Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id D7EB82009FB for ; Fri, 6 May 2016 13:42:14 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id D67701609F6; Fri, 6 May 2016 11:42:14 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id 2A619160A0C for ; Fri, 6 May 2016 13:42:14 +0200 (CEST) Received: (qmail 1274 invoked by uid 500); 6 May 2016 11:42:13 -0000 Mailing-List: contact dev-help@shiro.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@shiro.apache.org Delivered-To: mailing list dev@shiro.apache.org Received: (qmail 1263 invoked by uid 99); 6 May 2016 11:42:13 -0000 Received: from arcas.apache.org (HELO arcas) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 06 May 2016 11:42:13 +0000 Received: from arcas.apache.org (localhost [127.0.0.1]) by arcas (Postfix) with ESMTP id DEA2C2C1F64 for ; Fri, 6 May 2016 11:42:12 +0000 (UTC) Date: Fri, 6 May 2016 11:42:12 +0000 (UTC) From: "Richard Bradley (JIRA)" To: dev@shiro.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (SHIRO-550) Pre-authentication deserialization vulnerability MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 archived-at: Fri, 06 May 2016 11:42:15 -0000 [ https://issues.apache.org/jira/browse/SHIRO-550?page=3Dcom.atlassian.= jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=3D15273= 938#comment-15273938 ]=20 Richard Bradley commented on SHIRO-550: --------------------------------------- > This is really really serious, should get a CVE and a security fix releas= ed ASAP. +1=20 I understand that Open Source projects may or may not be actively maintaine= d, and that you use them at your own risk, but It seems to me to be simply = irresponsible to be distributing Apache Shiro when it has a known RCE attac= k in its default configuration. It seems to me that Shiro is not safe to use (in its default configuration)= while this bug is open and a deprecation warning should be put on the Shir= o homepage until this can be fixed.=20 I don't see this on Metasploit yet, but is that what is needed for this to = get any attention? > 5 months and no fix. The underlying bug, SHIRO-441, that the RememberMe key is hardcoded and pub= licly available (and enabled by default) has been open since May 2013, so I= 'd say this has been open for 3 years. I've tried to cross-reference the recent committers in git with the mailing= list to see who is responsible for Shiro. [~bdemers] -- do you have commit rights? Are you a Shiro maintainer? Do you= agree that this needs attention ASAP and that all Shiro users need to be a= lerted that their webapps have an easy RCE attack hole wide open? [~ankon] -- you have recent commits in https://git-wip-us.apache.org/repos/= asf?p=3Dshiro.git , but it sounds from your comments above that you are not= a Shiro maintainer? I'll email the dev list as well > Pre-authentication deserialization vulnerability > ------------------------------------------------ > > Key: SHIRO-550 > URL: https://issues.apache.org/jira/browse/SHIRO-550 > Project: Shiro > Issue Type: Bug > Components: RememberMe > Affects Versions: 1.2.4 > Reporter: Tim Stibbs > > The way shiro is set up by default exposes a web application to deseriali= zation attacks. This is dangerous anyway, but particularly in light of the = recent exploits using commons-collections (see http://foxglovesecurity.com/= 2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-applic= ation-have-in-common-this-vulnerability/ for more info). > By default, shiro uses the {{CookieRememberMeManager}}. This serializes, = encrypts and encodes the users identity for later retrieval. Therefore, whe= n it receives a request from an unauthenticated user, it looks for their re= membered identity by doing the following: > * Retrieve the value of the {{rememberMe}} cookie > * Base 64 decode > * Decrypt using AES > * Deserialize using java serialization ({{ObjectInputStream}}). > However, the default encryption key is hardcoded, meaning anyone with acc= ess to the source code knows what the default encryption key is. So, an att= acker can create a malicious object, serialize it, encode it, then send it = as a cookie. Shiro will then decode and deserialize, meaning that your mali= cious object is now live on the server. With careful construction of the ob= jects, they can be made to run some malicious code (see link above for more= detail). > Note this is not theoretical; I have a working exploit using the [ysoseri= al commons-collections4 exploit|https://github.com/frohoff/ysoserial/blob/m= aster/src/main/java/ysoserial/payloads/CommonsCollections2.java] and http c= lient. I can provide my test code if required. > I understand that this requires your shiro to be set up using the default= remember me settings, but in my case my application doesn't even make use = of the remember me functionality (there=E2=80=99s no way for the user to as= k to be remembered), so I didn't even consider that I needed to secure this= part. Yet, my application still has this vulnerability. -- This message was sent by Atlassian JIRA (v6.3.4#6332)