- Padding Oracle Attack Principle
- PKCS5 Padding
- How is the attack brute-forced?
- Vulnerability Principle
- Source code analysis
- Vulnerability reproduction
This article builds on the shiro550 vulnerability analysis; it is recommended to read the previous post first:
/weixin_60521036/article/details/142373353
Padding Oracle Attack Principle
After reading a lot online, I felt the write-ups were very unfriendly to people like us who are not fluent in cryptography, since not all the terminology can be understood, so I have summarized the principle of the Padding Oracle Attack myself.
PKCS5 Padding
There are many padding schemes; shiro uses PKCS5 padding:
As shown below (can you spot the pattern?):
Meaning: ** indicates arbitrary data; each data block is 8 bytes.
When your data is ** ** ** ** ** ** ** (7 bytes), it is one byte short of a block, so to keep the data in whole blocks one byte of padding has to be added; following the PKCS5 rule, that byte is 01 because exactly one byte is missing.
In the figure above, the next padding 02 02 means the data is 6 bytes (** ** ** ** ** **): the value of each padding byte equals the number of bytes that had to be filled. (Starting to see the trick?)
With that, the rule should be clear without further explanation.
ps: when your data happens to fill all 8 bytes exactly, a whole extra block of padding is appended (as follows):
** ** ** ** ** ** ** **
08 08 08 08 08 08 08 08
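The PKCS5 rule above, written out as code. This is an added example, not code from the original post or from shiro: 8-byte blocks, each padding byte equals the number of bytes added, and a full final block gets a whole extra block of 08. The unpad routine returns -1 on bad padding, which is what the post later says PKCS5Padding#unpad does.

```python
# Added example (not from the original post): PKCS5 padding for 8-byte
# blocks as described above, plus an unpad that validates the padding
# and returns -1 when it is malformed (mirroring PKCS5Padding#unpad).
from typing import Optional

BLOCK = 8


def pkcs5_pad(data: bytes) -> bytes:
    """Append n bytes of value n, where n = bytes missing to fill a block.
    A data length that is already a multiple of 8 gets a whole extra
    block of 0x08 (the 'ps' case in the post)."""
    n = BLOCK - (len(data) % BLOCK)  # always 1..8, never 0
    return data + bytes([n]) * n


def pkcs5_unpad_index(padded: bytes) -> int:
    """Return the index where the real data ends, or -1 if the padding
    is invalid. The pass/fail outcome of exactly this check is the bit
    a padding oracle leaks, so a server must not reveal it."""
    if len(padded) == 0 or len(padded) % BLOCK != 0:
        return -1
    n = padded[-1]
    if n < 1 or n > BLOCK:
        return -1
    if padded[-n:] != bytes([n]) * n:  # every padding byte must equal n
        return -1
    return len(padded) - n


def pkcs5_unpad(padded: bytes) -> Optional[bytes]:
    """Strip valid padding; None when the padding does not verify."""
    idx = pkcs5_unpad_index(padded)
    return None if idx < 0 else padded[:idx]


if __name__ == "__main__":
    # Constructed samples: 7, 6 and 8 bytes of data, as in the post's figure.
    for sample in (b"1234567", b"123456", b"12345678"):
        print(sample, "->", pkcs5_pad(sample).hex(" "))
```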
How is the attack brute-forced?
First we need to know how to tell whether our padding is correct:
The response is different when padding validation fails. PKCS5Padding#unpad checks the padding format of the data and returns -1 if there is a problem; CipherCore#doFinal throws a BadPaddingException when that return value is less than zero; further up, JcaCipherService#crypt and AbstractRememberMeManager#getRememberedPrincipals both propagate the exception, and getRememberedPrincipals additionally calls onRememberedPrincipalFailure, which removes the rememberMe cookie by setting it to deleteMe.
All you need to know here is that if the attempt fails, the response carries deleteMe.
This padding attack involves a lot of detail that I really cannot explain clearly. For example, the reference article notes that the previous ciphertext block serves as the IV of the next block, and XORing with the intermediate value yields the plaintext; that is also important information, but this article mainly explains the root cause of the vulnerability and does not go deeper into the encryption/decryption side of the attack.
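Since the deleteMe response is the oracle signal described above, it is also the detection signal: a real user whose rememberMe cookie fails to decrypt gets deleteMe once or twice, while a padding oracle needs many failed decryptions per byte. The following is an added example, not part of the original post; the log format and the log lines are constructed for it.

```python
# Added example (not from the original post): flag clients whose requests
# carrying a rememberMe cookie repeatedly receive the rememberMe=deleteMe
# response. Log format and sample lines are constructed for this example.
from collections import Counter
from typing import List

# Constructed lines: client_ip | request Cookie header | response Set-Cookie
SAMPLE_LOG = """\
10.0.0.5 | rememberMe=c1== | -
10.0.0.5 | rememberMe=c2== | rememberMe=deleteMe; Path=/
10.0.0.5 | rememberMe=c3== | rememberMe=deleteMe; Path=/
10.0.0.5 | rememberMe=c4== | rememberMe=deleteMe; Path=/
10.0.0.5 | rememberMe=c5== | rememberMe=deleteMe; Path=/
10.0.0.9 | JSESSIONID=abc | -
10.0.0.9 | rememberMe=c6== | rememberMe=deleteMe; Path=/
"""


def count_delete_me(log_text: str) -> Counter:
    """Per client, count responses that cleared rememberMe (deleteMe)
    on a request that presented a rememberMe cookie."""
    hits: Counter = Counter()
    for line in log_text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        ip, req_cookie, resp_cookie = parts
        if "rememberMe=" in req_cookie and "rememberMe=deleteMe" in resp_cookie:
            hits[ip] += 1
    return hits


def suspicious_clients(log_text: str, threshold: int = 3) -> List[str]:
    """Clients at or above the threshold of deleteMe responses. The
    threshold is an assumption for the example; tune it per deployment,
    and count per time window in a real pipeline."""
    counts = count_delete_me(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(count_delete_me(SAMPLE_LOG))
    print("suspicious:", suspicious_clients(SAMPLE_LOG))
```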
Vulnerability Principle
The principle is really simple: shiro fixed the hardcoded-key problem but kept AES-CBC as the encryption mode, so the rest of the encryption and decryption process is unchanged. The vulnerability exists because this encryption is susceptible to a Padding Oracle Attack, which means we do not need to find the key to modify the rememberMe field directly. The detail to note here is:
It requires a known, valid rememberMe ciphertext, which is then tampered with bit by bit through the padding oracle to construct a malicious serialized ciphertext that triggers the deserialization vulnerability. This also explains why you need a valid cookie in order to attack: you need legitimate authentication to obtain a ciphertext to run the padding against.
I don't know if you guys have figured it out yet, but anyway, here's my take:
Because the encryption algorithm can be attacked, the data can be tampered with and then brute-forced through decryption; it's that simple.
Source code analysis
To save effort, just read my previous post on the shiro550 source code analysis.
/weixin_60521036/article/details/142373353
The main decryption flow in 721 has not changed: as long as your padding passes, you reach the deserialization step. Personally I don't feel the need to understand it that thoroughly; the vulnerability itself is also of limited practical value, since you need a successfully authenticated login cookie in order to attack.
Look at the following call stack and you can see it is the same as shiro550; only the encryption and decryption changed.
Vulnerability reproduction
Reproduced on the vulfocus range.
Without further ado, straight to the quickest tool; another approach based on capturing packets is explained later.
The following tool also works for shiro550; the tweaked version is pretty awesome:
/SummerSec/ShiroAttack2
Then just brute-force through the gadget chains.
You'll be able to execute commands directly.
Remember to check Remember Me when you log in.
Capture and forward the login packet; if your password is correct, a cookie with the rememberMe field is returned, and the padding attack is then run using that cookie.
First use the Java deserialization tool ysoserial to generate the payload:
java -jar CommonsBeanutils1 "ping " >
Generate the evil rememberMe cookie via the Padding Oracle Attack:
/inspiringz/Shiro-721 # Scripts for breaking AES keys. Note: this exp takes a long time; it is recommended to use ysoserial to generate a shorter verification payload (e.g. ping, touch /tmp/success, etc.). It takes about an hour to generate the correct rememberMe cookie, and it stops running automatically once it has been generated successfully.
Use the cookie you just generated:
After a long wait, take the padded data and drop it straight into the cookie.
Then check your own dnslog records to see whether the attack succeeded.
Reference articles:
/t/11633
/post/id/193165