CVE-2017-3066 study case

@peterjson

$id

Security Enginneer @ VNG Corporation

Researching / Pentesting / Redteam

Mainly focus on server side bug, especially about Java / .NET

Twitter: https://twitter.com/peterjson

Telegram: https://t.me/peterjson

​

CVE-2017-3066

CVE-2017-3066 affected by CVE-2017-3066

CVE-2017-3066 - ENV setup

​

ColdFusion 11: https://drive.google.com/embeddedfolderview?id=0B9u7ipD8e7-oaW5fNlVvb1ZhQTQ#list

update verion 11: https://helpx.adobe.com/coldfusion/kb/coldfusion-11-updates.html

IDEA: IntelliJ + cài jdk ver 8 trên host

VM: ubuntu + cài jdk 8 trên VM

CVE-2017-3066 - setup remote debug

​

• Copy all jar file to /tmp/dumpJars

$ find /opt/coldfusion11/ -name *.jar -exec cp {} /tmp/dumpJars \;

​

• create empty IntelliJ Project then add library to project (with /tmp/dumpJars)
• add jdwp to jvm.config file in bin/ folder of cfusion
• restart server

CVE-2017-3066 - setup remote debug

​

CVE-2017-3066 - setup remote debug

​

CVE-2017-3066 - Identify the bug

​

• viewing config in /opt/coldfusion11/cfusion/wwwroot/WEB-INF
• How to find the entry point of the vulnerability ?
• read web.xml
• servlet, mapping of each servlet
• filter
• other config ?

​

CVE-2017-3066 - Identify the bug - flex module

​

​

This CVE was effected as third module (Apache Blaze DS) library

=> /WEB-INF/flex is config dir of this module

​

CVE-2017-3066 - Identify the bug - /flex/services-config.xml

​

​

CVE-2017-3066 - Identify the bug - back to web.xml

​

​

servlet class

param when init this servlet

CVE-2017-3066 - Servlet Life Circle

​

​

CVE-2017-3066 - BoostrapServlet.init()

​

CVE-2017-3066 - BoostrapServlet.init()

​

​

CVE-2017-3066 - BoostrapServlet.service()

​

​

CVE-2017-3066 - ColdFusionMessageBrokerServlet.service()

​

​

CVE-2017-3066 - MessageBrokerServlet.service()

​

​

CVE-2017-3066 - AMFEndPoint.service()

​

​

CVE-2017-3066 - BaseHTTPEndpoint.service()

​

​

CVE-2017-3066 - BaseHTTPEndpoint.filterChain.invoke(context)

CVE-2017-3066 - BaseHTTPEndpoint.filterChain.invoke(context)

deserialize untrusted user input

CVE-2017-3066 - Understanding AMF Deserializer

https://codewhitesec.blogspot.com/2017/04/amf.html

AmfMessageDeserializer.readMessage()

​

CVE-2017-3066 - Understanding AMF Deserializer

CVE-2017-3066 - Understanding AMF Deserializer

CVE-2017-3066 - Understanding AMF Deserializer

CVE-2017-3066 - Understanding AMF Deserializer

CVE-2017-3066 - Understanding AMF Deserializer

This class store basic information about the Object then using these properties to restore Object

CVE-2017-3066 - Understanding AMF Deserializer

CVE-2017-3066 - Java Proxy Mechanism

What is Java Proxy ?

CVE-2017-3066 - Java Proxy Mechanism - Quick example

CVE-2017-3066 - Understanding AMF Deserializer

CVE-2017-3066 - Understanding AMF Deserializer

CVE-2017-3066 - Apache Blaze DS 4.7.3 Release Notes

CVE-2017-3066 - Understanding AMF Deserializer

​

Where is the vulnerability ? Not like old traditional Java Deserialize huh ?

CVE-2017-3066 - AMF readExternalizable()

CVE-2017-3066 - AMF restore Object via Java Bean

CVE-2017-3066 - Exploit

• not like old readObject()
• exploit via readExternal() or setter (Java Bean)
• original resources:
• https://codewhitesec.blogspot.com/2017/04/amf.html
• https://codewhitesec.blogspot.com/2018/03/exploiting-adobe-coldfusion.html

​

CVE-2017-3066 - Exploit

CVE-2017-3066 - Exploit - readExternal() exploit

CVE-2017-3066 - Exploit - readExternal() exploit

CVE-2017-3066 - Exploit - readExternal() exploit

• sample exploit

host,port of attacker JRMP server

CVE-2017-3066 - Exploit - readExternal() exploit

CVE-2017-3066 - Exploit - readExternal() exploit

CVE-2017-3066 - Exploit - readExternal() exploit

CVE-2017-3066 - Exploit - readExternal() exploit

send to JRMP server

receive back object from JRMP server, then deserialize it

CVE-2017-3066 - Exploit - Improvement

So what if target server has no outbound connection ? and we cannot use JRMP chain anymore?

CVE-2017-3066 - Exploit - Improvement

• Chain 1: from setter to native Java Deserialization -> ReplicatedTree.setState()

​

CVE-2017-3066 - Exploit - Improvement

CVE-2017-3066 - Exploit - Improvement

CVE-2017-3066 - Exploit - Improvement

• Chain 2: from readExternal() to native Java Deserialization (no need JRMP call chain) -> MetaDataEntry.readExternal()

​

CVE-2017-3066 - Exploit - Improvement

CVE-2017-3066 - Exploit - Improvement

CVE-2017-3066 - Exploit - CommonsBeanUtil gadget

• sample exploit

CVE-2017-3066 - Exploit - CommonsBeanUtil gadget

PriorityQueue.readObject()

CVE-2017-3066 - Exploit - CommonsBeanUtil gadget

CVE-2017-3066 - Exploit - CommonsBeanUtil gadget

BeanComparator.compare()

trigger java bean TemplatesImpl.getOutputProperties()

CVE-2017-3066 - Exploit - TemplatesImpl.getOutputProperties()

CVE-2017-3066 - Exploit - TemplatesImpl.getOutputProperties()

CVE-2017-3066 - Exploit - TemplatesImpl.getOutputProperties()

control with java reflection API�=> load malicious java byte code

CVE-2017-3066 - Exploit - Ysoserial

• Gadget.createTemplatesImpl() ysoserial

CVE-2017-3066 - Exploit - Ysoserial

Any gadget always end with Runtime.getRuntime().exec(“command here”)

But in scenario which target server has no outbound connection it will be a blind RCE

But how can we archive a reliable shell ?

​

CVE-2017-3066 - Exploit - Ysoserial

CVE-2017-3066 - Exploit - Ysoserial Improvement

Basic idea

modify CommonsBeanUtil gadget to load malicious with byte code as below:

• finding request / response object in ThreadLocal of each Thread while handling the request
• execute command, get the output
• using response object to write the output of command then close the connection

​

​

CVE-2017-3066 - Exploit - Ysoserial Improvement

CVE-2017-3066 - Exploit - Result