One Article Review

Home - The article:
Source Code White
Identifier 682502
Publication date 2018-05-30 15:00:04 (viewed: 2018-05-30 15:04:07)
Title Poor RichFaces
Text
RichFaces is one of the most popular component libraries for JavaServer Faces (JSF). In the past, two vulnerabilities (CVE-2013-2165 and CVE-2015-0279) have been found that allow RCE in versions 3.x ≤ 3.3.3 and 4.x ≤ 4.5.3. Code White discovered two new vulnerabilities which bypass the implemented mitigations. As a result, all RichFaces versions, including the latest 3.3.4 and 4.5.17, are vulnerable to RCE.

Introduction
JavaServer Faces (JSF) is a framework for building user interfaces for web applications. While there are only two major JSF implementations (i.e., Apache MyFaces and Oracle Mojarra), there are several component libraries which provide additional UI components and features. RichFaces is one of the most popular of these component libraries, and since it became part of JBoss (and thereby also of Red Hat), it is also part of several JBoss/Red Hat products, for example JBoss EAP and JBoss Portal.[1]

RichFaces has three major version branches: 3.x, 4.x, and 5.x. However, as 5.x has never left alpha state, it is rather irrelevant. In early 2016, the developers of RichFaces announced the end-of-life of RichFaces in June 2016. The latest releases of the respective branches are 3.3.4 and 4.5.17.

The Past
In the past, two significant vulnerabilities have been discovered by Takeshi Terada of MBSD, which both affect various RichFaces versions:

CVE-2013-2165: Arbitrary Java Deserialization in RichFaces 3.x ≤ 3.3.3 and 4.x ≤ 4.3.2
Deserialization of arbitrary Java serialized object streams in org.ajax4jsf.resource.ResourceBuilderImpl allows remote code execution.

CVE-2015-0279: Arbitrary EL Evaluation in RichFaces 4.x ≤ 4.5.3 (RF-13977)
Injection of arbitrary EL method expressions in org.richfaces.resource.MediaOutputResource allows remote code execution.

Both vulnerabilities rely on the feature to generate images, video, sounds, and other resources on the fly based on data provided in the request. The provided data is either interpreted as a plain array of bytes or as a Java serialized object stream. In RichFaces 3.x, the data is appended to the URL path preceded by either /DATB/ (byte array) or /DATA/ (Java serialized object stream); in RichFaces 4.x, the data is transmitted in a request parameter named db (byte array) or do (Java serialized object stream). In all cases, the binary data is compressed using DEFLATE and then encoded using a URL-safe Base64 encoding.

CVE-2013-2165: Arbitrary Java Deserialization
This vulnerability is a straightforward Java deserialization vulnerability. When a RichFaces 3.x resource is requested, it eventually gets processed by ResourceBuilderImpl.getResourceDataForKey(String). If the requested resource key begins with /DATA/, the remaining data gets decoded and decompressed (using ResourceBuilderImpl.decrypt(byte[]), which, despite its name, does not actually incorporate encryption[2]) and finally deserialized without any further validation. In RichFaces 4.x, it is basically the same: the org.richfaces.resource.DefaultCodecResourceRequestData holds
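The encoding described above (DEFLATE, then URL-safe Base64, carried in a /DATA/ or /DATB/ path segment in 3.x or in the do/db parameter in 4.x) is exactly what a WAF rule or log triage script needs to undo to tell a harmless byte-array resource from a request that hands the server a Java object stream. The following is an added detection example written for this page, not code from Code White or from RichFaces; it assumes zlib-wrapped DEFLATE (the java.util.zip.Deflater default) with a raw-DEFLATE fallback, and the two sample URLs are constructed, with the "object" sample carrying only the serialization header bytes and a dummy class name rather than a real object.

```python
import base64
import binascii
import zlib
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Every Java serialized object stream starts with STREAM_MAGIC 0xACED, STREAM_VERSION 0x0005.
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
# RichFaces 3.x: data follows /DATA/ (object stream) or /DATB/ (byte array) in the path.
# RichFaces 4.x: data arrives in the 'do' (object stream) or 'db' (byte array) parameter.
PATH_PREFIXES = {"/DATA/": "object", "/DATB/": "bytes"}
PARAM_NAMES = {"do": "object", "db": "bytes"}


def decode_richfaces_data(token: str) -> Optional[bytes]:
    """Undo the URL-safe Base64 + DEFLATE encoding the post describes.
    Assumption: zlib-wrapped DEFLATE first, raw DEFLATE as fallback; padding is restored."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except (ValueError, binascii.Error):
        return None
    for wbits in (zlib.MAX_WBITS, -zlib.MAX_WBITS):
        try:
            return zlib.decompress(raw, wbits)
        except zlib.error:
            continue
    return None  # not a DEFLATE stream at all: nothing RichFaces would deserialize


def classify_request(url: str) -> List[Dict]:
    """One finding per RichFaces data carrier in the URL, flagging whether the decoded
    bytes are a Java object stream (the sink behind CVE-2013-2165)."""
    parts, carriers = urlsplit(url), []
    for prefix, kind in PATH_PREFIXES.items():
        idx = parts.path.find(prefix)
        if idx != -1:  # token runs up to the next path separator
            carriers.append((prefix, kind, parts.path[idx + len(prefix):].split("/", 1)[0]))
    for name, kind in PARAM_NAMES.items():
        carriers.extend((name, kind, v) for v in parse_qs(parts.query).get(name, []))
    results = []
    for carrier, kind, token in carriers:
        data = decode_richfaces_data(token)
        if data is not None:
            results.append({"carrier": carrier, "declared": kind,
                            "java_object_stream": data.startswith(JAVA_STREAM_MAGIC)})
    return results


def encode_richfaces_data(data: bytes) -> str:
    """Mirror of the encoding; used here only to build the constructed samples below."""
    return base64.urlsafe_b64encode(zlib.compress(data)).decode().rstrip("=")


# Constructed samples (hypothetical paths): a benign image byte array vs. a stream header.
SAMPLE_BYTES_URL = "/app/a4j/s/DATB/" + encode_richfaces_data(b"GIF89a...") + "/img.gif"
SAMPLE_OBJECT_URL = "/app/rfRes/org.richfaces.resource.MediaOutputResource.jsf?do=" + \
    encode_richfaces_data(JAVA_STREAM_MAGIC + b"\x73\x72\x00\x0bdummy.Class")
```

A request whose declared kind is "bytes" but whose decoded payload starts with the stream magic, or any "object" carrier at all, is worth alerting on, since the post notes the data is deserialized without further validation.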
Sent Yes
The article does not seem to have been picked up after its publication.

The article does not seem to have been picked up from an earlier one.