Attacker Value
Very High
(2 users assessed)
Exploitability
Very High
(2 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network

CVE-2016-4437

Disclosure Date: June 07, 2016
Exploited in the Wild
Reported by AttackerKB Worker

Description

Apache Shiro before 1.2.5, when a cipher key has not been configured for the “remember me” feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.

7
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

Analysis

  • For the "remember me" (rememberMe) feature, the Shiro component, in the CookieRememberMeManager class, takes the content of the rememberMe field of the cookie and serializes it, AES-encrypts it, and Base64-encodes it, in that order. Then, when the user makes a request to the site, Shiro decrypts the rememberMe field of the cookie while identifying the user.

  • Knowing the encryption order is equivalent to knowing the decryption order, and the AES key is hard-coded in the code. At the same time, most developers did not change the key when using programs provided on GitHub together with the Shiro component, so anyone can collect keys and iterate through them to find the key used by the target system, which ultimately leads to a deserialization vulnerability.

  • The concepts behind the vulnerability are already public, and a public POC exists (https://github.com/sv3nbeast/ShiroScan). There are a large number of systems with this component on both the public internet and internal networks, and because it is an old vulnerability, the coverage of the original fixes was not broad, so I consider it an underestimated RCE vulnerability.

4
Ratings
  • Attacker Value
    High
  • Exploitability
    Very High
Technical Analysis

Apache Shiro v1.2.4 is vulnerable to a Java deserialization vulnerability. An
unauthenticated user can submit a YSoSerial payload to the Apache Shiro web
server as the value to the rememberMe cookie. This will result in code
execution in the context of the web server.

The YSoSerial CommonsCollections2 payload is known to work and is the one
leveraged by the Metasploit module.

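Both assessments above describe the same weakness: the rememberMe cookie is AES-encrypted with a key the deployment never changed and then deserialized server-side before any authentication. As an added example (not code from the AttackerKB page or from the Shiro project), the following Java shows the weak configuration beside the hardened one using Shiro's own CookieRememberMeManager and AesCipherService APIs; the SHIRO_REMEMBERME_KEY environment variable and the placeholder key bytes are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.util.Base64;

import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;

public class RememberMeKeyConfig {

    // WEAK: a key copied from a sample project is shared by every deployment
    // that copied it. The rememberMe cookie is protected only by this key, so
    // whoever knows it can produce a cookie that Shiro will decrypt and then
    // deserialize. (Placeholder bytes constructed for this example; not any
    // real Shiro key.)
    static final byte[] COPIED_SAMPLE_KEY =
            "PLACEHOLDER_KEY!".getBytes(StandardCharsets.US_ASCII); // 16 bytes = AES-128

    static CookieRememberMeManager weakRememberMe() {
        CookieRememberMeManager mgr = new CookieRememberMeManager();
        mgr.setCipherKey(COPIED_SAMPLE_KEY);
        return mgr;
    }

    // HARDENED: each deployment gets its own random key, generated with Shiro's
    // AES cipher service and kept out of source control. It is read here from
    // SHIRO_REMEMBERME_KEY (assumed name); if absent, a fresh key is generated.
    // A key generated at startup invalidates existing rememberMe cookies on every
    // restart and is not shared between nodes, so persist it in a secret store.
    // This complements, not replaces, upgrading to Shiro 1.2.5 or later.
    static CookieRememberMeManager hardenedRememberMe() {
        String encoded = System.getenv("SHIRO_REMEMBERME_KEY");
        byte[] key = (encoded != null && !encoded.isEmpty())
                ? Base64.getDecoder().decode(encoded)
                : newRandomKey();
        CookieRememberMeManager mgr = new CookieRememberMeManager();
        mgr.setCipherKey(key);
        return mgr;
    }

    static byte[] newRandomKey() {
        Key k = new AesCipherService().generateNewKey(); // 128-bit AES key by default
        return k.getEncoded();
    }

    public static void main(String[] args) {
        DefaultWebSecurityManager sm = new DefaultWebSecurityManager();
        sm.setRememberMeManager(hardenedRememberMe());
        System.out.println("rememberMe manager configured with a per-deployment key");
    }
}
```
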
CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • apache
  • redhat

Products

  • aurora
  • fuse 1.0
  • jboss middleware text-only advisories 1.0
  • shiro
