Shiro deserialization vulnerability principle analysis and vulnerability reproduction (CVE-2016-4437)

Table of Contents

Shiro-550 Deserialization Vulnerability

Vulnerability introduction

Vulnerability principle

Shiro-721 Deserialization Vulnerability (CVE-2019-12422)

What is the difference between Shiro550 and Shiro721

vulnerability fingerprint

Vulnerability introduction

Vulnerability principle

Attack process

Vulnerability recurrence: CVE-2016-4437

Vulnerability recurrence: CVE-2019-12422

Shiro-550 Deserialization Vulnerability

Vulnerability Introduction

shiro-550 is mainly a command execution vulnerability caused by the deserialization of shiro’s rememberMe content. The reason is that the default encryption key is hard-coded in the shiro source code. Anyone with access to the source code can know the default encryption key. . An attacker can then create a malicious object, serialize it, encode it, and then send it as the contents of the cookie’s rememberMe field, which Shiro will decode and deserialize, causing the server to run some malicious code.

Features: The cookie contains the rememberMe field

Repair suggestions:

Update shiro to version 1.2.4 or above.

Instead of using the default encryption key, generate a randomly generated key.

Principle of Vulnerability

1. Introduction to Shiro
Apache Shiro is a powerful and easy-to-use Java security framework that provides authentication, authorization, encryption, session management and other functions. For any application, Shiro can provide comprehensive security management services.

In Apache Shiro<=1.2.4 version, the key used in AES encryption is hard-coded in the code, so we can construct the value of Remembe Me and then let it be deserialized and executed.

2. Shiro server identity recognition encryption and decryption process

(1) Encryption

1. Users log in using their account and password, and check “Remember Me”.

2. Shiro verifies the user’s login information. After passing it, check whether the user has checked “Remember Me”.

3. If checked, the user identity will be serialized, the serialized content will be AES encrypted, and then base64 encoded.

4. Finally, place the processed content in the rememberMe field in the cookie.

(2) Decryption

1. When the server receives a request from an unauthenticated user, it will obtain the rememberMe field content from the cookie in the request sent by the client.

2. Base64 decode the obtained rememberMe field, and then use AES to decrypt it.

3. Finally, deserialize the decrypted content and obtain the user identity.

3. Key

The AES encryption key Key is hard-coded in the code

So the construction process of Payload can be obtained:

Malicious command–>Serialization–>AES encryption–>base64 encoding–>Send Cookie

Shiro-721 Deserialization Vulnerability (CVE-2019-12422)

What is the difference between Shiro550 and Shiro721

Shiro550 only needs to collide the key and blast out the key, and then it can be exploited.
Shiro721’s ASE encrypted key cannot be guessed under normal circumstances. It is randomly generated by the system, and the next stage of the process will only be entered when there is valid user information. Therefore, we need to use the rememberMe Cookie after login before proceeding to the next step. attack.

Vulnerability fingerprint

URL contains Shiro field

The cookie contains the rememberMe field

The returned package contains rememberMe

Vulnerability Introduction

In Shiro721, Shiro encrypts the rememberMe field in the cookie through AES-128-CBC, so users can use the attack code generated by PaddingOracle encryption to construct a malicious rememberMe field and conduct deserialization attacks. The more complex the commands that need to be executed, The longer it takes to generate the payload.

Principle of vulnerability

Due to a problem with the rememberMe field encrypted by AES-128-CBC mode in the Apache Shiro cookie, users can construct a malicious rememberMe field through the attack code generated by Padding Oracle encryption, use a valid RememberMe cookie as the prefix of the Padding Oracle Attack, and then create A crafted RememberMe to perform Java deserialization attacks

Attack Process

Log in to the website and get RememberMe from the cookie. Use RememberMe cookie as prefix for Padding Oracle Attack. Encrypt the serialized payload of syserial to create a crafted RememberMe via Padding Oracle Attack. Requests a website with a new RememberMe cookie to perform a deserialization attack. The attacker does not need to know the password key for RememberMe encryption.

Encryption method: AES-128-CBC
The CBC mode, which belongs to the AES encryption algorithm, uses 128-bit data blocks as a group for encryption and decryption, that is, 16 bytes of plain text, corresponding to 16 bytes of cipher text. When encrypting the plain text, if the data is not enough for 16 bytes, the data will be padded. All remaining bytes

If the remaining plaintext is less than 16 bytes, it needs to be filled, usually using PKCS7. For example, if the last 3 bytes are missing, fill in 3 bytes of 0x03; if the last 10 bytes are missing, fill in 10 bytes of 0x0a;

If the plaintext is exactly an integer multiple of 16 bytes, finally add a 16-byte 0x10 group before encrypting it.

Padding Oracle Attack Principle
Padding Oracle attack can encrypt or decrypt ciphertext without a key

Shiro Padding Oracle Attack is a security vulnerability attack against the Apache Shiro authentication framework. Apache Shiro is an authentication and authorization framework widely used in Java applications to manage user sessions, permission verification and other functions.

Padding Oracle Attack is a security vulnerability attack that uses padding on encryption algorithms. In encrypted communications, padding is used to extend plaintext data to a multiple of the encryption algorithm’s block size. In this attack, the attacker uses the padded response information to infer the secret information in the encryption algorithm.

The Shiro Padding Oracle Attack exploits a vulnerability in the authentication process in the Shiro framework that allows an attacker to determine errors in the authentication process through varying response times for padding information. By constantly trying different padding methods, an attacker can gradually deduce the encryption key and eventually gain access.

This attack exploits padding of incorrect authentication responses to obtain information about secret information and then performs further attacks based on this information. In order to prevent Shiro Padding Oracle Attack, it is recommended to update the Apache Shiro version in time to ensure that the vulnerability has been fixed, and to take other security measures, such as using secure encryption algorithms and key management strategies.

Vulnerability recurrence: CVE-2016-4437

Environment: kali linux

Range use: vulhub/shiro/CVE-2016-4437

address:

Capture the packet and analyze it:

The words rememberMe=deleteMe are found in the returned package. You can roughly confirm that shiro is configured and you can proceed to the next step. Because Shiro’s own function is an authentication management, it can usually be seen at the login port.

UI one-click utilization tool

Use tools to check and confirm:

Enter the URL address of the target and blast the secret key based on the keywords

Next, the blasting exploit chain and echo method:

Next, the command can be executed:

Rebound shell:

Tools can be used for detection:

After the detection is completed, you can perform command execution, rebound shell and other operations:

Use tools for simple bounce:

Set listening port

window:

linux:

You can also use the ysoserial monitoring module JRMP to perform a rebound shell. Please refer to the reference document for details. The operations are similar.

It is precisely because it is easy to use that it causes greater harm.

Tool address

Vulnerability recurrence: CVE-2019-12422

Environment: kali linux

Docker builds and starts

git clone https://github.com/3ndz/Shiro-721.git
cd Shiro-721/Docker
docker build -t shiro-721 .
docker run -p 8080:8080 -d shiro-721

access:

The utilization process is similar to shiro550. shiro710 needs to log in to the website and obtain RememberMe from the cookie.

To log in, use the correct account and password:

After logging in with the correct account and password, capture the packet to obtain legal cookies (check Remember Me)

If authentication fails, you can only get rememberMe=deleteMe

Copy the rememberMe value among the set-cookie values obtained after logging in and put it into the tool.

Select shiro721, enter the target URL, set the rememberMe value, click Next and wait.

Select detection method:

Just wait:

Using shiro synthesis tools:

After entering the URL: perform blasting key, blasting exploit chain and echo

Command execution:

Source: https://www.freebuf.com/articles/web/380382.html

Statement: The technologies, ideas and tools involved in this article are only for safety-oriented learning and exchange purposes. No one may use them for legal purposes or profit, otherwise you will bear the consequences. All penetrations require authorization!