As we know, JBoss comes with a number of fully functional and operational add-ons and extensions, such as JNDI, JMX, and JMS, so the number of possible entry points for JBoss exploitation increases accordingly. The following table lists the vulnerable MBeans, with their respective service and method names, that can be used for JBoss reconnaissance and exploitation:
| Category | MBean domain name | MBean service name | MBean method name | MBean method description |
|---|---|---|---|---|
| Exploitation | jboss.system | MainDeployer | deploy(), undeploy(), and redeploy() | The deploy() method is used to deploy the applications. The undeploy() method is used to un-deploy the deployed application. The redeploy() method is used by the server to redeploy the deployed application stored in the server itself (the local file). |
| Reconnaissance | jboss.system | Server | exit(), shutdown(), and halt() | The exit(), shutdown(), and halt() methods are quite dangerous methods. A threat actor can use these methods to disrupt the service by shutting down the application server. |
| Reconnaissance | jboss.system | ServerInfo | N/A | N/A |
| Reconnaissance | jboss.system | ServerConfig | N/A | N/A |
| Exploitation | jboss.deployment | DeploymentScanner | addURL() and listDeployedURLs() | The addURL() method is used to add a remote/local application by URL for the deployment. The listDeployedURLs() method is used to list all the previously deployed applications with their URLs. This method is helpful for finding out whether the current JBoss AS instance has already been exploited. |
| Exploitation | jboss.deployer | BSHDeployer | createScriptDeployment(), deploy(), undeploy(), and redeploy() | The createScriptDeployment() method is used to deploy the application via a Bean Shell (BSH) script. The script content should be mentioned in this method for deployment. The MBean then creates a temporary file with a .bsh extension, which will be used for the deployment. The deploy(), undeploy(), and redeploy() methods are used to manage the deployment using BSH scripts. |
| Exploitation | jboss.admin | DeploymentFileRepository | store() | The store() method is used by the deployer to store the filename with its extension, folder name, and timestamp. A threat actor just needs to mention the WAR file with the aforementioned information and the payload will be directly deployed on the server. |
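The table above can double as a detection watch list. The following Python sketch is an added example, not code from the original text: it scans HTTP access-log lines for references to the listed MBeans and labels each hit with the table's category. The sample log lines are constructed, and the request path, the `name`/`methodName` parameter names, and the `type=`/`service=` object-name keys in them are assumptions.

```python
import re
from urllib.parse import unquote

# (MBean domain, service name) -> (category, method names), transcribed from the table.
WATCHLIST = {
    ("jboss.system", "MainDeployer"): ("Exploitation", ("deploy", "undeploy", "redeploy")),
    ("jboss.system", "Server"): ("Reconnaissance", ("exit", "shutdown", "halt")),
    ("jboss.system", "ServerInfo"): ("Reconnaissance", ()),
    ("jboss.system", "ServerConfig"): ("Reconnaissance", ()),
    ("jboss.deployment", "DeploymentScanner"): ("Exploitation", ("addURL", "listDeployedURLs")),
    ("jboss.deployer", "BSHDeployer"): ("Exploitation", ("createScriptDeployment", "deploy", "undeploy", "redeploy")),
    ("jboss.admin", "DeploymentFileRepository"): ("Exploitation", ("store",)),
}

def _decode(line, rounds=3):
    """URL-decode repeatedly so double-encoded object names are still seen."""
    for _ in range(rounds):
        decoded = unquote(line)
        if decoded == line:
            break
        line = decoded
    return line

def scan(lines):
    """Return (line_no, category, domain, service, method) for each watched MBean hit."""
    hits = []
    for no, raw in enumerate(lines, 1):
        text = _decode(raw)
        for (domain, service), (category, methods) in WATCHLIST.items():
            # Object name: <domain>:<key>=<service>, with the service as a whole token
            # so that "Server" does not also fire on "ServerInfo" or "ServerConfig".
            if not re.search(re.escape(domain) + r":[\w=,.]*?=" + re.escape(service) + r"\b", text):
                continue
            # Assumption: the invoked operation appears as a query parameter value.
            method = next((m for m in methods if re.search("=" + m + r"\b", text)), None)
            hits.append((no, category, domain, service, method))
    return hits

# Constructed sample access-log lines (not taken from a real server).
SAMPLE = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /jmx-console/HtmlAdaptor?name=jboss.system%3Atype%3DServerInfo HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "POST /jmx-console/HtmlAdaptor?name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodName=store HTTP/1.1" 200 312',
    '10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '10.0.0.5 - - [01/Jan/2024:10:00:12 +0000] "GET /jmx-console/HtmlAdaptor?name=jboss.system%253Atype%253DServer&methodName=shutdown HTTP/1.1" 200 290',
    '10.0.0.5 - - [01/Jan/2024:10:00:15 +0000] "GET /jmx-console/HtmlAdaptor?name=jboss.system%3Aservice%3DMainDeployer&methodName=redeploy HTTP/1.1" 200 301',
]
```

Calling `scan(SAMPLE)` returns one tuple per flagged line; a Reconnaissance hit followed shortly by an Exploitation hit from the same client is the sequence worth alerting on.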
The MainDeployer MBean is the deployment entry point and all the requests for component deployment are sent over to MainDeployer. MainDeployer can deploy WAR archives, JARs, Enterprise Application Archives (EARs), Resource Archives (RARs), Hibernate Archives (HARs), Service Archives (SARs), BSHes, and many other deployment packages.