fe1w0

@fe1w0

Joined on Aug 4, 2020

  • Describe the bug: In apps/compile server/resources/compilation.py at line 126, after the get compile server validation, the risk of a Python deserialization attack can achieve command execution, etc. Additional context: import pickle import base64 import requests import json
  • Vulnerability Details - Potential Command Execution via Deserialization Exploit Chain in Specific Component Combinations. Vulnerability Description: A critical vulnerability has been identified in ZAPROXY version 2.14.0 stemming from its dependency components' (i.e. net.sf.json and org.apache.commons.beanutils) interaction with spring-aop, resulting in a novel deserialization gadget chain. This gadget chain potentially enables remote attackers to execute arbitrary commands on the affected system. The vulnerability arises due to a new deserialization gadget chain involving the JdkDynamicAopProxy class from the spring-aop library. This chain leverages the JdkDynamicAopProxy class to proxy instances of TemplatesImpl, leading to a scenario where the getOutputProperties method of TemplatesImpl can be invoked in a controlled manner when the WrapDynaBean.get() method is triggered. This controlled invocation facilitates the execution of malicious code through the deserialization process. A crucial element of this exploit chain is the reliance on the serialization capabilities of components from the Apache Commons Collections library. Specifically, the vulnerability manipulates the factory.create() process within LazyList instances to execute the gadget chain successfully. The exploitation of this vulnerability requires the environment to permit the serialization of Apache Commons Collections components, underscoring the complexity and specificity of the attack vector. It is highly recommended to review and update the dependency components of ZAPROXY to versions that do not support the described deserialization gadget chain. Additionally, limiting or disabling the serialization capabilities of the Apache Commons Collections library within the application's environment can mitigate the risk associated with this vulnerability.
    Organizations are advised to follow secure coding practices and implement robust deserialization filters to protect against similar deserialization vulnerabilities.
  • Vulnerability Description: Under org.clojure:clojure (1.9.0 - 1.12.0), there exists an OS Command Injection initiated through deserialization. Arbitrary command execution can be achieved by constructing suitable objects. The latest conclusion is that the poc generated by the same version of Clojure can directly affect the command execution in the corresponding version, without considering the fn 5920 anonymous function class, see New Way Clojure. core$partial$fn__5920 is actually obtained by reading the jar file, and I am not very familiar with Clojure. The discovery of this vulnerability was made using a private tool, but due to a lack of knowledge in Clojure. Verification Demonstration
  • Vulnerability Description: Under org.clojure:clojure (1.2.0 - 1.12.0-alpha5), there exists a denial of service attack initiated through deserialization. By constructing appropriate objects, continuous hashcode calculations can be initiated. core$partial$fn__5920 is actually obtained by reading the jar file, and I am not very familiar with Clojure. The discovery of this vulnerability was made using a private tool, but due to a lack of knowledge in Clojure. Verification Demonstration:
    gtimeout 30s /Library/Java/JavaVirtualMachines/zulu-11.jdk/Contents/Home/bin/java -classpath /Users/fe1w0/.m2/repository/org/clojure/clojure/1.12.0-alpha5/clojure-1.12.0-alpha5.jar:/Users/fe1w0/.m2/repository/org/clojure/spec.alpha/0.3.218/spec.alpha-0.3.218.jar:/Users/fe1w0/.m2/repository/org/clojure/core.specs.alpha/0.2.62/core.specs.alpha-0.2.62.jar clojure.main /Users/fe1w0/Project/Poc/PocALL/src/main/clojure/poc/clojure/dos.clj
    Vulnerability demo - triple speed