AttackerKB AKB:8BD2E977-683C-4857-92DB-97750F4D6ADD
History: Mar 02, 2020 - 12:00 a.m.

Liferay CE 6.0.2 Java Deserialization

attackerkb.com

EPSS: 0.013 (Low), percentile 85.9%

Liferay CE 6.0.2 remote code execution via unsafe deserialization

Recent assessments:

theguly at March 02, 2020 5:11pm UTC reported:

On 29 January 2020 this GitHub[1] repo came up, with some newsfeed speaking about an RCE via deserialization on Liferay 6.0.2.

I'm aware that Liferay is widely used to build both internal and internet-facing web apps, and a possible pre-auth RCE would be awesome.

Actually, I don't remember which post I read first, because the GitHub repo doesn't mention any version, but I'm sure I've read 6.0.2 somewhere: exploit-db also speaks about 6.0.2, so if my memory plays tricks on me, I'm not alone.

From the very little info we see at said GitHub repo, we understand that the vulnerability is at /api/liferay, which is NOT present in 6.0.2, neither on the filesystem nor in configuration as a route.

Testing a more recent version, I saw that the 6.1 branch actually has /api/liferay, but by default it's limited to "localhost".
It could be possible to open it to more IPs of course, but I don't see it happen so frequently to have 0.0.0.0 as a trusted host.

I think this vulnerability doesn't affect the 6.0 branch; it could affect the 6.1 branch, but not in the default configuration.
Plus, it's not yet clear whether this is pre-auth or post-auth.
I'll dig into newer branches as soon as I can.

P.S.: exploitability is rated against a possible 6.1, and the fact that ysoserial makes Java deserialization quite easy.

[1] <https://github.com/chakadev/Liferay-CE-Portal-Java-Deserialization>

2020-03-29 edit:
Lowering value, adding required auth.

Assessed Attacker Value: 4
Assessed Attacker Value: 3

