Port 1099 remote method call vulnerability in JBoss

Posted by lipsius at 2020-02-27

By: Weibo:

Brother Bird sent me an article a few days ago about a Java vulnerability: port 1099 can be called remotely. It suddenly occurred to me that when I presented at XCon 2012, one of the problems I did not mention because I "forgot" was a remote code execution vulnerability in JBoss. There seems to be no translation or usage guide for it in China. After such a long time, I really had forgotten it. Its principle is similar to that of EJBInvoker. Speaking of which, an EJBInvoker exploit was released a few days ago. In fact, that is also an old vulnerability. They were all released together at the beginning, and the exploits only hit different URLs, but there was no "usage guide" for the vulnerability in China, so many people could not use it. The usage guide is as follows. For anything that is unclear, use Google.

Vulnerability details:

twiddle.bat -s jnp:// invoke jboss.system:service=MainDeployer deploy

In fact, this originally appeared in a foreign author's article, along with several other JBoss problems. It means deploying a WAR remotely. The underlying principle is basically the same as that of EJBInvokerServlet / JMXInvokerServlet, and the scanning characteristics are basically the same. Therefore, port 1099 can be scanned in batches. In addition, port 4444 of JBoss is no good either. I have no time to analyze it and am waiting for someone to provide the answer. I think the saddest thing in the domestic security circle is that in most cases "exploit tool == new vulnerability", and therefore "exp == vulnerability details".

Repair suggestion: delete the invoker and close port 1099.
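
One way to verify the "close port 1099" half of this suggestion on a JBoss host, as an added example that is not part of the original post: it parses saved `netstat -an` or `ss -ltn` output and reports listeners on ports 1099 and 4444 that are bound to a non-loopback address. The function name, the regular expressions and the sample listing are constructed for illustration.

```python
import re

# Ports named in the post: 1099 (JNP naming service) and 4444 (also flagged by the author).
RISKY_PORTS = {1099, 4444}
LOOPBACK = re.compile(r"^(127\.\d+\.\d+\.\d+|::1|\[::1\]|localhost)$")
# Matches a local "address:port" token in Windows netstat, Linux netstat and ss output.
ENDPOINT = re.compile(r"^(?P<addr>\*|\[[0-9a-fA-F:]*\]|[0-9a-fA-F:.]+?):(?P<port>\d+)$")


def exposed_listeners(listing, ports=RISKY_PORTS):
    """Return sorted (address, port) pairs listening on a non-loopback address."""
    found = set()
    for line in listing.splitlines():
        fields = line.split()
        # Only listening TCP sockets: "LISTENING" (Windows) or "LISTEN" (Linux).
        if not any(f.upper().startswith("LISTEN") for f in fields):
            continue
        # The first address:port token on the line is the local endpoint.
        for field in fields:
            m = ENDPOINT.match(field)
            if m:
                addr, port = m.group("addr"), int(m.group("port"))
                if port in ports and not LOOPBACK.match(addr):
                    found.add((addr, port))
                break
    return sorted(found)


# Constructed sample mixing Windows netstat, Linux netstat and ss lines.
SAMPLE = """\
  TCP    0.0.0.0:1099           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
tcp        0      0 127.0.0.1:4444          0.0.0.0:*               LISTEN
tcp6       0      0 :::4444                 :::*                    LISTEN
LISTEN 0      50     [::1]:1099     [::]:*
  TCP    10.0.0.5:1099          10.0.0.9:51122         ESTABLISHED
"""

if __name__ == "__main__":
    for addr, port in exposed_listeners(SAMPLE):
        print(f"port {port} is listening on {addr}: close it or bind it to loopback")
```

An empty result means neither port is listening on a routable interface; it does not show whether the invoker deployments themselves have been removed.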
