f*cking jboss pwned

Posted on 19-Jun-2015

DESCRIPTION

Talk given on 4 December 2011 at the Conferência O Outro Lado (CoOL).

TRANSCRIPT

1. 4 December 2011, São Paulo/SP

2. F*ck1ng Pwn3d

3. Information Security Analyst; independent consultant; lecturer; DCLabs Security Team

4. A Java application server based on the J2EE standard, responsible for hosting, publishing and managing corporate portals. Pros: easy to deploy and maintain, scalable, supports clustering. Cons: heavy resource consumer, complicated tuning.

5. The Vulnerability

6. CVE-2010-0738 (26/04/2010), JMX-Console Authentication Bypass. Affected products:
   JBoss Communications Platform 1.2
   JBoss Enterprise Application Platform (EAP) 4.2, 4.3, 5.0
   JBoss Enterprise Portal Platform (EPP) 4.3
   JBoss Application Server (AS) 4.0.x
   JBoss Enterprise Web Platform (EWP) 5.0
   JBoss SOA-Platform (SOA-P) 4.2, 4.3, 5.0

7. The worm: disclosed in October 2011; exploits CVE-2010-0738; JBoss authentication is insufficient.

8. Banner-grabbing results (IP : port : TXT : banner); banner text is cut short in the original listing:
   186.192.127.7 : 80 : TXT : JBoss-4.2.2.GA (build: SVNTag=JBoss_4_2_2_GA date=200710221139)/
   212.211.201.58 : 80 : TXT : JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomc
   67.213.226.244 : 80 : TXT : JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=201001210934)/
   144.229.36.148 : 80 : TXT : JBoss-5.0/JBossWeb-2.1\r\nExpires: Sun, 27 Nov 2011 09:04:20 GMT\r\n
   144.229.36.147 : 80 : TXT : JBoss-5.0/JBossWeb-2.1\r\nExpires: Sun, 27 Nov 2011 09:04:20 GMT\r\n
   82.230.168.87 : 8080 : TXT : JBossAS-6\r\nAccept-Ranges: bytes\r\nETag: W/"1554-1310895539000"\r\nL
   46.231.186.15 : 8080 : TXT : JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181439)/
   77.242.167.176 : 80 : TXT : JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomc
   77.242.240.99 : 80 : TXT : JBoss-4.3.0.GA_CP08 (build: SVNTag=JBPAPP_4_3_0_GA_CP08 date=201
   85.254.68.40 : 8080 : TXT : JBoss-4.0.1sp1 (build: CVSTag=JBoss_4_0_1_SP1 date=200502160314)
   69.5.221.10 : 80 : TXT : JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200904241611)
   209.62.23.250 : 80 : TXT : JBoss-4.2.2.GA (build: SVNTag=JBoss_4_2_2_GA date=200710221139)/
   209.62.155.16 : 80 : TXT : JBoss-4.2.0.GA_CP05 (build: SVNTag=JBPAPP_4_2_0_GA_CP05 date=200
   209.62.155.17 : 80 : TXT : JBoss-4.2.0.GA_CP05 (build: SVNTag=JBPAPP_4_2_0_GA_CP05 date=200
   209.62.173.76 : 80 : TXT : JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=201002101307)/
   209.62.173.102 : 80 : TXT : JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200911061539)/
   209.62.173.130 : 80 : TXT : JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=201001210934)/
   209.62.173.148 : 80 : TXT : JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=201001210934)/
   209.62.173.231 : 80 : TXT : JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=201001210934)/
   209.62.173.207 : 80 : TXT : JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=201001210934)/
   203.72.158.244 : 8080 : TXT : JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/
   200.174.238.68 : 80 : TXT : JBoss-5.0/JBossWeb-2.1\r\nAccept-Ranges: bytes\r\nETag: W/"291-13220

9. Identifying the attack

10. Drop in server and network performance; excessive number of requests to the internet; suspicious .war directories in the JBoss tree:
   /deploy/management/iesvc.war
   /deploy/management/zecmd.war
   Malicious files: bm.c / bm.h, pnscan.c, version.c, Makefile, install-sh, ipsort, kisses.tar.gz, linda.pl, javaoslix.pl, jbossp.d

11. Linux: lsof -i | grep pnscan and lsof -i | grep perl
   perl 14483 acme 3u IPv4 20645122 TCP vitima:55599->user-84.hbadesign.com:ddi-tcp-1 (CLOSE_WAIT)
   perl 27910 acme 3u IPv4 19993885 TCP vitima:40901->user-84.hbadesign.com:ddi-tcp-1 (ESTABLISHED)
   perl 29854 acme 3u IPv4 12214311 TCP vitima:52894->user-84.hbadesign.com:ircd (ESTABLISHED)

12. Windows: Handle, Process Explorer

13. Countermeasures, part 1

14. Remove the suspicious .war directories and the files listed above; stop all perl and pnscan processes:
   lsof -i | grep perl | awk '{ print $2 }' | xargs kill -9
   lsof -i | grep pnscan | awk '{ print $2 }' | xargs kill -9
   pids=$(ps aux | grep pnscan | awk '{ print $2 }'); for i in $pids; do kill -9 $i; done
   Check: cron schedules; the /tmp, /home and /var/tmp directories.

15. Countermeasures, part 2

16. Update JBoss? Remove the jmx-console.war and web-console.war directories and restart JBoss:
   rm -fr /server/deploy/jmx-console
   rm -fr /server/deploy/management/console-mgr.sar/web-console.war
   Remove gcc, make, ...; monitor attack attempts with an IDS (Snort SID 18794) and/or a HIDS; monitor existing connections:
   netstat -tanep | grep LISTEN | grep -v 127.0.0.1 | sort
   Monitor changes to the directories.

17. Links
   JBoss Worm Analysis in Details - http://bit.ly/srjgsZ
   CVE-2010-0738 - http://bit.ly/uqg7GE
   Snort SID 18794 - http://bit.ly/teVp8H
   Handle - http://bit.ly/gw0jel
   Process Explorer - http://bit.ly/fzWyfq
   JBoss Worm [jwmr-d] - http://bit.ly/ulToUp

18. Contacts
   Emails: alexos@alexos.org, alexos@dclabs.com.br
   Sites: http://www.dclabs.com.br, http://alexos.org
   Twitter: @alexandrosilva
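The "insufficient authentication" of slides 6 and 7 is a verb-limited security constraint: the jmx-console web.xml declared its constraint only for GET and POST, so a HEAD request reached the HtmlAdaptor servlet unauthenticated and the servlet still executed the operation. The following is an added example written for this page, not code from the talk or from JBoss: it reproduces the flaw class in a throwaway loopback HTTP server and probes it with unauthenticated GET and HEAD, then repeats the probe against the fixed form where the constraint covers every verb. The credentials, realm name and the X-Invoked-Via header are constructed for the simulation.

```python
"""Verb-limited authentication (the flaw class of CVE-2010-0738) and its fix,
simulated locally. Added example; not JBoss code. The vulnerable web.xml listed
<http-method>GET</http-method> and <http-method>POST</http-method> inside the
jmx-console security constraint; dropping those elements makes the constraint
apply to every verb, which is what the empty PROTECTED set below models."""
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials for the simulation; nothing on the page uses these.
VALID_AUTH = "Basic " + base64.b64encode(b"admin:admin").decode()


class VerbLimitedConsole(BaseHTTPRequestHandler):
    """Authenticates only the verbs listed in PROTECTED, like the original web.xml."""

    PROTECTED = frozenset({"GET", "POST"})

    def _handle(self):
        needs_auth = not self.PROTECTED or self.command in self.PROTECTED
        if needs_auth and self.headers.get("Authorization") != VALID_AUTH:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="JBoss JMX Console"')
            self.end_headers()
            return
        # Reaching this point stands for "JMX operation invoked", whatever the verb.
        self.send_response(200)
        self.send_header("X-Invoked-Via", self.command)
        self.end_headers()

    do_GET = do_POST = do_HEAD = _handle

    def log_message(self, *_):  # keep the example quiet
        pass


class AllVerbsConsole(VerbLimitedConsole):
    """The fixed form: an empty verb list means the constraint covers every method."""

    PROTECTED = frozenset()


def serve(handler):
    """Start the handler on a random loopback port in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(port, path="/jmx-console/HtmlAdaptor"):
    """Send unauthenticated GET and HEAD and return {verb: status}."""
    statuses = {}
    for verb in ("GET", "HEAD"):
        conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
        conn.request(verb, path)
        resp = conn.getresponse()
        resp.read()
        statuses[verb] = resp.status
        conn.close()
    return statuses


def verb_bypass(statuses):
    """True when GET is challenged but HEAD reaches the handler without credentials."""
    return statuses["GET"] == 401 and statuses["HEAD"] == 200


def demo():
    """Probe both configurations and return their status maps."""
    results = {}
    for name, handler in (("verb_limited", VerbLimitedConsole), ("all_verbs", AllVerbsConsole)):
        server = serve(handler)
        try:
            results[name] = probe(server.server_address[1])
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for name, statuses in demo().items():
        print(f"{name}: {statuses} bypass={verb_bypass(statuses)}")
```

The same GET-versus-HEAD comparison is the cheapest way to audit a real instance before touching the filesystem: if the console challenges GET with 401 but answers HEAD (or any other verb) with 200, the constraint is verb-limited. Removing the console entirely, as slide 16 does, is the stronger fix when nobody needs it.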
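Slides 10, 11 and 14 give the indicators (unexpected .war entries under the deploy tree, perl and pnscan processes with outbound connections) and a kill pipeline. The following added example, written for this page and not the talk's own script, implements the triage side of that procedure in Python: it parses lsof -i output in the shape shown on slide 11, lists the PIDs and remote endpoints of the worm processes, and walks a deploy tree for .war entries not on an allowlist. The allowlist, the sample lsof lines and the temporary deploy tree are constructed here; the PIDs and hostnames in the sample are made up.

```python
"""Triage helpers for the worm indicators: unexpected WARs under the JBoss deploy
tree and perl/pnscan processes with outbound connections. Added example; not the
talk's own scripts. Allowlist, sample lsof output and the demo tree are constructed."""
import re
import tempfile
from pathlib import Path

# Process names the talk associates with the worm (slides 11 and 14).
WORM_PROCESSES = ("perl", "pnscan")

# Hypothetical allowlist; build the real one from a clean install of your JBoss profile.
KNOWN_WARS = {"jmx-console.war", "web-console.war", "ROOT.war"}

# Constructed lsof -i output in the shape shown on slide 11 (PIDs and hosts made up).
SAMPLE_LSOF = """\
COMMAND   PID USER   FD   TYPE   DEVICE NODE NAME
java     1201 acme  95u  IPv4 19990001  TCP *:8080 (LISTEN)
perl    27910 acme   3u  IPv4 19993885  TCP vitima:40901->user-84.hbadesign.com:ddi-tcp-1 (ESTABLISHED)
perl    29854 acme   3u  IPv4 12214311  TCP vitima:52894->user-84.hbadesign.com:ircd (ESTABLISHED)
pnscan  30102 acme   4u  IPv4 12214400  TCP vitima:51000->10.0.0.7:http (SYN_SENT)
"""

# COMMAND PID USER ... TCP|UDP NAME (STATE); the header line has no numeric PID and is skipped.
LSOF_LINE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+.*?\s(?P<proto>TCP|UDP)\s+"
    r"(?P<name>\S+)(?:\s+\((?P<state>[A-Z_]+)\))?\s*$"
)


def parse_lsof(text):
    """Yield one dict per connection line; header and unparsable lines are skipped."""
    for line in text.splitlines():
        m = LSOF_LINE.match(line)
        if m:
            yield m.groupdict()


def worm_connections(text, names=WORM_PROCESSES):
    """Connections owned by the listed process names (exact match, unlike 'grep perl')."""
    return [c for c in parse_lsof(text) if c["cmd"] in names]


def worm_pids(text, names=WORM_PROCESSES):
    return sorted({int(c["pid"]) for c in worm_connections(text, names)})


def remote_endpoints(text, names=WORM_PROCESSES):
    """Remote host:port of each worm connection (the '->' side of lsof's NAME column)."""
    return sorted({c["name"].split("->", 1)[1]
                   for c in worm_connections(text, names) if "->" in c["name"]})


def suspicious_wars(deploy_root, allowlist=KNOWN_WARS):
    """Every *.war (file or exploded directory) under deploy_root not on the allowlist."""
    root = Path(deploy_root)
    return sorted(p.relative_to(root).as_posix()
                  for p in root.rglob("*.war") if p.name not in allowlist)


def demo():
    """Build a constructed deploy tree mirroring slide 10 and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        deploy = Path(tmp) / "deploy"
        (deploy / "jmx-console.war").mkdir(parents=True)
        (deploy / "ROOT.war").mkdir()
        (deploy / "management").mkdir()
        (deploy / "management" / "iesvc.war").mkdir()          # exploded, as the worm drops it
        (deploy / "management" / "zecmd.war").write_text("")   # same name as a flat archive
        wars = suspicious_wars(deploy)
    return {
        "wars": wars,
        "pids": worm_pids(SAMPLE_LSOF),
        "remotes": remote_endpoints(SAMPLE_LSOF),
    }


if __name__ == "__main__":
    findings = demo()
    print(findings)
    # Printed, not executed: kill -9 destroys volatile evidence, so copy
    # /proc/<pid>/ (cmdline, cwd, exe, fd/) before terminating anything.
    print("kill -9 " + " ".join(map(str, findings["pids"])))
```

Two caveats on the slide 14 pipeline that this code avoids: `ps aux | grep pnscan` also matches the grep process itself, and `lsof -i | grep perl` matches every perl process with a socket, legitimate daemons included, so match on the exact COMMAND column and review the remote endpoints before killing.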