ASA-2018-00051 – RichFaces: Unauthenticated remote code execution via expression language (EL) in UserResource

Allele Security Alert



ASA-2018-00051, CVE-2018-14667


Unauthenticated remote code execution via expression language (EL) in UserResource resource




RichFaces Framework

Affected version(s)

RichFaces Framework 3.X through 3.3.4

Fixed version(s)


Proof of concept



RichFaces Framework 3.X through 3.3.4 (all versions) is vulnerable to Expression Language (EL) Injection via UserResource resource, allowing an unauthenticated remote attacker to execute Java arbitrary code and potentially OS commanding using a special chain of java serialized objects inside a org.ajax4jsf.resource.UserResource$UriData.

Technical details

The Richfaces expects to receive a serialized resource of the type “org.ajax4jsf.resource.UserResource” via URLs with the pattern:

“/a4j/s/3_3_3.Finalorg.ajax4jsf.resource.UserResource/n/s/{HashCode of the
MimeType Resource}/DATA/{Encoded Serialized Object}”.

When this occurs, a check of allowed types is made using a restrict whitelist (Look-Ahead) in order to avoid deserialization vulnerabilities.

Following is the Look-Ahead strict whitelist with the allowed types:

1) org.ajax4jsf.resource.InternetResource
2) org.ajax4jsf.resource.SerializableResource
3) javax.el.Expression
4) javax.faces.el.MethodBinding
5) javax.faces.component.StateHolderSaver
6) java.awt.Color

However, although it is not vulnerable to deserialization, it is possible to construct a special chain of objects using only allowed types and containing a tainted Expression Language (EL) in a specific way that result in it being automatically evaluated by the UserResource class after the correct deserialization of the chain (after the cast, not before).

In order to be vulnerable, an application only need to:

1) Use the mediaOutput feature in any point at any time (the attacker don’t need to know where this feature is used. It just needs that this functionality had been used at any time by the application).

If the point (1) is satisfied, the application will contain a resource inside an internal HashMap with the key like the following:

                                                /----- Resource Name
Key: org.ajax4jsf.resource.UserResource/n/s/-1487394660 <--- HasCode of
resource MimeType (eg "image/jpeg")
                                                                                                                              /\ /\
                                                                                                                               |   \____
if the resource is of session scope (/s) or not (/n)
if the resource is cacheable (/c) or not cacheable (/n)

The original intent of the UserResource is to create or restore a resource (like images, flash, audio, etc) and send it back/draw to the user. So, this is one of the most commons features used by richfaces web applications.

An attacker can abuse of this feature forcing the application to evaluate his tainted EL using a chain like the following:

1] [Obj] org.ajax4jsf.resource.UserResource$UriData
2]                [Obj] javax.faces.component.StateHolderSaver
3]                              [Obj] com.sun.facelets.el.TagMethodExpression
4]                                             [obj] org.jboss.el.MethodExpressionImpl
                                                                "${OUR PAYLOAD}" <----- The malicious EL can be put here.

In the previous chain, notice that all types used are allowed by the look-ahead protection:

1] “org.ajax4jsf.resource.UserResource$UriData” is an “InternetResourceBase” that is an “InternetResource” (whitelisted);
2] “javax.faces.component.StateHolderSaver” (whitelisted)
3] “com.sun.facelets.el.TagMethodExpression” is an “MethodExpression” that is and “Expression” (whitelisted)
4] “org.jboss.el.MethodExpressionImpl” is and “MethodExpression” (whitelisted)

Notice that the points [2] and [3] of the chain can also be changed in order to exploit different platforms.

After create the exploit chain, it is needed to encode it properly and make an HTTP GET in the proper UserResource URL with the payload.

eg. /a4j/s/3_3_3.Finalorg.ajax4jsf.resource.UserResource/n/n/DATA/{hashCode of mime}/payload

The {hashCode of MimeType} is not always needed (depends on how the application uses these features).

When the payload is received by the app, the chain is deserialized and the UserResource.send() method is invoked by the ResourceLifecycle.sendResource(). Inside this method, the content of UserResource$UriData is restored and our MethodExpression is invoked. Thus, our tainted data (EL) has reached a taint sink (MethodExpression.invoke()), leading to the EL evaluation.

Stacktrace example:

org.jboss.el.MethodExpressionImpl.invoke( <- This contains user controlled data!


Joao F M Figueiredo


Unauthenticated Remote Code execution in WebApps using Richfaces 3.X all versions (CVE-2018-14667)




If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: February 1, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.