clusterd: app server securityBryan Alexander

who

pentester @ Coalfire Labs

Independent researcher

Breaking via building

why?

why?

ColdFusion 10 deployments? JRun hash retrieval? WebLogic anythings? Running versions? Jboss 7.x/8.x deploys? Brute forcing? Railo? Axis2? WebSphere?! More!?

what

clusterd; application server attack toolkit Python-based, command line driven Support for Jboss, WebLogic, Tomcat,

Coldfusion, Railo, …

what

JBoss Tomcat WebLogic ColdFusion Railo Axis2

JBoss

So much has already been said (Matasano, Red Team Pentesting, HSC)

Let's talk about things that haven't been

Jboss Recap

Versions 3.x – 7.x “Jboss” Versions 8.x+ rebranded to “WildFly” Make it rain shells with WARs No security by default clusterd currently features 7 unique

deployers Typically run as an

administrative/SYSTEM user

Jboss Recap

Jboss 7.x

One interface to rule them all (JSON API) They still haven't figured out how

authentication works Unauthenticated deploys via exposed

management interface

Jboss UNC

Not a new attack, but a new application Force JBoss to load a remote resource via

a UNC path, capture hashes, crack 'em

Jboss CVE-2005-2006

Nobody is using this bug to fetch credentials

Jboss Auxiliary

Auxiliary modules used for scraping remote information

Tomcat Recap

Tomcat 3.x – 8.x; very consistent platform Default creds! Roles! manager vs. manager-gui clusterd currently deploys to everything

Tomcat

Not much going on; all the standard modules

WebLogic

Oracle's very own Jboss/Tomcat (still Java) Very enterprise-y; clustering, systematic

backups, etc Difficult to obtain older versions (which

have default creds)

WebLogic

WebLogic supports deploying WAR files, and so does clusterd

You have to use the java/jsp_shell_*_tcp payloads (default in clusterd)

WebLogic

Two versions of the admin interface; http and https (ports 7001 and 9002)

Typically run as a system service Clustered environment, deploys can

trickle down a domain Very often seen in high-availability

environments, ie. systems running active/active

Coldfusion Recap

Coldfusion 6.x – 11.x clusterd currently has three deployers for

CF LFI leading to hash disclosure v6.x – 10.x No cracking when you can PTH No default credentials, but plenty of ways

to get around that

Coldfusion

Coldfusion

Everybody knows the task scheduler can be used to deploy

10.x+ restricts the extension (no cfml)

Coldfusion

How about LFI to RCE?

Railo

Railo 3.x – 4.x Essentially just a FOSS Coldfusion Task scheduler, plugin architecture,

clustered servers, lots of development By default very promiscuous

Railo

No public vulnerabilities, yet... Two interfaces; server.cfm and web.cfm Runs jsp and cfml, much like CF

Axis2

Axis2 1.2 – 1.6

Web services (soap/wsdl) engine; deploy services not applications

Couple ways to deploy; clusterd currently supports one (recently added)

Default creds!

Last release was 2012, but still heavily used

Axis2

Generating payloads is pretty simple, but we can't use vanilla msfpayload

Generate a java/meterpreter/reverse_tcp and pack it into a jar; build XML descriptor

Axis2

LFI in 1.4.x, obviously we're going to fetch creds

other features

All platforms support brute forcing via supplied wordlist

other features

Clean up after yourselves; every platform has an undeployer

other features

Discovery module

other features

Maybe demo?

FOSSy

Well formed pull requests welcome

https://github.com/hatRiot/clusterd Public to-do hosted on Trello

https://trello.com/b/Bwcmrsyd/clusterd Research and 0days and fun stuff on my blog

http://hatriot.github.io/ Twat or email me your questions/bugs/requests

@dronesec (bryan.alexander@coalfire.com)

Questions¿

Comments?