Attackers are exploiting a two-year-old vulnerability in JBoss Application Server that lets them remotely obtain a shell on a vulnerable web server. The number of infections has surged since exploit code called pwn.jsp was publicly disclosed Oct. 4.
Researchers at Imperva said that a number of government and education websites have been compromised, as indicated by data collected through the company’s honeypots. An attacker with remote shell access can inject code into a website run by the server, or browse the file system for files stored on the machine and exfiltrate them.
The vulnerability in the HTTP Invoker service, which provides RMI/HTTP access to Enterprise Java Beans, was discovered in 2011 and presented at a number of security events that year.
“The vulnerability allows an attacker to abuse the management interface of the JBoss AS in order to deploy additional functionality into the web server,” said Imperva’s Barry Shteiman. “Once the attackers deploy that additional functionality, they gain full control over the exploited JBoss infrastructure, and therefore the site powered by that application server.”
On Sept. 16, the National Vulnerability Database issued an advisory warning of a remote code execution bug affecting HP ProCurve Manager, a network management product. The vulnerability was given the maximum CVSS base score of 10. Since then, other products that bundle the affected JBoss Application Server have been identified, including some security software.
Within three weeks, an exploit was added to exploit-db that successfully gained a shell against a product running JBoss 4.0.5.
“Immediately thereafter, we had witnessed a surge in JBoss hacking, which manifested in malicious traffic originating from the infected servers and observed in Imperva’s honeypot array,” Shteiman said.
According to Imperva’s analysis, the vulnerability lies in the Invoker service, which operates at the remote management level and lets applications reach the server’s management layer over HTTP. The Invoker improperly exposes that management interface, Shteiman said: a request that reaches the invoker servlets without being challenged for credentials can perform the same deployment operations an administrator would. The usual hardening is to place the invoker servlets behind authentication, or to remove the invoker deployment entirely where remote management over HTTP is not needed.
Compounding the problem, Shteiman said, is that a second, more sophisticated shell is available to attackers in addition to pwn.jsp.
“In these cases, the attackers had used the JspSpy web shell which includes a richer User Interface, enabling the attackers to easily browse through the infected files and databases, connect with a remote command and control server and other modern malware capabilities,” he said.
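As an added example (this is not code from the article or from Imperva), the following Python script turns the two observations above into a detection over HTTP access logs: it flags requests to the JBoss invoker servlets that were answered without an authentication challenge, and correlates them with later requests for JSP files outside the known application contexts from the same source, which is how a freshly deployed web shell such as pwn.jsp or JspSpy shows up in the logs. The log lines, IP addresses, the servlet paths used as indicators (/invoker/JMXInvokerServlet and /invoker/EJBInvokerServlet), the shell file names and the allow-list of legitimate contexts are all constructed assumptions for the example.

```python
"""Flag JBoss invoker abuse followed by web-shell activity in access logs.

Added example, not Imperva's tooling. Assumes Common Log Format lines and
that the legitimately deployed application contexts are known.
"""
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
# Assumed indicator paths: the HTTP invoker servlets exposed by JBoss AS.
INVOKER_PATHS = ("/invoker/JMXInvokerServlet", "/invoker/EJBInvokerServlet")
# Assumed file names of the two shells named in the article.
KNOWN_SHELLS = ("pwn.jsp", "jspspy.jsp")
# Assumption: the only context legitimately deployed on this server.
KNOWN_CONTEXTS = {"app"}

# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2013:14:02:11 +0000] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 1211
203.0.113.7 - - [10/Oct/2013:14:02:13 +0000] "GET /pwn/pwn.jsp?cmd=id HTTP/1.1" 200 312
198.51.100.23 - - [10/Oct/2013:14:05:40 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2013:14:06:02 +0000] "GET /pwn/cmd.jsp HTTP/1.1" 200 640
198.51.100.23 - - [10/Oct/2013:14:07:15 +0000] "GET /invoker/EJBInvokerServlet HTTP/1.1" 401 0
198.51.100.23 - - [10/Oct/2013:14:08:00 +0000] "GET /blog/post.jsp HTTP/1.1" 200 2048
192.0.2.9 - - [10/Oct/2013:14:08:30 +0000] "GET /tools/jspspy.jsp HTTP/1.1" 200 40211
192.0.2.9 - - [10/Oct/2013:14:09:00 +0000] "GET /app/main.jsp HTTP/1.1" 200 800
"""


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m["ip"],
        "time": ts,
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop the query string
        "status": int(m["status"]),
    }


def classify(req, invoker_calls, window):
    """Return a finding kind for one request, or None if it looks benign."""
    path = req["path"]
    # A 2xx/3xx answer from an invoker servlet means nothing challenged the caller;
    # a 401 here is the hardened state and is deliberately not flagged.
    if path in INVOKER_PATHS and req["status"] < 400:
        return "unauthenticated_invoker_call"
    if not path.lower().endswith(".jsp"):
        return None
    segments = path.strip("/").split("/")
    if segments[-1].lower() in KNOWN_SHELLS:
        return "known_webshell"
    context = segments[0] if len(segments) > 1 else ""
    if context in KNOWN_CONTEXTS:
        return None
    # A JSP under an unknown context from a source that recently reached the
    # invoker is the signature of a deployed web shell being used.
    for t in invoker_calls.get(req["ip"], []):
        if timedelta(0) <= req["time"] - t <= window:
            return "jsp_after_invoker"
    return None


def analyze(log_text, window_seconds=600):
    """Run the detection over a log and return findings in time order."""
    window = timedelta(seconds=window_seconds)
    reqs = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    reqs.sort(key=lambda r: r["time"])
    invoker_calls = {}
    findings = []
    for req in reqs:
        kind = classify(req, invoker_calls, window)
        if kind == "unauthenticated_invoker_call":
            invoker_calls.setdefault(req["ip"], []).append(req["time"])
        if kind:
            findings.append({"kind": kind, "ip": req["ip"],
                             "path": req["path"], "time": req["time"].isoformat()})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On the sample, the script reports the unauthenticated invoker call and the two shells by name, plus the unnamed /pwn/cmd.jsp because it follows an invoker call from the same address within the window; the 401 on the EJB invoker and the JSP under the allow-listed context produce nothing. A renamed shell under a context the attacker created is caught by the correlation rule rather than by file name, which is the point of keeping both rules.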
Imperva also said that the number of webservers running JBoss software has tripled since the initial vulnerability research was made public in 2011.