One Article Review

Home - The article:
Source: Code White
Identifier: 1609311
Publication date: 2020-03-20 13:49:55 (seen: 2020-03-20 13:01:01)
Title: Liferay Portal JSON Web Service RCE Vulnerabilities
Text: Code White has found multiple critical-rated JSON deserialization vulnerabilities affecting Liferay Portal versions 6.1, 6.2, 7.0, 7.1, and 7.2. They allow unauthenticated remote code execution via the JSON web services API. Fixed Liferay Portal versions are 6.2 GA6, 7.0 GA7, 7.1 GA4, and 7.2 GA2.

The corresponding vulnerabilities are:

CST-7111: RCE via JSON deserialization (LPS-88051/LPE-165981). The JSONDeserializer of Flexjson allows the instantiation of arbitrary classes and the invocation of arbitrary setter methods.

CST-7205: Unauthenticated remote code execution via JSONWS (LPS-97029/CVE-2020-7961). The JSONWebServiceActionParametersMap of Liferay Portal allows the instantiation of arbitrary classes and the invocation of arbitrary setter methods.

Both allow the instantiation of an arbitrary class via its parameter-less constructor and the invocation of setter methods similar to the JavaBeans convention. This allows unauthenticated remote code execution via various publicly known gadgets.

Liferay released the patched versions 6.2 GA6 (6.2.5), 7.0 GA7 (7.0.6) and 7.1 GA4 (7.1.3) to address the issues; version 7.2 GA2 (7.2.1) had already been released in November 2019. For 6.1, only a fixpack is available.

Introduction

Liferay Portal is one of the most popular, if not the most popular, portal implementations of the Java Portlet Specification JSR-168. It provides a comprehensive JSON web service API at '/api/jsonws', with examples for three different ways of invoking a web service method:

1. Via the generic URL /api/jsonws/invoke, where the service method and its arguments are transmitted via POST, either as a JSON object or as form-based parameters (the JavaScript Example).
2. Via a service-method-specific URL such as /api/jsonws/service-class-name/service-method-name, where the arguments are passed as form-based POST parameters (the curl Example).
3. Via a service-method-specific URL such as /api/jsonws/service-class-name/service-method-name, where the arguments are also embedded in the URL, as in /api/jsonws/service-class-name/service-method-name/arg1/val1/arg2/val2/… (the URL Example).

Authentication and authorization checks are implemented within the invoked service methods themselves, while the processing of the request, and thus the JSON deserialization, happens before those checks run. However, the JSON web service API can also be configured to deny unauthenticated access.

First, we will take a quick look at LPS-88051, a vulnerability (or insecure feature) in the JSON deserializer itself. Then we will walk through LPS-97029, which also utilizes a feature of the JSON deserializer but is a vulnerability in Liferay Portal itself.

CST-7111: Flexjson's JSONDeserializer

In Liferay Portal 6.1 and 6.2, the Flexjson library is used for seriali
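Because the three invocation forms above are all recognisable from the request path alone, a defender can inventory JSONWS usage from web server access logs and confirm which calls reached the API without an authenticated user, which is exactly the traffic that the "deny unauthenticated access" configuration is meant to stop. The following script is an added example written for this review; it is not code from Code White or from Liferay. It assumes a simplified, constructed access-log line format (client, user, request line, status) and constructed service and method names (foo-service/do-thing); the classification of the three forms follows the URL shapes described in the article.

```python
import re
from urllib.parse import urlsplit, unquote

JSONWS_PREFIX = "/api/jsonws"

# Constructed log format (assumption, not Liferay's own):
#   <client> <user-or-dash> "<METHOD> <target> <proto>" <status>
LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<user>\S+) '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})$'
)

# Constructed sample lines; "-" in the user column means no authenticated user.
SAMPLE_LOG = [
    '10.0.0.5 - "POST /api/jsonws/invoke HTTP/1.1" 200',
    '10.0.0.5 - "POST /api/jsonws/foo-service/do-thing HTTP/1.1" 200',
    '10.0.0.7 admin "GET /api/jsonws/foo-service/do-thing/arg1/val1/arg2/a%40b.c HTTP/1.1" 200',
    '10.0.0.9 - "GET /web/guest/home HTTP/1.1" 200',
]


def classify_jsonws_target(target):
    """Classify a request target into one of the JSONWS invocation forms.

    Returns None when the target is not under /api/jsonws, otherwise a dict
    with the form name, the service class/method names (if any) and the
    arguments that were embedded in the URL path (form 3).
    """
    path = urlsplit(target).path
    if path != JSONWS_PREFIX and not path.startswith(JSONWS_PREFIX + "/"):
        return None
    segments = [s for s in path[len(JSONWS_PREFIX):].split("/") if s]
    if not segments:
        # The API root itself (e.g. the browsable API page), not an invocation.
        return {"form": "api-root", "service": None, "method": None, "args": {}}
    if segments[0] == "invoke":
        # Form 1: method and arguments travel in the POST body, not the path.
        return {"form": "generic-invoke", "service": None, "method": None, "args": {}}
    if len(segments) < 2:
        return {"form": "incomplete", "service": segments[0], "method": None, "args": {}}
    service, method, rest = segments[0], segments[1], segments[2:]
    if not rest:
        # Form 2: service-specific path, arguments in form-based POST parameters.
        return {"form": "service-path", "service": service, "method": method, "args": {}}
    # Form 3: arguments embedded in the path as /name/value/name/value/...
    args = {unquote(k): unquote(v) for k, v in zip(rest[0::2], rest[1::2])}
    if len(rest) % 2:
        args[unquote(rest[-1])] = None  # dangling name without a value
    return {"form": "url-args", "service": service, "method": method, "args": args}


def triage_access_log(lines):
    """Parse log lines and return one finding per request that hit JSONWS."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        info = classify_jsonws_target(m["target"])
        if info is None:
            continue
        findings.append({
            "client": m["client"],
            "user": m["user"],
            "http_method": m["method"],
            "status": int(m["status"]),
            "unauthenticated": m["user"] == "-",
            **info,
        })
    return findings


def unauthenticated_by_form(findings):
    """Count unauthenticated JSONWS requests per invocation form."""
    counts = {}
    for f in findings:
        if f["unauthenticated"]:
            counts[f["form"]] = counts.get(f["form"], 0) + 1
    return counts


if __name__ == "__main__":
    found = triage_access_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['client']:<10} user={f['user']:<6} form={f['form']:<15} "
              f"service={f['service']} method={f['method']} args={f['args']}")
    print("unauthenticated requests by form:", unauthenticated_by_form(found))
```

Any non-zero count returned by unauthenticated_by_form on a portal that is supposed to deny anonymous JSONWS access indicates either a configuration gap or traffic worth a closer look; the per-form breakdown also tells you whether the generic /api/jsonws/invoke endpoint, where the whole request is hidden in the POST body, needs body-level logging to be inspected at all.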
Sent: Yes
Tags: Vulnerability


The article does not seem to have been picked up elsewhere after its publication.


The article does not seem to be a repeat of an earlier one.