JBoss deserialization vulnerability reproduction (CVE-2017-12149)
First, vulnerability description
This is a Java deserialization vulnerability in the ReadOnlyAccessFilter of the HttpInvoker component in JBoss. The filter attempts to deserialize the data stream sent by the client without performing any safety check, which gives rise to the vulnerability.
Second, affected versions
JBoss 5.x
JBoss 6.x
Third, building the reproduction environment
Win7: 192.168.10.171
1. Install the Java environment and test that Java works.
2. Download jboss-as-6.1.0-final as an archive from http://jbossas.jboss.org/downloads/
3. Extract it to a directory (C:\jboss\).
4. Add new environment variables:
JBOSS_HOME: value C:\jboss\jboss-6.1.0.Final
Add to Path: %JBOSS_HOME%\bin;
5. After the environment variables are configured, open a cmd window in C:\jboss\jboss-6.1.0.Final\bin and run run.bat; a successful start looks like the figure.
6. Local test: enter 127.0.0.1:8080 in the browser.
7. Remote access is not possible by default; you need to modify the configuration file at jboss-6.1.0.Final\server\default\deploy\jbossweb.sar\server.xml, then restart JBoss.
8. Test remote access.
9. Browse to http://192.168.10.171:8080/invoker/readonly; if HTTP Status 500 is displayed, the vulnerability is present.
10. Validate that the vulnerability exists with the test tool. Tool download: https://github.com/yunxu1/jboss-_CVE-2017-12149
11. Command execution: whoami
Fourth, defending against the vulnerability
1. Upgrade to a newer version.
2. If the http-invoker.sar component is not needed, remove it.
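For the defensive side, an added example (not from the original post) that flags requests to the HTTP invoker in JBoss Web access logs: anything under /invoker/ is served by http-invoker.sar, and a POST to it delivers a body that ReadOnlyAccessFilter will try to deserialize. The log lines and IP addresses are constructed sample data; the log format is the Tomcat-style common log format.

```python
import re
from typing import Dict, List

# Constructed sample lines in the common log format JBoss Web writes
# (sample data for this example, not captured traffic).
SAMPLE_ACCESS_LOG = """\
192.168.10.50 - - [10/Oct/2019:14:02:11 +0800] "GET /index.html HTTP/1.1" 200 1523
192.168.10.50 - - [10/Oct/2019:14:02:15 +0800] "GET /invoker/readonly HTTP/1.1" 500 2291
192.168.10.50 - - [10/Oct/2019:14:02:30 +0800] "POST /invoker/readonly HTTP/1.1" 500 2291
192.168.10.60 - - [10/Oct/2019:14:03:01 +0800] "GET /admin-console/ HTTP/1.1" 200 4410
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def flag_invoker_requests(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per request that touches the HTTP invoker.

    A POST carries a request body that the deserializing filter consumes,
    so it is rated high. A GET answered with 500 matches the exposure check
    described above (the endpoint is reachable) and is rated medium.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith("/invoker/"):
            continue
        method, status = m.group("method"), m.group("status")
        if method == "POST":
            severity = "high"    # body submitted to ReadOnlyAccessFilter
        elif status == "500":
            severity = "medium"  # endpoint exposed and responding
        else:
            severity = "low"
        findings.append({"ip": m.group("ip"), "time": m.group("ts"),
                         "method": method, "path": m.group("path"),
                         "status": status, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in flag_invoker_requests(SAMPLE_ACCESS_LOG):
        print(f"{f['severity']:6} {f['ip']} {f['method']} {f['path']} -> {f['status']}")
```

Any hit on a host that still ships http-invoker.sar is a reason to apply the two defenses above: upgrade, or remove the component if nothing uses it.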