During a recent security audit, SCRT discovered a TippingPoint SMS server that exposed a famously exploitable JBoss invoker to any unauthenticated user. By using this invoker, it is possible to upload new applications on the server that are then run with the permissions of the JBoss application server (which happens to be running as root in this case). The server can then be compromised entirely by uploading new files into the SMS application’s folder and then accessing them through a Web browser. This could be done with the help of a very practical tool called jimmix which makes it possible to invoke commands on a JBoss server from the command line.
This flaw was not discovered on the latest SMS firmware at the time, as the tested version was 3.5.0.10861. An initial analysis of the latest version (3.6.0.31698.1) seemed to show that the vulnerability had been patched. But after a little digging, we discovered that this was not the case. The vulnerable invoker had only been moved to a restricted folder that now required authentication. However, the authentication mechanism was flawed (as it is in most JBoss 4 servers) and it was possible to bypass it by tampering with the HTTP verbs that are sent to the server. For example, we could access the invoker by using the HEAD method instead of GET. The vulnerability was therefore confirmed on the latest version of the SMS firmware on branches 3.5 and 3.6!
Exploitation still leads to complete root compromise of the appliance or virtual machine, making it possible to view or modify IPS protection profiles and retrieve encrypted user passwords.
The vulnerability was reported to HP who have now issued a patch for both versions 3.5 and 3.6 of their SMS firmware. The patch simply removes the handlers for the JMX invokers which can no longer be interacted with.
CVE-2013-6201 was attributed to the vulnerability and HP published a bulletin on the 4th of March about the issue : HPSBHF02965. Make sure you update your SMS servers as soon as possible.