Merge pull request #269 from JD2344/jboss

JBOSS module
2026-02-21 11:18:06 +00:00 · 2023-04-20 10:17:17 +01:00
parent af4a41021b 63de8b276a
commit 2c077c46af
12 changed files with 156 additions and 0 deletions
--- a/modules/vulnerabilities/unix/misc/jboss/files/jboss-archive-files/jboss-as-distribution-6.1.0.Final.zip_00
+++ b/modules/vulnerabilities/unix/misc/jboss/files/jboss-archive-files/jboss-as-distribution-6.1.0.Final.zip_00
--- a/modules/vulnerabilities/unix/misc/jboss/files/jboss-archive-files/jboss-as-distribution-6.1.0.Final.zip_01
+++ b/modules/vulnerabilities/unix/misc/jboss/files/jboss-archive-files/jboss-as-distribution-6.1.0.Final.zip_01
--- a/modules/vulnerabilities/unix/misc/jboss/files/jboss-archive-files/jboss-as-distribution-6.1.0.Final.zip_02
+++ b/modules/vulnerabilities/unix/misc/jboss/files/jboss-archive-files/jboss-as-distribution-6.1.0.Final.zip_02
--- a/modules/vulnerabilities/unix/misc/jboss/files/jboss-archive-files/jboss-as-distribution-6.1.0.Final.zip_03
+++ b/modules/vulnerabilities/unix/misc/jboss/files/jboss-archive-files/jboss-as-distribution-6.1.0.Final.zip_03
--- a/modules/vulnerabilities/unix/misc/jboss/files/jre-archive-files/jre-8u351-linux-x64.tar.gz_00
+++ b/modules/vulnerabilities/unix/misc/jboss/files/jre-archive-files/jre-8u351-linux-x64.tar.gz_00
--- a/modules/vulnerabilities/unix/misc/jboss/files/jre-archive-files/jre-8u351-linux-x64.tar.gz_01
+++ b/modules/vulnerabilities/unix/misc/jboss/files/jre-archive-files/jre-8u351-linux-x64.tar.gz_01
--- a/modules/vulnerabilities/unix/misc/jboss/jboss.pp
+++ b/modules/vulnerabilities/unix/misc/jboss/jboss.pp
@@ -0,0 +1,2 @@
+include jboss::install
+include jboss::flags
--- a/modules/vulnerabilities/unix/misc/jboss/manifests/flags.pp
+++ b/modules/vulnerabilities/unix/misc/jboss/manifests/flags.pp
@@ -0,0 +1,12 @@
+class jboss::flags {
+  $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+  $leaked_filenames = $secgen_parameters['leaked_filenames']
+  $strings_to_leak = $secgen_parameters['strings_to_leak']
+
+  ::secgen_functions::leak_files { 'jboss-flag':
+    storage_directory => '/opt/jboss-6.1.0.Final',
+    leaked_filenames  => $leaked_filenames,
+    strings_to_leak   => $strings_to_leak,
+    leaked_from       => 'jboss',
+  }
+}
--- a/modules/vulnerabilities/unix/misc/jboss/manifests/install.pp
+++ b/modules/vulnerabilities/unix/misc/jboss/manifests/install.pp
@@ -0,0 +1,78 @@
+class jboss::install {
+  Exec { path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'],
+    environment => ['JAVA_HOME="/usr/lib/jvm/adoptopenjdk-8-hotspot-amd64/bin/java"']}
+
+  ensure_packages(['apt-transport-https', 'ca-certificates', 'wget', 'dirmngr', 'gnupg', 'software-properties-common'])
+
+  $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+  $user = $secgen_parameters['leaked_username'][0]
+  $user_home = "/home/${user}"
+
+  # Create user
+  user { $user:
+    ensure     => present,
+    home       => $user_home,
+    managehome => true,
+  }
+
+  file { '/usr/local/java':
+    ensure => 'directory'
+  }
+  -> file { '/usr/local/java/jre-archive-files':
+    ensure  => directory,
+    source  => 'puppet:///modules/jboss/jre-archive-files',
+    recurse => true,
+  }
+  -> exec { 'extract-java':
+    command => 'cat jre-archive-files/jre* > jre-8u351-linux-x64.tar.gz; tar -xvzf jre-8u351-linux-x64.tar.gz',
+    cwd     => '/usr/local/java',
+    creates => '/usr/local/java/jre1.8.0_351'
+  }
+  -> tidy {'delete-jre-archive-parts':
+    path    => '/usr/local/java/jre-archive-files',
+    recurse => true,
+  }
+  tidy {'delete-jre-archive':
+    path => '/usr/local/java/jre-8u351-linux-x64.tar.gz'
+  }
+  exec { 'change-java-install-dir-permissions':
+    command => 'chmod -R 755 /usr/local/java',
+  }
+  -> exec { 'update-java-location':
+    command => 'sudo update-alternatives --install "/usr/bin/java" "java" "/usr/local/java/jre1.8.0_351/bin/java" 1',
+  }
+  -> file { '/opt/jboss-archive-files':
+    ensure  => directory,
+    source  => 'puppet:///modules/jboss/jboss-archive-files',
+    recurse => true,
+  }
+  -> exec { 'unzip-jboss':
+    command => 'cat jboss-archive-files/jboss* > jboss-as-distribution-6.1.0.Final.zip; unzip jboss-as-distribution-6.1.0.Final.zip',
+    cwd     => '/opt',
+    creates => '/opt/jboss-6.1.0.Final/bin'
+  }
+  -> exec { 'chown-jboss':
+    command => "chown -R ${user} /opt/jboss-6.1.0.Final/",
+  }
+  -> tidy {'delete-jboss-archive-parts':
+    path    => '/opt/jboss-archive-files',
+    recurse => true,
+  }
+  tidy {'delete-jboss-archive':
+    path => '/opt/jboss-as-distribution-6.1.0.Final.zip'
+  }
+  exec { 'set-listening-interface':
+    command => 'echo "JAVA_OPTS=\"\$JAVA_OPTS -Djboss.bind.address=0.0.0.0 -Djboss.bind.address.management=0.0.0.0\"" >> /opt/jboss-6.1.0.Final/bin/run.conf; mkdir /opt/made-interface',
+    creates => '/opt/made-interface'
+  }
+  -> exec { 'change-permissions':
+    command => 'chmod a+x /opt/jboss-6.1.0.Final',
+  }
+  -> file { '/etc/systemd/system/jboss.service':
+    content => template('jboss/jboss.service.erb'),
+  }
+  -> service { 'jboss':
+    ensure => running,
+    enable => true,
+  }
+}
--- a/modules/vulnerabilities/unix/misc/jboss/secgen_metadata.xml
+++ b/modules/vulnerabilities/unix/misc/jboss/secgen_metadata.xml
@@ -0,0 +1,36 @@
+<?xml version="1.0"?>
+<vulnerability xmlns="http://www.github/cliffe/SecGen/vulnerability"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://www.github/cliffe/SecGen/vulnerability">
+
+  <name>JBOSS EAP/AS Remoting Unified Invoker RCE</name>
+  <author>Harry J. Hall</author>
+  <author>James Davis</author>
+  <module_license>MIT</module_license>
+  <description>JBOSS EAP versions 6.x contain an RCE vulnerability that can be executed by a
+    unauthenticated user.
+    This invovles sending a serialized Java object to JBOSS EAP over a network.</description>
+
+  <type>Java web exploit</type>
+  <privilege>user_rwx</privilege>
+  <access>remote</access>
+  <platform>linux</platform>
+  <difficulty>medium</difficulty>
+
+  <read_fact>strings_to_leak</read_fact>
+  <read_fact>leaked_filenames</read_fact>
+  <read_fact>leaked_username</read_fact>
+
+  <default_input into="strings_to_leak">
+    <generator type="message_generator" />
+  </default_input>
+
+  <default_input into="leaked_filenames">
+    <generator type="filename_generator" />
+  </default_input>
+
+  <default_input into="leaked_username">
+    <generator type="username_generator" />
+  </default_input>
+
+</vulnerability>
--- a/modules/vulnerabilities/unix/misc/jboss/templates/jboss.service.erb
+++ b/modules/vulnerabilities/unix/misc/jboss/templates/jboss.service.erb
@@ -0,0 +1,12 @@
+[Unit]
+Description=Vulnerable JBOSS server.
+
+[Service]
+Type=simple
+User=<%= @user %>
+ExecStart=/opt/jboss-6.1.0.Final/bin/run.sh
+Restart=on-abort
+RestartSec=1
+
+[Install]
+WantedBy=multi-user.target
--- a/scenarios/examples/vulnerability_examples/jboss.xml
+++ b/scenarios/examples/vulnerability_examples/jboss.xml
@@ -0,0 +1,16 @@
+<?xml version="1.0"?>
+
+<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
+
+    <system>
+        <system_name>jboss</system_name>
+        <base distro="Debian 10" type="desktop" name="KDE" />
+
+        <vulnerability module_path=".*/jboss" />
+
+        <network type="private_network" range="dhcp" />
+    </system>
+
+</scenario>