
clusterd: app server security Bryan Alexander


Presentation Transcript


  1. clusterd: app server security Bryan Alexander

  2. who • pentester @ Coalfire Labs • Independent researcher • Breaking via building

  3. why?

  4. why? • ColdFusion 10 deployments? • JRun hash retrieval? • WebLogic anythings? • Running versions? • JBoss 7.x/8.x deploys? • Brute forcing? • Railo? Axis2? WebSphere?! • More!?

  5. what • clusterd; application server attack toolkit • Python-based, command line driven • Support for JBoss, WebLogic, Tomcat, ColdFusion, Railo, …

  6. what • JBoss • Tomcat • WebLogic • ColdFusion • Railo • Axis2

  7. JBoss • So much has already been said (Matasano, Red Team Pentesting, HSC) • Let's talk about things that haven't been

  8. JBoss Recap • Versions 3.x – 7.x “JBoss” • Versions 8.x+ rebranded to “WildFly” • Make it rain shells with WARs • No security by default • clusterd currently features 7 unique deployers • Typically run as an administrative/SYSTEM user

  9. JBoss Recap

  10. JBoss 7.x • One interface to rule them all (JSON API) • They still haven't figured out how authentication works • Unauthenticated deploys via exposed management interface

  11. JBoss UNC • Not a new attack, but a new application • Force JBoss to load a remote resource via a UNC path, capture hashes, crack 'em

  12. JBoss CVE-2005-2006 • Nobody is using this bug to fetch credentials

  13. JBoss Auxiliary • Auxiliary modules used for scraping remote information

  14. Tomcat Recap • Tomcat 3.x – 8.x; very consistent platform • Default creds! • Roles! manager vs. manager-gui • clusterd currently deploys to everything

  15. Tomcat • Not much going on; all the standard modules

  16. WebLogic • Oracle's very own JBoss/Tomcat (still Java) • Very enterprise-y; clustering, systematic backups, etc. • Difficult to obtain older versions (which have default creds)

  17. WebLogic • WebLogic supports deploying WAR files, and so does clusterd • You have to use the java/jsp_shell_*_tcp payloads (default in clusterd)

  18. WebLogic • Two versions of the admin interface; http and https (ports 7001 and 9002) • Typically run as a system service • Clustered environment, deploys can trickle down a domain • Very often seen in high-availability environments, i.e. systems running active/active

  19. ColdFusion Recap • ColdFusion 6.x – 11.x • clusterd currently has three deployers for CF • LFI leading to hash disclosure v6.x – 10.x • No cracking when you can PTH • No default credentials, but plenty of ways to get around that

  20. ColdFusion

  21. ColdFusion • Everybody knows the task scheduler can be used to deploy • 10.x+ restricts the extension (no cfml)

  22. ColdFusion • How about LFI to RCE?

  23. Railo • Railo 3.x – 4.x • Essentially just a FOSS ColdFusion • Task scheduler, plugin architecture, clustered servers, lots of development • By default very promiscuous

  24. Railo • No public vulnerabilities, yet... • Two interfaces; server.cfm and web.cfm • Runs jsp and cfml, much like CF

  25. Axis2 • Axis2 1.2 – 1.6 • Web services (soap/wsdl) engine; deploy services not applications • Couple ways to deploy; clusterd currently supports one (recently added) • Default creds! • Last release was 2012, but still heavily used

  26. Axis2 • Generating payloads is pretty simple, but we can't use vanilla msfpayload • Generate a java/meterpreter/reverse_tcp and pack it into a jar; build XML descriptor

  27. Axis2 • LFI in 1.4.x, obviously we're going to fetch creds

  28. other features • All platforms support brute forcing via supplied wordlist

  29. other features • Clean up after yourselves; every platform has an undeployer

  30. other features • Discovery module

  31. other features • Maybe demo?

  32. FOSSy • Well formed pull requests welcome • https://github.com/hatRiot/clusterd • Public to-do hosted on Trello • https://trello.com/b/Bwcmrsyd/clusterd • Research and 0days and fun stuff on my blog • http://hatriot.github.io/ • Twat or email me your questions/bugs/requests • @dronesec (bryan.alexander@coalfire.com)

  33. Questions? Comments?
