20130716

JSP RAT by Jeroy - hacked a jboss 4.2.2 server

he put his files in the jboss 4.2.2 "work" folder, in these locations:
/path/to/jboss/server/myapp/work/jboss.web/localhost/temporary/
/path/to/jboss/server/myapp/work/jboss.web/localhost/tmp/
/path/to/jboss/server/myapp/work/jboss.web/localhost/updates/


see also:
http://bri-blog.blogspot.no/2012/12/jsp-rat-by-jeroy.html

RAT can mean several things:
remote access trojan
remote administration tool

here's how to secure your jboss 4 server--first steps (these are the same instructions as in my comment below on this page):
1. remove the following folders:

/path/to/jboss/server/myapp/deploy/jmx-console.war
/path/to/jboss/server/myapp/deploy/management


NOTE: if you want to keep jmx-console enabled, then you need to add a security-constraint like the one below to deploy/jmx-console.war/WEB-INF/web.xml, so that only users with the JBossAdmin role can reach the console (see this Red Hat solution):
https://access.redhat.com/site/solutions/30744

<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <description>
       An example security config that only allows users with the role
       JBossAdmin to access the HTML JMX console web application
    </description>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>


2. secure permissions:
http://nickhumphreyit.blogspot.no/2013/07/jboss-422-files-that-need-execute.html
UPDATE 20131105

you also need to secure the invoker servlet, i.e. don't let anyone access this url:
/invoker/JMXInvokerServlet


UPDATE 20131114

according to Nafly, you also need to secure the EJBInvokerServlet
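To check a server against the steps above, here is an added example (my own script, not part of the original post and not a JBoss tool). It audits a JBoss 4.x server directory such as /path/to/jboss/server/myapp for two things: .jsp files dropped under the "work" tree, where the RAT was found, and the deployers that expose jmx-console, the management folder and the invoker servlets. It parses jmx-console.war/WEB-INF/web.xml with an XML parser so that a security-constraint that is only present inside an XML comment does not count. The path deploy/http-invoker.sar is my assumption about where JBoss 4.x deploys /invoker/JMXInvokerServlet and /invoker/EJBInvokerServlet; the demo tree it builds is constructed sample data.

```python
"""Added example (not from the original post or the JBoss project).

Audits a JBoss 4.x server directory (e.g. /path/to/jboss/server/myapp) for
JSP files dropped under the "work" tree and for the deployers that expose
the jmx-console, management and invoker servlets.  deploy/http-invoker.sar
is an ASSUMPTION about where JBoss 4.x deploys the invoker servlets.
"""
import os
import shutil
import tempfile
import xml.etree.ElementTree as ET

# Deployers that should be gone unless deliberately locked down.
RISKY_DEPLOYERS = ("deploy/management", "deploy/http-invoker.sar")
JMX_CONSOLE = "deploy/jmx-console.war"
JMX_WEB_XML = os.path.join(JMX_CONSOLE, "WEB-INF", "web.xml")

# Constructed sample that mimics an unprotected web.xml: the constraint
# exists only inside an XML comment, so it protects nothing.
UNPROTECTED_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app>
  <!-- constraint present but commented out (constructed sample)
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
  -->
</web-app>
"""
# The same constraint as the post shows, active this time.
SECURED_WEB_XML = UNPROTECTED_WEB_XML.replace(
    "<!-- constraint present but commented out (constructed sample)", "").replace("-->", "")


def _local(tag):
    """Strip an XML namespace prefix such as {http://...}security-constraint."""
    return tag.rsplit("}", 1)[-1]


def find_work_jsps(server_dir):
    """Return .jsp/.jspx files under work/jboss.web/localhost.

    JBoss Web only writes compiled .java/.class output there, so JSP source
    in that tree is a strong indicator of a dropped web shell.
    """
    root = os.path.join(server_dir, "work", "jboss.web", "localhost")
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, f) for f in files
                    if f.lower().endswith((".jsp", ".jspx")))
    return sorted(hits)


def web_xml_restricts_all(web_xml_path, role="JBossAdmin"):
    """True if an active <security-constraint> covers /* and requires `role`.

    ElementTree discards comments while parsing, so a commented-out
    constraint is correctly treated as absent.
    """
    if not os.path.isfile(web_xml_path):
        return False
    for sc in ET.parse(web_xml_path).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns = [e.text.strip() for e in sc.iter() if _local(e.tag) == "url-pattern" and e.text]
        roles = [e.text.strip() for e in sc.iter() if _local(e.tag) == "role-name" and e.text]
        if "/*" in patterns and role in roles:
            return True
    return False


def audit(server_dir):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = ["suspicious JSP in work tree: " + os.path.relpath(p, server_dir)
                for p in find_work_jsps(server_dir)]
    for rel in RISKY_DEPLOYERS:
        if os.path.exists(os.path.join(server_dir, rel)):
            findings.append("still deployed: " + rel)
    if os.path.isdir(os.path.join(server_dir, JMX_CONSOLE)) and \
            not web_xml_restricts_all(os.path.join(server_dir, JMX_WEB_XML)):
        findings.append("jmx-console kept but web.xml does not restrict /* to JBossAdmin")
    return findings


def make_demo_tree():
    """Build a throwaway server dir reproducing the bad state (constructed data)."""
    t = tempfile.mkdtemp(prefix="jboss-demo-")
    tmp = os.path.join(t, "work", "jboss.web", "localhost", "tmp")
    os.makedirs(tmp)
    os.makedirs(os.path.join(t, "deploy", "management"))
    os.makedirs(os.path.join(t, JMX_CONSOLE, "WEB-INF"))
    with open(os.path.join(tmp, "shell.jsp"), "w") as fh:
        fh.write("<%-- constructed placeholder, not a real payload --%>\n")
    with open(os.path.join(t, JMX_WEB_XML), "w") as fh:
        fh.write(UNPROTECTED_WEB_XML)
    return t


def secure_demo_console(server_dir):
    """Write the active security-constraint into the demo's jmx-console web.xml."""
    with open(os.path.join(server_dir, JMX_WEB_XML), "w") as fh:
        fh.write(SECURED_WEB_XML)


def cleanup_demo_tree(server_dir):
    shutil.rmtree(server_dir, ignore_errors=True)


if __name__ == "__main__":
    demo = make_demo_tree()          # use a real server dir in practice
    for line in audit(demo):
        print(line)
    secure_demo_console(demo)
    print("after securing jmx-console:", audit(demo))
    cleanup_demo_tree(demo)
```

Run it against a real server with `audit("/path/to/jboss/server/myapp")`; an empty list means the work tree holds no JSP sources and the three exposures discussed above are either removed or, for jmx-console, restricted to JBossAdmin.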


2 comments:

  1. same problem here on Jboss 4.2.3GA. JSP RAT was deployed in

    /path/to/jboss/server/default/work/jboss.web/localhost/temporary/
    /path/to/jboss/server/default/work/jboss.web/localhost/tmp/
    /path/to/jboss/server/default/work/jboss.web/localhost/updates/

    The problem seems to be Jboss Web 2.0.1 (which is a fork of Tomcat 6).
    does anyone know how to secure this JBoss version?

  2. Hi Markus,
    1. remove the following folders:

    /path/to/jboss/server/myapp/deploy/jmx-console.war
    /path/to/jboss/server/myapp/deploy/management

    2. secure permissions:
    http://nickhumphreyit.blogspot.no/2013/07/jboss-422-files-that-need-execute.html