In late August 2017 Redhat have published a security advisory regarding an arbitrary code execution vulnerability in JBoss and recently a Proof of Concept exploit was publicly released. This vulnerability is added to the long list of unsafe deserialization vulnerabilities discovered this year.
The vulnerable code is part of the HTTP Invoker service that provides HTTP and Remote Method Invocation (RMI) access. This service was first introduced in JBoss Application Server version 3.0.3 (which was released in September 2002) and is installed by default on instances based on versions prior to 7.0.0.
Figure 1: invoker.war package pre-installed on JBoss Application Server 5.
The unsafe deserialization takes place in the ReadOnlyAccessFilter.java file which receives a request object and calls readObject on the POST data sent by the user without doing any validations on the user supplied input. This provides attackers the possibility to send a crafted serialized object to the server that once deserialized will trigger arbitrary code execution in the context of the user running the vulnerable JBoss server.
Figure 2: User supplied input is being deserialized without any validations being made on it.
Figure 3: Part of the POST request sent by the Proof-of-Concept exploit.
Mitigation Using BIG-IP ASM
BIG-IP ASM customers under any supported BIG-IP version are already protected against this vulnerability. The exploitation attempt will be detected by existing Java code injection and command execution attack signatures which can be found in signature sets that include “Command Execution” and “Server Side Code Injection” attack types or “Java Servlets/JSP” System.
Figure 4: Exploit blocked with Attack Signature (200003437)
Figure 5: Exploit blocked with Attack Signature (200003057)
Figure 6: Exploit blocked with Attack Signature (200004297)
Figure 7: Exploit blocked with Attack Signature (200004298)
Figure 8: Exploit blocked with Attack Signature (200004299)