Immunity, Inc.
Name jboss_jmxconsole_deployer
CVE CVE-2010-0738
Exploit Pack CANVAS
Description jboss_jmxconsole_deployer
Notes
CVE Name: CVE-2010-0738
VENDOR: Red Hat
Notes:
JBoss Web JMX Console exposes services that can be used to deploy a new application.
This exploit will try to deploy an application via the HtmlAdaptor servlet by using any of these services:
* DeploymentFileRepository
* MainDeployer
* DeploymentScanner
* Beanshell Deployer

This exploit works against JBoss 4.x, 5.x and 6.x both on Windows and Linux.

If the JMX Console requires authentication, the user can provide credentials.
If no credentials are set, a request using the HEAD method instead of GET/POST
is sent to try to bypass authentication, which the bad default configuration
described in CVE-2010-0738 allows. This authentication bypass only works for JBoss 4.x.
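
A defender-side check for the misconfiguration behind the HEAD bypass described above, as an added example that is not part of the original module description or of CANVAS: it parses a `web.xml` deployment descriptor and reports protected URL patterns whose `security-constraint` names specific `<http-method>` elements, which leaves every other verb outside the constraint. The embedded descriptor, the role name and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a verb-limited constraint (not copied from a JBoss release).
WEAK = """<web-app>
 <security-constraint>
  <web-resource-collection>
   <web-resource-name>HtmlAdaptor</web-resource-name>
   <url-pattern>/*</url-pattern>
   <http-method>GET</http-method>
   <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
 </security-constraint>
</web-app>"""

# Corrected form: no <http-method> elements, so the constraint covers every verb.
FIXED = WEAK.replace("   <http-method>GET</http-method>\n", "").replace(
    "   <http-method>POST</http-method>\n", "")


def _local(tag):
    """Drop an XML namespace prefix so namespaced descriptors are handled too."""
    return tag.rsplit("}", 1)[-1]


def _kids(elem, name):
    """Direct children of elem whose local tag name equals name."""
    return [c for c in elem if _local(c.tag) == name]


def audit_web_xml(xml_text):
    """Return (url_pattern, listed_methods) for each verb-limited protected pattern."""
    root = ET.fromstring(xml_text)
    findings = []
    for sc in (e for e in root.iter() if _local(e.tag) == "security-constraint"):
        if not _kids(sc, "auth-constraint"):
            continue  # this constraint does not require authentication at all
        for wrc in _kids(sc, "web-resource-collection"):
            methods = sorted({(m.text or "").strip().upper()
                              for m in _kids(wrc, "http-method")})
            if methods:  # verbs not listed (HEAD, PUT, ...) fall outside the constraint
                for pat in _kids(wrc, "url-pattern"):
                    findings.append(((pat.text or "").strip(), methods))
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK), ("fixed", FIXED)):
        print(label, audit_web_xml(doc) or "constraint applies to all methods")
```

An empty result means every authenticated constraint in the descriptor applies to all HTTP methods; any finding should be resolved by removing the `<http-method>` elements from that constraint.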

This exploit will try to determine the target platform to dynamically create MOSDEF Trojans.
Then it will execute all the services in sequence to deploy a WAR file containing an application.

Repeatability: Infinite
References:
http://www.redteam-pentesting.de/publications/jboss
https://bugzilla.redhat.com/show_bug.cgi?id=574105
CVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-0738
Google Dorks: inurl:/jmx-console/HtmlAdaptor
Compatibility:

JBoss version            | 4.x | 5.x           | 6.x                                      |
-------------------------------------------------------------------------------------------
DeploymentFileRepository | OK  | OK            | 6.0.0.M1 OK, 6.0 GA (doesn't exist)      |
MainDeployer             | OK  | NOT SUPPORTED | NOT SUPPORTED (remote WAR not supported) |
DeploymentScanner        | OK  | NOT SUPPORTED | NOT SUPPORTED (remote WAR not supported) |
Beanshell Deployer       | OK  | NOT SUPPORTED | NOT SUPPORTED                            |

