Protection Licensing Toolkit ReadyAPI 3.2.5 Code Execution / Deserialization

Posted May 19, 2020
Authored by Moritz Bechler | Site syss.de

Protection Licensing Toolkit ReadyAPI version 3.2.5 suffers from an unsafe deserialization vulnerability that allows for remote code execution.

tags | exploit, remote, code execution
advisories | CVE-2020-12835
SHA-256 | 0a738ab46dd18ea4fe3151340310163ee7d1af2f6352f68d94c163c9e82580b4

Advisory ID: SYSS-2019-039
Product: Protection Licensing Toolkit, SoapUI/LoadUI/ServiceV Pro
Manufacturer: jProductivity LLC, SmartBear Software
Affected Version(s): - ReadyAPI 3.2.5
Tested Version(s): ReadyAPI 3.2.5
Vulnerability Type: Unsafe deserialization/remote code execution (CWE-502)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2019-09-02
Public Disclosure: 2020-05-18
CVE Reference: CVE-2020-12835
Author of Advisory: Moritz Bechler, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

jProductivity Protection! is a solution for software vendors to
implement licensing checks and management in their products.

The manufacturer describes the product as follows (see [1]):

"Protection! - is a powerful multi-platform Licensing Toolkit and License
Manager that provides the ability to add licensing into custom applications
or components only allowing the permitted use according to the supplied
license."


ReadyAPI is a suite of web service testing tools. It uses
the jProductivity Protection licensing solution.

The manufacturer describes the product as follows (see [2]):

"The ReadyAPI platform accelerates functional, security, and load testing
of RESTful, SOAP, GraphQL and other web services right inside your CI/CD
pipeline."

The jProductivity Protection Licensing Toolkit uses RMI-based
network protocols to communicate with its network license server.
These protocols are susceptible to deserialization attacks, which
in the case of ReadyAPI can be exploited to gain remote code execution
on the client side.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

When trying to check out a remote floating license, the client
software, ReadyAPI, contacts the Licensing Server using the
Java RMI protocol on port 1099. As there is no transport security,
this service can be impersonated by an attacker in a suitable
position on the network.

Java RMI, and the underlying JRMP protocol, rely heavily on
Java serialization to transport method arguments, return values
and exception data.
Java serialization has been shown ([5]) to allow, in many cases,
the execution of arbitrary code when certain specially crafted
object graphs are reconstructed during deserialization.

ReadyAPI contains multiple libraries with published gadgets
that can be exploited in this way.

While the license server suffers from the same vulnerability,
no gadgets were identified that lead to direct code execution.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Set up a JRMP/RMI service that returns a malicious serialized object
graph. In this case, a gadget from the commons-beanutils library is
used to get command execution. Other options exist on the ReadyAPI
classpath.

========================================================================
$ java -DproperXalan=true \
-cp commons-beanutils-1.9.3.jar:target/ysoserial-0.0.6-SNAPSHOT-all.jar
ysoserial.exploit.JRMPListener 1099 CommonsBeanutils1 gnome-calculator
* Opening JRMP listener on 1099
Have connection from /192.168.56.102:34834
Reading message...
Sending return with payload for obj [0:0:0, 0]
Closing connection
========================================================================

When trying to check out a floating license from the rogue server,
RMI calls are made which result in the deserialization of the
attacker-provided serialized data. Here, this causes the gnome-calculator
program to be run.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Avoid using Java serialization-based network protocols like RMI and
deserializing untrusted data in general.
If they cannot be avoided, strict whitelist-based filtering allowing only
the necessary object types should be performed.

Other users of the jProductivity Protection Licensing Server are likely
affected as well.

There is no vendor patch available as of now.

Mitigation in ReadyAPI may be possible by adding the following serialization
filter to bin/ready-api.sh (however, this may break other features):

JAVA_OPTS="$JAVA_OPTS -Djdk.serialFilter=java.util.*;java.security.*;\
java.lang.*;sun.security.**;com.jp.protection.pub.**;dev.util.collections.*;\
com.jp.protection.pub.pro.lserver.rmi.**;java.rmi.**;sun.rmi.**;!*"
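To show what the allowlist above actually does, here is an added example (not code from the advisory, jProductivity or SmartBear) that applies the same filter pattern per stream through java.io.ObjectInputFilter (Java 9+): a java.util.ArrayList of strings passes, while a constructed class outside the allowlist is rejected before any of its objects are instantiated. The class name NotOnTheList and the sample values are hypothetical.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;

public class SerialFilterDemo {
    // Same pattern as the JAVA_OPTS mitigation in the advisory; the trailing ";!*"
    // rejects every class not matched by an earlier entry (allowlist semantics).
    static final String PATTERN =
        "java.util.*;java.security.*;java.lang.*;sun.security.**;com.jp.protection.pub.**;"
      + "dev.util.collections.*;com.jp.protection.pub.pro.lserver.rmi.**;java.rmi.**;sun.rmi.**;!*";

    // Constructed stand-in for any type that is not on the allowlist (e.g. a gadget class).
    static class NotOnTheList implements Serializable {
        private static final long serialVersionUID = 1L;
        String payload = "constructed sample";
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with the allowlist installed on the stream before the first read.
    // The filter is consulted for every class descriptor (and array) in the stream,
    // so a rejected class never reaches resolveClass()/readObject() logic.
    static String deserializeFiltered(byte[] data) {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(PATTERN);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return "accepted: " + ois.readObject().getClass().getName();
        } catch (InvalidClassException e) {
            // Thrown by the JDK when the filter returns REJECTED for a class in the stream
            return "rejected: " + e.getMessage();
        } catch (IOException | ClassNotFoundException e) {
            return "error: " + e;
        }
    }

    public static void main(String[] args) throws IOException {
        List<String> allowed = new ArrayList<>();          // java.util.* and java.lang.* match
        allowed.add("floating-license-token");
        System.out.println(deserializeFiltered(serialize(allowed)));
        System.out.println(deserializeFiltered(serialize(new NotOnTheList())));
    }
}
```

The -Djdk.serialFilter property used in the advisory installs the same pattern as the JVM-wide default filter; the per-stream form shown here is the option when only the license client's RMI streams should be restricted without affecting the rest of the application.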


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2019-08-08: Vulnerability discovered
2019-09-02: Vulnerability reported to manufacturer
2019-10-10: On inquiry, "early 2020" is mentioned as the fix timeline
2020-01-30: Requested an update, no reply
2020-03-20: Another inquiry, no clear timeline provided
2020-04-15: Final 4 week deadline set, mitigation suggested
2020-05-18: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for jProductivity Protection!
http://www.jproductivity.com/products/protection/
[2] Product website for ReadyAPI
https://smartbear.com/product/ready-api/
[3] SySS Security Advisory SYSS-2019-039
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-039.txt
[4] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/
[5] ysoserial, "Marshalling Pickles: how deserializing objects will ruin
your day"
https://github.com/frohoff/ysoserial/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Bechler of SySS GmbH.

E-Mail: moritz.bechler@syss.de
Public Key:
https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Bechler.asc
Key ID: 0x768EFE2BB3E53DDA
Key Fingerprint: 2C8F F101 9D77 BDE6 465E CCC2 768E FE2B B3E5 3DDA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

