exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Liferay JSON Server API Authentication

Liferay JSON Server API Authentication
Posted Aug 3, 2012
Authored by Danilo Massa, Enrico Cinquini

The Liferay JSON implementation does not check if a user calling a method on a serviceClass is disabled. Usually the default administrator user, test@liferay.com, is used to create a new administrator and disabled without a change to the default password, so it is possible to use it to execute JSON API calls. Versions 6.0.5 and 6.0.6 are vulnerable.

tags | exploit, bypass
SHA-256 | 840d89136b0bbd34dcc7fbaa674c8f425af2c5bab7ef9bb1fac81338af82ef39

Liferay JSON Server API Authentication

Change Mirror Download
=============================================

- Release date: August 3rd, 2012

- Discovered by: Danilo Massa & Enrico Cinquini

- Severity: High

=============================================

I. VULNERABILITY

-------------------------

Liferay JSON service API authentication vulnerability



II. BACKGROUND

-------------------------

JSON service API are provided by all Liferay services that allows invoking
its methods directly through HTTP using JSON as a data serialization
mechanisms.

This API is automatically generated by Service Builder, which means that
you can also provide it for your custom services developed in the extension
environment with no extra effort.



III. INTRODUCTION

-------------------------

The Liferay JSON implementation do not check if a user that call a method
on a serviceClass is disabled. Usually the default administrator user,
test@liferay.com, is used to create a new administrator and disabled
without to change the default password, so it is possible to use it to
execute JSON API calls.



IV. DESCRIPTION

-------------------------

In order to get control of a Liferay portal is necessary to:


- create a fake openID user on a free provider (like myopenid.com)

- enumerate users calling the method getUserById of UserServiceUtil
service class (the parameter of this call is a number so it is virtually
possible to enumerate all users)

- find a user with administrative role calling the method getUserRole of
RoleServiceUtil service class using the valid userIds harvested in the
previous step

- set the previously created fake openId URL for the discovered
administrator user using a call to updateOpenId method of the
UserServiceUtil service class



At this point is possible to login to Liferay as the discovered
administrator selecting the OpenId authentication method to the portal.



V. PROOF OF CONCEPT

-------------------------

Below is a harmless test that can be executed to check if a Liferay
installation is vulnerable.



Using a browser go to the following URL:

http://<liferay_url>/tunnel-web/secure/json

and use the standard test@liferay.com user and password when the web site
require a basic authentication in order to check if they are still valid.



A vulnerable Liferay installation will show a blank web page, a secured
installation will ask the authentication credentials three times before to
show an error page.



VI. BUSINESS IMPACT

-------------------------

An attacker could exploit the vulnerability to become administrator and
retrive or publish any kind of data on Liferay.

It is also possible to inject a web comand shell on the Liferay machine.



VII. SYSTEMS AFFECTED

-------------------------

Versions 6.0.5 and 6.0.6 are vulnerable.

Versions 6.1 is vulnerable but the password for the standard administrator
user is not hardcoded in the installation but asked at installation time
(so can be different from the standard one)



VIII. SOLUTION

-------------------------

Upgrade to a patched release (when availble) or as quick workaround change
the default password for user test@liferay.com.



IX. REFERENCES

-------------------------

Liferay's JSON API usage examples:

http://www.liferay.com/web/james.falkner/blog/-/blogs/yet-another-liferay-json-service-example

http://www.liferay.com/es/web/raymond.auge/blog/-/blogs/476431



Liferay's service classes documentation:

http://docs.liferay.com/portal/6.0/javadocs/com/liferay/portal/service/package-tree.html



X. CREDITS

-------------------------

The vulnerability has been discovered by:

Danilo Massa massa(under_score)danilo(at)gmail(dot)com

Enrico Cinquini enrico(dot)cinquini(at)gmail(dot)com



XI. VULNERABILITY HISTORY

-------------------------

June 11th, 2012: Vulnerability identification

June 12th, 2012: Vendor notification

August 3rd, 2012: Vulnerability disclosure



XII. LEGAL NOTICES

-------------------------

The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise. We accept no
responsibility for any damage caused by the use or misuse of this
information.
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close