-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Adam,

thanks for the question, here is the answer: just downloaded the 3.0.8
from Jboss.org and changed the port of the exploit code from 1701 to
1476, which is the HSQL port in Version 3.0.8 of JBoss.

I can confirm that JBOSS 3.0.8 is also vulnerable.

Marc

On Mon, 6 Oct 2003, Adam Shostack wrote:

> Date: Mon, 6 Oct 2003 14:15:36 -0400
> From: Adam Shostack <adam@homeport.org>
> To: Marc Schoenefeld <schonef@uni-muenster.de>
> Subject: Re: JBoss 3.2.1: Remote Command Injection
>
> Hi Marc,
>
> What about earlier versions of Jboss, like the 3.0 series, which a
> lot of folks still run?
>
> Adam
>
>
> On Sun, Oct 05, 2003 at 11:41:28PM +0200, Marc Schoenefeld wrote:
> | -----BEGIN PGP SIGNED MESSAGE-----
> | Hash: SHA1
> |
> | ================================
> | Illegalaccess.org Security Alert
> | ================================
> |
> | Date : 10/04/2003
> | Application : JBoss, java server for running J2EE enterprise
> | applications
> | Version : 3.2.1
> | Website : http://www.jboss.org
> | Problems : Denial-Of-Service,
> | Log Manipulation,
> | Manipulation of Process variables,
> | Arbitrary Command Injection
> |
> |
> | Illegalaccess.org has discovered a critical security
> | vulnerability in the latest production version of JBoss J2EE
> | application server. The vulnerability affects default
> | installations of JBoss 3.2.1 running on JDK 1.4.x. We were able
> | to design proof of concept code for this issue, which allows
> | remote attack resulting in several compromises, ranging from
> | information disclosure over log manipulation and manipulating
> | java process properties to execution of any commands on the
> | (windows) system with the privileges of the JBoss process. We do
> | not rule out the possibility of remotely controlled code
> | execution on JBoss servers running on top of other operating
> | systems (such as Linux, Solaris, Mac, OS/390).
> |
> | The existence of the vulnerability has been confirmed by Marc
> | Fleury and Scott Stark of the JBoss Group. This report is part of
> | the coordinated release of information about this new threat. The
> | appropriate security bulletin for the jboss system as well as a
> | configuration fix for the affected version 3.2.1 are available
> | for download from the JBoss web site (see URL below).
> |
> | It should be stated that the reaction time of the JBoss group
> | was exemplary in providing an immediate correction of the default
> | configuration which was causing the problem.
> |
> | Description
> | This is a command injection vulnerability that exists in an
> | integral component of the JBoss server, HSQLDB, an SQL database
> | managing JMS connections. In a combined result of programming
> | errors in the sun.* classes and logic errors in the org.apache.*
> | classes of the JDK and settings in the default configuration of
> | JBoss, remote attackers can obtain remote access to vulnerable
> | JBoss systems. Our tests confirmed that this vulnerability
> | affects all default installations of JBoss 3.2.1 and potentially
> | every other system using TCP/IP based connections to HSQLDB.
> |
> | Risk Analysis
> | The impact of this vulnerability should be considered as
> | critical. Throughout its exploitation, any user can gain complete
> | control over a vulnerable system by the means of a remote attack.
> | By sending a specially crafted sequence of SQL statements to the
> | TCP port 1701 of the vulnerable JBoss system, an attacker can
> | exploit the vulnerabilities and in the worst case execute any code
> | with the privileges of the java process executing JBoss.
> |
> | Scope
> | This vulnerability affects every installation of JBoss 3.2.1
> | application server not protected by additional hardening
> | mechanisms for network access protection and boundary control
> | such as firewall systems.
> |
> | Code Availability
> | We were able to develop a fully functional 100%-java proof of
> | concept code for JBoss 3.2.1 running on any Java 1.4.x-enabled
> | platform. The base functionality for every operating system
> | includes Denial-Of-Service, Information Disclosure, Log Message
> | Injection and Resource Consumption. It makes use of some unique
> | exploitation techniques and is based on a detailed analysis of
> | the JDK 1.4.x class structure (available for download mid
> | November 2003) by Illegalaccess.org. In the case of the host
> | operating system being Windows 2000/XP, an additional
> | exploitation is possible executing arbitrary executables and even
> | registered file types. The attack may be performed unnoticed,
> | without any abuse to the operation of the
> | target system.
> |
> | Due to the unique nature and in-depth impact of this
> | vulnerability, illegalaccess.org has decided not to publish
> | exploit code or any technical details helpful for replay with
> | regard to this vulnerability at the moment. In parallel we are
> | preparing a more detailed technical description of the
> | vulnerability which is due to be released to the public when its
> | impact will be reduced through propagation of appropriate fixes
> | by the JBoss Group.
> |
> | Solution
> | It should be emphasized that this vulnerability poses a critical
> | threat and appropriate patches provided by JBoss (see below)
> | should be immediately applied. The patch available at present
> | is available at
> |
> | http://sourceforge.net/docman/display_doc.php?docid=19314&group_id=22866
> |
> | and describes the fix which is to limit the HSQLDB to in-memory
> | mode.
> |
> | =======start of snippet from updated jboss documentation=========
> | The default configuration of the hsqldb service allows for
> | interaction with the database over TCP/IP and can enable arbitrary
> | code to be executed if the default username/password has not been
> | changed. JBoss does not need the socket based access mode so one
> | can disable this through two changes to the deploy/hsqldb-ds.xml
> | configuration.
> |
> |
> | I) First, change:
> | <!-- for tcp connection, other processes may use hsqldb -->
> | <connection-url>
> | jdbc:hsqldb:hsql://localhost:1701
> | </connection-url>
> |
> | to:
> |
> | <!-- for in-process db with file store, saved when jboss
> | stops. The org.jboss.jdbc.HypersonicDatabase is unnecessary -->
> |
> | <connection-url>
> | jdbc:hsqldb:localDB
> | </connection-url>
> |
> | II) Next, comment out or remove this section:
> |
> | <!-- this mbean should be used only when using tcp connections -->
> | <mbean code="org.jboss.jdbc.HypersonicDatabase"
> | name="jboss:service=Hypersonic">
> | <attribute name="Port">1701</attribute>
> | <attribute name="Silent">true</attribute>
> | <attribute name="Database">default</attribute>
> | <attribute name="Trace">false</attribute>
> | <attribute name="No_system_exit">true</attribute>
> | </mbean>
> |
> | =======end of snippet from updated jboss documentation=========
> |
> | Marc Schoenefeld, www.illegalaccess.org (marc@illegalaccess.org)
> |
> | - --
> |
> | Never be afraid to try something new. Remember, amateurs built the
> | ark; professionals built the Titanic. -- Anonymous
> |
> | Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer
> | -----BEGIN PGP SIGNATURE-----
> | Version: GnuPG v1.0.6 (AIX)
> | Comment: For info see http://www.gnupg.org
> |
> | iD8DBQE/gJALqCaQvrKNUNQRAiFqAJ9GYSd38BKgL2tYWp/U0r/KtdbO0ACdFz6V
> | 39E+YTxnfgaf0NDpjXSfnLY=
> | =Eb08
> | -----END PGP SIGNATURE-----
> |
>
> --
> "It is seldom that liberty of any kind is lost all at once."
> -Hume
>
>

- --
Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. -- Anonymous

Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (AIX)
Comment: For info see http://www.gnupg.org

iD8DBQE/gdL3qCaQvrKNUNQRAqc6AJ9nRxhXZjL94aSbQNpAJ0PQY/A8dQCfWn6G
Hcich424OGWfBcJWJBaY60c=
=J/sq
-----END PGP SIGNATURE-----
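The two-step configuration fix quoted from the JBoss documentation in the advisory above (switch the connection URL to in-process mode, remove the HypersonicDatabase MBean) can be verified mechanically across a fleet of deploy/hsqldb-ds.xml files. The script below is an added example, not code from the advisory, from illegalaccess.org or from JBoss. It parses the file and reports whether either the TCP-mode `jdbc:hsqldb:hsql://` connection URL or an `org.jboss.jdbc.HypersonicDatabase` MBean is still present. The two sample documents embedded in it are constructed from the fragments quoted in the advisory; the surrounding `<datasources>`/`<local-tx-datasource>` wrapper is assumed and not taken from the page.

```python
"""Audit a JBoss 3.x deploy/hsqldb-ds.xml for the TCP-mode HSQLDB exposure
described in the advisory. Example code, not part of the advisory or JBoss.

Two findings are reported:
  * a <connection-url> that still uses jdbc:hsqldb:hsql://  (TCP mode)
  * an org.jboss.jdbc.HypersonicDatabase MBean, which starts the TCP listener
An empty finding list means the file already matches the in-memory fix.
"""
import sys
import xml.etree.ElementTree as ET
from typing import List

HSQL_TCP_PREFIX = "jdbc:hsqldb:hsql://"
HSQL_MBEAN_CODE = "org.jboss.jdbc.HypersonicDatabase"


def audit_hsqldb_ds(xml_text: str) -> List[str]:
    """Return human-readable findings for one hsqldb-ds.xml document."""
    root = ET.fromstring(xml_text)  # XML comments are dropped by the parser
    findings = []

    # Step I of the fix: the connection URL must not point at a TCP listener.
    for url in root.iter("connection-url"):
        value = (url.text or "").strip()
        if value.startswith(HSQL_TCP_PREFIX):
            findings.append("TCP connection-url still configured: " + value)

    # Step II of the fix: the HypersonicDatabase MBean must be commented out
    # or removed; a commented-out MBean is invisible to the parser, so only a
    # live element produces a finding.
    for mbean in root.iter("mbean"):
        if mbean.get("code") == HSQL_MBEAN_CODE:
            port = mbean.find("attribute[@name='Port']")
            port_text = (port.text or "").strip() if port is not None else "unset"
            findings.append(HSQL_MBEAN_CODE + " MBean still deployed, Port=" + port_text)

    return findings


# Constructed sample: the pre-fix fragments quoted in the advisory, wrapped in
# an assumed <datasources>/<local-tx-datasource> structure.
VULNERABLE_DS = """<datasources>
  <local-tx-datasource>
    <!-- for tcp connection, other processes may use hsqldb -->
    <connection-url>
      jdbc:hsqldb:hsql://localhost:1701
    </connection-url>
  </local-tx-datasource>
  <!-- this mbean should be used only when using tcp connections -->
  <mbean code="org.jboss.jdbc.HypersonicDatabase"
         name="jboss:service=Hypersonic">
    <attribute name="Port">1701</attribute>
    <attribute name="Silent">true</attribute>
    <attribute name="Database">default</attribute>
    <attribute name="Trace">false</attribute>
    <attribute name="No_system_exit">true</attribute>
  </mbean>
</datasources>
"""

# Constructed sample after applying both steps of the documented fix.
FIXED_DS = """<datasources>
  <local-tx-datasource>
    <!-- for in-process db with file store, saved when jboss
         stops. The org.jboss.jdbc.HypersonicDatabase is unnecessary -->
    <connection-url>
      jdbc:hsqldb:localDB
    </connection-url>
  </local-tx-datasource>
</datasources>
"""


def main(argv: List[str]) -> int:
    """Audit the files named on the command line, or the built-in samples."""
    if len(argv) > 1:
        docs = [(path, open(path, encoding="utf-8").read()) for path in argv[1:]]
    else:
        docs = [("constructed vulnerable sample", VULNERABLE_DS),
                ("constructed fixed sample", FIXED_DS)]
    exposed = 0
    for name, text in docs:
        findings = audit_hsqldb_ds(text)
        print(f"{name}: {'OK' if not findings else 'EXPOSED'}")
        for finding in findings:
            print("  - " + finding)
        exposed += 1 if findings else 0
    return 1 if exposed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with one or more hsqldb-ds.xml paths as arguments; without arguments it audits the two constructed samples. The non-zero exit status makes it usable as a gate in a deployment check. Note that the script confirms only the configuration change from the advisory; it does not verify that the HSQLDB default credentials have been changed, which the quoted documentation names as the other precondition.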