • 5. The Vulnerability
  • 6. ● CVE-2010-0738, published 26 April 2010
    ● JMX-Console Authentication Bypass. Affected products:
      JBoss Communications Platform 1.2
      JBoss Enterprise Application Platform (EAP) 4.2, 4.3, 5.0
      JBoss Enterprise Portal Platform (EPP) 4.3
      JBoss Application Server (AS) 4.0.x
      JBoss Enterprise Web Platform (EWP) 5.0
      JBoss SOA-Platform (SOA-P) 4.2, 4.3, 5.0
  • 7. The worm:
    ● Disclosed in October 2011;
    ● Exploits CVE-2010-0738;
    ● JBoss's authentication is insufficient: the jmx-console security constraint in web.xml lists only the GET and POST methods, so a request using any other verb (HEAD, for instance) reaches the JMX invoker without credentials.
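As an added example that is not part of the talk, a Python check for the configuration behind CVE-2010-0738: a jmx-console security constraint that names only GET and POST. The web.xml text below is constructed in the shape of JBoss's jmx-console WEB-INF/web.xml (the J2EE 2.4 default namespace is assumed; it is not a file from a real deployment). The audit reports which verbs each constraint covers, and `harden` removes the http-method elements so the auth-constraint applies to every verb, which is what the vendor fix does.

```python
import xml.etree.ElementTree as ET

J2EE_NS = "http://java.sun.com/xml/ns/j2ee"
# Keep the default namespace on re-serialisation instead of an ns0: prefix.
ET.register_namespace("", J2EE_NS)

# Constructed sample in the shape of jmx-console's WEB-INF/web.xml (not a real file):
# the constraint names GET and POST, so HEAD/PUT/DELETE/OPTIONS bypass the auth-constraint.
VULNERABLE_WEB_XML = f"""<?xml version="1.0"?>
<web-app xmlns="{J2EE_NS}" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip the namespace from an ElementTree tag: '{uri}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def audit_security_constraints(web_xml_text):
    """Report every <security-constraint> in a web.xml.

    Returns one dict per constraint: the url-patterns, the http-methods named,
    the roles required and whether all verbs are covered. A constraint that
    names methods is enforced only for those methods; any other verb is passed
    to the servlet unauthenticated (HTTP verb tampering).
    """
    root = ET.fromstring(web_xml_text)
    findings = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns, methods, roles = [], [], []
        for el in sc.iter():
            text = (el.text or "").strip()
            name = _local(el.tag)
            if name == "url-pattern":
                patterns.append(text)
            elif name == "http-method":
                methods.append(text.upper())
            elif name == "role-name":
                roles.append(text)
        findings.append({
            "url_patterns": patterns,
            "methods": methods,
            "roles": roles,
            "covers_all_methods": not methods,
        })
    return findings


def is_bypassable(web_xml_text):
    """True when the webapp has no constraint at all (jmx-console shipped with
    it commented out) or a constraint that leaves some HTTP verb unprotected."""
    findings = audit_security_constraints(web_xml_text)
    if not findings:
        return True
    return any(not f["covers_all_methods"] for f in findings)


def harden(web_xml_text):
    """Return the web.xml with every <http-method> removed from its security
    constraints, so each auth-constraint applies to all verbs."""
    root = ET.fromstring(web_xml_text)
    constraints = [e for e in root.iter() if _local(e.tag) == "security-constraint"]
    for sc in constraints:
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            for hm in [c for c in wrc if _local(c.tag) == "http-method"]:
                wrc.remove(hm)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for f in audit_security_constraints(VULNERABLE_WEB_XML):
        print(f)
    print("bypassable:", is_bypassable(VULNERABLE_WEB_XML))
    print("after hardening:", is_bypassable(harden(VULNERABLE_WEB_XML)))
```

Run the audit against `<JBOSS_HOME>/server/<config>/deploy/jmx-console.war/WEB-INF/web.xml` and the web-console equivalent; an empty findings list means the console is open to everyone, a non-empty methods list means verb tampering works.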
  • 8. Banner scan output, one host per line (IP : port : TXT : banner; banners are truncated as captured, \r\n marks a header line break):
    186.192.127.7 : 80 : TXT : JBoss-4.2.2.GA (build: SVNTag=JBoss_4_2_2_GA date=200710221139)/
    212.211.201.58 : 80 : TXT : JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomc
    67.213.226.244 : 80 : TXT : JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=201001210934)/
    144.229.36.148 : 80 : TXT : JBoss-5.0/JBossWeb-2.1\r\nExpires: Sun, 27 Nov 2011 09:04:20 GMT\r\n
    144.229.36.147 : 80 : TXT : JBoss-5.0/JBossWeb-2.1\r\nExpires: Sun, 27 Nov 2011 09:04:20 GMT\r\n
    82.230.168.87 : 8080 : TXT : JBossAS-6\r\nAccept-Ranges: bytes\r\nETag: W/"1554-1310895539000"\r\nL
    46.231.186.15 : 8080 : TXT : JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181439)/
    77.242.167.176 : 80 : TXT : JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomc
    77.242.240.99 : 80 : TXT : JBoss-4.3.0.GA_CP08 (build: SVNTag=JBPAPP_4_3_0_GA_CP08 date=201
    85.254.68.40 : 8080 : TXT : JBoss-4.0.1sp1 (build: CVSTag=JBoss_4_0_1_SP1 date=200502160314)
    69.5.221.10 : 80 : TXT : JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200904241611)
    209.62.23.250 : 80 : TXT : JBoss-4.2.2.GA (build: SVNTag=JBoss_4_2_2_GA date=200710221139)/
    209.62.155.16 : 80 : TXT : JBoss-4.2.0.GA_CP05 (build: SVNTag=JBPAPP_4_2_0_GA_CP05 date=200
    209.62.155.17 : 80 : TXT : JBoss-4.2.0.GA_CP05 (build: SVNTag=JBPAPP_4_2_0_GA_CP05 date=200
    209.62.173.76 : 80 : TXT : JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=201002101307)/
    209.62.173.102 : 80 : TXT : JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200911061539)/
    209.62.173.130 : 80 : TXT : JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=201001210934)/
    209.62.173.148 : 80 : TXT : JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=201001210934)/
    209.62.173.231 : 80 : TXT : JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=201001210934)/
    209.62.173.207 : 80 : TXT : JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=201001210934)/
    203.72.158.244 : 8080 : TXT : JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/
    200.174.238.68 : 80 : TXT : JBoss-5.0/JBossWeb-2.1\r\nAccept-Ranges: bytes\r\nETag: W/"291-13220
  • 9. Identifying the attack
  • 10. ● Drop in server and network performance;
    ● Excessive number of outbound requests to the internet;
    ● Suspicious .war directories in the JBoss tree:
      ● <JBOSS_HOME>/deploy/management/iesvc.war
      ● <JBOSS_HOME>/deploy/management/zecmd.war
    ● Malicious files (the sources of the pnscan port scanner plus the worm's own scripts):
      ● bm.c / bm.h
      ● pnscan.c
      ● version.c
      ● Makefile
      ● install-sh
      ● ipsort
      ● kisses.tar.gz
      ● linda.pl
      ● javaoslix.pl
      ● jbossp.d
  • 11. ● Linux: lsof -i | grep pnscan and lsof -i | grep perl
    perl 14483 acme 3u IPv4 20645122 TCP vitima:55599->user-84.hbadesign.com:ddi-tcp-1 (CLOSE_WAIT)
    perl 27910 acme 3u IPv4 19993885 TCP vitima:40901->user-84.hbadesign.com:ddi-tcp-1 (ESTABLISHED)
    perl 29854 acme 3u IPv4 12214311 TCP vitima:52894->user-84.hbadesign.com:ircd (ESTABLISHED)
    (ddi-tcp-1 and ircd are the /etc/services names for TCP ports 8888 and 6667: perl processes owned by the JBoss user holding connections to an IRC-style port are the worm's bot scripts talking to their controller.)
  • 12. ● Windows: Handle and Process Explorer (Sysinternals)
  • 13. Countermeasures, part 1
  • 14. ● Remove the suspicious .war directories and the files listed above;
    ● Kill every perl and pnscan process:
      ● lsof -i | grep perl | awk '{ print $2 }' | xargs kill -9
      ● lsof -i | grep pnscan | awk '{ print $2 }' | xargs kill -9
      ● pids=$(ps aux | grep '[p]nscan' | awk '{ print $2 }'); for i in $pids; do kill -9 $i; done
      (the awk program must be quoted so the shell does not expand $2; the [p] bracket keeps grep from matching its own command line)
    ● Check:
      ● cron schedules;
      ● the /tmp, /home and /var/tmp directories.
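The identification and cleanup steps on slides 10, 11 and 14, as an added Python example that is not part of the talk: it parses `lsof -i` output for perl/pnscan processes with an outbound connection, and walks a directory tree for the worm's .war names and dropped files. The three perl lines in the sample are the ones shown on slide 11; the header, the java line and the `0t0` SIZE/OFF column are constructed, and the temporary tree that `demo_scan` builds is constructed too. It returns PIDs and paths rather than killing or deleting anything, so the operator decides what to act on.

```python
import os
import re
import tempfile

# Indicators from the talk: the worm's webapps and the files it drops (pnscan sources + scripts).
WORM_WARS = {"iesvc.war", "zecmd.war"}
WORM_FILES = {"bm.c", "bm.h", "pnscan.c", "version.c", "Makefile", "install-sh", "ipsort",
              "kisses.tar.gz", "linda.pl", "javaoslix.pl", "jbossp.d"}
# Processes the worm runs, and the /etc/services names (and numbers) of the ports seen in the
# slide-11 output: ddi-tcp-1 = 8888/tcp, ircd = 6667/tcp.
SUSPECT_CMDS = {"perl", "pnscan"}
C2_PORTS = {"ddi-tcp-1", "8888", "ircd", "6667"}

# `lsof -i` columns: COMMAND PID USER FD TYPE DEVICE [SIZE/OFF] NODE NAME [(STATE)]
LSOF_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+IPv[46]\s+\S+\s+(?:\S+\s+)?"
    r"(?P<node>TCP|UDP)\s+(?P<name>.+?)(?:\s+\((?P<state>[A-Z_]+)\))?\s*$"
)

# Sample output: the three perl lines are from slide 11; header and java line are constructed.
SAMPLE_LSOF = """\
COMMAND   PID USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
java     1201 acme   45u  IPv4 19990001      0t0  TCP *:8080 (LISTEN)
perl    14483 acme    3u  IPv4 20645122      0t0  TCP vitima:55599->user-84.hbadesign.com:ddi-tcp-1 (CLOSE_WAIT)
perl    27910 acme    3u  IPv4 19993885      0t0  TCP vitima:40901->user-84.hbadesign.com:ddi-tcp-1 (ESTABLISHED)
perl    29854 acme    3u  IPv4 12214311      0t0  TCP vitima:52894->user-84.hbadesign.com:ircd (ESTABLISHED)
"""


def suspicious_connections(lsof_text):
    """Return the perl/pnscan sockets that have a remote peer, with peer and state.

    Listening or unconnected sockets ("*:8080") are skipped: the slide-11 indicator is an
    outbound connection from an interpreter the application server has no reason to run.
    """
    hits = []
    for line in lsof_text.splitlines():
        m = LSOF_RE.match(line)
        if not m or m["cmd"] not in SUSPECT_CMDS or "->" not in m["name"]:
            continue
        remote = m["name"].split("->", 1)[1]
        port = remote.rsplit(":", 1)[-1]
        hits.append({
            "cmd": m["cmd"],
            "pid": int(m["pid"]),
            "user": m["user"],
            "remote": remote,
            "state": m["state"] or "",
            "c2_port": port in C2_PORTS,
        })
    return hits


def pids_to_kill(lsof_text):
    """Distinct PIDs behind the suspicious connections (what slide 14's xargs kill -9 acts on)."""
    return sorted({h["pid"] for h in suspicious_connections(lsof_text)})


def scan_tree(root):
    """Walk a tree (JBoss deploy dir, /tmp, /home, /var/tmp) and return every path whose
    name is one of the worm's .war directories or dropped files."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if name in WORM_WARS or name in WORM_FILES:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def demo_scan():
    """Build a constructed tree with one worm webapp, one dropped script and one benign
    file, and return the relative paths that scan_tree flags."""
    root = tempfile.mkdtemp(prefix="jboss-demo-")
    os.makedirs(os.path.join(root, "deploy", "management", "zecmd.war"))
    os.makedirs(os.path.join(root, "tmp"))
    for name in ("linda.pl", "notes.txt"):
        open(os.path.join(root, "tmp", name), "w").close()
    return [os.path.relpath(p, root).replace(os.sep, "/") for p in scan_tree(root)]


if __name__ == "__main__":
    for h in suspicious_connections(SAMPLE_LSOF):
        print(h)
    print("kill:", pids_to_kill(SAMPLE_LSOF))
    print("found:", demo_scan())
```

On a live host, feed it `subprocess.check_output(["lsof", "-i", "-n", "-P"])` (the `-P` flag prints port numbers instead of service names, which is why C2_PORTS lists both forms) and call `scan_tree` on the JBoss deploy directory and the temp directories slide 14 names.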
  • 15. Countermeasures, part 2
  • 16. ● Update JBoss?
    ● Remove the jmx-console.war and web-console.war directories and restart JBoss:
      rm -fr <JBOSS_HOME>/server/deploy/jmx-console
      rm -fr <JBOSS_HOME>/server/deploy/management/console-mgr.sar/web-console.war
    ● Remove gcc, make, ...;
    ● Monitor attack attempts with an IDS (Snort SID 18794) and/or a HIDS;
    ● Monitor existing connections:
      ● netstat -tanep | grep LISTEN | grep -v 127.0.0.1 | sort
    ● Monitor changes to the directories.
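The `netstat -tanep | grep LISTEN | grep -v 127.0.0.1 | sort` line on slide 16 gives a one-off view; what makes it monitoring is a baseline to diff against. The Python below is an added example, not from the talk: it parses Linux `netstat -tanep` output (columns Proto, Recv-Q, Send-Q, Local Address, Foreign Address, State, User, Inode, PID/Program name), keeps LISTEN sockets not bound to loopback, and reports listeners absent from the baseline. Both captures are constructed and the PIDs and program names in them are invented.

```python
import re

# Linux `netstat -tanep` row: Proto Recv-Q Send-Q Local Foreign State User Inode PID/Program
NETSTAT_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+(?P<state>\S+)\s+"
    r"(?P<user>\d+)\s+(?P<inode>\d+)\s+(?P<prog>\S+)"
)

# Constructed captures (PIDs and names invented): a clean baseline, and a later snapshot in
# which a perl process has opened a listener on every interface.
BASELINE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          12345      777/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      0          11111      900/master
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      1001       19990001   1201/java
tcp6       0      0 :::8009                 :::*                    LISTEN      1001       19990002   1201/java
"""

CURRENT_NETSTAT = BASELINE_NETSTAT + """\
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      1001       20000002   29854/perl
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      26         20000003   1300/postgres
tcp        0      0 10.0.0.5:52894          203.0.113.9:6667        ESTABLISHED 1001       12214311   29854/perl
"""


def split_endpoint(addr):
    """'0.0.0.0:8080' -> ('0.0.0.0', '8080'); ':::8009' -> ('::', '8009')."""
    host, port = addr.rsplit(":", 1)
    return host, port


def is_loopback(host):
    # Mirrors the slide's `grep -v 127.0.0.1`, extended to the IPv6 loopback.
    return host.startswith("127.") or host == "::1"


def listeners(netstat_text):
    """Map (host, port) -> 'PID/program' for LISTEN sockets not bound to loopback."""
    found = {}
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m or m["state"] != "LISTEN":
            continue
        host, port = split_endpoint(m["local"])
        if is_loopback(host):
            continue
        found[(host, port)] = m["prog"]
    return found


def new_listeners(baseline_text, current_text):
    """Listeners present now but absent from the baseline, as (host, port, 'PID/program')."""
    base = listeners(baseline_text)
    now = listeners(current_text)
    return sorted((h, p, prog) for (h, p), prog in now.items() if (h, p) not in base)


if __name__ == "__main__":
    for entry in new_listeners(BASELINE_NETSTAT, CURRENT_NETSTAT):
        print("new listener:", entry)
```

Save `netstat -tanep` output once the host is known clean, run the diff from cron, and alert on any non-empty result; a new listener owned by the JBoss user's perl process is exactly the signal slides 11 and 14 describe.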
  • 17. Links
    ● JBoss Worm Analysis in Details - http://bit.ly/srjgsZ
    ● CVE-2010-0738 - http://bit.ly/uqg7GE
    ● Snort SID 18794 - http://bit.ly/teVp8H
    ● Handle - http://bit.ly/gw0jel
    ● Process Explorer - http://bit.ly/fzWyfq
    ● JBoss Worm [jwmr-d] - http://bit.ly/ulToUp
  • 18. Contacts
    Emails: alexos@alexos.org, alexos@dclabs.com.br
    Sites: http://www.dclabs.com.br, http://alexos.org
    Twitter: @alexandrosilva
