Apache Tomcat / JBoss EJBInvokerServlet / JMXInvokerServlet Multiple Vulnerabilities - Nessus

Critical   Plugin ID: 70414

This page contains detailed information about the Apache Tomcat / JBoss EJBInvokerServlet / JMXInvokerServlet Multiple Vulnerabilities Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.

Table Of Contents
hide

Plugin Overview

ID: 70414
Name: Apache Tomcat / JBoss EJBInvokerServlet / JMXInvokerServlet Multiple Vulnerabilities
Filename: jmxinvokerservlet_ejbinvokerservlet_rce.nasl
Vulnerability Published: 2013-09-09
This Plugin Published: 2013-10-14
Last Modification Time: 2022-03-28
Plugin Version: 1.24
Plugin Type: remote
Plugin Family: CGI abuses
Dependencies: http_version.nasl

Vulnerability Information

Severity: Critical
Vulnerability Published: 2013-09-09
Patch Published: N/A
CVE [?]: CVE-2007-1036, CVE-2012-0874, CVE-2013-4810
CPE [?]: cpe:/a:hp:application_lifecycle_management, cpe:/a:hp:identity_driven_manager, cpe:/a:hp:procurve_manager, cpe:/a:jboss:jboss_application_server, cpe:/a:redhat:jboss_enterprise_application_platform, cpe:/a:redhat:jboss_enterprise_brms_platform, cpe:/a:redhat:jboss_enterprise_web_platform, cpe:/a:symantec:workspace_streaming

Synopsis

The remote web server is affected by multiple vulnerabilities.

Description

The 'EBJInvokerServlet' and 'JMXInvokerServlet' servlets hosted on the web server on the remote host are accessible to unauthenticated users. The remote host is, therefore, affected by the following vulnerabilities :

- A security bypass vulnerability exists due to improper restriction of access to the console and web management interfaces. An unauthenticated, remote attacker can exploit this, via direct requests, to bypass authentication and gain administrative access. (CVE-2007-1036)

- A remote code execution vulnerability exists due to the JMXInvokerHAServlet and EJBInvokerHAServlet invoker servlets not properly restricting access to profiles. An unauthenticated, remote attacker can exploit this to bypass authentication and invoke MBean methods, resulting in the execution of arbitrary code. (CVE-2012-0874)

- A remote code execution vulnerability exists in the EJBInvokerServlet and JMXInvokerServlet servlets due to the ability to post a marshalled object. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to install arbitrary applications. Note that this issue is known to affect McAfee Web Reporter versions prior to or equal to version 5.2.1 as well as Symantec Workspace Streaming version 7.5.0.493 and possibly earlier. (CVE-2013-4810)

Solution

If using EMC Data Protection Advisor, either upgrade to version 6.x or apply the workaround for 5.x.

Otherwise, contact the vendor or remove any affected JBoss servlets.

Public Exploits

Target Network Port(s): 8080, 9111, 9832
Target Asset(s): Services/www
Exploit Available: True (Metasploit Framework, Exploit-DB, GitHub, ExploitHub, Core Impact)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the Apache Tomcat / JBoss EJBInvokerServlet / JMXInvokerServlet Multiple Vulnerabilities vulnerability:

  1. Metasploit: exploit/multi/http/jboss_maindeployer
    [JBoss JMX Console Deployer Upload and Execute]
  2. Metasploit: exploit/multi/http/jboss_invoke_deploy
    [JBoss DeploymentFileRepository WAR Deployment (via JMXInvokerServlet)]
  3. Exploit-DB: exploits/multiple/remote/16318.rb
    [EDB-16318: JBoss JMX - Console Deployer Upload and Execute (Metasploit)]
  4. Exploit-DB: exploits/multiple/remote/21080.rb
    [EDB-21080: JBoss - DeploymentFileRepository WAR Deployment (via JMXInvokerServlet) (Metasploit)]
  5. Exploit-DB: exploits/php/remote/28713.php
    [EDB-28713: Apache Tomcat/JBoss EJBInvokerServlet / JMXInvokerServlet (RMI over HTTP) Marshalled Object - Remote Code Execution]
  6. Exploit-DB: exploits/windows/remote/30211.txt
    [EDB-30211: EMC Data Protection Advisor DPA Illuminator - EJBInvokerServlet Remote Code Execution]
  7. GitHub: https://github.com/SexyBeast233/SecBooks
    [CVE-2007-1036]
  8. GitHub: https://github.com/fupinglee/JavaTools
    [CVE-2007-1036]
  9. GitHub: https://github.com/0day666/Vulnerability-verification
    [CVE-2013-4810]
  10. GitHub: https://github.com/SexyBeast233/SecBooks
    [CVE-2013-4810]
  11. GitHub: https://github.com/fupinglee/JavaTools
    [CVE-2013-4810]
  12. GitHub: https://github.com/jiangsir404/POC-S
    [CVE-2013-4810]
  13. GitHub: https://github.com/offensive-security/exploitdb-bin-sploits/blob/master/bin-sploits/30211.tgz
    [EDB-30211]
  14. ExploitHub: EH-13-606

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information

CVSS Score Source [?]: CVE-2013-4810
CVSS V2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:ND
CVSS Base Score:10.0 (High)
Impact Subscore:10.0
Exploitability Subscore:10.0
CVSS Temporal Score:10.0 (High)
CVSS Environmental Score:NA (None)
Modified Impact Subscore:NA
Overall CVSS Score:10.0 (High)

Go back to menu.

Plugin Source

This is the jmxinvokerservlet_ejbinvokerservlet_rce.nasl nessus plugin source code. This script is Copyright (C) 2013-2022 and is owned by Tenable, Inc. or an Affiliate thereof. 

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(70414);
  script_version("1.24");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/03/28");

  script_cve_id("CVE-2007-1036", "CVE-2012-0874", "CVE-2013-4810");
  script_bugtraq_id(57552, 62854, 77037);
  script_xref(name:"CERT", value:"632656");
  script_xref(name:"EDB-ID", value:"16318");
  script_xref(name:"EDB-ID", value:"21080");
  script_xref(name:"EDB-ID", value:"28713");
  script_xref(name:"EDB-ID", value:"30211");
  script_xref(name:"ZDI", value:"ZDI-13-229");
  script_xref(name:"HP", value:"HPSBGN02952");
  script_xref(name:"HP", value:"SSRT101127");
  script_xref(name:"HP", value:"emr_na-c04041110");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/04/15");

  script_name(english:"Apache Tomcat / JBoss EJBInvokerServlet / JMXInvokerServlet Multiple Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The 'EBJInvokerServlet' and 'JMXInvokerServlet' servlets hosted on
the web server on the remote host are accessible to unauthenticated
users. The remote host is, therefore, affected by the following
vulnerabilities :

  - A security bypass vulnerability exists due to improper
    restriction of access to the console and web management
    interfaces. An unauthenticated, remote attacker can
    exploit this, via direct requests, to bypass
    authentication and gain administrative access.
    (CVE-2007-1036)

  - A remote code execution vulnerability exists due to the
    JMXInvokerHAServlet and EJBInvokerHAServlet invoker
    servlets not properly restricting access to profiles. An
    unauthenticated, remote attacker can exploit this to
    bypass authentication and invoke MBean methods,
    resulting in the execution of arbitrary code.
    (CVE-2012-0874)

  - A remote code execution vulnerability exists in the
    EJBInvokerServlet and JMXInvokerServlet servlets due to
    the ability to post a marshalled object. An
    unauthenticated, remote attacker can exploit this, via a
    specially crafted request, to install arbitrary
    applications. Note that this issue is known to affect
    McAfee Web Reporter versions prior to or equal to
    version 5.2.1 as well as Symantec Workspace Streaming
    version 7.5.0.493 and possibly earlier.
    (CVE-2013-4810)");
  # https://www.redteam-pentesting.de/publications/2009-11-30-Whitepaper_Whos-the-JBoss-now_RedTeam-Pentesting_EN.pdf
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?74979c27");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-229/");
  # https://web.archive.org/web/20131031213751/http://retrogod.altervista.org/9sg_ejb.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?52567bc1");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2013/Oct/126");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/530241/30/0/threaded");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2013/Dec/att-133/ESA-2013-094.txt");
  script_set_attribute(attribute:"solution", value:
"If using EMC Data Protection Advisor, either upgrade to version 6.x or
apply the workaround for 5.x. 

Otherwise, contact the vendor or remove any affected JBoss servlets.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:ND");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-4810");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'JBoss JMX Console Deployer Upload and Execute');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_exploithub", value:"true");
  script_set_attribute(attribute:"exploithub_sku", value:"EH-13-606");
  script_cwe_id(264);

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/09/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/10/14");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:procurve_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:application_lifecycle_management");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:identity_driven_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:jboss_enterprise_web_platform");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:jboss_enterprise_application_platform");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:jboss_enterprise_brms_platform");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:jboss_enterprise_application_platform");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:jboss:jboss_application_server");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:symantec:workspace_streaming");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2013-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("http_version.nasl");
  script_require_ports("Services/www", 9111, 8080, 9832);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

# Identify possible ports.
#
# - web servers.
ports = get_kb_list("Services/www");
if (isnull(ports)) ports = make_list();

# - ports for McAfee Web Reporter and Symantec Workspace Streaming.
foreach p (make_list(8080, 9111, 9832))
{
  if (service_is_unknown(port:p))  ports = add_port_in_list(list:ports, port:p);
}

# Check each port.
non_vuln = make_list();

foreach port (ports)
{
  vuln_urls = make_list();

  foreach page (make_list("/EJBInvokerServlet", "/JMXInvokerServlet"))
  {
    url = "/invoker" + page;
    res = http_send_recv3(
      method : "GET",
      item   : url,
      port   : port,
      fetch404     : TRUE
    );

    if (
      !isnull(res) &&
      "org.jboss.invocation.MarshalledValue" >< res[2] &&
      (
        'WWW-Authenticate: Basic realm="JBoss HTTP Invoker"' >!< res[1] ||
        "404 Not Found" >!< res[1]
      )
    ) vuln_urls = make_list(vuln_urls, build_url(qs:url, port:port));
  }

  if (max_index(vuln_urls) > 0)
  {
    if (max_index(vuln_urls) > 1) request = "URLs";
    else request = "URL";

    if (report_verbosity > 0)
    {
      report =
        '\n' +'Nessus was able to verify the issue exists using the following '+
        '\n' + request + ' :' +
        '\n' +
        '\n' + join(vuln_urls, sep:'\n') + '\n';

      security_hole(port:port, extra:report);
    }
    else security_hole(port);
  }
  else non_vuln = make_list(non_vuln, port);
}

if (max_index(non_vuln) == 1) exit(0, "The web server tested on port " + port + " is not affected.");
else if (max_index(non_vuln) > 1)  exit(0, "None of the ports tested (" +join(non_vuln, sep:", ")+ ") contain web servers that are affected.");

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/jmxinvokerservlet_ejbinvokerservlet_rce.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\jmxinvokerservlet_ejbinvokerservlet_rce.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/jmxinvokerservlet_ejbinvokerservlet_rce.nasl

Go back to menu.

How to Run

Here is how to run the Apache Tomcat / JBoss EJBInvokerServlet / JMXInvokerServlet Multiple Vulnerabilities as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. On the top right corner click to Disable All plugins.
  5. On the left side table select CGI abuses plugin family.
  6. On the right side table select Apache Tomcat / JBoss EJBInvokerServlet / JMXInvokerServlet Multiple Vulnerabilities plugin ID 70414.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl jmxinvokerservlet_ejbinvokerservlet_rce.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a jmxinvokerservlet_ejbinvokerservlet_rce.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - jmxinvokerservlet_ejbinvokerservlet_rce.nasl -t <IP/HOST>

Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state jmxinvokerservlet_ejbinvokerservlet_rce.nasl -t <IP/HOST>

Go back to menu.

References

BID | SecurityFocus Bugtraq ID: CERT | Computer Emergency Response Team: Hewlett Packard Security:
  • emr_na-c04041110, HPSBGN02952, SSRT101127
ZDI | Zero Day Initiative: CWE | Common Weakness Enumeration:
  • CWE-264 (Category) Permissions, Privileges, and Access Controls
See also: Similar and related Nessus plugins:
  • 67248 - Cisco Prime Data Center Network Manager RMI Remote Code Execution (credentialed check)
  • 67247 - Cisco Prime Data Center Network Manager RMI Remote Code Execution (uncredentialed check)
  • 87312 - JBoss Java Object Deserialization RCE
  • 64079 - RHEL 5 : JBoss EAP (RHSA-2013:0192)
  • 64080 - RHEL 4 : JBoss EAP (RHSA-2013:0193)
  • 78945 - RHEL 6 : JBoss EWP (RHSA-2013:0195)
  • 78946 - RHEL 5 : JBoss EWP (RHSA-2013:0196)
  • 78947 - RHEL 4 : JBoss EWP (RHSA-2013:0197)

Version

This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file jmxinvokerservlet_ejbinvokerservlet_rce.nasl version 1.24. For more plugins, visit the Nessus Plugin Library.

Go back to menu.