RichFaces Framework 3.X Expression Language (EL) Injection (CVE-2018-14667)
Recently, a new vulnerability in the RichFaces framework was discovered and was assigned with CVE-2018-14667. RichFaces is one of the libraries that implement the JavaServer faces (JSF) specification which is the Java standard for building server-side user interfaces. RichFaces provides large amount of advanced Ajax based UI components. In this case the vulnerable feature of RichFaces is the one that allows it to dynamically generate resources such as images or videos based on data received from the user. Each one of those resources are assigned with a unique identifier that is sent to the server via the requested URL alongside with a Java serialized object that is deserialized by the server and supplies it withthe metadata required for generating and rendering the resource. The serialized Java object that is passed to the server is compressed and encoded using the URL safe base64 encoding. Figure 1: RichFaces dynamically generated JPEG file. Figure 2: Example of decompressing and decoding the data sent to the server In past cases it was found that those Java serialized objects helping RichFaces to serve resources could be replaced with malicious ones that may allow attackers to execute arbitrary code on the server running RichFaces, and this case is of no difference. João Matos the researcher who discovered the vulnerability found that another class of resources named “UserResource” by RichFaces receives serialized Java objects as input and therefor prone to similar vulnerability. Mitigating the vulnerability using iRulesLX BIG-IP customers are encouraged to deploy the attached iRule in order to mitigate this vulnerability. The usage of a dedicated iRule is required as the payload exploiting the vulnerability is both encoded and compressed. /Portals/0/Images/userfiles/306666/CVE-2018-14667.zip Additional Reading https://codewhitesec.blogspot.com/2018/05/poor-richfaces.htmlJBoss Arbitrary code execution via unrestricted deserialization in ReadOnlyAccessFilter (CVE-2017-12149)
In late August 2017 Redhat have published a security advisory regarding an arbitrary code execution vulnerability in JBoss and recently a Proof of Concept exploit was publicly released. This vulnerability is added to the long list of unsafe deserialization vulnerabilities discovered this year. The vulnerable code is part of the HTTP Invoker service that provides HTTP and Remote Method Invocation (RMI) access. This service was first introduced in JBoss Application Server version 3.0.3 (which was released in September 2002) and is installed by default on instances based on versions prior to 7.0.0. Figure 1: invoker.war package pre-installed on JBoss Application Server 5. The unsafe deserialization takes place in the ReadOnlyAccessFilter.java file which receives a request object and calls readObject on the POST data sent by the user without doing any validations on the user supplied input. This provides attackers the possibility to send a crafted serialized object to the server that once deserialized will trigger arbitrary code execution in the context of the user running the vulnerable JBoss server. Figure 2: User supplied input is being deserialized without any validations being made on it. Figure 3: Part of the POST request sent by the Proof-of-Concept exploit. Mitigation Using BIG-IP ASM BIG-IP ASM customers under any supported BIG-IP version are already protected against this vulnerability. The exploitation attempt will be detected by existing Javacode injection and command execution attack signatures which can be found in signature sets that include “Command Execution” and “Server Side Code Injection” attack types or “Java Servlets/JSP” System. Figure 4: Exploit blocked with Attack Signature (200003437) Figure 5: Exploit blocked with Attack Signature (200003057) Figure 6: Exploit blocked with Attack Signature (200004297) Figure 7: Exploit blocked with Attack Signature (200004298) Figure 8: Exploit blocked with Attack Signature (200004299)
