what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

QRadar RemoteJavaScript Deserialization

QRadar RemoteJavaScript Deserialization
Posted Oct 19, 2020
Authored by Securify B.V.

A Java deserialization vulnerability exists in the QRadar RemoteJavaScript Servlet. An authenticated user can call one of the vulnerable methods and cause the Servlet to deserialize arbitrary objects. An attacker can exploit this vulnerability by creating a specially crafted (serialized) object, which amongst other things can result in a denial of service, change of system settings, or execution of arbitrary code. This issue was successfully verified on QRadar Community Edition version 7.3.1.6 (7.3.1 Build 20180723171558).

tags | exploit, java, denial of service, arbitrary
advisories | CVE-2020-4280
SHA-256 | 0f8533fd0513dc351a0c6bb51c862f6156842187d3e72a38a9b78ea74a771878

QRadar RemoteJavaScript Deserialization

Change Mirror Download
------------------------------------------------------------------------
Java deserialization vulnerability in QRadar RemoteJavaScript Servlet
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Java deserialization vulnerability exists in the QRadar
RemoteJavaScript Servlet. An authenticated user can call one of the
vulnerable methods and cause the Servlet to deserialize arbitrary
objects.

An attacker can exploit this vulnerability by creating a specially
crafted (serialized) object, which amongst other things can result in a
denial of service, change of system settings, or execution of arbitrary
code.

------------------------------------------------------------------------
See also
------------------------------------------------------------------------
CVE-2020-4280 [2]
6344079 [3] - IBM QRadar SIEM is vulnerable to deserialization of
untrusted data

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully verified on QRadar Community Edition [4]
version 7.3.1.6 (7.3.1 Build 20180723171558).

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
IBM has released the following versions of QRader in which this issue
has been resolved:

- QRadar / QRM / QVM / QRIF / QNI 7.4.1 Patch 1 [5]
- QRadar / QRM / QVM / QRIF / QNI 7.3.3 Patch 5 [6]

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
QRadar [7] is IBM's enterprise SIEM [8] solution. A free version of
QRadar is available that is known as QRadar Community Edition [4]. This
version is limited to 50 events per second and 5,000 network flows a
minute, supports apps, but is based on a smaller footprint for
non-enterprise use.

A Java deserialization vulnerability [9] exists in the QRadar
RemoteJavaScript Servlet. This Servlet contains a custom JSON-RPC [10]
implementation (based on JSON-RPC version 1.0). Certain methods accept
base64 encoded serialized Java objects. No checks have been implemented
to prevent deserialization of arbitrary objects. Consequently, an
authenticated user can call one of the affected methods and cause the
RemoteJavaScript Servlet to deserialize arbitrary objects.

An attacker can exploit this vulnerability by creating a specially
crafted (serialized) object, which amongst other things can result in a
denial of service, change of system settings, or execution of arbitrary
code.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The RemoteJavaScript Servlet is only accessible for authenticated users.
It is mapped to the following URLs:

- /remoteJavaScript
- /remoteMethod
- /JSON-RPC
- /JSON-RPC/*

The JSON data can be passed via the URL query string or as POST data.
The JSON data should contain a field named method, which contains the
name of the application and the method that needs to be invoked. The
requested application is looked up in the Application Registry. Each
application has a mapping XML file located under
/opt/qradar/conf/appconfig/ named <appname>-exported_methods.xml, which
is essentially a list of all (Java) methods that can be called including
their associated Java class, access control, and other settings.

When the application is found (and licensed), a call is made to
getExportedMethod() to lookup the Java method that needs to be invoked.
After some additional checks - like authorization - the Servlet will
eventually invoke the call() method of the found Java method. If
present, arguments are passed as a String array to the call() method.
These arguments are then converted into the correct type using the
com.q1labs.core.shared.util.ReflectionUtils.stringsToObjects() method.

com.q1labs.uiframeworks.application.ExportedMethod:
public abstract class ExportedMethod extends AllowableObject {

[...]

public Object call(PageContext pageContext, String... passedArguments)
throws Exception {
if (passedArguments != null && passedArguments.length != 0) {
if (this.log.isDebugEnabled()) {
this.log.debug("Calling with passed in arguments: " +
Arrays.toString(passedArguments));
}

return this.call(pageContext,
this.stringsToObjects(passedArguments));

[...]

private Object[] stringsToObjects(String[] paramaters) throws
ExportedMethodException {
return ReflectionUtils.stringsToObjects(this.getParameterTypes(),
paramaters);
}

The parameter types differ per method and are provided via the
getParameterTypes() method. If the parameter type is a 'simple' type, it
will be converted without deserialization. However, some methods also
accept complex types, which are passed as serialized objects.

com.q1labs.core.shared.util.ReflectionUtils:
public class ReflectionUtils {
public static Object stringToObject(Class type, String param) throws
NoSuchMethodException, InvocationTargetException,
InstantiationException, IllegalAccessException {
long i;
int i;
if (type.isPrimitive()) {
if (type.equals(Integer.TYPE)) {
if (param == null) {
param = "0";
}

i = (new Double(param)).longValue();
if (i > 2147483647L) {
i = 0L - (2147483647L - i);
}

return (int)i;
} else if (type.equals(Character.TYPE)) {
return param.charAt(0);
} else if (type.equals(Double.TYPE)) {
return new Double(param);
[...]
} else {
throw new RuntimeException("Unknown primitive type: " +
type.getName());
}
} else if (param != null && !param.equalsIgnoreCase("$_NULL_$")) {
if (type.equals(Short.class)) {
i = (new Double(param)).intValue();
if (i > 32767) {
i = 0 - (32767 - i);
}

return (short)i;
[...]
} else {
return SerializationUtils.deserialize(Base64.decode(param));
}
[...]
}

public static Object[] stringsToObjects(Class[] types, String...
parameters) throws RuntimeException {
Pattern arrayMatcher = Pattern.compile("^\\[(.+)\\]$");
if (parameters != null && parameters.length > 0) {
Object[] newArgs = new Object[types.length];

for(int i = 0; i < types.length; ++i) {
try {
Class type = types[ i ];
if (!type.isArray()) {
newArgs[ i ] = stringToObject(type, parameters[ i ]);
[...]

Deserialization of objects is done using the
org.apache.commons.lang3.SerializationUtils class. This class doesn't
perform any checks on the objects that are deserialized. Since no checks
are done in the RemoteJavaScript Servlet it can be abused to deserialize
arbitrary objects. An attacker can exploit this vulnerability by
creating a specially crafted (serialized) object.

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
The JSON-RPC interface already contains a method that allows running of
arbitrary commands (as the nobody user). This method is named
qradar.executeCommand and can be called by any user, no special
privileges are required. However, the method checks if the property
console.enableExecuteCommand exists and is set to true. By default this
property doesn't exist and thus it is not possible to call this method
to run arbitrary commands. By utilizing the deserialization
vulnerability it is possible to create this property, after which it is
possible to use qradar.executeCommand to run arbitrary commands.

com.q1labs.qradar.ui.qradarservices.UIQRadarServices:
public static Object executeCommand(PageContext pageContext, String
command, int timeoutSeconds) throws Exception {
if
(!"true".equalsIgnoreCase(QSystem.getProperty("console.enableExecuteCommand")))
{
throw new Exception("Cannot execute remote system commands");
} else {
File qradarDir = new File(NVAReader.getProperty("NVA",
"/opt/qradar"));
Process proc = Runtime.getRuntime().exec(new String[]{"/bin/sh",
"-c",
command}, (String[])null, qradarDir);
[...]

One of the methods that can be used to trigger a deserialization
operation is the method qradar.validateChangesAssetConfiguration. This
method is mapped to the Java method
com.q1labs.assetprofilerconfiguration.ui.util.AssetProfilerConfig.validateChangesAssetConfiguration().
The method takes one argument of the type java.util.List.

The proof of concept uses a Jython gadget. The Jython Java library is
present in the Servlet's class path and consequently we can deserialize
objects found in this library. The ysoserial [11] payload generation
tool already contains a gadget [12] that uses the Jython library.
ysoserial's payload will first write a Python file to the target system,
after which the file is executed. The payload has been modified to
directly create the target property (console.enableExecuteCommand)
without the need to write a file to disk first. The payload is modified
to execute the following Python code (upon deserialization):

eval("__import__('com.q1labs.frameworks.util.QSystem', globals(),
locals(), ['setProperty'],
0).setProperty('console.enableExecuteCommand', 'true')")

https://gist.github.com/ykoster/90d3d13fe70c357ae93f5ddb3faee4f2

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://www.securify.nl/advisory/java-deserialization-vulnerability-in-qradar-remotejavascript-servlet
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4280
[3] https://www.ibm.com/support/pages/node/6344079
[4] https://developer.ibm.com/qradar/ce/
[5]
https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.4.0&platform=Linux&function=fixId&fixids=7.4.1-QRADAR-QRSIEM-20200915010309&includeRequisites=1&includeSupersedes=0&downloadMethod=http&login=true
[6]
https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+Vulnerability+Manager&release=All&platform=All&function=fixId&fixids=7.3.3-QRADAR-QRSIEM-20200929154613&includeRequisites=1&includeSupersedes=0&downloadMethod=http&login=true
[7] https://www.ibm.com/security/security-intelligence/qradar
[8] https://en.wikipedia.org/wiki/Security_information_and_event_management
[9] https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization
[10] https://en.wikipedia.org/wiki/JSON-RPC
[11] https://github.com/frohoff/ysoserial
[12]
https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/Jython1.java



Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    30 Files
  • 27
    Sep 27th
    27 Files
  • 28
    Sep 28th
    8 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close