clusterd: app server security Bryan Alexander
who Coalfire Labs Independent researcher Breaking via building
why?
ColdFusion 10 deployments? JRun hash retrieval? WebLogic anythings? Running versions? Jboss 7.x/8.x deploys? Brute forcing? Railo? Axis2? WebSphere?! More!?
what clusterd: application server attack toolkit Python-based, command-line driven Support for JBoss, WebLogic, Tomcat, ColdFusion, Railo, …
what JBoss Tomcat WebLogic ColdFusion Railo Axis2
JBoss So much has already been said (Matasano, Red Team Pentesting, HSC) Let's talk about things that haven't been
JBoss Recap Versions 3.x – 7.x “JBoss” Versions 8.x+ rebranded to “WildFly” Make it rain shells with WARs No security by default clusterd currently features 7 unique deployers Typically run as an administrative/SYSTEM user
JBoss Recap
JBoss 7.x One interface to rule them all (JSON API) They still haven't figured out how authentication works Unauthenticated deploys via exposed management interface
JBoss UNC Not a new attack, but a new application Force JBoss to load a remote resource via a UNC path, capture hashes, crack 'em
JBoss CVE Nobody is using this bug to fetch credentials
JBoss Auxiliary Auxiliary modules used for scraping remote information
Tomcat Recap Tomcat 3.x – 8.x; very consistent platform Default creds! Roles! manager vs. manager-gui clusterd currently deploys to everything
Tomcat Not much going on; all the standard modules
WebLogic Oracle's very own JBoss/Tomcat (still Java) Very enterprise-y; clustering, systematic backups, etc. Difficult to obtain older versions (which have default creds)
WebLogic WebLogic supports deploying WAR files, and so does clusterd You have to use the java/jsp_shell_*_tcp payloads (default in clusterd)
WebLogic Two versions of the admin interface; http and https (ports 7001 and 9002) Typically run as a system service Clustered environment, deploys can trickle down a domain Very often seen in high-availability environments, i.e. systems running active/active
ColdFusion Recap ColdFusion 6.x – 11.x clusterd currently has three deployers for CF LFI leading to hash disclosure v6.x – 10.x No cracking when you can PTH (pass the hash) No default credentials, but plenty of ways to get around that
ColdFusion
Everybody knows the task scheduler can be used to deploy 10.x+ restricts the extension (no cfml)
ColdFusion How about LFI to RCE?
Railo Railo 3.x – 4.x Essentially just a FOSS ColdFusion Task scheduler, plugin architecture, clustered servers, lots of development By default very promiscuous
Railo No public vulnerabilities, yet... Two interfaces; server.cfm and web.cfm Runs jsp and cfml, much like CF
Axis2 Axis2 1.2 – 1.6 Web services (soap/wsdl) engine; deploy services not applications Couple ways to deploy; clusterd currently supports one (recently added) Default creds! Last release was 2012, but still heavily used
Axis2 Generating payloads is pretty simple, but we can't use vanilla msfpayload Generate a java/meterpreter/reverse_tcp and pack it into a jar; build XML descriptor
Axis2 LFI in 1.4.x, obviously we're going to fetch creds
other features All platforms support brute forcing via supplied wordlist
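The Tomcat slides (default creds, manager vs. manager-gui roles) and the brute-forcing feature above are what a defender should expect to see in the manager's access log. Added example, not part of clusterd or the original deck: a detector run over constructed Tomcat access-log lines that flags repeated 401s against the manager app, an authenticated request from the same IP after those failures, and successful deploy calls. The log lines, IPs, users and threshold are all assumptions.

```python
import re
from collections import Counter

# Constructed Tomcat access-log lines (AccessLogValve "common" pattern); not real logs.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2014:10:01:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [12/Mar/2014:10:01:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [12/Mar/2014:10:01:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [12/Mar/2014:10:01:04 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [12/Mar/2014:10:01:05 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - tomcat [12/Mar/2014:10:01:06 +0000] "GET /manager/html HTTP/1.1" 200 11238
10.0.0.5 - tomcat [12/Mar/2014:10:01:09 +0000] "PUT /manager/text/deploy?path=/x HTTP/1.1" 200 57
192.168.1.20 - admin [12/Mar/2014:10:05:00 +0000] "GET /manager/html HTTP/1.1" 200 11238
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)
MANAGER_PREFIXES = ("/manager/", "/host-manager/")
# Deploy endpoints across Tomcat versions: text API, legacy path, HTML upload form.
DEPLOY_PREFIXES = ("/manager/text/deploy", "/manager/deploy", "/manager/html/upload")

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyze(log_text, threshold=5):
    """Flag manager brute forcing, a login following it, and successful deploys."""
    failures = Counter()
    suspicious_logins, deploys = [], []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not rec["path"].startswith(MANAGER_PREFIXES):
            continue
        ip, status, path = rec["ip"], int(rec["status"]), rec["path"]
        if status == 401:
            failures[ip] += 1
        elif status == 200:
            # Authenticated request from an IP that already hit the failure threshold.
            if failures[ip] >= threshold and rec["user"] != "-" and ip not in suspicious_logins:
                suspicious_logins.append(ip)
            if path.startswith(DEPLOY_PREFIXES):
                deploys.append((ip, rec["user"], path))
    bruteforce = {ip: n for ip, n in failures.items() if n >= threshold}
    return {"bruteforce": bruteforce, "suspicious_logins": suspicious_logins, "deploys": deploys}
```

The legitimate admin login from 192.168.1.20 is not flagged because it had no preceding failures; lower the threshold if the manager app is rarely used on the host.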
other features Clean up after yourselves; every platform has an undeployer
other features Discovery module
other features Maybe demo?
FOSSy Well-formed pull requests welcome Public to-do hosted on Trello Research and 0days and fun stuff on my blog Tweet or email me your questions/bugs/requests
Questions? Comments?