CVE-2016-4437
Description
Apache Shiro before 1.2.5, when a cipher key has not been configured for the “remember me” feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
Ratings
Attacker Value: Very High
Exploitability: Very High
Technical Analysis
Analysis
For the "remember me" (rememberMe) feature, the Shiro component's CookieRememberMeManager class takes the content of the rememberMe field of the cookie and applies serialization, AES encryption and Base64 encoding in turn. Then, when the user makes a request to the site, Shiro decrypts the rememberMe field of the cookie while identifying the user.
Since knowing the encryption order is equivalent to knowing the decryption order, and the AES encryption key is hard-coded in the code, while most programmers do not change the key when using programs provided on GitHub or the Shiro component, anyone can collect keys to enumerate the key used by the target system, which ultimately results in a deserialization vulnerability.
The concepts behind the vulnerability are already public, and a public POC exists (https://github.com/sv3nbeast/ShiroScan). There are a large number of systems with this component, both on the public internet and on internal networks, and because it is an old vulnerability, the coverage of the original fix was not wide, so I believe it is an underrated RCE vulnerability.
Ratings
Attacker Value: High
Exploitability: Very High
Technical Analysis
Apache Shiro v1.2.4 is vulnerable to a Java deserialization vulnerability. An unauthenticated user can submit a YSoSerial payload to the Apache Shiro web server as the value to the rememberMe cookie. This will result in code execution in the context of the web server.
The YSoSerial CommonsCollections2 payload is known to work and is the one leveraged by the Metasploit module.
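Both assessments above come down to the same root cause: the rememberMe cookie is only as trustworthy as the AES key that encrypts it, and the page's description says the flaw applies to Shiro before 1.2.5 when no cipher key has been configured. The following is an added example, not code from the AttackerKB page or from the Shiro project, showing a defender-side audit of that condition: it parses the `[main]` section of a shiro.ini, flags a missing, malformed or operator-blacklisted `cipherKey`, and generates a fresh random key in the Base64 form the ini expects. The property name `securityManager.rememberMeManager.cipherKey`, the 16-byte (AES-128) default key length, the sample ini text and the "burned" placeholder key are all assumptions or constructed values, not taken from the page.

```python
"""Defensive audit for the Apache Shiro rememberMe cipher key (CVE-2016-4437).

Added illustration, not Shiro's own code. Assumptions (not from the page):
  * shiro.ini sets the key via the property
    securityManager.rememberMeManager.cipherKey = <Base64 AES key>  in [main]
  * the default rememberMe cipher is AES with a 128-bit (16-byte) key
"""
import base64
import os

CIPHER_KEY_PROPERTY = "securityManager.rememberMeManager.cipherKey"  # assumed ini property name
AES_KEY_BYTES = 16  # assumed default AES-128 key length for the rememberMe cipher
VALID_AES_KEY_LENGTHS = (16, 24, 32)


def generate_cipher_key(nbytes: int = AES_KEY_BYTES) -> str:
    """Return a fresh random AES key, Base64-encoded the way the ini property expects."""
    return base64.b64encode(os.urandom(nbytes)).decode("ascii")


def _parse_ini_main(text: str) -> dict:
    """Minimal parser: collect key = value pairs from the [main] section of a shiro.ini."""
    props, in_main = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_main = line[1:-1].strip().lower() == "main"
            continue
        if in_main and "=" in line:
            key, value = line.split("=", 1)  # split on the first '=' only; Base64 padding keeps its '='
            props[key.strip()] = value.strip()
    return props


def audit_remember_me_key(ini_text: str, known_keys=frozenset()) -> list:
    """Return a list of findings; an empty list means the rememberMe key config looks sane.

    known_keys: Base64 key strings the operator treats as burned (e.g. copied from public
    sample configs). Only constructed placeholder values are used in this demo.
    """
    findings = []
    key_b64 = _parse_ini_main(ini_text).get(CIPHER_KEY_PROPERTY)
    if key_b64 is None:
        findings.append("no cipherKey configured: Shiro before 1.2.5 falls back to its built-in key")
        return findings
    try:
        raw = base64.b64decode(key_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        findings.append("cipherKey is not valid Base64")
        return findings
    if len(raw) not in VALID_AES_KEY_LENGTHS:
        findings.append(f"cipherKey decodes to {len(raw)} bytes, not a valid AES key length")
    if key_b64 in known_keys:
        findings.append("cipherKey matches a publicly known key; anyone holding it can forge rememberMe cookies")
    return findings


# Constructed sample configs (not from any real deployment).
SAMPLE_INI_MISSING = """
[main]
rememberMeManager = org.apache.shiro.web.mgt.CookieRememberMeManager
securityManager.rememberMeManager = $rememberMeManager
"""
PLACEHOLDER_BURNED_KEY = base64.b64encode(b"PLACEHOLDER-KEY1").decode("ascii")  # constructed 16-byte key
SAMPLE_INI_BURNED = SAMPLE_INI_MISSING + f"{CIPHER_KEY_PROPERTY} = {PLACEHOLDER_BURNED_KEY}\n"
SAMPLE_INI_SHORT = SAMPLE_INI_MISSING + f"{CIPHER_KEY_PROPERTY} = AAAA\n"  # decodes to 3 bytes


def hardened_ini() -> str:
    """Return the sample config with a freshly generated, instance-unique cipher key."""
    return SAMPLE_INI_MISSING + f"{CIPHER_KEY_PROPERTY} = {generate_cipher_key()}\n"


if __name__ == "__main__":
    burned = {PLACEHOLDER_BURNED_KEY}
    for name, ini in (("missing", SAMPLE_INI_MISSING), ("burned", SAMPLE_INI_BURNED),
                      ("short", SAMPLE_INI_SHORT), ("hardened", hardened_ini())):
        print(name, "->", audit_remember_me_key(ini, burned) or ["OK"])
```

Run as a script it prints one line per sample config; in a deployment review the `known_keys` set would be populated from the operator's own inventory of keys that have appeared in shared templates, and any finding on a pre-1.2.5 instance should be treated as the remote code execution condition both assessments describe.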
General Information
Vendors
- apache
- redhat
Products
- aurora
- fuse 1.0
- jboss middleware text-only advisories 1.0
- shiro
Exploited in the Wild