Aaron
63285f61aa
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled
33 lines
1.6 KiB
Markdown
33 lines
1.6 KiB
Markdown
# JBoss JMXInvokerServlet Deserialization Remote Code Execution
|
|
|
|
[中文版本(Chinese version)](README.zh-cn.md)
|
|
|
|
Red Hat JBoss Application Server is a JavaEE-based open source application server.
|
|
|
|
This is a classic JBoss deserialization vulnerability where JBoss reads user-supplied objects in the `/invoker/JMXInvokerServlet` request, allowing attackers to execute arbitrary code using Gadgets from Apache Commons Collections.
|
|
|
|
References:
|
|
|
|
- https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
|
|
- https://www.seebug.org/vuldb/ssvid-89723
|
|
- http://www.freebuf.com/sectool/88908.html
|
|
- https://paper.seebug.org/312/
|
|
|
|
## Environment Setup
|
|
|
|
Execute the following command to start JBoss AS 6.1.0:
|
|
|
|
```
|
|
docker compose up -d
|
|
```
|
|
|
|
The initial setup will take 1-3 minutes. After initialization is complete, visit `http://your-ip:8080/` to see the JBoss default page.
|
|
|
|
## Vulnerability Reproduce
|
|
|
|
When JBoss processes the `/invoker/JMXInvokerServlet` request, it reads the object directly. Therefore, we can simply attach a POC generated by [ysoserial](https://github.com/frohoff/ysoserial) in the POST Body. The entire process is similar to [jboss/CVE-2017-12149](https://github.com/vulhub/vulhub/tree/master/jboss/CVE-2017-12149), so I won't repeat it here.
|
|
|
|
There are many existing exploits available online. For example, you can use [DeserializeExploit.jar](https://download.vulhub.org/download/deserialization/DeserializeExploit.jar) to directly execute commands and upload files:
|
|
|
|
|