Allele Security Alert
ASA-2018-00051
Identifier(s)
ASA-2018-00051, CVE-2018-14667
Title
Unauthenticated remote code execution via expression language (EL) in UserResource resource
Vendor(s)
JBoss
Product(s)
RichFaces Framework
Affected version(s)
RichFaces Framework 3.X through 3.3.4
Fixed version(s)
Unknown
Proof of concept
Unknown
Description
RichFaces Framework 3.X through 3.3.4 (all versions) is vulnerable to Expression Language (EL) Injection via UserResource resource, allowing an unauthenticated remote attacker to execute Java arbitrary code and potentially OS commanding using a special chain of java serialized objects inside a org.ajax4jsf.resource.UserResource$UriData.
Technical details
The Richfaces expects to receive a serialized resource of the type “org.ajax4jsf.resource.UserResource” via URLs with the pattern:
“/a4j/s/3_3_3.Finalorg.ajax4jsf.resource.UserResource/n/s/{HashCode of the
MimeType Resource}/DATA/{Encoded Serialized Object}”.
When this occurs, a check of allowed types is made using a restrict whitelist (Look-Ahead) in order to avoid deserialization vulnerabilities.
Following is the Look-Ahead strict whitelist with the allowed types:
1) org.ajax4jsf.resource.InternetResource
2) org.ajax4jsf.resource.SerializableResource
3) javax.el.Expression
4) javax.faces.el.MethodBinding
5) javax.faces.component.StateHolderSaver
6) java.awt.Color
However, although it is not vulnerable to deserialization, it is possible to construct a special chain of objects using only allowed types and containing a tainted Expression Language (EL) in a specific way that result in it being automatically evaluated by the UserResource class after the correct deserialization of the chain (after the cast, not before).
In order to be vulnerable, an application only need to:
1) Use the mediaOutput feature in any point at any time (the attacker don’t need to know where this feature is used. It just needs that this functionality had been used at any time by the application).
If the point (1) is satisfied, the application will contain a resource inside an internal HashMap with the key like the following:
/----- Resource Name
\/
Key: org.ajax4jsf.resource.UserResource/n/s/-1487394660 <--- HasCode of
resource MimeType (eg "image/jpeg")
/\ /\
| \____
if the resource is of session scope (/s) or not (/n)
\_______
if the resource is cacheable (/c) or not cacheable (/n)
The original intent of the UserResource is to create or restore a resource (like images, flash, audio, etc) and send it back/draw to the user. So, this is one of the most commons features used by richfaces web applications.
An attacker can abuse of this feature forcing the application to evaluate his tainted EL using a chain like the following:
1] [Obj] org.ajax4jsf.resource.UserResource$UriData
createContent:
2] [Obj] javax.faces.component.StateHolderSaver
savedState:
3] [Obj] com.sun.facelets.el.TagMethodExpression
orig:
4] [obj] org.jboss.el.MethodExpressionImpl
exp:
"${OUR PAYLOAD}" <----- The malicious EL can be put here.
In the previous chain, notice that all types used are allowed by the look-ahead protection:
1] “org.ajax4jsf.resource.UserResource$UriData” is an “InternetResourceBase” that is an “InternetResource” (whitelisted);
2] “javax.faces.component.StateHolderSaver” (whitelisted)
3] “com.sun.facelets.el.TagMethodExpression” is an “MethodExpression” that is and “Expression” (whitelisted)
4] “org.jboss.el.MethodExpressionImpl” is and “MethodExpression” (whitelisted)
Notice that the points [2] and [3] of the chain can also be changed in order to exploit different platforms.
After create the exploit chain, it is needed to encode it properly and make an HTTP GET in the proper UserResource URL with the payload.
eg. /a4j/s/3_3_3.Finalorg.ajax4jsf.resource.UserResource/n/n/DATA/{hashCode of mime}/payload
The {hashCode of MimeType} is not always needed (depends on how the application uses these features).
When the payload is received by the app, the chain is deserialized and the UserResource.send() method is invoked by the ResourceLifecycle.sendResource(). Inside this method, the content of UserResource$UriData is restored and our MethodExpression is invoked. Thus, our tainted data (EL) has reached a taint sink (MethodExpression.invoke()), leading to the EL evaluation.
Stacktrace example:
org.jboss.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:276) <- This contains user controlled data! org.ajax4jsf.resource.UserResource.send(UserResource.java:109) org.ajax4jsf.resource.ResourceLifecycle.sendResource(ResourceLifecycle.java:221) org.ajax4jsf.resource.ResourceLifecycle.send(ResourceLifecycle.java:148) org.ajax4jsf.resource.InternetResourceService.serviceResource(InternetResourceService.java:226) org.ajax4jsf.resource.ResourceBuilderImpl.decrypt(ResourceBuilderImpl.java:626) org.ajax4jsf.resource.ResourceBuilderImpl.getResourceDataForKey(ResourceBuilderImpl.java:371) org.ajax4jsf.resource.InternetResourceService.serviceResource(InternetResourceService.java:156) org.ajax4jsf.resource.InternetResourceService.serviceResource(InternetResourceService.java:141)
Credits
Joao F M Figueiredo
Reference(s)
Unauthenticated Remote Code execution in WebApps using Richfaces 3.X all versions (CVE-2018-14667)
https://seclists.org/fulldisclosure/2018/Nov/47
CVE-2018-14667
https://access.redhat.com/security/cve/cve-2018-14667
CVE-2018-14667
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14667
CVE-2018-14667
https://nvd.nist.gov/vuln/detail/CVE-2018-14667
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: February 1, 2019