Table of Contents
Shiro-550 Deserialization Vulnerability
Vulnerability introduction
Vulnerability principle
Shiro-721 Deserialization Vulnerability (CVE-2019-12422)
What is the difference between Shiro550 and Shiro721
vulnerability fingerprint
Vulnerability introduction
Vulnerability principle
Attack process
Vulnerability recurrence: CVE-2016-4437
Vulnerability recurrence: CVE-2019-12422
Shiro-550 Deserialization Vulnerability
Vulnerability Introduction
shiro-550 is mainly a command execution vulnerability caused by the deserialization of shiro’s rememberMe content. The reason is that the default encryption key is hard-coded in the shiro source code. Anyone with access to the source code can know the default encryption key. . An attacker can then create a malicious object, serialize it, encode it, and then send it as the contents of the cookie’s rememberMe field, which Shiro will decode and deserialize, causing the server to run some malicious code.
Features: The cookie contains the rememberMe field
Repair suggestions:
Update shiro to version 1.2.4 or above.
Instead of using the default encryption key, generate a randomly generated key.
Principle of Vulnerability
1. Introduction to Shiro
Apache Shiro is a powerful and easy-to-use Java security framework that provides authentication, authorization, encryption, session management and other functions. For any application, Shiro can provide comprehensive security management services.
In Apache Shiro<=1.2.4 version, the key used in AES encryption is hard-coded in the code, so we can construct the value of Remembe Me and then let it be deserialized and executed.
2. Shiro server identity recognition encryption and decryption process
(1) Encryption
1. Users log in using their account and password, and check “Remember Me”.
2. Shiro verifies the user’s login information. After passing it, check whether the user has checked “Remember Me”.
3. If checked, the user identity will be serialized, the serialized content will be AES encrypted, and then base64 encoded.
4. Finally, place the processed content in the rememberMe field in the cookie.
(2) Decryption
1. When the server receives a request from an unauthenticated user, it will obtain the rememberMe field content from the cookie in the request sent by the client.
2. Base64 decode the obtained rememberMe field, and then use AES to decrypt it.
3. Finally, deserialize the decrypted content and obtain the user identity.
3. Key
The AES encryption key Key is hard-coded in the code
So the construction process of Payload can be obtained:
Malicious command–>Serialization–>AES encryption–>base64 encoding–>Send Cookie
Shiro-721 Deserialization Vulnerability (CVE-2019-12422)
What is the difference between Shiro550 and Shiro721
Shiro550 only needs to collide the key and blast out the key, and then it can be exploited.
Shiro721’s ASE encrypted key cannot be guessed under normal circumstances. It is randomly generated by the system, and the next stage of the process will only be entered when there is valid user information. Therefore, we need to use the rememberMe Cookie after login before proceeding to the next step. attack.
Vulnerability fingerprint
URL contains Shiro field
The cookie contains the rememberMe field
The returned package contains rememberMe
Vulnerability Introduction
In Shiro721, Shiro encrypts the rememberMe field in the cookie through AES-128-CBC, so users can use the attack code generated by PaddingOracle encryption to construct a malicious rememberMe field and conduct deserialization attacks. The more complex the commands that need to be executed, The longer it takes to generate the payload.
Principle of vulnerability
Due to a problem with the rememberMe field encrypted by AES-128-CBC mode in the Apache Shiro cookie, users can construct a malicious rememberMe field through the attack code generated by Padding Oracle encryption, use a valid RememberMe cookie as the prefix of the Padding Oracle Attack, and then create A crafted RememberMe to perform Java deserialization attacks
Attack Process
Log in to the website and get RememberMe from the cookie. Use RememberMe cookie as prefix for Padding Oracle Attack. Encrypt the serialized payload of syserial to create a crafted RememberMe via Padding Oracle Attack. Requests a website with a new RememberMe cookie to perform a deserialization attack. The attacker does not need to know the password key for RememberMe encryption.
Encryption method: AES-128-CBC
The CBC mode, which belongs to the AES encryption algorithm, uses 128-bit data blocks as a group for encryption and decryption, that is, 16 bytes of plain text, corresponding to 16 bytes of cipher text. When encrypting the plain text, if the data is not enough for 16 bytes, the data will be padded. All remaining bytes
If the remaining plaintext is less than 16 bytes, it needs to be filled, usually using PKCS7. For example, if the last 3 bytes are missing, fill in 3 bytes of 0x03; if the last 10 bytes are missing, fill in 10 bytes of 0x0a;
If the plaintext is exactly an integer multiple of 16 bytes, finally add a 16-byte 0x10 group before encrypting it.
Padding Oracle Attack Principle
Padding Oracle attack can encrypt or decrypt ciphertext without a key
Shiro Padding Oracle Attack is a security vulnerability attack against the Apache Shiro authentication framework. Apache Shiro is an authentication and authorization framework widely used in Java applications to manage user sessions, permission verification and other functions.
Padding Oracle Attack is a security vulnerability attack that uses padding on encryption algorithms. In encrypted communications, padding is used to extend plaintext data to a multiple of the encryption algorithm’s block size. In this attack, the attacker uses the padded response information to infer the secret information in the encryption algorithm.
The Shiro Padding Oracle Attack exploits a vulnerability in the authentication process in the Shiro framework that allows an attacker to determine errors in the authentication process through varying response times for padding information. By constantly trying different padding methods, an attacker can gradually deduce the encryption key and eventually gain access.
This attack exploits padding of incorrect authentication responses to obtain information about secret information and then performs further attacks based on this information. In order to prevent Shiro Padding Oracle Attack, it is recommended to update the Apache Shiro version in time to ensure that the vulnerability has been fixed, and to take other security measures, such as using secure encryption algorithms and key management strategies.
Vulnerability recurrence: CVE-2016-4437
Environment: kali linux
Range use: vulhub/shiro/CVE-2016-4437
address:
Capture the packet and analyze it:
The words rememberMe=deleteMe are found in the returned package. You can roughly confirm that shiro is configured and you can proceed to the next step. Because Shiro’s own function is an authentication management, it can usually be seen at the login port.
UI one-click utilization tool
Use tools to check and confirm:
Enter the URL address of the target and blast the secret key based on the keywords
Next, the blasting exploit chain and echo method:
Next, the command can be executed:
Rebound shell:
Tools can be used for detection:
After the detection is completed, you can perform command execution, rebound shell and other operations:
Use tools for simple bounce:
Set listening port
window:
linux:
You can also use the ysoserial monitoring module JRMP to perform a rebound shell. Please refer to the reference document for details. The operations are similar.
It is precisely because it is easy to use that it causes greater harm.
Tool address
Vulnerability recurrence: CVE-2019-12422
Environment: kali linux
Docker builds and starts
git clone https://github.com/3ndz/Shiro-721.git cd Shiro-721/Docker docker build -t shiro-721 . docker run -p 8080:8080 -d shiro-721
access:
The utilization process is similar to shiro550. shiro710 needs to log in to the website and obtain RememberMe from the cookie.
To log in, use the correct account and password:
After logging in with the correct account and password, capture the packet to obtain legal cookies (check Remember Me)
If authentication fails, you can only get rememberMe=deleteMe
Copy the rememberMe value among the set-cookie values obtained after logging in and put it into the tool.
Select shiro721, enter the target URL, set the rememberMe value, click Next and wait.
Select detection method:
Just wait:
Using shiro synthesis tools:
After entering the URL: perform blasting key, blasting exploit chain and echo
Command execution:
Source: https://www.freebuf.com/articles/web/380382.html
Statement: The technologies, ideas and tools involved in this article are only for safety-oriented learning and exchange purposes. No one may use them for legal purposes or profit, otherwise you will bear the consequences. All penetrations require authorization!
Receive a safety learning package for free! (Chat privately in the group to learn and make progress together)
Penetration tools
Technical documents, books
Interview questions
Help you stand out in interviews
video
Basic to advanced
Environment construction, HTML, PHP, MySQL basic learning, information collection, SQL injection, XSS, CSRF, brute force cracking, etc.
Emergency Response Notes
learning route