clusterd: app server security

Bryan Alexander

who

pentester @ Coalfire Labs

Independent researcher

Breaking via building

why?

ColdFusion 10 deployments? JRun hash retrieval? WebLogic anythings? Running versions? Jboss 7.x/8.x deploys? Brute forcing? Railo? Axis2? WebSphere?! More!?

what

clusterd: application server attack toolkit

Python-based, command line driven

Support for JBoss, WebLogic, Tomcat, ColdFusion, Railo, …

what

JBoss Tomcat WebLogic ColdFusion Railo Axis2

JBoss

So much has already been said (Matasano, Red Team Pentesting, HSC)

Let's talk about things that haven't been

Jboss Recap

Versions 3.x – 7.x “JBoss”; versions 8.x+ rebranded to “WildFly”

Make it rain shells with WARs

No security by default

clusterd currently features 7 unique deployers

Typically run as an administrative/SYSTEM user

Jboss Recap

Jboss 7.x

One interface to rule them all (JSON API)

They still haven't figured out how authentication works

Unauthenticated deploys via exposed management interface
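Added example, not from the talk or the clusterd project: a check a defender can run against their own JBoss AS 7 / EAP 6 hosts to confirm the HTTP management interface actually demands credentials. It assumes the default management port 9990 and the standard read-attribute operation on the root resource; the classification helper is separated out so the decision logic can be tested without a live server.

```python
"""Verify that a JBoss AS 7 HTTP management interface requires authentication.

Added example (not clusterd's code). Assumptions: default management port
9990 and the AS 7 JSON management API (POST /management with a
read-attribute operation). A 200 to an unauthenticated request means
anyone who can reach the port can manage (and deploy to) the server.
"""
import json
import urllib.error
import urllib.request


def classify_management_response(status, www_authenticate=None):
    """Map an HTTP status and WWW-Authenticate header to a finding string."""
    if status == 200:
        # Request succeeded without credentials: the interface is wide open.
        return "UNAUTHENTICATED"
    if status == 401:
        # Expected hardened state; report which scheme (Digest/Basic) is in use.
        scheme = (www_authenticate or "").split(" ", 1)[0].lower()
        return "AUTH_REQUIRED:" + (scheme or "unknown")
    if status == 403:
        return "FORBIDDEN"
    return "UNEXPECTED:%d" % status


def probe_management(host, port=9990, timeout=5):
    """Send an unauthenticated read-attribute request and classify the reply."""
    url = "http://%s:%d/management" % (host, port)
    body = json.dumps({"operation": "read-attribute", "name": "server-state"}).encode()
    req = urllib.request.Request(
        url, data=body, headers={"Content-Type": "application/json"}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_management_response(
                resp.status, resp.headers.get("WWW-Authenticate")
            )
    except urllib.error.HTTPError as err:
        # 401/403 arrive as HTTPError; the headers still carry the challenge.
        return classify_management_response(
            err.code, err.headers.get("WWW-Authenticate")
        )


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(target, probe_management(target))
```

Anything other than AUTH_REQUIRED on a management port that is reachable from outside the admin network is a finding; the fix is to bind the interface to a management-only address and add a user to ManagementRealm rather than relying on firewall rules alone.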

Jboss UNC

Not a new attack, but a new application

Force JBoss to load a remote resource via a UNC path, capture hashes, crack 'em

Jboss CVE-2005-2006

Nobody is using this bug to fetch credentials

Jboss Auxiliary

Auxiliary modules used for scraping remote information

Tomcat Recap

Tomcat 3.x – 8.x; very consistent platform

Default creds! Roles! manager vs. manager-gui

clusterd currently deploys to everything

Tomcat

Not much going on; all the standard modules
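Added example, not from the talk or the clusterd project: the "default creds" and "roles" points above are exactly what a defender should audit in tomcat-users.xml. The script below parses the file (namespaced Tomcat 7+ form or the older plain form), flags Manager/Host Manager accounts whose password is on a weak list, and flags accounts that hold manager-gui together with manager-script or manager-jmx, the combination the Tomcat Manager documentation advises against. The sample XML and the weak-password list are constructed for the example.

```python
"""Audit tomcat-users.xml for weak Manager credentials and role sprawl.

Added example (not clusterd's code). SAMPLE_TOMCAT_USERS and WEAK_PASSWORDS
are constructed for illustration; point audit_tomcat_users() at the real
file contents and a real wordlist in practice.
"""
import xml.etree.ElementTree as ET

# Roles that grant deploy/undeploy or admin capability (Tomcat manager docs).
MANAGER_ROLES = {
    "manager-gui", "manager-script", "manager-jmx", "manager-status",
    "admin-gui", "admin-script",
}

# Constructed stand-in for a real weak/default password list.
WEAK_PASSWORDS = {"tomcat", "s3cret", "admin", "password", "manager"}

# Constructed sample in the Tomcat 7+ namespaced format.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-status"/>
  <user username="tomcat" password="tomcat" roles="manager-gui,manager-script"/>
  <user username="deploy" password="Xq9!vT2#pL" roles="manager-script"/>
  <user username="ops" password="s3cret" roles="manager-status"/>
  <user username="app" password="tomcat" roles="role1"/>
</tomcat-users>
"""


def _local_name(tag):
    """Strip an XML namespace prefix such as {http://tomcat.apache.org/xml}."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text, weak_passwords=WEAK_PASSWORDS):
    """Return a list of (username, finding) tuples for privileged accounts."""
    data = xml_text.encode() if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    findings = []
    for el in root.iter():
        if _local_name(el.tag) != "user":
            continue
        name = el.get("username", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        if not roles & MANAGER_ROLES:
            continue  # unprivileged application users are out of scope here
        password = el.get("password", "")
        if password.lower() in weak_passwords:
            findings.append((name, "weak password on manager account"))
        if "manager-gui" in roles and roles & {"manager-script", "manager-jmx"}:
            findings.append((name, "manager-gui combined with script/jmx role"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print("%-8s %s" % (user, finding))
```

On the sample this reports the `tomcat` account twice (weak password, and GUI plus script roles on one identity) and `ops` once; `deploy` passes and `app` is ignored because it holds no manager role. If the file uses digested passwords (a `CredentialHandler` or the older `digest` attribute on the Realm), the weak-password check has to hash the wordlist with the same algorithm before comparing.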

WebLogic

Oracle's very own JBoss/Tomcat (still Java)

Very enterprise-y; clustering, systematic backups, etc.

Difficult to obtain older versions (which have default creds)

WebLogic

WebLogic supports deploying WAR files, and so does clusterd

You have to use the java/jsp_shell_*_tcp payloads (default in clusterd)

WebLogic

Two versions of the admin interface: http and https (ports 7001 and 9002)

Typically run as a system service

Clustered environment; deploys can trickle down a domain

Very often seen in high-availability environments, i.e. systems running active/active

Coldfusion Recap

ColdFusion 6.x – 11.x

clusterd currently has three deployers for CF

LFI leading to hash disclosure, v6.x – 10.x

No cracking when you can PTH

No default credentials, but plenty of ways to get around that

Coldfusion

Everybody knows the task scheduler can be used to deploy

10.x+ restricts the extension (no cfml)

Coldfusion

How about LFI to RCE?

Railo

Railo 3.x – 4.x

Essentially just a FOSS ColdFusion

Task scheduler, plugin architecture, clustered servers, lots of development

By default very promiscuous

Railo

No public vulnerabilities, yet...

Two interfaces: server.cfm and web.cfm

Runs JSP and CFML, much like CF

Axis2

Axis2 1.2 – 1.6

Web services (soap/wsdl) engine; deploy services not applications

Couple ways to deploy; clusterd currently supports one (recently added)

Default creds!

Last release was 2012, but still heavily used

Axis2

Generating payloads is pretty simple, but we can't use vanilla msfpayload

Generate a java/meterpreter/reverse_tcp and pack it into a jar; build XML descriptor

Axis2

LFI in 1.4.x, obviously we're going to fetch creds

other features

All platforms support brute forcing via supplied wordlist
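Added example, not from the talk or the clusterd project: the defender's counterpart to wordlist brute forcing is spotting it in the access logs. The script below parses Tomcat-style common-format access log lines, keeps only failed (401/403) requests to known admin-console paths for the platforms covered in this deck, and raises an alert when one source IP exceeds a threshold of failures inside a sliding time window. The log lines are constructed; the admin path list and thresholds are assumptions to tune per environment.

```python
"""Detect credential brute forcing against app-server admin consoles.

Added example (not clusterd's code). SAMPLE_LOG is constructed in the
Apache/Tomcat "common" access log format (%h %l %u %t "%r" %s %b).
ADMIN_PATHS lists well-known console prefixes for the platforms in this
talk; extend it for your own deployments.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Admin console prefixes (assumed defaults; adjust to local deployments).
ADMIN_PATHS = (
    "/manager/", "/host-manager/",        # Tomcat
    "/management", "/jmx-console/",       # JBoss
    "/console/",                          # WebLogic
    "/CFIDE/administrator/",              # ColdFusion
    "/railo-context/admin/",              # Railo
    "/axis2/axis2-admin/",                # Axis2
)

# Constructed sample: one noisy source, one slow source, one legitimate login.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2014:13:55:01 -0700] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.7 - - [10/Oct/2014:13:55:03 -0700] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.7 - - [10/Oct/2014:13:55:04 -0700] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.7 - - [10/Oct/2014:13:55:06 -0700] "GET /manager/text/list HTTP/1.1" 401 2473
198.51.100.7 - - [10/Oct/2014:13:55:09 -0700] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.7 - - [10/Oct/2014:13:55:12 -0700] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [10/Oct/2014:13:50:00 -0700] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [10/Oct/2014:14:10:00 -0700] "GET /manager/html HTTP/1.1" 401 2473
192.0.2.10 - ops [10/Oct/2014:13:56:00 -0700] "GET /manager/html HTTP/1.1" 200 19300
203.0.113.5 - - [10/Oct/2014:13:57:00 -0700] "GET /index.html HTTP/1.1" 404 -
"""


def parse_failures(lines):
    """Return {ip: [timestamps]} of failed requests to admin console paths."""
    failures = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(ADMIN_PATHS):
            continue
        if m["status"] not in ("401", "403"):
            continue
        failures[m["ip"]].append(
            datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        )
    return failures


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak_failures_in_window} for IPs at or above threshold."""
    alerts = {}
    for ip, times in parse_failures(lines).items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), count)
    return alerts


if __name__ == "__main__":
    for ip, peak in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print("ALERT %s: %d failed admin logins within window" % (ip, peak))
```

On the sample only 198.51.100.7 trips the rule (six 401s in eleven seconds); the two failures from 203.0.113.5 are twenty minutes apart and the successful `ops` login is not a failure. Pair a rule like this with account lockout or a LockOutRealm on Tomcat, and remember that the same signal applies to the other consoles listed, since clusterd brute forces every platform it supports.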

other features

Clean up after yourselves; every platform has an undeployer

other features

Discovery module

other features

Maybe demo?

FOSSy

Well-formed pull requests welcome: https://github.com/hatRiot/clusterd

Public to-do hosted on Trello: https://trello.com/b/Bwcmrsyd/clusterd

Research and 0days and fun stuff on my blog: http://hatriot.github.io/

Twat or email me your questions/bugs/requests: @dronesec (bryan.alexander@coalfire.com)

Questions¿

Comments?
