exploit the possibilities

JDA Connect CSRF / Command Execution / Exposed JMX Service

JDA Connect CSRF / Command Execution / Exposed JMX Service
Posted May 28, 2018
Authored by Xiaoran Wang

JDA Connect suffers from cross site request forgery, JMX interface exposure, and command execution vulnerabilities.

tags | exploit, vulnerability, csrf
MD5 | 4ce88271645c827b9014f96101c86dd9

JDA Connect CSRF / Command Execution / Exposed JMX Service

Change Mirror Download
Introduction
============
Multiple critical vulnerabilities were identified in JDA Connect.
The vulnerabilities were discovered during a
black box security assessment and therefore the vulnerability list
should not be considered exhaustive.

Affected Software and Versions
==============================
- Tested with JDA Connect (most recent version at the date of July 2017)
- All vulnerabilities are fixed as of patch 2017.2

CVE
===
No CVEs have been assigned yet.

Author
======
The vulnerabilities were discovered by Xiaoran Wang from Google Security
Team.

Credit
======
The author would like to thank John Vrankovich from JDA for coordinating
the security fixes promptly and diligently.

Vulnerability Overview
======================
CNT-01 - Privileged remote command execution through open CORS policies
CNT-02 - No CSRF protection on hawtio web portal
CNT-03 - Unauthenticated JMX service listening on all interfaces


Vulnerability Details
=====================
----------------------------------------------------------------------------
CNT-01 - Privileged remote command execution through open CORS policies
----------------------------------------------------------------------------
Severity: CRITICAL

The hawtio admin web portal running on port 8181 has a insecure wide open
aAccess-Control-Allow-Origina setting and it allows any arbitrary origin to
access its data by echoing back aAccess-Control-Allow-Origin:
attacker-supplied-origina and aAccess-Control-Allow-Credentials: truea.
This allows the attacker to communicate with the vulnerable website from an
attackeras website as if they were on the same origin. This enables the
attacker to take send and receive any request this website accepts because
itas cookie authenticated. Example requests include dumping heap memory,
reading/writing JVM options, reading/writing object values, installing
arbitrary features/bundles, and the servlet handler runs as root.

----------------------------------------------------------------------------
CNT-02 - No CSRF protection on hawtio web portal
----------------------------------------------------------------------------
Severity: HIGH

The hawtio admin web portal running on port 8181 does not have any CSRF
protection, leading to the same results as the previous vulnerability, such
as installing arbitrary packages, reading/writing JVM memory, etc.

----------------------------------------------------------------------------
CNT-03 - Unauthenticated JMX service listening on all interfaces
----------------------------------------------------------------------------
Severity: HIGH

The JDA Connect Java daemon has a JMX server that listens on all interfaces
without authentication. Using tools like jconsole, one could read and write
the values of objects in the entire application, possibly leading to
arbitrary command execution. For example, the Java process is started with
the following options.
-Dcom.sun.management.jmxremote.port=1616
-Dcom.sun.management.jmxremote.authenticate=false
-Dcom.sun.management.jmxremote.ssl=false


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

September 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    1 Files
  • 2
    Sep 2nd
    38 Files
  • 3
    Sep 3rd
    30 Files
  • 4
    Sep 4th
    15 Files
  • 5
    Sep 5th
    12 Files
  • 6
    Sep 6th
    17 Files
  • 7
    Sep 7th
    3 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    24 Files
  • 10
    Sep 10th
    22 Files
  • 11
    Sep 11th
    22 Files
  • 12
    Sep 12th
    15 Files
  • 13
    Sep 13th
    5 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close