The JBoss JMX Console was detected as accessible without authentication. The exposed console provides complete access to all MBeans, including MainDeployer, which enables arbitrary WAR file deployment and therefore remote code execution. Attackers can view the entire MBean tree, deploy malicious applications, and invoke administrative operations without valid credentials.
PoC code [publicly available]
id: jboss-jmx-console-unauth

info:
  name: JBoss JMX Console - Unauthenticated Access
  author: 0x_Akoko
  severity: high
  description: |
    Detected JBoss JMX Console was accessible without authentication. The exposed console provided complete access to all MBeans, including MainDeployer, which enabled arbitrary WAR file deployment, leading to remote code execution. Attackers could view the entire MBean tree, deploy malicious applications, and invoke administrative operations without valid credentials.
  reference:
    - https://developer.jboss.org/wiki/SecureTheJmxConsole
    - https://www.invicti.com/web-application-vulnerabilities/jboss-jmx-console-unrestricted-access
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9.0
    cwe-id: CWE-306
    cpe: cpe:2.3:a:redhat:jboss_application_server:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
  tags: jboss,unauth,misconfig

http:
  - method: GET
    path:
      - "{{BaseURL}}/jmx-console/HtmlAdaptor?action=displayMBeans"

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "JMX Agent View", "ObjectName Filter", "service=MainDeployer")'
          - 'contains_any(body, "jboss.deployment", "jboss.system")'
          - '!contains_any(body, "j_security_check", "j_username", "j_password")'
        condition: and
# digest: 490a004630440220543f09e02d1256f8973ad1003b7769e4426673f5feb90080a1e15b105e0c0b6302207da412763123ae13c2d08c084d91e0c7929e1f7e3d66ad38e9a42a07979c6e47:922c64590222798bb761d5b6d8e72950