BlackHatEU : Abusing JBoss
Christian demoed two tools called JBoss-autopwn and Tomcat-autopwn.
For both tools he demonstrated that exploitation is possible on both Windows and Linux systems. It is also very likely that the tools work on Solaris.
Both tools rely on the management console being reachable and on administrator passwords that are often left unchanged from the default and can therefore be guessed.
The countermeasures against these attacks are obvious: change the default password and disable or shield off the management interfaces.
The tools are part of the Metasploit framework and can be downloaded there.
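As an added example on the countermeasure side (not code from the talk or from the tools it describes): a small audit script that flags default or weak credentials in a Tomcat tomcat-users.xml and a JBoss jmx-console-users.properties file, so an admin can verify the defaults were actually changed. The weak-credential list and both sample files are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed list of commonly cited default credentials (assumption, not taken from the talk)
WEAK_CREDENTIALS = {("admin", "admin"), ("tomcat", "tomcat"), ("manager", "manager"), ("admin", "")}
# Tomcat roles that grant access to the manager / host-manager web applications
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status",
                    "admin-gui", "admin-script"}

def audit_tomcat_users(xml_text):
    """Return findings for users in tomcat-users.xml with default or short privileged passwords."""
    findings = []
    root = ET.fromstring(xml_text)
    # The file may or may not declare the Tomcat XML namespace, so match on the local tag name
    for user in root.iter():
        if user.tag.split("}")[-1] != "user":
            continue
        name = user.get("username") or user.get("name") or ""
        password = user.get("password") or ""
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        if (name, password) in WEAK_CREDENTIALS:
            findings.append(f"tomcat: user '{name}' uses a known default password")
        if roles & PRIVILEGED_ROLES and len(password) < 12:
            findings.append(f"tomcat: privileged user '{name}' has a short password")
    return findings

def audit_jboss_users(props_text):
    """Return findings for jmx-console-users.properties (one 'username=password' per line)."""
    findings = []
    for line in props_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # commented-out entries are not active accounts
        name, _, password = line.partition("=")
        if (name.strip(), password.strip()) in WEAK_CREDENTIALS:
            findings.append(f"jboss: user '{name.strip()}' uses a known default password")
    return findings

# Constructed sample files: one default account left in place, one properly changed
SAMPLE_TOMCAT_USERS = """<tomcat-users>
  <role rolename="manager-gui"/>
  <user username="tomcat" password="tomcat" roles="manager-gui"/>
  <user username="ops" password="correct-horse-battery-staple-2010" roles="manager-gui"/>
</tomcat-users>"""
SAMPLE_JBOSS_USERS = "# A sample user\nadmin=admin\n"

if __name__ == "__main__":
    for finding in audit_tomcat_users(SAMPLE_TOMCAT_USERS) + audit_jboss_users(SAMPLE_JBOSS_USERS):
        print(finding)
```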

So where’s the beef? “Xploiting” any system using a default password is more than ridiculous. In other words:
There’s no xploit for JBoss / Tomcat available, FULL STOP.
I’d ask for my money back from Blackhat for such a joke…
Gregor
I’m losing the point…
… and definitely it works also on Solaris
The point is:
First thing *any* JBoss-/TC-Admin will do is to change the default password, meaning the Xploit is #useless.
Big mouth “we do have an Xploit for JB/TC”, giving a session where ppl *pay* for attention and then producing such a bullshit…
Sorry, I was being ironic in both comments.
Hi guys,
I actually gained quite a bit from this talk; we run quite a few JBoss/Tomcat instances in our enterprise. Having the risk of running these in their default states so eloquently demonstrated certainly drove the message home.
I read the abstract prior to coming in and at no point did he hint that this was a new exploit but rather it says that it’s a new tool that facilitates exploitation. So nothing new, but does make our lives as pentesters all that easier.
So overall, I quite enjoyed the talk and he delivered on all that he promised. It was actually one of the better technical talks this year, I found.
@frank:
Calling this “one of the better technical talks” raises the question of the overall quality of BlackhatEU…
Remember the Oracle talk? The Oracle setup described there should never be found anywhere, so the attacks mentioned there seem basically useless to me.
Just my 0.02€…
Gregor
Frank
Frankly, you’re kidding, if this is meant:
“It was actually one of the better technical talks this year, I found.”
then I don’t want to spend any €cent