Software

Abusing JBoss

Date Added: Apr 2010
Format: PDF

JBoss is an application server written in Java that can host business components developed in Java. JBoss is an open source implementation of J2EE that relies on the Enterprise JavaBeans specification for its functionality. JBoss Web Server provides organizations with a single deployment platform for Java Server Pages (JSP) and Java Servlet technologies, PHP, and CGI. It uses a genuine high-performance hybrid technology that incorporates the best of the most recent OS technologies for processing high-volume data, while keeping to all the reference Java specifications. Basically, JBoss Application Server is the open source implementation of the Java EE suite of services; its easy-to-use server architecture and high flexibility make JBoss the ideal choice for users just starting out with J2EE, as well as for senior architects looking for a customizable middleware platform (Koussouris, Mondesir, & Dang, 2007). As it is Java-based, the JBoss application server operates cross-platform: it is usable on any operating system that Java supports. JBoss AS was developed by JBoss, now a division of Red Hat.

The pervasiveness of JBoss in enterprise JSP deployments is second to none, meaning there is an abundance of targets for blackhats and pentesters alike. JBoss is usually invoked as root/SYSTEM, meaning that any successful exploitation usually results in immediate super-user privileges on the target host. A tool has been developed that is able to compromise an unprotected JBoss instance and ultimately upload and execute a Metasploit payload on the server. Finally, this whitepaper also takes a brief look at Apache Tomcat, demonstrating remote command execution and a tool that has also been developed to exploit a common Tomcat misconfiguration.