Hi Everyone, today i want to share with you a post about a vulnerability i’ve discovered times ago, it was already fixed by the vendor. So before i get started i’ll explain first what is a second-order code injection mostly code injection vulnerabilities.
Code Injection is a type of exploitation caused by processing invalid data input. The concept of injection attacks is to introduce (or “inject”) malicious code into a program so as to change the course of execution. Such an attack may be performed by adding strings of malicious characters into data values in the form or argument values in the URL. Injection attacks generally take advantages of inadequate validation over input/output data, for example:
- – Lack of defining a class of allowed characters (such as standard regular expressions or custom classes)
- – Lack of restricting the data format.
- – Lack of checking the amount of expected data (such as maximum length restriction)
- – Lack of restricting the data type (such as numerical input only)
-Second-order code injection :
Second-order code injection is the realisation of malicious code injected into an application by an attacker, but not activated in real-time by the application. In a lot of cases, the victim of the attack may not even be using the same application that the attacker injected their code.
I – Weakness Analysis :
-[ /consolejndi.portal?_nfpb=true&_pageLabel=JNDIHomePage&server=(MALICIOUS_CODE) ] and it was a successfull injection, i can execute any code passed to the argument value.
- All the source codes are included in the following link : http://pastebin.com/BLeW9Wmp
Let’s look more deeper to identify the source of this issue, If we check “tree.js” we find actually that we can ovewrite/corrupt 3 TreeNode() function parameters.
When we take a look at the code *(1-1) we realize that TreeNode function it’s created as a “JSTree” class object, once all arguments are set the JNDI Tree is created by the function createTree(startNode) then we add new nodes in the previous tree with the function addNode(parentNode, recursedNodes) if the “nodeName” is valid. Therefore any attacker can take advantages of this inadequate validation over input/output data. The link above mention the main functions/methods that are processing and building the tree, its content and identifying the vulnerable parameters. (*Check the link )
Difference between the application behaviour in the (1-1) and (1-2) cases :
Actually Dynamic Analysis of data flow and tracking the execution of some functionalities such as ( Tree creation, Add new node, Expand/ collapse operation, Methods used to build JNDI tree,..etc.) helped me to identify the source of this weakness. The following link shows how to recognize the application behaviour in 2 statements, normal and in case of injecting a malicious code :
III – Exploitation :
In order to exploit this vulnerability an attacker can use several ways to inject a payload and execute arbitrary codes. Furthermore there is a possibility to interact with the environment, gain control of JSTree Class objects and the possibility to access an object in a WebLogic Server environment.
- XSS Shell.
- Framework-based attacks :-Different attacks/exploitation could be provided with the help of a framework like BeEF, XSSF.
-Access to local files from browser/ Screen-captures and send data to attacker :
So guys by this we come up to the end of this article,
See you soon, stay tuned 🙂
Follow me on twitter : https://twitter.com/r007hunt