F*cking JBoss Pwned
Talk given on 4 December 2011 at the Conferência O Outro Lado (CoOL)

Presentation Transcript

  • 4 December 2011, São Paulo/SP
  • F*ck1ng Pwn3d
  • ● Information Security Analyst;
    ● Independent consultant;
    ● Professor;
    ● DCLabs Security Team
  • JBoss: a Java application server built on the J2EE standard, responsible for hosting, publishing and managing corporate portals.
    ● Pros:
      ● Easy to deploy and maintain; scales and clusters well;
    ● Cons:
      ● Heavy resource consumption; tuning is hard.
  • The Vulnerability
  • ● CVE-2010-0738, published 26 April 2010
    ● JMX-Console Authentication Bypass. Affected products:
      JBoss Communications Platform 1.2
      JBoss Enterprise Application Platform (EAP) 4.2, 4.3, 5.0
      JBoss Enterprise Portal Platform (EPP) 4.3
      JBoss Application Server (AS) 4.0.x
      JBoss Enterprise Web Platform (EWP) 5.0
      JBoss SOA-Platform (SOA-P) 4.2, 4.3, 5.0
  • The worm:
    ● Disclosed in October 2011;
    ● Exploits CVE-2010-0738;
    ● JBoss authentication is insufficient: the jmx-console security constraint in web.xml listed only the GET and POST methods, so a request sent with any other HTTP verb (HEAD, for example) reached the console without authenticating.
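The verb-tampering pattern above can be checked directly in a deployed console's web.xml. The following audit script is an added example, not code from the slides or from JBoss: the two web.xml documents it contains are constructed samples modelled on the jmx-console constraint (the vulnerable one names GET and POST; the hardened one names no methods, which is what the vendor fix does), and the function names are mine.

```python
# Added example (not from the slides): audit a JBoss web.xml for the
# CVE-2010-0738 pattern, a security-constraint that enumerates HTTP
# methods and therefore leaves every other verb unauthenticated.
import xml.etree.ElementTree as ET

# Constructed sample modelled on the jmx-console constraint that only
# protected GET and POST (so HEAD, PUT, DELETE, OPTIONS, ... bypassed it).
VULNERABLE_WEB_XML = """\
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

# Hardened form: no <http-method> elements, so the constraint applies to all verbs.
HARDENED_WEB_XML = VULNERABLE_WEB_XML.replace(
    "      <http-method>GET</http-method>\n"
    "      <http-method>POST</http-method>\n", "")

# Older JBoss AS installs shipped the jmx-console constraint commented out,
# which is the same exposure with no constraint at all (constructed sample).
NO_CONSTRAINT_WEB_XML = """\
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <!-- security-constraint left commented out by the default install -->
</web-app>
"""


def _local(tag):
    """Strip the namespace so the audit works for any web-app schema version."""
    return tag.rsplit("}", 1)[-1]


def audit_web_xml(xml_text):
    """Return {'constraints': n, 'partial': [...]} for one web.xml.

    'partial' lists every web-resource-collection that names HTTP methods:
    its url patterns, the methods it covers and the roles required. Any
    verb not in that list reaches the resource without the auth-constraint.
    """
    root = ET.fromstring(xml_text)
    constraints = [e for e in root.iter() if _local(e.tag) == "security-constraint"]
    partial = []
    for sc in constraints:
        roles = [r.text.strip() for r in sc.iter()
                 if _local(r.tag) == "role-name" and r.text]
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            patterns = [e.text.strip() for e in wrc
                        if _local(e.tag) == "url-pattern" and e.text]
            methods = [e.text.strip().upper() for e in wrc
                       if _local(e.tag) == "http-method" and e.text]
            if methods:
                partial.append({"url_patterns": patterns,
                                "methods": methods, "roles": roles})
    return {"constraints": len(constraints), "partial": partial}


def is_exposed(xml_text):
    """True when there is no constraint at all, or a constraint that is verb-limited."""
    report = audit_web_xml(xml_text)
    return report["constraints"] == 0 or bool(report["partial"])


if __name__ == "__main__":
    for label, doc in (("vulnerable", VULNERABLE_WEB_XML),
                       ("hardened", HARDENED_WEB_XML),
                       ("no constraint", NO_CONSTRAINT_WEB_XML)):
        print(f"{label:14s} exposed={is_exposed(doc)} {audit_web_xml(doc)}")
```

Run it against <JBOSS_HOME>/server/<profile>/deploy/jmx-console.war/WEB-INF/web.xml and the web-console equivalent; any "partial" entry, or a zero constraint count, means the console is reachable without credentials.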
  • Banner scan results, one host per line (IP : port : TXT : Server header; entries are truncated as in the original):
    186.192.127.7 : 80 : TXT : JBoss-4.2.2.GA (build: SVNTag=JBoss_4_2_2_GA date=200710221139)/
    212.211.201.58 : 80 : TXT : JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomc
    67.213.226.244 : 80 : TXT : JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=201001210934)/
    144.229.36.148 : 80 : TXT : JBoss-5.0/JBossWeb-2.1\r\nExpires: Sun, 27 Nov 2011 09:04:20 GMT\r\n
    144.229.36.147 : 80 : TXT : JBoss-5.0/JBossWeb-2.1\r\nExpires: Sun, 27 Nov 2011 09:04:20 GMT\r\n
    82.230.168.87 : 8080 : TXT : JBossAS-6\r\nAccept-Ranges: bytes\r\nETag: W/"1554-1310895539000"\r\nL
    46.231.186.15 : 8080 : TXT : JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181439)/
    77.242.167.176 : 80 : TXT : JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomc
    77.242.240.99 : 80 : TXT : JBoss-4.3.0.GA_CP08 (build: SVNTag=JBPAPP_4_3_0_GA_CP08 date=20
    185.254.68.40 : 8080 : TXT : JBoss-4.0.1sp1 (build: CVSTag=JBoss_4_0_1_SP1 date=200502160314)
    69.5.221.10 : 80 : TXT : JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200904241611)
    209.62.23.250 : 80 : TXT : JBoss-4.2.2.GA (build: SVNTag=JBoss_4_2_2_GA date=200710221139)/
    209.62.155.16 : 80 : TXT : JBoss-4.2.0.GA_CP05 (build: SVNTag=JBPAPP_4_2_0_GA_CP05 date=200
    209.62.155.17 : 80 : TXT : JBoss-4.2.0.GA_CP05 (build: SVNTag=JBPAPP_4_2_0_GA_CP05 date=200
    209.62.173.76 : 80 : TXT : JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=201002101307)/
    209.62.173.102 : 80 : TXT : JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200911061539)/
    209.62.173.130 : 80 : TXT : JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=201001210934)/
    209.62.173.148 : 80 : TXT : JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=201001210934)/
    209.62.173.231 : 80 : TXT : JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=201001210934)/
    209.62.173.207 : 80 : TXT : JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=201001210934)/
    203.72.158.244 : 8080 : TXT : JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/
    200.174.238.68 : 80 : TXT : JBoss-5.0/JBossWeb-2.1\r\nAccept-Ranges: bytes\r\nETag: W/"291-13220
  • Identifying the attack
  • ● Drop in server and network performance;
    ● Excessive number of outbound requests to the internet;
    ● Suspicious .war directories in the JBoss tree (in JBoss AS 4/5 the deploy directory sits under server/<profile>/):
      ● <JBOSS_HOME>/server/<profile>/deploy/management/iesvc.war
      ● <JBOSS_HOME>/server/<profile>/deploy/management/zecmd.war
    ● Malicious files:
      ● bm.c / bm.h
      ● pnscan.c
      ● version.c
      ● Makefile
      ● Install-sh
      ● Ipsort
      ● kisses.tar.gz
      ● linda.pl
      ● javaoslix.pl
      ● jbossp.d
  • ● LINUX:
    ● lsof -i | grep pnscan and lsof -i | grep perl
      perl 14483 acme 3u IPv4 20645122 TCP vitima:55599->user-84.hbadesign.com:ddi-tcp-1 (CLOSE_WAIT)
      perl 27910 acme 3u IPv4 19993885 TCP vitima:40901->user-84.hbadesign.com:ddi-tcp-1 (ESTABLISHED)
      perl 29854 acme 3u IPv4 12214311 TCP vitima:52894->user-84.hbadesign.com:ircd (ESTABLISHED)
      (vitima is the victim host; in /etc/services ddi-tcp-1 is 8888/tcp and ircd is 6667/tcp, so the perl processes hold connections to IRC-style ports on a remote host)
  • ● Windows:
    ● Handle
    ● Process Explorer
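The indicators on the two slides above (the dropped .war directories and files, and the perl/pnscan sockets visible in lsof) can be turned into a small triage script. The following is an added example, not the presenter's tooling: the lsof sample reuses the three perl lines from the slide plus a constructed sshd line as benign noise, the fake JBOSS_HOME it walks is built in a temporary directory, and all function names are mine.

```python
# Added example (not the presenter's code): triage helpers for the
# indicators listed on the slides, run over a constructed lsof sample and
# a constructed fake JBOSS_HOME so it works offline.
import os
import re
import tempfile

# Worm artefacts named on the slides.
IOC_WARS = {"iesvc.war", "zecmd.war"}
IOC_FILES = {"bm.c", "bm.h", "pnscan.c", "version.c", "kisses.tar.gz",
             "linda.pl", "javaoslix.pl", "jbossp.d"}
SUSPECT_COMMANDS = {"perl", "pnscan"}

# Constructed `lsof -i` sample: the three perl lines are copied from the
# slide; the header and the sshd line are added as benign noise.
SAMPLE_LSOF = """\
COMMAND   PID USER   FD   TYPE   DEVICE NODE NAME
sshd     1021 root    3u  IPv4     9911  TCP *:ssh (LISTEN)
perl    14483 acme    3u  IPv4 20645122  TCP vitima:55599->user-84.hbadesign.com:ddi-tcp-1 (CLOSE_WAIT)
perl    27910 acme    3u  IPv4 19993885  TCP vitima:40901->user-84.hbadesign.com:ddi-tcp-1 (ESTABLISHED)
perl    29854 acme    3u  IPv4 12214311  TCP vitima:52894->user-84.hbadesign.com:ircd (ESTABLISHED)
"""

# One lsof -i line; the column count varies between lsof versions, so anchor
# on the protocol column and the optional trailing "(STATE)".
LSOF_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+.*?\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<name>\S+)(?:\s+\((?P<state>[A-Z_]+)\))?\s*$")


def parse_lsof(text):
    """Parse lsof -i output into dicts; the header and unparseable lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LSOF_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"])
            conns.append(rec)
    return conns


def suspicious_connections(conns):
    """Outbound sockets owned by perl/pnscan, i.e. the worm's IRC bot and scanner.

    Returns (pid, command, remote endpoint, state) tuples; listening or
    local-only sockets are not reported.
    """
    found = []
    for c in conns:
        if c["cmd"] in SUSPECT_COMMANDS and "->" in c["name"]:
            remote = c["name"].split("->", 1)[1]
            found.append((c["pid"], c["cmd"], remote, c["state"]))
    return found


def find_ioc_files(jboss_home):
    """Paths (relative to jboss_home) whose basename is a known worm artefact."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(jboss_home):
        for name in dirnames:
            if name in IOC_WARS:
                hits.append(os.path.relpath(os.path.join(dirpath, name), jboss_home))
        for name in filenames:
            if name in IOC_FILES:
                hits.append(os.path.relpath(os.path.join(dirpath, name), jboss_home))
    return sorted(hits)


def build_infected_tree():
    """Constructed fixture: a fake JBOSS_HOME with both worm .wars and pnscan sources."""
    root = tempfile.mkdtemp(prefix="jboss-ioc-")
    mgmt = os.path.join(root, "server", "default", "deploy", "management")
    for war in ("console-mgr.sar", "zecmd.war", "iesvc.war"):
        os.makedirs(os.path.join(mgmt, war))
    tmp = os.path.join(root, "tmp")
    os.makedirs(tmp)
    for name in ("pnscan.c", "linda.pl", "README"):
        open(os.path.join(tmp, name), "w").close()
    return root


if __name__ == "__main__":
    for pid, cmd, remote, state in suspicious_connections(parse_lsof(SAMPLE_LSOF)):
        print(f"kill candidate: pid={pid} cmd={cmd} -> {remote} ({state})")
    for hit in find_ioc_files(build_infected_tree()):
        print("indicator:", hit)
```

On a live host feed parse_lsof the output of lsof -i -n -P and point find_ioc_files at the real <JBOSS_HOME>, plus /tmp, /var/tmp and /home as the countermeasures slide suggests; the PID list is what the kill commands that follow should act on, rather than every perl process on the box.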
  • Countermeasures, part 1
  • ● Remove the suspicious .war directories and the files listed above;
    ● Kill every perl and pnscan process:
      ● lsof -i | grep perl | awk '{ print $2 }' | xargs kill -9
      ● lsof -i | grep pnscan | awk '{ print $2 }' | xargs kill -9
      ● pids=$(ps aux | grep pnscan | awk '{ print $2 }'); for i in $pids; do kill -9 $i; done;
      (the awk program must be quoted as shown; note that these commands kill every perl process on the host, legitimate ones included, so confirm against the lsof output first, and that ps aux | grep pnscan also matches the grep itself, which pgrep pnscan avoids)
    ● Check:
      ● cron schedules;
      ● the /tmp, /home and /var/tmp directories.
  • Countermeasures, part 2
  • ● Update JBoss?
    ● Remove the jmx-console.war and web-console.war directories and restart JBoss (in JBoss AS 4/5 the deploy directory sits under server/<profile>/):
      rm -fr <JBOSS_HOME>/server/<profile>/deploy/jmx-console.war
      rm -fr <JBOSS_HOME>/server/<profile>/deploy/management/console-mgr.sar/web-console.war
    ● If the consoles must stay, apply the vendor fix for CVE-2010-0738 instead: delete the <http-method> elements from the console's web.xml security constraint so it covers every HTTP verb, and make sure the constraint is not commented out;
    ● Remove gcc, make, ..., so the dropped pnscan sources cannot be built on the host;
    ● Monitor attack attempts with an IDS (Snort SID 18794) and/or a HIDS;
    ● Monitor existing connections:
      ● netstat -tanep | grep LISTEN | grep -v 127.0.0.1 | sort
    ● Monitor changes to the directories.
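"Monitor changes to the directories" is the one countermeasure above that catches a worm variant whose file names are not yet known. The following baseline-and-diff monitor is an added example, not code from the slides: it records size and SHA-256 of every file under a deploy tree, saves that baseline as JSON, and reports anything added, changed or removed on the next run. The deploy tree it builds and the "compromise" it simulates (a new .war with a placeholder JSP and a modified descriptor) are constructed in a temporary directory; file and function names are mine.

```python
# Added example (not from the slides): baseline-and-diff monitor for a
# JBoss deploy tree. Records size and SHA-256 of every file, then reports
# what appeared, changed or vanished; the fixture below is constructed.
import hashlib
import json
import os
import tempfile


def snapshot(root):
    """Map relative path -> (size, sha256 hex) for every regular file under root."""
    snap = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            snap[os.path.relpath(full, root)] = (os.path.getsize(full), digest.hexdigest())
    return snap


def diff_snapshots(baseline, current):
    """Report new, changed and removed files between two snapshots."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "changed": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def save_baseline(snap, path):
    """Persist the baseline; keep the copy off-host, an on-host one can be tampered with."""
    with open(path, "w") as fh:
        json.dump(snap, fh, indent=1, sort_keys=True)


def load_baseline(path):
    """Reload a saved baseline, restoring the (size, sha256) tuples."""
    with open(path) as fh:
        return {k: tuple(v) for k, v in json.load(fh).items()}


def demo():
    """Constructed scenario: clean deploy tree, baseline, then a worm-style drop."""
    deploy = tempfile.mkdtemp(prefix="jboss-deploy-")
    sar = os.path.join(deploy, "management", "console-mgr.sar", "META-INF")
    os.makedirs(sar)
    with open(os.path.join(sar, "jboss-service.xml"), "w") as fh:
        fh.write("<server/>\n")
    with open(os.path.join(deploy, "jboss-web.deployer"), "w") as fh:
        fh.write("placeholder\n")
    baseline_file = os.path.join(tempfile.mkdtemp(prefix="baseline-"), "deploy.json")
    save_baseline(snapshot(deploy), baseline_file)

    # Simulated compromise: a new .war holding a JSP (placeholder content here)
    # and a modified descriptor inside an existing deployment.
    war = os.path.join(deploy, "management", "zecmd.war")
    os.makedirs(war)
    with open(os.path.join(war, "cmd.jsp"), "w") as fh:
        fh.write("<%-- constructed placeholder for a JSP shell --%>\n")
    with open(os.path.join(sar, "jboss-service.xml"), "a") as fh:
        fh.write("<!-- tampered -->\n")
    return diff_snapshots(load_baseline(baseline_file), snapshot(deploy))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Take the baseline right after the consoles are removed or hardened and the host is clean, store it somewhere the JBoss user cannot write, and run the comparison from cron or the HIDS; anything under management/ or a new *.war is worth an immediate look.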
  • Links
    ● JBoss Worm Analysis in Details - http://bit.ly/srjgsZ
    ● CVE-2010-0738 - http://bit.ly/uqg7GE
    ● Snort SID 18794 - http://bit.ly/teVp8H
    ● Handle - http://bit.ly/gw0jel
    ● Process Explorer - http://bit.ly/fzWyfq
    ● JBoss Worm [jwmr-d] - http://bit.ly/ulToUp
  • Contacts
    Emails: alexos@alexos.org, alexos@dclabs.com.br
    Sites: http://www.dclabs.com.br, http://alexos.org
    Twitter: @alexandrosilva