JBoss JMXInvokerServlet Deserialization Remote Code Execution
Red Hat JBoss Application Server is a JavaEE-based open source application server.
This is a classic JBoss deserialization vulnerability: JBoss deserializes the user-supplied object carried in the body of a /invoker/JMXInvokerServlet request without any validation, so an attacker can execute arbitrary code using gadget chains from Apache Commons Collections.
References:
- https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
- https://www.seebug.org/vuldb/ssvid-89723
- http://www.freebuf.com/sectool/88908.html
- https://paper.seebug.org/312/
Environment Setup
Execute the following command to start JBoss AS 6.1.0:

```
docker compose up -d
```
The initial setup will take 1-3 minutes. After initialization is complete, visit http://your-ip:8080/ to see the JBoss default page.
Vulnerability Reproduction
When JBoss handles a /invoker/JMXInvokerServlet request, it reads the serialized object from the request body and deserializes it directly. A POC generated by ysoserial can therefore simply be sent as the POST body. The whole process is the same as for jboss/CVE-2017-12149, so it is not repeated here.
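The defensive counterpart of the behaviour just described, as an added example that is not part of the vulhub page: the invoker servlets consume Java serialization streams, and every such stream starts with the ObjectOutputStream header 0xACED0005, so a proxy or IDS that sees request bodies can flag serialized objects posted to /invoker/* (the request type and sample traffic below are constructed for the example).

```python
# Added detection example (not code from the vulhub page): flag requests that hand a
# raw Java serialized object to the JBoss invoker servlets. Assumes the requests come
# from a reverse proxy or IDS capture that exposes the request body.
from dataclasses import dataclass
from typing import List

# ObjectOutputStream stream header: STREAM_MAGIC (0xACED) followed by STREAM_VERSION (5)
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"

# Servlets of the JBoss "invoker" web application; all of them deserialize client input.
INVOKER_PATHS = ("/invoker/JMXInvokerServlet", "/invoker/EJBInvokerServlet", "/invoker/readonly")

@dataclass
class HttpRequest:          # constructed minimal request model for the example
    method: str
    path: str
    body: bytes

def targets_invoker(path: str) -> bool:
    """True when the request path (query string stripped) hits an invoker servlet."""
    clean = path.split("?", 1)[0]
    return any(clean == p or clean.startswith(p + "/") for p in INVOKER_PATHS)

def is_java_serialized(body: bytes) -> bool:
    """True when the body is a Java serialization stream (ysoserial output starts this way)."""
    return body.startswith(JAVA_SERIAL_MAGIC)

def classify(req: HttpRequest) -> str:
    """'alert': serialized object posted to an invoker servlet.
    'suspicious': any other traffic to the invoker app, which should not be reachable
    from untrusted networks at all. 'ok': everything else."""
    if not targets_invoker(req.path):
        return "ok"
    if req.method.upper() == "POST" and is_java_serialized(req.body):
        return "alert"
    return "suspicious"

def triage(reqs: List[HttpRequest]) -> List[str]:
    return [classify(r) for r in reqs]

# Constructed sample traffic (not real captures): a normal page load, a probe of the
# servlet, and a POST whose body starts like a serialized java.util.HashMap.
SAMPLE = [
    HttpRequest("GET", "/", b""),
    HttpRequest("GET", "/invoker/JMXInvokerServlet", b""),
    HttpRequest("POST", "/invoker/JMXInvokerServlet?x=1", JAVA_SERIAL_MAGIC + b"sr\x00\x11java.util.HashMap"),
]

if __name__ == "__main__":
    for req, verdict in zip(SAMPLE, triage(SAMPLE)):
        print(f"{verdict:10s} {req.method} {req.path}")
```

In a real deployment the same check belongs in front of the server, and the invoker application itself should be removed or restricted to trusted hosts rather than relying on detection alone.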
There are many existing exploits available online. For example, you can use DeserializeExploit.jar to directly execute commands and upload files: