
Wrong code modification leads to Shiro deserialization vulnerability #20

Open
@BetterDefender

Description

The cause of the vulnerability

The project uses Shiro version 1.7.0; this version should not have this vulnerability.

Code layer troubleshooting:

  1. The default key is used (one of the reasons for this vulnerability).
  2. From the point of view of the exploited gadget, the CommonsCollections exploit chain is used (the second reason for this vulnerability); to avoid the commons-collections vulnerability, version 3.2.2 or above should be used.
  3. Check the Shiro-related calling code:
     The Shiro deserialization vulnerability is caused by calling the getRememberedSerializedIdentity() function of the CookieRememberMeManager class. The official repair code is as follows; the repair plan is to delete the CookieRememberMeManager class.
     The CookieRememberMeManager class was added when the open source project was rewritten, which led to the vulnerability.

Exploit:

You can use the following tool to exploit this vulnerability (GitHub project: https://github.com/j1anFen/shiro_attack) and execute system commands.
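The weak setting the report describes (a shared, hard-coded cipher key) beside a hardened configuration, as an added example that is not code from this issue or from the project. It assumes the Shiro 1.x API (CookieRememberMeManager, AesCipherService, Shiro's own Base64 codec), an environment variable named SHIRO_REMEMBERME_KEY chosen for this example, and a constructed placeholder key value.

```java
import java.security.Key;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;

public class RememberMeKeyConfig {

    // WEAK: the pattern the issue describes. A cipher key that is hard-coded
    // (copied from a template, committed to the repository) is effectively
    // public, so anyone can produce a rememberMe cookie that Shiro will
    // decrypt and deserialize. The value here is a constructed 16 zero bytes
    // used only as a placeholder, not the project's key.
    static CookieRememberMeManager weakRememberMeManager() {
        CookieRememberMeManager mgr = new CookieRememberMeManager();
        mgr.setCipherKey(Base64.decode("AAAAAAAAAAAAAAAAAAAAAA=="));
        return mgr;
    }

    // HARDENED: the key lives outside the code base (assumed env var
    // SHIRO_REMEMBERME_KEY holding a Base64 AES key unique to this deployment).
    // If it is absent, a fresh random key is generated, which Shiro 1.4.2+
    // already does by default; cookies then stop working after a restart,
    // which is the usual reason people fall back to a hard-coded key.
    static CookieRememberMeManager hardenedRememberMeManager() {
        CookieRememberMeManager mgr = new CookieRememberMeManager();
        String b64 = System.getenv("SHIRO_REMEMBERME_KEY");
        byte[] key;
        if (b64 != null && !b64.isEmpty()) {
            key = Base64.decode(b64);
            if (key.length != 16 && key.length != 24 && key.length != 32) {
                throw new IllegalStateException(
                        "SHIRO_REMEMBERME_KEY must decode to a 128/192/256-bit AES key");
            }
        } else {
            Key generated = new AesCipherService().generateNewKey();
            key = generated.getEncoded();
        }
        mgr.setCipherKey(key);
        return mgr;
    }

    public static void main(String[] args) {
        DefaultWebSecurityManager sm = new DefaultWebSecurityManager();
        sm.setRememberMeManager(hardenedRememberMeManager());
        // The gadget side (cause 2 above) is fixed separately by upgrading
        // commons-collections to 3.2.2 or above in the build file.
    }
}
```

A per-deployment key only closes the door while it stays secret; the deserialization sink remains, so the gadget dependency must be patched as well.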
