Vulnerable JBoss entry points

As we know, JBoss comes with a number of fully functional and operational add-ons and extensions, such as JNDI, JMX, and JMS, so the number of possible entry points for JBoss exploitation increases accordingly. The following table lists the vulnerable MBeans, with their respective service and method names, that can be used for JBoss reconnaissance and exploitation:

| Category | MBean domain name | MBean service name | MBean method name | MBean method description |
|---|---|---|---|---|
| Exploitation | jboss.system | MainDeployer | deploy(), undeploy(), and redeploy() | The deploy() method is used to deploy applications. The undeploy() method is used to undeploy a deployed application. The redeploy() method is used by the server to redeploy a deployed application stored on the server itself (the local file). |
| Reconnaissance | jboss.system | Server | exit(), shutdown(), and halt() | The exit(), shutdown(), and halt() methods are quite dangerous. A threat actor can use these methods to disrupt the service by shutting down the application server. |
| Reconnaissance | jboss.system | ServerInfo | N/A | N/A |
| Reconnaissance | jboss.system | ServerConfig | N/A | N/A |
| Exploitation | jboss.deployment | DeploymentScanner | addURL() and listDeployedURLs() | The addURL() method is used to add a remote/local application by URL for deployment. The listDeployedURLs() method is used to list all the previously deployed applications with their URLs. This method is helpful for finding out whether the current JBoss AS instance has already been exploited. |
| Exploitation | jboss.deployer | BSHDeployer | createScriptDeployment(), deploy(), undeploy(), and redeploy() | The createScriptDeployment() method is used to deploy an application via a Bean Shell (BSH) script. The script content should be supplied to this method for deployment. The MBean then creates a temporary file with a .bsh extension, which will be used for the deployment. The deploy(), undeploy(), and redeploy() methods are used to manage the deployment using BSH scripts. |
| Exploitation | jboss.admin | DeploymentFileRepository | store() | The store() method is used by the deployer to store the filename with its extension, folder name, and timestamp. A threat actor just needs to supply the WAR file with the aforementioned information and the payload will be directly deployed on the server. |


The MainDeployer MBean is the deployment entry point and all the requests for component deployment are sent over to MainDeployer. MainDeployer can deploy WAR archives, JARs, Enterprise Application Archives (EARs), Resource Archives (RARs), Hibernate Archives (HARs), Service Archives (SARs), BSHes, and many other deployment packages.
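The table above can double as a detection watchlist. The following is an added example, not code from the book: it flags access-log lines that reference any of the listed MBeans and records which of the listed methods appear. The log lines are constructed, and the request path, parameter names, and ObjectName keys in them are placeholders rather than a documented JBoss request format.

```python
import re
from urllib.parse import unquote_plus

# (category, MBean domain, MBean service, methods) copied from the table above.
WATCHLIST = [
    ("Exploitation", "jboss.system", "MainDeployer", ("deploy", "undeploy", "redeploy")),
    ("Reconnaissance", "jboss.system", "Server", ("exit", "shutdown", "halt")),
    ("Reconnaissance", "jboss.system", "ServerInfo", ()),
    ("Reconnaissance", "jboss.system", "ServerConfig", ()),
    ("Exploitation", "jboss.deployment", "DeploymentScanner", ("addURL", "listDeployedURLs")),
    ("Exploitation", "jboss.deployer", "BSHDeployer",
     ("createScriptDeployment", "deploy", "undeploy", "redeploy")),
    ("Exploitation", "jboss.admin", "DeploymentFileRepository", ("store",)),
]

# Constructed sample lines; path, parameter names and ObjectName keys are placeholders.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /EXAMPLE-CONSOLE?name=jboss.system%3Aservice%3DMainDeployer&op=deploy HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /EXAMPLE-CONSOLE?name=jboss.system%253Atype%253DServerInfo HTTP/1.1" 200 2048',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 128',
    '198.51.100.7 - - [01/Jan/2024:10:00:12 +0000] "POST /EXAMPLE-CONSOLE?name=jboss.admin:service=DeploymentFileRepository&op=store HTTP/1.1" 200 64',
]

def decode(text, rounds=3):
    """Undo up to `rounds` layers of URL encoding so double-encoded names still match."""
    for _ in range(rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text

def scan_line(line):
    """Return (category, 'domain:service', [methods seen]) for each table row referenced."""
    text = decode(line)
    hits = []
    for category, domain, service, methods in WATCHLIST:
        # JMX ObjectName syntax is domain:key=value[,key=value]; accept any key name.
        name = r"\b" + re.escape(domain) + r':[^&\s"]*?=' + re.escape(service) + r"\b"
        if re.search(name, text):
            seen = [m for m in methods if re.search(r"\b" + re.escape(m) + r"\b", text)]
            hits.append((category, f"{domain}:{service}", seen))
    return hits

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        for hit in scan_line(entry):
            print(entry.split()[0], *hit)
```

The word-boundary match keeps `Server` from firing on `ServerInfo` or `ServerConfig`, and `deploy` from firing on `undeploy` or `redeploy`.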
