JBoss AS Administrative Console Password Disclosure



EKU-ID: 3272 CVE: 2013-3734 OSVDB-ID:
Author: amroot Published: 2013-06-08 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


 Product: Embedded Jopr - JBoss AS Administration Console
 Vendor: Red Hat Middleware, LLC
 Version: < 1.2
 Tested Version: 1.2
 Vendor Notified Date: May 29, 2013
 Release Date: June 03, 2013
 Risk: Moderate
 Authentication: Required
 Remote: Yes

 Description:
 Passwords submitted to the application are returned in clear form in 
 later responses from the application. Although the password field is 
 masked, it is visible via the page source regardless of SSL.
 This behavior increases the risk that passwords will be captured by an 
 attacker.
 Specifically, this can be leveraged to pivot and gain access to 
 configured databases by viewing the page source or using browser tools 
 such as "inspect element" in chrome and firefox.
 Successful exploitation of this vulnerability results in taking 
 complete control of database servers.

 Exploit steps for proof-of-concept:
 1. Navigate to: JBossAS Servers> JBoss AS> Resources> Datasources
 2. Select Datasource
 3. View page source
 4. Find input type="password"
 5. "value=" will contain the database password.
 6. Dump database.

 Vendor Notified: Yes
 Vendor Response: Does not consider this to be an exploitable security 
 flaw due to type authenticated.

 Reference:
 CVE-2013-3734
 http://www.halock.com/blog/cve-2013-3734-jboss-administration-console-password-returned-response/
 amroot.com