Apache Shiro Deserialization RCE
Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.
In order to maintain a user's login status, Shiro implements the rememberMe cookie. This cookie is encrypted. However, Shiro used a hardcoded AES encryption key, kPH+bIxk5D2deZiIxcaaaA==. Because the key is public, an attacker can forge a cookie containing a malicious serialized object. Shiro decrypts this cookie and deserializes it, at which point the RCE payload is triggered.
This is how the rememberMe cookie is processed on the server side:
get rememberMe cookie -> Base64 decode -> AES decryption -> deserialization
This is how we achieve RCE by reversing the above logic:
serialized command -> AES encryption -> Base64 encode -> rememberMe cookie
Lab: Vulhub Apache Shiro 1.2.4 Deserialization RCE
Setup
Spawn a Docker instance:
The vulnerable application will be hosted on http://localhost:8080. Log in with the credentials admin:vulhub.
Generate RCE payload using ysoserial:
Encrypt the payload using the hardcoded key:
Send the output as rememberMe cookie. Verify that the RCE works:
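The hardening side of this weakness, as an added example that is not the page's or Shiro's own code: the rememberMe manager is given a key loaded from a secret store instead of the hardcoded default, and startup is refused if the publicly known default key is configured (the SHIRO_REMEMBERME_KEY environment variable is an assumed name).

```java
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;

public class RememberMeKeyConfig {
    // The key shipped with Shiro 1.2.4; any rememberMe cookie can be forged while it is in use.
    private static final byte[] DEFAULT_KEY =
            Base64.getDecoder().decode("kPH+bIxk5D2deZiIxcaaaA==");

    // Assumed variable name: a base64-encoded AES key injected from a secret store.
    private static final String KEY_ENV = "SHIRO_REMEMBERME_KEY";

    static byte[] loadCipherKey() {
        String encoded = System.getenv(KEY_ENV);
        if (encoded == null || encoded.isEmpty()) {
            // No shared key configured: use a fresh random key for this process only.
            // Cookies issued before a restart, or by another node, will then be rejected.
            byte[] key = new byte[16];
            new SecureRandom().nextBytes(key);
            return key;
        }
        byte[] key = Base64.getDecoder().decode(encoded);
        if (key.length != 16 && key.length != 24 && key.length != 32) {
            throw new IllegalStateException("rememberMe key must be a 128/192/256-bit AES key");
        }
        if (Arrays.equals(key, DEFAULT_KEY)) {
            // Fail closed: a copy-pasted default key is as bad as no key at all.
            throw new IllegalStateException("refusing to start with the publicly known default key");
        }
        return key;
    }

    static DefaultWebSecurityManager securityManager() {
        CookieRememberMeManager rememberMe = new CookieRememberMeManager();
        rememberMe.setCipherKey(loadCipherKey());   // replaces the hardcoded default key
        DefaultWebSecurityManager sm = new DefaultWebSecurityManager();
        sm.setRememberMeManager(rememberMe);
        return sm;
    }
}
```

Replacing the key only stops cookie forgery; the deserialization of cookie contents remains, so the upgrade to a patched Shiro release is still required.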