Apache Shiro deserialization vulnerability [org.apache.shiro.web.mgt.CookieRememberMeManager]

2021-02-06 02:34:09,886 [http-bio-8000-exec-18] WARN  [org.apache.shiro.mgt.DefaultSecurityManager] - Delegate RememberMeManager instance of type [org.apache.shiro.web.mgt.CookieRememberMeManager] threw an exception during getRememberedPrincipals().
org.apache.shiro.io.SerializationException: Unable to deserialze argument byte array.
    at org.apache.shiro.io.DefaultSerializer.deserialize(DefaultSerializer.java:82)
    at org.apache.shiro.mgt.AbstractRememberMeManager.deserialize(AbstractRememberMeManager.java:514)


1) The Apache Shiro framework provides a "remember me" function (RememberMe). After a user logs in successfully, Shiro sets an encrypted and encoded cookie. The cookie name is rememberMe, and its value is built by serializing the user's principal information, encrypting the serialized bytes with AES, and finally Base64-encoding the ciphertext.
When the server receives the cookie value, it processes it in the following steps:
1. Retrieve the value of the rememberMe cookie
2. Base64-decode it
3. AES-decrypt it (in affected versions the key is hard-coded in Shiro)
4. Deserialize the result (with no filtering of which classes may be loaded)

Because nothing is filtered before deserialization, an attacker who knows the key can craft a cookie whose decrypted bytes deserialize into a gadget chain, which leads to remote code execution.

In other words, Shiro uses CookieRememberMeManager by default, and the cookie is handled as: read the rememberMe cookie value >>> Base64 decode >>> AES decrypt >>> deserialize. Encryption would normally keep an attacker from producing a valid ciphertext, but the AES key is hard-coded and public, so anyone can encrypt arbitrary serialized data that the server will then deserialize. The WARN line at the top of this page is what DefaultSecurityManager logs when that last step fails: the SerializationException from DefaultSerializer is raised only after decryption has already succeeded, so a stream of such warnings typically means someone is sending crafted cookies with the correct key whose payload did not match the classpath.
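To make the pipeline concrete, here is an added example (not code from the original post or from the Shiro project) that performs steps 1 to 3 on a rememberMe cookie value and then, instead of step 4, only checks whether the decrypted bytes begin with the Java serialization stream header 0xAC 0xED 0x00 0x05. That is enough to tell whether a deployment is still using the default key, without deserializing anything. It assumes the layout Shiro's AesCipherService produces (AES/CBC/PKCS5 with a random 16-byte IV prepended to the ciphertext) and uses the default key from AbstractRememberMeManager in 1.2.4 and earlier, Base64 kPH+bIxk5D2deZiIxcaaaA==. The two cookies it inspects are constructed in main() from a fake payload, not captured from a real server.

```java
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class ShiroRememberMeKeyCheck {

    // Default cipher key shipped in AbstractRememberMeManager up to Shiro 1.2.4.
    static final byte[] DEFAULT_KEY = Base64.getDecoder().decode("kPH+bIxk5D2deZiIxcaaaA==");

    // Header that opens every Java serialization stream (STREAM_MAGIC + STREAM_VERSION).
    static final byte[] JAVA_SERIAL_MAGIC = {(byte) 0xAC, (byte) 0xED, 0x00, 0x05};

    /** Same layout as AesCipherService: random 16-byte IV followed by AES/CBC/PKCS5 ciphertext. */
    static byte[] encrypt(byte[] key, byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    /** Step 3 of the server pipeline: split off the IV and decrypt the rest. */
    static byte[] decrypt(byte[] key, byte[] ivAndCiphertext) throws GeneralSecurityException {
        byte[] iv = Arrays.copyOfRange(ivAndCiphertext, 0, 16);
        byte[] ct = Arrays.copyOfRange(ivAndCiphertext, 16, ivAndCiphertext.length);
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
        return cipher.doFinal(ct);
    }

    /** Steps 1-3, then a header check in place of step 4. Never calls ObjectInputStream. */
    static boolean usesKey(String rememberMeCookie, byte[] key) {
        try {
            byte[] raw = Base64.getDecoder().decode(rememberMeCookie);
            if (raw.length < 32) {
                return false; // needs at least the IV plus one AES block
            }
            byte[] plain = decrypt(key, raw);
            return plain.length >= 4 && Arrays.equals(Arrays.copyOf(plain, 4), JAVA_SERIAL_MAGIC);
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            // A wrong key almost always surfaces as a padding error; treat it as "not this key".
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a serialized principal: the stream header followed by filler bytes.
        byte[] fakeSerialized = new byte[24];
        System.arraycopy(JAVA_SERIAL_MAGIC, 0, fakeSerialized, 0, 4);
        Arrays.fill(fakeSerialized, 4, fakeSerialized.length, (byte) 0x41);

        // Cookie from a server still on the default key...
        String cookieDefaultKey = Base64.getEncoder().encodeToString(encrypt(DEFAULT_KEY, fakeSerialized));
        // ...and from one that configured its own random key.
        byte[] randomKey = new byte[16];
        new SecureRandom().nextBytes(randomKey);
        String cookieRandomKey = Base64.getEncoder().encodeToString(encrypt(randomKey, fakeSerialized));

        System.out.println("default key in use: " + usesKey(cookieDefaultKey, DEFAULT_KEY));
        System.out.println("default key in use: " + usesKey(cookieRandomKey, DEFAULT_KEY));
    }
}
```

Run against a real cookie, usesKey() returning true for DEFAULT_KEY means the remember-me pipeline will accept any serialized stream the holder of that public key chooses to send. The check stops at the stream header on purpose: decryption plus a header comparison is all that is needed to confirm the key, and reading the stream with ObjectInputStream would itself be the dangerous step 4.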

2) Because Shiro ships with a single, publicly known default AES key, any deployment that still uses it is open to this deserialization attack, and an attacker can execute arbitrary code on the server. The hard-coded key is present in Apache Shiro 1.2.4 and earlier. Check the Shiro version in use; if it is 1.2.4 or lower, upgrade to 1.2.5 or later, which drops the built-in key and generates a random one when the SecurityManager is created. Note that a key generated at startup invalidates remember-me cookies on every restart and does not work across cluster nodes, so most deployments end up configuring a fixed key; if that key is copied from a blog or sample configuration rather than generated, the vulnerability is back regardless of version.

3) Alternatively, and necessarily if you configure a fixed key for the restart or cluster reasons above, replace the default with a key generated for this deployment and keep it out of source control. The key can be generated with the following Java code:

 
  import javax.crypto.KeyGenerator;
  import javax.crypto.SecretKey;
  import org.apache.shiro.codec.Base64;

  // Key generation (copy into main() and run); prints a Base64 AES-128 key
  KeyGenerator keygen = KeyGenerator.getInstance("AES");
  SecretKey deskey = keygen.generateKey();
  System.out.println(Base64.encodeToString(deskey.getEncoded()));
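Generating the key is only half of the fix; it also has to be wired into CookieRememberMeManager, and the application should refuse to start rather than silently fall back to a default. The following is an added example, not code from the original post or from the Shiro project: it assumes the Base64 string printed by the generator above has been placed in an environment variable named SHIRO_REMEMBERME_KEY (the variable name is this example's choice) and uses Shiro's own setCipherKey and setRememberMeManager setters.

```java
import org.apache.shiro.codec.Base64;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;

public class RememberMeConfig {

    // Assumption of this example: the generated Base64 key is injected via this variable.
    static final String KEY_ENV_VAR = "SHIRO_REMEMBERME_KEY";

    /** Builds the remember-me manager with a per-deployment key, never the Shiro default. */
    static CookieRememberMeManager rememberMeManager() {
        String b64 = System.getenv(KEY_ENV_VAR);
        if (b64 == null || b64.isEmpty()) {
            // Fail closed: starting without a key would leave whatever default the version ships with.
            throw new IllegalStateException(KEY_ENV_VAR + " is not set; refusing to start with a default cipher key");
        }
        byte[] key = Base64.decode(b64);
        if (key.length != 16 && key.length != 24 && key.length != 32) {
            throw new IllegalStateException("AES key must be 128, 192 or 256 bits, got " + (key.length * 8));
        }
        CookieRememberMeManager manager = new CookieRememberMeManager();
        manager.setCipherKey(key);
        return manager;
    }

    /** Web SecurityManager that uses the configured remember-me manager. */
    static DefaultWebSecurityManager securityManager() {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRememberMeManager(rememberMeManager());
        return securityManager;
    }
}
```

Rotating the key (generate a new one, update the variable, restart) logs every remembered user out once, which is the expected cost of replacing a key that was ever public. Applying this configuration on a 1.2.4-or-earlier release still leaves the unfiltered deserialization in place, so it complements the upgrade in point 2 rather than replacing it.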

Origin blog.csdn.net/zhaofuqiangmycomm/article/details/113710254