Adding HEAD bypass support to JBoss Invoke Deploy #5035

Closed
0x42424242 opened this issue Mar 30, 2015 · 1 comment
Labels: attic (Older submissions that we still want to work on again), feature, module

Comments

@0x42424242

JBoss has a number of administration interfaces along with known vulnerabilities. Two commonly spoken about vulnerabilities are as follows.

CVE-2010-0738 (HEAD Verb Authorisation Bypass)

This vulnerability has typically been talked about in the context of the jmx-console. Essentially, POST and GET requests require authorization; however, this could be bypassed by using a HEAD request instead of a GET. Several Metasploit modules take advantage of this (jboss_deploymentfilerepository / jboss_bshdeployer / jboss_maindeployer) and support the HEAD verb.

CVE-2007-1036 (Exposed Invokers)

This vulnerability relates to no password protection surrounding the Java invokers (JMXInvokerServlet / EJBInvokerServlet) which also allow the ability to invoke MBeans directly. This is taken advantage of with the jboss_invoke_deploy module.

Suggestion

During an engagement I've discovered that the HEAD verb bypass also applies to the JMXInvokerServlet. It's unknown if this is due to insufficient patching or if previous patches don't apply appropriate access controls to the JMXInvokerServlet by default.

I believe adding the HEAD verb support to jboss_invoke_deploy could be beneficial if it's possible.

Cheers.
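
An added example, not part of the original issue or of Metasploit: in a servlet `web.xml`, a `security-constraint` that lists `http-method` elements applies only to those verbs, which is the kind of gap a HEAD bypass relies on. The audit below flags such constraints for a defender; the sample descriptor, the role name and the function names are constructed for illustration, and URL patterns are compared as literal strings rather than with servlet path matching.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not copied from any JBoss release).
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/JMXInvokerServlet/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/restricted/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def _local(tag):  # drop any XML namespace so namespaced descriptors match too
    return tag.rsplit("}", 1)[-1]

def _texts(parent, name):  # stripped text of each direct child called `name`
    return [(e.text or "").strip() for e in parent if _local(e.tag) == name]

def audit_web_xml(xml_text, required_patterns=()):
    """Return findings for URL patterns whose auth constraint skips some verbs."""
    covered, partial = set(), {}
    for sc in ET.fromstring(xml_text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        has_auth = any(_local(e.tag) == "auth-constraint" for e in sc)
        for wrc in (e for e in sc if _local(e.tag) == "web-resource-collection"):
            listed = sorted(m.upper() for m in _texts(wrc, "http-method"))
            omitted = sorted(m.upper() for m in _texts(wrc, "http-method-omission"))
            for pattern in _texts(wrc, "url-pattern"):
                if listed:  # constraint applies ONLY to the listed verbs
                    partial[pattern] = f"{pattern}: only {'/'.join(listed)} constrained"
                elif omitted:  # constraint applies to all verbs EXCEPT these
                    partial[pattern] = f"{pattern}: {'/'.join(omitted)} left unconstrained"
                elif has_auth:  # no verb list: every method is covered
                    covered.add(pattern)
    findings = [msg for p, msg in partial.items() if p not in covered]
    for pattern in required_patterns:
        if pattern not in covered and pattern not in partial:
            findings.append(f"{pattern}: no auth constraint at all")
    return findings
```

Run it against each deployed `web.xml` and pass the paths that must require authentication as `required_patterns`; any finding means at least one HTTP verb reaches that path without an auth check.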

@adfoster-r7 added the attic label (Older submissions that we still want to work on again) on Nov 21, 2023

Thanks for your contribution to Metasploit Framework! We've looked at this issue, and unfortunately we do not currently have the bandwidth to prioritize this issue.

We've labeled this as attic and closed it for now. If you believe this issue has been closed in error, or that it should be prioritized, please comment with additional information.
