One Article Review

Source: Code White
Identifier: 2907680
Publication date: 2021-06-11 12:05:33 (viewed: 2021-06-11 11:05:19)
Title: About the Unsuccessful Quest for a Deserialization Gadget (or: How I found CVE-2021-21481)
Text
This blog post describes the research on SAP J2EE Engine 7.50 I did between October 2020 and January 2021. The first part describes how I set off to find a pure SAP deserialization gadget, which would have allowed leveraging SAP's P4 protocol for exploitation, and how that led me, by sheer coincidence, to an entirely unrelated yet critical vulnerability, which is outlined in part two. The reader is assumed to be familiar with Java deserialization and should have a basic understanding of Remote Method Invocation (RMI) in Java.

Prologue
It was in 2016 when I first started to look into the topic of Java exploitation, or, more precisely, into exploitation of unsafe deserialization of Java objects. Because of my professional history, it made sense to have a look at an SAP product that was written in Java. Naturally, the P4 protocol of SAP NetWeaver Java caught my attention, since it is an RMI-like protocol for remote administration, similar to Oracle WebLogic's T3. In May 2017, I published a blog post about an exploit that achieved RCE by using the Jdk7u21 gadget. At that point, SAP had already provided a fix long ago. Since then, the subject has not left me alone. While there were new deserialization gadgets for Oracle's Java server product almost every month, it surprised me that no one had ever heard of an SAP deserialization gadget with comparable impact. Even more so, since everybody who knows SAP software knows the vast amount of code they ship with each of their products. It seemed very improbable to me that they would be absolutely immune to the most prominent bug class in the Java world of the past six years. In October 2020 I finally found the time and energy to set off for a new hunt. To my great disappointment, the search was in the end not successful. A gadget that yields RCE similar to the ones from the famous ysoserial project is still not in sight.

However, in January I found a completely unprotected RMI call that in the end yielded administrative access to the J2EE Engine. Besides the fact that it can be invoked through P4, it has nothing in common with the deserialization topic. Even though a mere chance find, it is still highly critical and allows compromising the security of the underlying J2EE server. The bug was filed as CVE-2021-21481. On March 9th, 2021, SAP provided a fix; SAP note 3224022 describes the details.

P4 and JNDI
Listing 1 shows a small program that connects to an SAP J2EE server using P4:

The only hint that this code has something to do with a proprietary protocol called P4 is the URL that starts with P4://. Other than that, everything is encapsulated by JNDI, the Java Naming and Directory Interface. Furthermore, it is not obvious that what is going on behind the scenes has anything to do with RMI. However, if you inspect the types of the involved Java objects more closely, you'll find that keysMngr is of type com.sun.proxy.$Proxy (implementing the interface KeystoreManagerWrapper) and that keysMngr.getKeystore() is a plain vanilla RMI call. The argument (the name of the keystore to be instantiated) is serialized and sent to the server, which returns a serialized keystore object (in this case it won't, because there is no keystore named "whatever"). Also not obvious is that the instantiation of the InitialContext requires various RMI calls in the background, for example the instantiation of a RemoteLoginContext object that will allow processing the login with the provided credentials. Each of these RMI calls would in theory be a sink to send a deserialization gadget to. In the exploit I mentioned above, one of the first calls inside new InitialContext() was used to
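Listing 1 itself is not reproduced in this excerpt, so the following is an added example in the shape the paragraph above describes: a JNDI client that opens a P4 connection, looks up the keystore manager, and makes one RMI call through the returned proxy. It is not the original listing and not Code White's or SAP's code. The initial-context factory class name, the JNDI name "keystore", the host, port and credentials are assumptions not stated on the page; the SAP client jars must be on the classpath for it to run. The call to getKeystore is made reflectively so the example compiles without the SAP interface jar and so the reader can see for themselves that the lookup result is a java.lang.reflect.Proxy.

```java
// Added example (not from the original post): a P4/JNDI client as described above.
import java.lang.reflect.InvocationTargetException;
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

public class P4KeystoreClient {
    public static void main(String[] args) throws Exception {
        Properties env = new Properties();
        // Assumed factory class name; the P4:// scheme in PROVIDER_URL is what
        // routes everything below over SAP's proprietary P4 protocol.
        env.put(Context.INITIAL_CONTEXT_FACTORY,
                "com.sap.engine.services.jndi.InitialContextFactoryImpl");
        env.put(Context.PROVIDER_URL, "P4://sapj2ee.example.local:50004"); // constructed host/port
        env.put(Context.SECURITY_PRINCIPAL, "Administrator");              // constructed credentials
        env.put(Context.SECURITY_CREDENTIALS, "secret");

        // Several RMI round trips (e.g. the RemoteLoginContext handshake) already
        // happen inside this constructor, before any lookup is performed.
        InitialContext ctx = new InitialContext(env);
        try {
            // Assumed JNDI name. The object handed back is a dynamic proxy
            // (com.sun.proxy.$ProxyN) implementing KeystoreManagerWrapper;
            // every method invoked on it is a remote call.
            Object keysMngr = ctx.lookup("keystore");
            System.out.println("lookup returned: " + keysMngr.getClass().getName());
            for (Class<?> iface : keysMngr.getClass().getInterfaces()) {
                System.out.println("  implements " + iface.getName());
            }

            // getKeystore(String): the String argument is serialized, sent to the
            // server and deserialized there, i.e. this is one of the sinks the
            // paragraph above talks about. "whatever" does not exist on the server.
            Object ks = keysMngr.getClass()
                                .getMethod("getKeystore", String.class)
                                .invoke(keysMngr, "whatever");
            System.out.println("getKeystore returned: " + ks);
        } catch (InvocationTargetException e) {
            // The remote side answers a missing keystore with an exception,
            // which arrives wrapped by the reflective invoke.
            System.err.println("remote call failed: " + e.getCause());
        } catch (NamingException e) {
            System.err.println("JNDI failure: " + e);
        } finally {
            ctx.close();
        }
    }
}
```

Run it with the SAP client libraries on the classpath against a test system you are allowed to touch. The point of printing the proxy's class and interfaces is the one the text makes: nothing in the source mentions RMI, yet the interface methods on that proxy, and the calls hidden inside new InitialContext(), all carry serialized Java objects to the server.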
Tags: Tool, Vulnerability


The article does not seem to have been picked up after its publication.


The article does not seem to have been picked up from an earlier one.